Auth: lock down Grafana admin sync for SAML (#72828)

lock down Grafana admin sync for SAML
2025-02-25 18:55:37 -06:00 · 2023-08-03 17:02:40 +01:00 · 2023-08-03 17:02:40 +01:00 · 3a2538c2ca
commit 3a2538c2ca
parent 5d99fdeb46
2 changed files with 6 additions and 2 deletions
--- a/pkg/services/login/authinfo.go
+++ b/pkg/services/login/authinfo.go
@ -125,6 +125,8 @@ func IsGrafanaAdminExternallySynced(cfg *setting.Cfg, authModule string, oAuthAn
 	switch authModule {
 	case JWTModule:
 		return cfg.JWTAuthAllowAssignGrafanaAdmin
 	case SAMLAuthModule:
 		return cfg.SAMLRoleValuesGrafanaAdmin != ""
 	case LDAPAuthModule:
 		return true
 	default:
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@ -517,8 +517,9 @@ type Cfg struct {
 	SecureSocksDSProxy SecureSocksDSProxySettings
 	// SAML Auth
-	SAMLAuthEnabled     bool
+	SAMLAuthEnabled            bool
-	SAMLSkipOrgRoleSync bool
+	SAMLSkipOrgRoleSync        bool
 	SAMLRoleValuesGrafanaAdmin string
 	// Okta OAuth
 	OktaAuthEnabled     bool
@ -1265,6 +1266,7 @@ func (cfg *Cfg) readSAMLConfig() {
 	samlSec := cfg.Raw.Section("auth.saml")
 	cfg.SAMLAuthEnabled = samlSec.Key("enabled").MustBool(false)
 	cfg.SAMLSkipOrgRoleSync = samlSec.Key("skip_org_role_sync").MustBool(false)
 	cfg.SAMLRoleValuesGrafanaAdmin = samlSec.Key("role_values_grafana_admin").MustString("")
 }
 func (cfg *Cfg) readLDAPConfig() {