IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Auth: Add deprecation notice for oauth_skip_org_role_update_sync (#62712)

Browse Source 
* add: deprecaation notice for overall setting

* add: deprecation notice for configuration files

* chore: update docs with deprecation notice

* refactor: change to note the new setting instead

* Update pkg/setting/setting.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* refactor: based on review comments

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
This commit is contained in:
Eric Leijonmarck
2023-02-07 15:28:40 +00:00
committed by GitHub
parent ba9bdf3455
commit 7019287f88
10 changed files with 35 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
conf/defaults.ini
View File

@@ -487,6 +487,7 @@ oauth_auto_login = false
oauth_state_cookie_max_age = 600 oauth_state_cookie_max_age = 600
# Skip forced assignment of OrgID 1 or 'auto_assign_org_id' for social logins # Skip forced assignment of OrgID 1 or 'auto_assign_org_id' for social logins
# Deprecated, use skip_org_role_sync option for specific provider instead.
oauth_skip_org_role_update_sync = false oauth_skip_org_role_update_sync = false
# limit of api_key seconds to live before expiration # limit of api_key seconds to live before expiration

1
conf/sample.ini
View File

@@ -488,6 +488,7 @@
;oauth_state_cookie_max_age = 600 ;oauth_state_cookie_max_age = 600
# Skip forced assignment of OrgID 1 or 'auto_assign_org_id' for social logins # Skip forced assignment of OrgID 1 or 'auto_assign_org_id' for social logins
# Deprecated, use skip_org_role_sync option for specific provider instead.
;oauth_skip_org_role_update_sync = false ;oauth_skip_org_role_update_sync = false
# limit of api_key seconds to live before expiration # limit of api_key seconds to live before expiration

39
docs/sources/setup-grafana/configure-grafana/_index.md
View File

@@ -857,7 +857,7 @@ Administrators can increase this if they experience OAuth login state mismatch e
### oauth_skip_org_role_update_sync ### oauth_skip_org_role_update_sync
> **Note**: This option will soon be a legacy option in favor of OAuth provider specific `skip_org_role_sync` settings. The following sections explain settings for each provider. > **Note**: This option is deprecated in favor of OAuth provider specific `skip_org_role_sync` settings. The following sections explain settings for each provider.
Skip forced assignment of OrgID `1` or `auto_assign_org_id` for external logins. Default is `false`. Skip forced assignment of OrgID `1` or `auto_assign_org_id` for external logins. Default is `false`.
Use this setting to allow users with external login to be manually assigned to multiple organizations. Use this setting to allow users with external login to be manually assigned to multiple organizations.
@@ -868,11 +868,14 @@ By default, the users' organization and role is reset on every new login.
> With Grafana 10, if `oauth_skip_org_role_update_sync` option is set to `false`, users with no mapping will be > With Grafana 10, if `oauth_skip_org_role_update_sync` option is set to `false`, users with no mapping will be
> reset to the default organization role on every login. [See `auto_assign_org_role` option]({{< relref ".#auto_assign_org_role" >}}). > reset to the default organization role on every login. [See `auto_assign_org_role` option]({{< relref ".#auto_assign_org_role" >}}).
### skip_org_role_sync
To prevent synchronization of organization roles for a specific OAuth integration, you can set the `skip_org_role_sync` option to `true`.
This option is useful when you want to manage the organization roles of your users from within Grafana or when you want to prevent synchronization conflicts when they are synchronized from another provider.
### [auth.grafana_com] skip_org_role_sync ### [auth.grafana_com] skip_org_role_sync
To prevent synchronization of organization roles for a specific OAuth integration, you can set the `skip_org_role_sync` option to `true`. Please note that there is also a separate setting called `oauth_skip_org_role_update_sync` which has a different scope. While `skip_org_role_sync` only applies to the specific OAuth provider, `oauth_skip_org_role_update_sync` is a generic setting that affects all configured OAuth providers. To prevent synchronization of organization roles for a specific OAuth integration, you can set the `skip_org_role_sync` option to `true`. Please note that there is a deprecated setting called `oauth_skip_org_role_update_sync` which has a different scope. While `skip_org_role_sync` only applies to the specific OAuth provider, `oauth_skip_org_role_update_sync` is a generic setting that affects all configured OAuth providers.
The setting `oauth_skip_org_role_update_sync` will be deprecated in favor of provider-specific settings.
The table below show the OAuth provider and their setting with the default value and the skip org role sync setting. The table below show the OAuth provider and their setting with the default value and the skip org role sync setting.
| OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior | | OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior |
@@ -884,9 +887,7 @@ The table below show the OAuth provider and their setting with the default value
### [auth.azuread] skip_org_role_sync ### [auth.azuread] skip_org_role_sync
To prevent synchronization of organization roles for a specific OAuth integration, you can set the `skip_org_role_sync` option to `true`. Please note that there is also a separate setting called `oauth_skip_org_role_update_sync` which has a different scope. While `skip_org_role_sync` only applies to the specific OAuth provider, `oauth_skip_org_role_update_sync` is a generic setting that affects all configured OAuth providers. To prevent synchronization of organization roles for a specific OAuth integration, you can set the `skip_org_role_sync` option to `true`. Please note that there is a deprecated setting called `oauth_skip_org_role_update_sync` which has a different scope. While `skip_org_role_sync` only applies to the specific OAuth provider, `oauth_skip_org_role_update_sync` is a generic setting that affects all configured OAuth providers.
The setting `oauth_skip_org_role_update_sync` will be deprecated in favor of provider-specific settings.
The following table shows the OAuth provider's setting with the default value and the skip org role sync setting. The following table shows the OAuth provider's setting with the default value and the skip org role sync setting.
| OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior | | OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior |
@@ -898,9 +899,7 @@ The following table shows the OAuth provider's setting with the default value an
### [auth.google] skip_org_role_sync ### [auth.google] skip_org_role_sync
Upon the first login from a user, we set the organization roles from the setting `AutoAssignOrgRole`. If you want to manage organizational roles, set the `skip_org_role_sync` option to `true`. To prevent synchronization of organization roles for a specific OAuth integration, you can set the `skip_org_role_sync` option to `true`. Please note that there is a deprecated setting called `oauth_skip_org_role_update_sync` which has a different scope. While `skip_org_role_sync` only applies to the specific OAuth provider, `oauth_skip_org_role_update_sync` is a generic setting that affects all configured OAuth providers.
> **Note:** There is a separate setting called `oauth_skip_org_role_update_sync` which has a different scope. While `skip_org_role_sync` only applies to the specific OAuth provider, `oauth_skip_org_role_update_sync` is a generic setting that affects all configured OAuth providers.
The following table shows the OAuth provider's setting with the default value and the skip org role sync setting. The following table shows the OAuth provider's setting with the default value and the skip org role sync setting.
| OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior | | OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior |
@@ -912,10 +911,9 @@ The following table shows the OAuth provider's setting with the default value an
### [auth.github] skip_org_role_sync ### [auth.github] skip_org_role_sync
When a user logs in the first time, Grafana sets the organization role based on the value specified in `AutoAssignOrgRole`. If you want to manage organization roles, set the `skip_org_role_sync` option to `true`. GitHub syncs organization roles and sets Grafana Admins. To prevent synchronization of organization roles for a specific OAuth integration, you can set the `skip_org_role_sync` option to `true`. When a user logs in the first time, Grafana sets the organization role based on the value specified in `AutoAssignOrgRole`. If you want to manage organization roles, set the `skip_org_role_sync` option to `true`. GitHub syncs organization roles and sets Grafana Admins. This also impacts `allow_assign_grafana_admin` setting, by not syncing the grafana admin role from GitHub.
This also impacts `allow_assign_grafana_admin` setting, by not syncing the grafana admin role from GitHub.
> **Note:** There is a separate setting called `oauth_skip_org_role_update_sync` which has a different scope. While `skip_org_role_sync` only applies to the specific OAuth provider, `oauth_skip_org_role_update_sync` is a generic setting that affects all configured OAuth providers. Please note that there is a deprecated setting called `oauth_skip_org_role_update_sync` which has a different scope. While `skip_org_role_sync` only applies to the specific OAuth provider, `oauth_skip_org_role_update_sync` is a generic setting that affects all configured OAuth providers.
The following table shows the OAuth provider's setting with the default value and the skip org role sync setting. The following table shows the OAuth provider's setting with the default value and the skip org role sync setting.
| OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior | | OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior |
@@ -927,10 +925,9 @@ The following table shows the OAuth provider's setting with the default value an
### [auth.gitlab] skip_org_role_sync ### [auth.gitlab] skip_org_role_sync
When a user logs in the first time, Grafana sets the organization role based on the value specified in `AutoAssignOrgRole`. If you want to manage organization roles, set the `skip_org_role_sync` option to `true`. GitLab syncs organization roles and sets Grafana Admins. To prevent synchronization of organization roles for a specific OAuth integration, you can set the `skip_org_role_sync` option to `true`. When a user logs in the first time, Grafana sets the organization role based on the value specified in `AutoAssignOrgRole`. If you want to manage organization roles, set the `skip_org_role_sync` option to `true`. GitLab syncs organization roles and sets Grafana Admins. This also impacts `allow_assign_grafana_admin` setting, by not syncing the grafana admin role from GitLab.
This also impacts `allow_assign_grafana_admin` setting, by not syncing the grafana admin role from GitLab.
> **Note:** There is a separate setting called `oauth_skip_org_role_update_sync` which has a different scope. While `skip_org_role_sync` only applies to the specific OAuth provider, `oauth_skip_org_role_update_sync` is a generic setting that affects all configured OAuth providers. > **Note:** There is a deprecated setting called `oauth_skip_org_role_update_sync` which has a different scope. While `skip_org_role_sync` only applies to the specific OAuth provider, `oauth_skip_org_role_update_sync` is a generic setting that affects all configured OAuth providers.
The following table shows the OAuth provider's setting with the default value and the skip org role sync setting. The following table shows the OAuth provider's setting with the default value and the skip org role sync setting.
| OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior | | OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior |
@@ -942,10 +939,9 @@ The following table shows the OAuth provider's setting with the default value an
### [auth.generic_oauth] skip_org_role_sync ### [auth.generic_oauth] skip_org_role_sync
When a user logs in the first time, Grafana sets the organization role based on the value specified in `AutoAssignOrgRole`. If you want to manage organization roles, set the `skip_org_role_sync` option to `true`. the OAuth provider syncs organization roles and sets Grafana Admins. To prevent synchronization of organization roles for a specific OAuth integration, you can set the `skip_org_role_sync` option to `true`. When a user logs in the first time, Grafana sets the organization role based on the value specified in `AutoAssignOrgRole`. If you want to manage organization roles, set the `skip_org_role_sync` option to `true`. OAuth syncs organization roles and sets Grafana Admins. This also impacts `allow_assign_grafana_admin` setting, by not syncing the grafana admin role from the OAuth provider.
This also impacts `allow_assign_grafana_admin` setting, by not syncing the grafana admin role from the OAuth provider.
> **Note:** There is a separate setting called `oauth_skip_org_role_update_sync` which has a different scope. While `skip_org_role_sync` only applies to the specific OAuth provider, `oauth_skip_org_role_update_sync` is a generic setting that affects all configured OAuth providers. > **Note:** There is a deprecated setting called `oauth_skip_org_role_update_sync` which has a different scope. While `skip_org_role_sync` only applies to the specific OAuth provider, `oauth_skip_org_role_update_sync` is a generic setting that affects all configured OAuth providers.
The following table shows the OAuth provider's setting with the default value and the skip org role sync setting. The following table shows the OAuth provider's setting with the default value and the skip org role sync setting.
| OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior | | OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior |
@@ -957,10 +953,9 @@ The following table shows the OAuth provider's setting with the default value an
### [auth.okta] skip_org_role_sync ### [auth.okta] skip_org_role_sync
When a user logs in the first time, Grafana sets the organization role based on the value specified in `AutoAssignOrgRole`. If you want to manage organization roles through Grafana's UI, set the `skip_org_role_sync` option to `true`. To prevent synchronization of organization roles for a specific OAuth integration, you can set the `skip_org_role_sync` option to `true`. When a user logs in the first time, Grafana sets the organization role based on the value specified in `AutoAssignOrgRole`. If you want to manage organization roles, set the `skip_org_role_sync` option to `true`. Okta syncs organization roles and sets Grafana Admins. This also impacts `allow_assign_grafana_admin` setting, by not syncing the grafana admin role from Okta.
This also impacts `allow_assign_grafana_admin` setting, by not syncing the grafana admin role from GitLab.
> **Note:** There is a separate setting called `oauth_skip_org_role_update_sync` which has a different scope. While `skip_org_role_sync` only applies to the specific OAuth provider, `oauth_skip_org_role_update_sync` is a generic setting that affects all configured OAuth providers. > **Note:** There is a deprecated setting called `oauth_skip_org_role_update_sync` which has a different scope. While `skip_org_role_sync` only applies to the specific OAuth provider, `oauth_skip_org_role_update_sync` is a generic setting that affects all configured OAuth providers.
The following table shows the OAuth provider's setting with the default value and the skip org role sync setting. The following table shows the OAuth provider's setting with the default value and the skip org role sync setting.
| OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior | | OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior |

9
docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md
View File

@@ -254,15 +254,12 @@ their organization membership will be reset to the default organization.
## Skip organization role sync ## Skip organization role sync
If Azure AD authentication is not intended to sync user roles and organization membership, If Azure AD authentication is not intended to sync user roles and organization membership and prevent the sync of org roles from AzureAD, set `skip_org_role_sync` to `true`. This is useful if you want to manage the organization roles for your users from within Grafana or that your organization roles are synced from another provider.
`oauth_skip_org_role_update_sync` should be enabled, this is not recommended to use in favor of setting provider specific `skip_org_role_sync` option. See [configure-grafana]({{< relref "../../../configure-grafana#authazuread-skip-org-role-sync" >}}) for more details.
See [configure-grafana]({{< relref "../../../configure-grafana#oauth_skip_org_role_update_sync" >}}) for more details.
To prevent the sync of org roles from Grafana.com, set `skip_org_role_sync` to `true`. This is useful if you want to manage the organization roles for your users from within Grafana.
```ini ```ini
[auth.azuread] [auth.azuread]
# .. # ..
# prevents the sync of org roles from Grafana.com # prevents the sync of org roles from AzureAD
skip_org_role_sync = true skip_org_role_sync = true
``` ```

4
docs/sources/setup-grafana/configure-security/configure-authentication/generic-oauth/index.md
View File

@@ -274,8 +274,8 @@ For more information, refer to the [JMESPath examples](#jmespath-examples).
> **Warning**: Currently if no organization role mapping is found for a user, Grafana doesn't > **Warning**: Currently if no organization role mapping is found for a user, Grafana doesn't
> update the user's organization role. This is going to change in Grafana 10. To avoid overriding manually set roles, > update the user's organization role. This is going to change in Grafana 10. To avoid overriding manually set roles,
> enable the `oauth_skip_org_role_update_sync` option. > enable the `skip_org_role_sync` option.
> See [configure-grafana]({{< relref "../../../configure-grafana#oauth_skip_org_role_update_sync" >}}) for more information. > See [configure-grafana]({{< relref "../../../configure-grafana#authgeneric_oauth-skip-org-role-sync" >}}) for more information.
On first login, if the`role_attribute_path` property does not return a role, then the user is assigned the role On first login, if the`role_attribute_path` property does not return a role, then the user is assigned the role
specified by [the `auto_assign_org_role` option]({{< relref "../../../configure-grafana#auto_assign_org_role" >}}). specified by [the `auto_assign_org_role` option]({{< relref "../../../configure-grafana#auto_assign_org_role" >}}).

4
docs/sources/setup-grafana/configure-security/configure-authentication/github/index.md
View File

@@ -134,8 +134,8 @@ The result of evaluating the `role_attribute_path` JMESPath expression must be a
> **Warning**: Currently if no organization role mapping is found for a user, Grafana doesn't > **Warning**: Currently if no organization role mapping is found for a user, Grafana doesn't
> update the user's organization role. This is going to change in Grafana 10. To avoid overriding manually set roles, > update the user's organization role. This is going to change in Grafana 10. To avoid overriding manually set roles,
> enable the `oauth_skip_org_role_update_sync` option. > enable the `skip_org_role_sync` option in the [auth.github] section.
> See [configure-grafana]({{< relref "../../../configure-grafana#oauth_skip_org_role_update_sync" >}}) for more information. > See [configure-grafana]({{< relref "../../../configure-grafana#authgithub-skip-org-role-sync" >}}) for more information.
On first login, if the`role_attribute_path` property does not return a role, then the user is assigned the role On first login, if the`role_attribute_path` property does not return a role, then the user is assigned the role
specified by [the `auto_assign_org_role` option]({{< relref "../../../configure-grafana#auto_assign_org_role" >}}). specified by [the `auto_assign_org_role` option]({{< relref "../../../configure-grafana#auto_assign_org_role" >}}).

4
docs/sources/setup-grafana/configure-security/configure-authentication/gitlab/index.md
View File

@@ -159,8 +159,8 @@ For the path lookup, Grafana uses JSON obtained from querying GitLab's API [`/ap
> **Warning**: Currently if no organization role mapping is found for a user, Grafana doesn't > **Warning**: Currently if no organization role mapping is found for a user, Grafana doesn't
> update the user's organization role. This is going to change in Grafana 10. To avoid overriding manually set roles, > update the user's organization role. This is going to change in Grafana 10. To avoid overriding manually set roles,
> enable the `oauth_skip_org_role_update_sync` option. > enable the `skip_org_role_sync` option.
> See [configure-grafana]({{< relref "../../../configure-grafana#oauth_skip_org_role_update_sync" >}}) for more information. > See [configure-grafana]({{< relref "../../../configure-grafana#authgitlab-skip-org-role-sync" >}}) for more information.
On first login, if the`role_attribute_path` property does not return a role, then the user is assigned the role On first login, if the`role_attribute_path` property does not return a role, then the user is assigned the role
specified by [the `auto_assign_org_role` option]({{< relref "../../../configure-grafana#auto_assign_org_role" >}}). specified by [the `auto_assign_org_role` option]({{< relref "../../../configure-grafana#auto_assign_org_role" >}}).

4
docs/sources/setup-grafana/configure-security/configure-authentication/okta/index.md
View File

@@ -95,8 +95,8 @@ Grafana uses JSON obtained from querying the `/userinfo` endpoint for the path l
> **Warning**: Currently if no organization role mapping is found for a user, Grafana doesn't > **Warning**: Currently if no organization role mapping is found for a user, Grafana doesn't
> update the user's organization role. This is going to change in Grafana 10. To avoid overriding manually set roles, > update the user's organization role. This is going to change in Grafana 10. To avoid overriding manually set roles,
> enable the `oauth_skip_org_role_update_sync` option. > enable the `skip_org_role_sync` option.
> See [configure-grafana]({{< relref "../../../configure-grafana#oauth_skip_org_role_update_sync" >}}) for more information. > See [configure-grafana]({{< relref "../../../configure-grafana#authokta-skip-org-role-sync" >}}) for more information.
On first login, if the`role_attribute_path` property does not return a role, then the user is assigned the role On first login, if the`role_attribute_path` property does not return a role, then the user is assigned the role
specified by [the `auto_assign_org_role` option]({{< relref "../../../configure-grafana#auto_assign_org_role" >}}). specified by [the `auto_assign_org_role` option]({{< relref "../../../configure-grafana#auto_assign_org_role" >}}).

2
pkg/login/social/social.go
View File

@@ -367,7 +367,7 @@ func (s *SocialBase) defaultRole(legacy bool) org.RoleType {
if legacy && !s.skipOrgRoleSync { if legacy && !s.skipOrgRoleSync {
s.log.Warn("No valid role found. Skipping role sync. " + s.log.Warn("No valid role found. Skipping role sync. " +
"In Grafana 10, this will result in the user being assigned the default role and overriding manual assignment. " + "In Grafana 10, this will result in the user being assigned the default role and overriding manual assignment. " +
"If role sync is not desired, set oauth_skip_org_role_update_sync to true") "If role sync is not desired, set skip_org_role_sync for your provider to true")
} }
return "" return ""

4
pkg/setting/setting.go
View File

@@ -1452,7 +1452,11 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
cfg.OAuthCookieMaxAge = auth.Key("oauth_state_cookie_max_age").MustInt(600) cfg.OAuthCookieMaxAge = auth.Key("oauth_state_cookie_max_age").MustInt(600)
SignoutRedirectUrl = valueAsString(auth, "signout_redirect_url", "") SignoutRedirectUrl = valueAsString(auth, "signout_redirect_url", "")
// Deprecated
cfg.OAuthSkipOrgRoleUpdateSync = auth.Key("oauth_skip_org_role_update_sync").MustBool(false) cfg.OAuthSkipOrgRoleUpdateSync = auth.Key("oauth_skip_org_role_update_sync").MustBool(false)
if cfg.OAuthSkipOrgRoleUpdateSync {
cfg.Logger.Warn("[Deprecated] The oauth_skip_org_role_update_sync configuration setting is deprecated. Please use skip_org_role_sync inside the auth provider section instead.")
}
cfg.DisableLogin = auth.Key("disable_login").MustBool(false) cfg.DisableLogin = auth.Key("disable_login").MustBool(false)