Auth: Add Generic oauth skip org role sync setting (#62418)

* add: generic oauth skip org role sync

* add: docs

* add: backend login skip sync

* fix: docs typo

* add: tests

* remove public key

* fix markdown for generic oauth

* add: generic oauth to the configuration

* refactor: change debug to warn
Eric Leijonmarck
2023-02-01 16:27:53 +00:00
committed by GitHub
parent 6b6b733229
commit 8ff19bd901
12 changed files with 107 additions and 40 deletions

@@ -936,10 +936,25 @@ The following table shows the OAuth provider's setting with the default value an
| OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior |
| --- | --- | --- | --- |
| GitLab | false | false | User organization roles are set with `defaultRole` and cannot be changed |
| Github | true | false | User organization roles are set with `defaultRole` for GitLab, and Grafana Admins are set. For other providers, the synchronization is skipped, and the org role can be changed, along with other OAuth provider users' org roles. |
| GitLab | true | false | User organization roles are set with `defaultRole` for GitLab, and Grafana Admins are set. For other providers, the synchronization is skipped, and the org role can be changed, along with other OAuth provider users' org roles. |
| GitLab | false | true | User organization roles are set with `defaultRole`, and the organization role can be changed for GitLab synced users. |
| GitLab | true | true | User organization roles are set with `defaultRole` for GitLab. For other providers, the synchronization is skipped, and the org role can be changed, along with other OAuth provider users' org roles. |
### [auth.generic_oauth] skip_org_role_sync
When a user logs in the first time, Grafana sets the organization role based on the value specified in `AutoAssignOrgRole`. If you want to manage organization roles, set the `skip_org_role_sync` option to `true`. the OAuth provider syncs organization roles and sets Grafana Admins.
This also impacts `allow_assign_grafana_admin` setting, by not syncing the grafana admin role from the OAuth provider.
> **Note:** There is a separate setting called `oauth_skip_org_role_update_sync` which has a different scope. While `skip_org_role_sync` only applies to the specific OAuth provider, `oauth_skip_org_role_update_sync` is a generic setting that affects all configured OAuth providers.
The following table shows the OAuth provider's setting with the default value and the skip org role sync setting.
| OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior |
| --- | --- | --- | --- |
| Generic OAuth | false | false | User organization roles are set with `defaultRole` and cannot be changed |
| Generic OAuth | true | false | User organization roles are set with `defaultRole` for Generic OAuth, and Grafana Admins are set. For other providers, the synchronization is skipped, and the org role can be changed, along with other OAuth provider users' org roles. |
| Generic OAuth | false | true | User organization roles are set with `defaultRole`, and the organization role can be changed for Generic OAuth synced users. |
| Generic OAuth | true | true | User organization roles are set with `defaultRole` for Generic OAuth. For other providers, the synchronization is skipped, and the org role can be changed, along with other OAuth provider users' org roles. |
### [auth.okta] skip_org_role_sync
When a user logs in the first time, Grafana sets the organization role based on the value specified in `AutoAssignOrgRole`. If you want to manage organization roles through Grafana's UI, set the `skip_org_role_sync` option to `true`.
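
Review bot: In the new `[auth.generic_oauth] skip_org_role_sync` paragraph, the fragment "the OAuth provider syncs organization roles and sets Grafana Admins." starts in lowercase and has lost its lead-in, so it reads as the result of setting the option to `true`. That contradicts the following line, which says the Grafana admin role is not synced from the OAuth provider. Since this option decides whether the provider or a Grafana administrator controls org roles and the Grafana Admin flag, the text should say explicitly which behavior applies when the option is `false` and which when it is `true`. The first sentence should also match the `[auth.okta]` section wording ("manage organization roles through Grafana's UI"). Separately, the note names the global setting `oauth_skip_org_role_update_sync` while the table header in the same section uses `oauth_skip_org_role_sync_update`; one of the two is wrong, and an operator copying the wrong key into the configuration would end up with role sync in a state they did not intend. Please align both with the key the code actually reads.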