Auth: OAuth sets skip_org_role_sync = true for auth.google by default (#72819)

* sets skip_org_role_sync to true for google * add google skiporgrolesync and sets to true always * add field * Update docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * add AKS to words * script back to mina --------- Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
2025-02-12 00:25:46 -06:00 · 2023-08-04 16:17:35 +02:00 · 2023-08-04 16:17:35 +02:00 · 95760cb021
commit 95760cb021
parent 3395ad03a7
4 changed files with 11 additions and 7 deletions
--- a/docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md
+++ b/docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md
@ -102,7 +102,7 @@ auto_login = true

 ## Skip organization role sync

-We do not currently sync roles from Google and instead set the AutoAssigned role to the user at first login. To manage your user's organization role from within Grafana, set `skip_org_role_sync` to `true`.
+We do not currently sync roles from Google and instead set the AutoAssigned role to the user at first login. The default setting for `skip_org_role_sync` is `true`, which means that role modifications can still be made through the user interface.

 ```ini
 [auth.google]
--- a/pkg/login/social/google_oauth.go
+++ b/pkg/login/social/google_oauth.go
@ -20,8 +20,9 @@ const googleIAMScope = "https://www.googleapis.com/auth/cloud-identity.groups.re

 type SocialGoogle struct {
 	*SocialBase
-	hostedDomain string
-	apiUrl       string
+	hostedDomain    string
+	apiUrl          string
+	skipOrgRoleSync bool
 }

 type googleUserData struct {
--- a/pkg/login/social/social.go
+++ b/pkg/login/social/social.go
@ -189,9 +189,10 @@ func ProvideService(cfg *setting.Cfg,
 				ss.log.Warn("Using legacy Google API URL, please update your configuration")
 			}
 			ss.socialMap["google"] = &SocialGoogle{
-				SocialBase:   newSocialBase(name, &config, info, cfg.AutoAssignOrgRole, cfg.OAuthSkipOrgRoleUpdateSync, *features),
-				hostedDomain: info.HostedDomain,
-				apiUrl:       info.ApiUrl,
+				SocialBase:      newSocialBase(name, &config, info, cfg.AutoAssignOrgRole, cfg.OAuthSkipOrgRoleUpdateSync, *features),
+				hostedDomain:    info.HostedDomain,
+				apiUrl:          info.ApiUrl,
+				skipOrgRoleSync: cfg.GoogleSkipOrgRoleSync,
 			}
 		}

--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@ -1482,7 +1482,9 @@ func readAuthGithubSettings(cfg *Cfg) {
 func readAuthGoogleSettings(cfg *Cfg) {
 	sec := cfg.SectionWithEnvOverrides("auth.google")
 	cfg.GoogleAuthEnabled = sec.Key("enabled").MustBool(false)
-	cfg.GoogleSkipOrgRoleSync = sec.Key("skip_org_role_sync").MustBool(false)
+	// FIXME: for now we skip org role sync for google auth
+	// as we do not sync organization roles from Google
+	cfg.GoogleSkipOrgRoleSync = true
 }

 func readAuthGitlabSettings(cfg *Cfg) {