mirror of
https://github.com/grafana/grafana.git
synced 2024-11-21 16:38:03 -06:00
Auth: Remove oauth skip org role sync (#84972)
* remove oauth wide skip org role sync * we are warning from config * set it to false * removed from config ini files and updated docs
This commit is contained in:
parent
f2c7023fe6
commit
bb792ff540
@ -561,10 +561,6 @@ oauth_auto_login = false
|
||||
# OAuth state max age cookie duration in seconds. Defaults to 600 seconds.
|
||||
oauth_state_cookie_max_age = 600
|
||||
|
||||
# Skip forced assignment of OrgID 1 or 'auto_assign_org_id' for social logins
|
||||
# Deprecated, use skip_org_role_sync option for specific provider instead.
|
||||
oauth_skip_org_role_update_sync = false
|
||||
|
||||
# limit of api_key seconds to live before expiration
|
||||
api_key_max_seconds_to_live = -1
|
||||
|
||||
|
@ -538,10 +538,6 @@
|
||||
# OAuth state max age cookie duration in seconds. Defaults to 600 seconds.
|
||||
;oauth_state_cookie_max_age = 600
|
||||
|
||||
# Skip forced assignment of OrgID 1 or 'auto_assign_org_id' for social logins
|
||||
# Deprecated, use skip_org_role_sync option for specific provider instead.
|
||||
;oauth_skip_org_role_update_sync = false
|
||||
|
||||
# limit of api_key seconds to live before expiration
|
||||
;api_key_max_seconds_to_live = -1
|
||||
|
||||
|
@ -938,10 +938,10 @@ Administrators can increase this if they experience OAuth login state mismatch e
|
||||
### oauth_skip_org_role_update_sync
|
||||
|
||||
{{% admonition type="note" %}}
|
||||
This option is deprecated in favor of OAuth provider specific `skip_org_role_sync` settings. The following sections explain settings for each provider.
|
||||
This option is removed from G11 in favor of OAuth provider specific `skip_org_role_sync` settings. The following sections explain settings for each provider.
|
||||
{{% /admonition %}}
|
||||
|
||||
If you want to change the `oauth_skip_org_role_update_sync` setting to `false`, then for each provider you have set up, use the `skip_org_role_sync` setting to specify whether you want to skip the synchronization.
|
||||
If you want to change the `oauth_skip_org_role_update_sync` setting from `true` to `false`, then each provider you have set up, use the `skip_org_role_sync` setting to specify whether you want to skip the synchronization.
|
||||
|
||||
{{% admonition type="warning" %}}
|
||||
Currently if no organization role mapping is found for a user, Grafana doesn't update the user's organization role.
|
||||
|
@ -327,7 +327,6 @@ func (hs *HTTPServer) getFrontendSettings(c *contextmodel.ReqContext) (*dtos.Fro
|
||||
oauthProviders := hs.SocialService.GetOAuthInfoProviders()
|
||||
frontendSettings.Auth = dtos.FrontendSettingsAuthDTO{
|
||||
AuthProxyEnableLoginToken: hs.Cfg.AuthProxy.EnableLoginToken,
|
||||
OAuthSkipOrgRoleUpdateSync: hs.Cfg.OAuthSkipOrgRoleUpdateSync,
|
||||
SAMLSkipOrgRoleSync: hs.Cfg.SAMLSkipOrgRoleSync,
|
||||
LDAPSkipOrgRoleSync: hs.Cfg.LDAPSkipOrgRoleSync,
|
||||
JWTAuthSkipOrgRoleSync: hs.Cfg.JWTAuth.SkipOrgRoleSync,
|
||||
|
@ -800,8 +800,7 @@ func TestSocialAzureAD_SkipOrgRole(t *testing.T) {
|
||||
SkipOrgRoleSync: false,
|
||||
},
|
||||
cfg: &setting.Cfg{
|
||||
AutoAssignOrgRole: "",
|
||||
OAuthSkipOrgRoleUpdateSync: false,
|
||||
AutoAssignOrgRole: "",
|
||||
},
|
||||
},
|
||||
claims: &azureClaims{
|
||||
@ -831,8 +830,7 @@ func TestSocialAzureAD_SkipOrgRole(t *testing.T) {
|
||||
SkipOrgRoleSync: false,
|
||||
},
|
||||
cfg: &setting.Cfg{
|
||||
AutoAssignOrgRole: "",
|
||||
OAuthSkipOrgRoleUpdateSync: false,
|
||||
AutoAssignOrgRole: "",
|
||||
},
|
||||
},
|
||||
claims: &azureClaims{
|
||||
|
@ -362,8 +362,7 @@ func TestSocialGitlab_extractFromToken(t *testing.T) {
|
||||
TokenUrl: tc.config.Endpoint.TokenURL,
|
||||
},
|
||||
&setting.Cfg{
|
||||
AutoAssignOrgRole: "",
|
||||
OAuthSkipOrgRoleUpdateSync: false,
|
||||
AutoAssignOrgRole: "",
|
||||
}, &ssosettingstests.MockService{},
|
||||
featuremgmt.WithFeatures())
|
||||
|
||||
|
@ -111,8 +111,7 @@ func TestSocialOkta_UserInfo(t *testing.T) {
|
||||
SkipOrgRoleSync: tt.settingSkipOrgRoleSync,
|
||||
},
|
||||
&setting.Cfg{
|
||||
AutoAssignOrgRole: tt.autoAssignOrgRole,
|
||||
OAuthSkipOrgRoleUpdateSync: false,
|
||||
AutoAssignOrgRole: tt.autoAssignOrgRole,
|
||||
},
|
||||
&ssosettingstests.MockService{},
|
||||
featuremgmt.WithFeatures())
|
||||
|
@ -162,9 +162,6 @@ func (c *OAuth) Authenticate(ctx context.Context, r *authn.Request) (*authn.Iden
|
||||
}
|
||||
|
||||
orgRoles, isGrafanaAdmin, _ := getRoles(c.cfg, func() (org.RoleType, *bool, error) {
|
||||
if c.cfg.OAuthSkipOrgRoleUpdateSync {
|
||||
return "", nil, nil
|
||||
}
|
||||
return userInfo.Role, userInfo.IsGrafanaAdmin, nil
|
||||
})
|
||||
|
||||
|
@ -78,12 +78,6 @@ func IsExternallySynced(cfg *setting.Cfg, authModule string, oauthInfo *social.O
|
||||
case JWTModule:
|
||||
return !cfg.JWTAuth.SkipOrgRoleSync
|
||||
}
|
||||
// then check the rest of the oauth providers
|
||||
// FIXME: remove this once we remove the setting
|
||||
// is a deprecated setting that is used to skip org role sync for all external oauth providers
|
||||
if cfg.OAuthSkipOrgRoleUpdateSync {
|
||||
return false
|
||||
}
|
||||
switch authModule {
|
||||
case GoogleAuthModule, OktaAuthModule, AzureADAuthModule, GitLabAuthModule, GithubAuthModule, GrafanaComAuthModule, GenericOAuthModule:
|
||||
if oauthInfo == nil {
|
||||
|
@ -32,14 +32,6 @@ func TestIsExternallySynced(t *testing.T) {
|
||||
provider: AzureADAuthModule,
|
||||
expected: false,
|
||||
},
|
||||
// FIXME: remove this test as soon as we remove the deprecated setting for skipping org role sync for all external oauth providers
|
||||
{
|
||||
name: "AzureAD external user should return that it is not externally synced when oauth org role sync is set",
|
||||
cfg: &setting.Cfg{OAuthSkipOrgRoleUpdateSync: true},
|
||||
oauthInfo: &social.OAuthInfo{Enabled: true, SkipOrgRoleSync: false},
|
||||
provider: AzureADAuthModule,
|
||||
expected: false,
|
||||
},
|
||||
{
|
||||
name: "AzureAD external user should return that it is not externally synced when the provider is not enabled",
|
||||
cfg: &setting.Cfg{},
|
||||
|
@ -1571,11 +1571,9 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
|
||||
|
||||
cfg.OAuthCookieMaxAge = auth.Key("oauth_state_cookie_max_age").MustInt(600)
|
||||
cfg.SignoutRedirectUrl = valueAsString(auth, "signout_redirect_url", "")
|
||||
|
||||
// Deprecated
|
||||
cfg.OAuthSkipOrgRoleUpdateSync = auth.Key("oauth_skip_org_role_update_sync").MustBool(false)
|
||||
if cfg.OAuthSkipOrgRoleUpdateSync {
|
||||
cfg.Logger.Warn("[Deprecated] The oauth_skip_org_role_update_sync configuration setting is deprecated. Please use skip_org_role_sync inside the auth provider section instead.")
|
||||
}
|
||||
cfg.OAuthSkipOrgRoleUpdateSync = false
|
||||
|
||||
cfg.DisableLogin = auth.Key("disable_login").MustBool(false)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user