Auth: Add skip_org_role_sync for AzureAD OAuth (#60322)

* [WIP] Auth: add backend skipOrgRoleSync to AzureAD OAuth

- add: skipOrgRoleSync
- rename: skipOrgRoleSync to skipOrgRoleSyncBase (to make it clear that
  it is the base version of SocialBase)
- add: tests for skipOrgRoleSync in AzureAD

TODO:
- [ ] frontend changes

* add: docs

* refactor: remove role from basicinfo

* add: settings for grafanacom

* add: settings for frontend

* add: logic for azureAD user skip org role

* add: docs for skip_org_role_sync

* refactor: docs a bit

* add: tests for userinfo

* refactor: to only extract if skiporgrolesync false

* refactor: based on review comments

* Update docs/sources/setup-grafana/configure-grafana/_index.md

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

* Update docs/sources/setup-grafana/configure-grafana/_index.md

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
This commit is contained in:
Eric Leijonmarck
2023-01-16 13:16:01 +01:00
committed by GitHub
parent 7e505ea49c
commit c5e74ee607
10 changed files with 217 additions and 27 deletions


@@ -849,7 +849,7 @@ Administrators can increase this if they experience OAuth login state mismatch e
### oauth_skip_org_role_update_sync
> **Note**: This option will soon be a legacy option in favor of OAuth provider specific `skip_org_role_sync` settings.
> **Note**: This option will soon be a legacy option in favor of OAuth provider specific `skip_org_role_sync` settings. The following sections explain settings for each provider.
Skip forced assignment of OrgID `1` or `auto_assign_org_id` for external logins. Default is `false`.
Use this setting to allow users with external login to be manually assigned to multiple organizations.
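Review bot: the rewritten note still says this option "will soon be a legacy option" without naming the release in which `oauth_skip_org_role_update_sync` becomes deprecated, and the appended sentence "The following sections explain settings for each provider" overstates what follows, since only the `[auth.grafana_com]` and `[auth.azuread]` sections gain a `skip_org_role_sync` entry in this change. Suggest "The following sections explain the provider-specific `skip_org_role_sync` setting for the providers that currently support it." and, if the deprecation version is known, stating it here so operators can plan the migration.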
@@ -860,13 +860,13 @@ By default, the users' organization and role is reset on every new login.
> With Grafana 10, if `oauth_skip_org_role_update_sync` option is set to `false`, users with no mapping will be
> reset to the default organization role on every login. [See `auto_assign_org_role` option]({{< relref ".#auto_assign_org_role" >}}).
### [auth.grafana_com] skip_org_role_update_sync
### [auth.grafana_com] skip_org_role_sync
To prevent synchronization of organization roles for a specific OAuth integration, you can set the `skip_org_role_sync` option to `true`. Please note that there is also a separate setting called `oauth_skip_org_role_update_sync` which has a different scope. While `skip_org_role_sync` only applies to the specific OAuth provider, `oauth_skip_org_role_update_sync` is a generic setting that affects all configured OAuth providers.
The setting `oauth_skip_org_role_update_sync` will be deprecated in favor of provider-specific settings.
The table below shows the available OAuth providers and their setting with the default value and the skip org role sync setting.
The table below show the OAuth provider and their setting with the default value and the skip org role sync setting.
| OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior |
| --- | --- | --- | --- |
| Grafana.com | false | false | will sync with Grafana.com roles |
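Review bot: the table header in this hunk names the global option `oauth_skip_org_role_sync_update`, but the setting documented two sections above and referenced in the surrounding prose is `oauth_skip_org_role_update_sync`; an operator copying the header into `grafana.ini` would set a key that does not exist and silently keep role sync enabled. Suggest `| OAuth Provider | \`oauth_skip_org_role_update_sync\` | \`skip_org_role_sync\` | Behavior |`. The heading rename from `skip_org_role_update_sync` to `skip_org_role_sync` is consistent with the new setting name; please also check that the anchor `{{< relref ".#auto_assign_org_role" >}}` in the preceding note still resolves after the heading change.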
@@ -874,6 +874,20 @@ The table below shows the available OAuth providers and their setting with the d
| Grafana.com | false | true | skip org role sync for grafana.com users |
| Grafana.com | true | true | skip org role sync for Grafana.com users and all other OAuth providers |
### [auth.azuread] skip_org_role_sync
To prevent synchronization of organization roles for a specific OAuth integration, you can set the `skip_org_role_sync` option to `true`. Please note that there is also a separate setting called `oauth_skip_org_role_update_sync` which has a different scope. While `skip_org_role_sync` only applies to the specific OAuth provider, `oauth_skip_org_role_update_sync` is a generic setting that affects all configured OAuth providers.
The setting `oauth_skip_org_role_update_sync` will be deprecated in favor of provider-specific settings.
The following table shows the OAuth providers, the default value setting, and the skip org role sync setting.
| OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior |
| --- | --- | --- | --- |
| AzureAD | false | false | will sync with AzureAD roles |
| AzureAD | true | false | skip org role sync for OAuth providers including AzureAD users |
| AzureAD | false | true | skip org role sync for AzureAD users |
| AzureAD | true | true | skip org role sync for AzureAD users and all other OAuth providers |
### api_key_max_seconds_to_live
Limit of API key seconds to live before expiration. Default is -1 (unlimited).
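Review bot: the `[auth.azuread]` table repeats the header typo `oauth_skip_org_role_sync_update` (the option is `oauth_skip_org_role_update_sync`), and the two explanatory paragraphs above it are a verbatim copy of the `[auth.grafana_com]` section, so any later correction has to be made twice; consider one shared paragraph under `oauth_skip_org_role_update_sync` with a cross-reference from each provider section. The new section also does not say what role an AzureAD user ends up with once `skip_org_role_sync` is `true` (whether the existing role is kept or `auto_assign_org_role` applies on first login), which is the detail an administrator needs before turning off IdP-driven role sync, since from then on role changes made in AzureAD no longer reach Grafana and must be managed manually. Suggest adding that sentence next to the table, mirroring the `auto_assign_org_role` note in the `oauth_skip_org_role_update_sync` section.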