OAuth: Allow assigning Server Admin (#54780)

* extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback
2025-02-25 18:55:37 -06:00 · 2022-09-08 12:11:00 +02:00
parent 1353177e15
commit ef245874da
20 changed files with 561 additions and 321 deletions
--- a/docs/sources/setup-grafana/configure-security/configure-authentication/azuread.md
+++ b/docs/sources/setup-grafana/configure-security/configure-authentication/azuread.md
@@ -61,8 +61,8 @@ To enable the Azure AD OAuth2, register your application with Azure AD.
   				"allowedMemberTypes": [
   					"User"
   				],
-   				"description": "Grafana admin Users",
-   				"displayName": "Grafana Admin",
+   				"description": "Grafana org admin Users",
+   				"displayName": "Grafana Org Admin",
   				"id": "SOME_UNIQUE_ID",
   				"isEnabled": true,
   				"lang": null,
@@ -100,6 +100,30 @@ To enable the Azure AD OAuth2, register your application with Azure AD.

 1. Click on **Users and Groups** and add Users/Groups to the Grafana roles by using **Add User**.

+### Assign server administrator privileges
+
+> Available in Grafana v9.2 and later versions.
+
+If the application role received by Grafana is `GrafanaAdmin`, Grafana grants the user server administrator privileges.  
+This is useful if you want to grant server administrator privileges to a subset of users.  
+Grafana also assigns the user the `Admin` role of the default organization.
+
+The setting `allow_assign_grafana_admin` under `[auth.azuread]` must be set to `true` for this to work.  
+If the setting is set to `false`, the user is assigned the role of `Admin` of the default organization, but not server administrator privileges.
+
+```json
+{
+  "allowedMemberTypes": ["User"],
+  "description": "Grafana server admin Users",
+  "displayName": "Grafana Server Admin",
+  "id": "SOME_UNIQUE_ID",
+  "isEnabled": true,
+  "lang": null,
+  "origin": "Application",
+  "value": "GrafanaAdmin"
+}
+```
+
 ## Enable Azure AD OAuth in Grafana

 1. Add the following to the [Grafana configuration file]({{< relref "../../configure-grafana/#config-file-locations" >}}):
@@ -117,6 +141,7 @@ token_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
 allowed_domains =
 allowed_groups =
 role_attribute_strict = false
+allow_assign_grafana_admin = false
 ```

 You can also use these environment variables to configure **client_id** and **client_secret**:
--- a/docs/sources/setup-grafana/configure-security/configure-authentication/generic-oauth.md
+++ b/docs/sources/setup-grafana/configure-security/configure-authentication/generic-oauth.md
@@ -296,6 +296,27 @@ Config:
 role_attribute_path = contains(info.roles[*], 'admin') && 'Admin' || contains(info.roles[*], 'editor') && 'Editor' || 'Viewer'
 ```

+#### Map server administrator privileges
+
+> Available in Grafana v9.2 and later versions.
+
+If the application role received by Grafana is `GrafanaAdmin`, Grafana grants the user server administrator privileges.  
+This is useful if you want to grant server administrator privileges to a subset of users.  
+Grafana also assigns the user the `Admin` role of the default organization.
+
+The setting `allow_assign_grafana_admin` under `[auth.generic_oauth]` must be set to `true` for this to work.  
+If the setting is set to `false`, the user is assigned the role of `Admin` of the default organization, but not server administrator privileges.
+
+```ini
+allow_assign_grafana_admin = true
+```
+
+Example:
+
+```ini
+role_attribute_path = contains(info.roles[*], 'admin') && 'GrafanaAdmin' || contains(info.roles[*], 'editor') && 'Editor' || 'Viewer'
+```
+
 ### Groups mapping

 > Available in Grafana Enterprise v8.1 and later versions.
--- a/docs/sources/setup-grafana/configure-security/configure-authentication/github.md
+++ b/docs/sources/setup-grafana/configure-security/configure-authentication/github.md
@@ -130,6 +130,27 @@ role_attribute_path = contains(groups[*], '@github/example-group') && 'Editor' |

 Note: If a match is found in other fields, teams will be ignored.

+#### Map server administrator privileges
+
+> Available in Grafana v9.2 and later versions.
+
+If the application role received by Grafana is `GrafanaAdmin`, Grafana grants the user server administrator privileges.  
+This is useful if you want to grant server administrator privileges to a subset of users.  
+Grafana also assigns the user the `Admin` role of the default organization.
+
+The setting `allow_assign_grafana_admin` under `[auth.github]` must be set to `true` for this to work.  
+If the setting is set to `false`, the user is assigned the role of `Admin` of the default organization, but not server administrator privileges.
+
+```ini
+allow_assign_grafana_admin = true
+```
+
+Example:
+
+```ini
+role_attribute_path = [login==octocat] && 'GrafanaAdmin' || 'Viewer'
+```
+
 ### Team Sync (Enterprise only)

 > Only available in Grafana Enterprise v6.3+
--- a/docs/sources/setup-grafana/configure-security/configure-authentication/gitlab.md
+++ b/docs/sources/setup-grafana/configure-security/configure-authentication/gitlab.md
@@ -58,6 +58,9 @@ auth_url = https://gitlab.com/oauth/authorize
 token_url = https://gitlab.com/oauth/token
 api_url = https://gitlab.com/api/v4
 allowed_groups =
+role_attribute_path =
+role_attribute_strict = false
+allow_assign_grafana_admin = false
 ```

 You may have to set the `root_url` option of `[server]` for the callback URL to be
@@ -102,7 +105,7 @@ characters. Make sure you always use the group or subgroup name as it appears
 in the URL of the group or subgroup.

 Here's a complete example with `allow_sign_up` enabled, with access limited to
-the `example` and `foo/bar` groups. The example also promotes all GitLab Admins to Grafana Admins:
+the `example` and `foo/bar` groups. The example also promotes all GitLab Admins to Grafana organization admins:

 ```ini
 [auth.gitlab]
@@ -116,6 +119,8 @@ token_url = https://gitlab.com/oauth/token
 api_url = https://gitlab.com/api/v4
 allowed_groups = example, foo/bar
 role_attribute_path = is_admin && 'Admin' || 'Viewer'
+role_attribute_strict = true
+allow_assign_grafana_admin = false
 ```

 ### Map roles
@@ -126,7 +131,7 @@ For the path lookup, Grafana uses JSON obtained from querying GitLab's API [`/ap

 An example Query could look like the following:

-```bash
+```ini
 role_attribute_path = is_admin && 'Admin' || 'Viewer'
 ```

@@ -139,12 +144,33 @@ Groups can also be used to map roles. Group name (lowercased and unique) is used
 For instance, if you have a group with display name 'Example-Group' you can use the following snippet to
 ensure those members inherit the role 'Editor'.

-```bash
+```ini
 role_attribute_path = contains(groups[*], 'example-group') && 'Editor' || 'Viewer'
 ```

 Note: If a match is found in other fields, groups will be ignored.

+#### Map server administrator privileges
+
+> Available in Grafana v9.2 and later versions.
+
+If the application role received by Grafana is `GrafanaAdmin`, Grafana grants the user server administrator privileges.  
+This is useful if you want to grant server administrator privileges to a subset of users.  
+Grafana also assigns the user the `Admin` role of the default organization.
+
+The setting `allow_assign_grafana_admin` under `[auth.gitlab]` must be set to `true` for this to work.  
+If the setting is set to `false`, the user is assigned the role of `Admin` of the default organization, but not server administrator privileges.
+
+```ini
+allow_assign_grafana_admin = true
+```
+
+Example:
+
+```ini
+role_attribute_path = is_admin && 'GrafanaAdmin' || 'Viewer'
+```
+
 ### Team Sync (Enterprise only)

 > Only available in Grafana Enterprise v6.4+
--- a/docs/sources/setup-grafana/configure-security/configure-authentication/okta.md
+++ b/docs/sources/setup-grafana/configure-security/configure-authentication/okta.md
@@ -77,6 +77,27 @@ Grafana uses JSON obtained from querying the `/userinfo` endpoint for the path l

 Read about how to [add custom claims](https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/add-custom-claim/) to the user info in Okta. Also, check Generic OAuth page for [JMESPath examples]({{< relref "generic-oauth/#jmespath-examples" >}}).

+#### Map server administrator privileges
+
+> Available in Grafana v9.2 and later versions.
+
+If the application role received by Grafana is `GrafanaAdmin`, Grafana grants the user server administrator privileges.  
+This is useful if you want to grant server administrator privileges to a subset of users.  
+Grafana also assigns the user the `Admin` role of the default organization.
+
+The setting `allow_assign_grafana_admin` under `[auth.okta]` must be set to `true` for this to work.  
+If the setting is set to `false`, the user is assigned the role of `Admin` of the default organization, but not server administrator privileges.
+
+```ini
+allow_assign_grafana_admin = true
+```
+
+Example:
+
+```ini
+role_attribute_path = contains(groups[*], 'admin') && 'GrafanaAdmin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'
+```
+
 ### Team Sync (Enterprise only)

 Map your Okta groups to teams in Grafana so that your users will automatically be added to