LDAP: No longer shows incorrectly matching groups based on role in debug page #20018
Conversation
Org Role was used as a shortcut to figure out what groups were matching and which weren't. That lead to too all groups matching a specific role to show up for a user if that user got that role.
There was a problem hiding this comment.
I think we can simplify the code a bit by combining the to for loops:
So instead of looping over config groups then user groups (nested), and then user groups again. Should be the same as below:
orgRoles := []LDAPRoleDTO{}
for _, userGroup := range user.Groups {
matches := false
for _, configGroup := range serverConfig.Groups {
if configGroup.GroupDN == userGroup {
r := &LDAPRoleDTO{GroupDN: configGroup.GroupDN, OrgId: configGroup.OrgId, OrgRole: configGroup.OrgRole}
orgRoles = append(orgRoles, *r)
matches = true
break
}
}
if !matches {
r := &LDAPRoleDTO{GroupDN: userGroup}
orgRoles = append(orgRoles, *r)
}
}
The order of groups in the ldap.toml file is important, only the first match for an organisation will be used. This means we have to iterate based on the config and stop matching when a match is found. We might want to think about showing further matches as potential matches that are shadowed by the first match. That would possibly make it easier to understand why one match is used instead of another one.
|
@torkelo As we match groups based on the order of configs in the toml file I don't think we can do it quite this cleanly (thanks for pointing this out @gotjosh). It seems we need to match based on the toml config as only the first matching role for an org will be used. (We could consider choosing to show the others as matching as well if we have a way to signify that they are being shadowed by the first match). If we choose to iterate based on the user's groups we wouldn't know what the first match was. I've rewritten the code in a way that seems to match what the real LDAP mapping code is doing. It doesn't look great though as it ends up with a for -> if -> for cycle. I'll see if it's possible to clean that up a bit tomorrow. I am wondering if it would be possible to expose more meta-data about the mappings from the LDAP code rather than re-creating the logic here. |
|
Regarding the fact that only the first match is used (per org). Not sure what is best here. Not showing "Match" and listing them as "No Match" feels wrong as well as it might give the impression that the group is specified wrongly in the ldap toml. As long as we list them in the same way as they mappings are specified in the toml file so that the used match & role is first then maybe that is best? We should probably change so the order or mappings is not used and that the highest role/permission instead wins. (But not in this PR). |
|
I agree, showing as I agree. While the it is working now makes it possible to create more creative configuration, I think it's likely that we're paying too much for that power by making our code more complicated and the LDAP config harder to understand. |
Co-Authored-By: gotjosh <josue.abreu@gmail.com>
Co-Authored-By: gotjosh <josue.abreu@gmail.com>
…#20018) * LDAP Debug: No longer shows incorrectly matching groups based on role Org Role was used as a shortcut to figure out what groups were matching and which weren't. That lead to too all groups matching a specific role to show up for a user if that user got that role. * LDAP Debug: Fixes ordering of matches The order of groups in the ldap.toml file is important, only the first match for an organisation will be used. This means we have to iterate based on the config and stop matching when a match is found. We might want to think about showing further matches as potential matches that are shadowed by the first match. That would possibly make it easier to understand why one match is used instead of another one. * LDAP Debug: never display more than one match for the same LDAP group/mapping. * LDAP Debug: show all matches, even if they aren't used * Update public/app/features/admin/ldap/LdapUserGroups.tsx Co-Authored-By: gotjosh <josue.abreu@gmail.com> * Update public/app/features/admin/ldap/LdapUserGroups.tsx Co-Authored-By: gotjosh <josue.abreu@gmail.com> (cherry picked from commit 730bedf)
* SingleStat: apply mappings to no data response (#19951) (cherry picked from commit 8232659) * DataLinks: Fix blur issues (#19883) (cherry picked from commit a1e8157) * Docker: makes it possible to parse timezones in the docker image (#20081) (cherry picked from commit e940edc) * Backport: Bump crewjam/saml to the latest master Ref: #20126 * LDAP Debug: No longer shows incorrectly matching groups based on role (#20018) * LDAP Debug: No longer shows incorrectly matching groups based on role Org Role was used as a shortcut to figure out what groups were matching and which weren't. That lead to too all groups matching a specific role to show up for a user if that user got that role. * LDAP Debug: Fixes ordering of matches The order of groups in the ldap.toml file is important, only the first match for an organisation will be used. This means we have to iterate based on the config and stop matching when a match is found. We might want to think about showing further matches as potential matches that are shadowed by the first match. That would possibly make it easier to understand why one match is used instead of another one. * LDAP Debug: never display more than one match for the same LDAP group/mapping. * LDAP Debug: show all matches, even if they aren't used * Update public/app/features/admin/ldap/LdapUserGroups.tsx Co-Authored-By: gotjosh <josue.abreu@gmail.com> * Update public/app/features/admin/ldap/LdapUserGroups.tsx Co-Authored-By: gotjosh <josue.abreu@gmail.com> (cherry picked from commit 730bedf) * LDAP: All LDAP servers should be tried even if one of them returns a connection error (#20077) All ldap servers are now being tried and the first one that gives back an answer is used if a previous one is failing. Applies to login and syncing (cherry picked from commit cce5557) * mysql: fix encoding in connection string (#20192) (cherry picked from commit 19dbd27) * release 6.4.4 * Settings: fix deprecation error
marefr
changed the title
marefr
changed the title
What this PR does / why we need it:
No longer show all groups that gives a specific Org Role for a user that gets that role from one of them.
Which issue(s) this PR fixes:
Fixes #20016
Special notes for your reviewer: