Auth: Enforce role sync except if skip org role sync is enabled #70766
Conversation
Jguer
requested review from
linoman and
IevaVasiljeva
and removed request for
a team
There was a problem hiding this comment.
Mostly looks good, but I added some questions about:
- the behaviour when
roleAttributeStrictis set for generic OAuth; - the role that we should default to if default org role is not set in the config;
- the use of
errutil.
I think we should also update the description of auto_assign_org_role in the config and docs, as it's currently not very accurate ("# Default role new users will be automatically assigned (if auto_assign_org above is set to true)"). I'm happy to handle docs as part of the docs work, but I think we should update the description in config files now.
| errRoleAttributePathNotSet = errutil.NewBase(errutil.StatusBadRequest, | ||
| "oauth.role_attribute_path_not_set", | ||
| errutil.WithPublicMessage("Instance role_attribute_path misconfigured, please contact your administrator")) |
There was a problem hiding this comment.
I'm not sure the errors will be parsed correctly, as we seem to use errutil error where this error is returned: https://github.com/grafana/grafana/blob/main/pkg/services/authn/clients/oauth.go#L125
Maybe it's fine, but worth testing (I can give it a go if you want).
pkg/login/social/social.go
Outdated
| if role != "" { | ||
| return "", false, errInvalidRole.Errorf("invalid role: %s", role) |
There was a problem hiding this comment.
Note: looks like we already check that the role is valid when we read the settings: https://github.com/grafana/grafana/blob/main/pkg/setting/setting.go#L1641 But I guess it doesn't hurt to do it twice.
pkg/login/social/generic_oauth.go
Outdated
| } | ||
| } | ||
| if (userInfo.Role == "" || userInfo.Role == s.defaultRole()) && !s.skipOrgRoleSync { | ||
| role, grafanaAdmin, err := s.extractRoleAndAdmin(data.rawJSON, []string{}, true) |
There was a problem hiding this comment.
This will fail if we fail to get the role from the token and roleAttributeStrict, right? I think we should allow for the role to be extracted from the API.
Jguer
requested review from
papagian,
zserge,
suntala,
IevaVasiljeva and
mgyongyosi
and removed request for
a team
| } else if role != "" { | ||
| return "", false, errInvalidRole.Errorf("invalid role: %s", role) |
There was a problem hiding this comment.
question: should we fail if an invalid role is found? Or just if the role is invalid + roleAttributeStrict is set?
There was a problem hiding this comment.
we'll only log and fallthrough to the next method.
After the 2 methods are evaluated we'll set to default role if the role is still "".
|
|
||
| func (s *SocialBase) extractRoleAndAdmin(rawJSON []byte, groups []string) (org.RoleType, bool, error) { | ||
| role, gAdmin, err := s.extractRoleAndAdminOptional(rawJSON, groups) | ||
| if role == "" { |
There was a problem hiding this comment.
question: should we still set the role to default even if an error is returned?
There was a problem hiding this comment.
fixed so it's only handled after the 2 methods
| role, grafanaAdmin, err := s.extractRoleAndAdminOptional(data.rawJSON, []string{}) | ||
| if err != nil { |
There was a problem hiding this comment.
I still don't think we can return an error here - this would fail if roleAttributeStrict is set to true, but the role is being sent through the user info endpoint (it would fail, as the role won't be successfully parsed from the token).
There was a problem hiding this comment.
fixed so role attribute strict is only evaluated after the 2 methods
Jguer
added
breaking change
There was a problem hiding this comment.
LGTM, great job! 🙂
I like how tidy the extractRoleAndAdmin code is.
Food for thought: Would it be possible to use extractRoleAndAdmin for AzureAD as well with a default role_attribute_path correctly set? To have all providers falling back on the same function.
| @@ -1645,7 +1646,11 @@ func readUserSettings(iniFile *ini.File, cfg *Cfg) error { | |||
| AllowUserOrgCreate = users.Key("allow_org_create").MustBool(true) | |||
| cfg.AutoAssignOrg = users.Key("auto_assign_org").MustBool(true) | |||
| cfg.AutoAssignOrgId = users.Key("auto_assign_org_id").MustInt(1) | |||
| cfg.AutoAssignOrgRole = users.Key("auto_assign_org_role").In("Editor", []string{"Editor", "Admin", "Viewer"}) | |||
| cfg.AutoAssignOrgRole = users.Key("auto_assign_org_role").In( | |||
| string(roletype.RoleViewer), []string{ | |||
There was a problem hiding this comment.
Seems more logic to be in line with defaults.ini 😄
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* enforce role sync except if skip org role sync is enabled * move errors to errors file and set codes * fix docs and defaults * remove legacy parameter * support fall through token-api in generic oauth * fix error handling for generic_oauth * Update pkg/login/social/generic_oauth.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/login/social/gitlab_oauth_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/login/social/gitlab_oauth_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
What is this feature?
If the information provided by the identity provider is empty, make the idP set the default org role.
Use
skip_org_role_syncto leave it emptyUse
role_attribute_strictto ensure it gets set by the idPRelease notice breaking change
This change impacts GitHub OAuth, Gitlab OAuth, Okta OAuth and Generic OAuth
Currently if no organization role mapping is found for a user when connecting via OAuth, Grafana doesn’t update the user’s organization role.
With Grafana 10.1, on every login, if the role_attribute_path property does not return a role, then the user is assigned the role specified by the auto_assign_org_role option.
To avoid overriding manually set roles, enable the
skip_org_role_syncoption in the Grafana configuration for your OAuth provider.