AuthN: Lock down manual role updates for users synced through Grafana Com portal #72044

Merged
merged 1 commit into from Jul 21, 2023

@IevaVasiljeva IevaVasiljeva commented Jul 20, 2023

What is this feature?

Make sure that roles can't be manually updated for users synced through GCom.

Looks like for HG instances we enable GCom provider in [auth.grafananet] config section and not [auth.grafana_com] config section. However, we only looked at [auth.grafana_com] config section when checking if GCom auth is enabled, and therefore correctly reported that it is not enabled and that users synced through GCom auth are not externally synced.

Why do we need this feature?

User roles should either be updated manually or synced through the auth provider; we want to avoid a mix of both.

Which issue(s) does this PR fix?:

Fixes https://github.com/grafana/grafana-authnz-team/issues/247

Special notes for your reviewer:

Note that we'll roll this change out behind a feature toggle (#72202), so that we can gradually introduce this to hosted Grafana users.

Please check that:

  • It works as expected from a user's perspective.
  • If this is a pre-GA feature, it is behind a feature toggle.
  • The docs are updated, and if this is a notable improvement, it's added to our What's New doc.

@IevaVasiljeva IevaVasiljeva added no-backport Skip backport of PR no-changelog Skip including change in changelog/release notes labels Jul 20, 2023
@IevaVasiljeva IevaVasiljeva added this to the 10.1.x milestone Jul 20, 2023
@IevaVasiljeva IevaVasiljeva requested review from a team as code owners July 20, 2023 16:43
@IevaVasiljeva IevaVasiljeva requested review from sakjur, papagian and yangkb09 and removed request for a team July 20, 2023 16:43
@IevaVasiljeva IevaVasiljeva changed the title AuthN: properly lock down manual role updates for users synced through GCom AuthN: Lock down manual role updates for users synced through Grafana Com portal Jul 21, 2023
@IevaVasiljeva IevaVasiljeva merged commit 59eb2f6 into main Jul 21, 2023
23 checks passed
@IevaVasiljeva IevaVasiljeva deleted the update-gcom-enabled-check branch July 21, 2023 14:22
@IevaVasiljeva IevaVasiljeva added add to changelog and removed no-changelog Skip including change in changelog/release notes labels Jul 24, 2023
@github-actions github-actions bot added the pr/external This PR is from external contributor label Jul 24, 2023
linoman pushed a commit that referenced this pull request Jul 24, 2023
… Com portal (#72044)

take into account auth.grafananet config section when checking if gcom auth is enabled
@@ -1452,6 +1455,11 @@ func readAuthGrafanaComSettings(cfg *Cfg) {
cfg.GrafanaComSkipOrgRoleSync = sec.Key("skip_org_role_sync").MustBool(false)
}

func readAuthGrafanaNetSettings(cfg *Cfg) {
sec := cfg.SectionWithEnvOverrides("auth.grafananet")
cfg.GrafanaNetAuthEnabled = sec.Key("enabled").MustBool(false)
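
Review bot: readAuthGrafanaNetSettings reads only `enabled` from [auth.grafananet], while skip_org_role_sync is read solely from the other section, in readAuthGrafanaComSettings just above. When the provider is enabled through [auth.grafananet], this hunk does not show which section's skip_org_role_sync governs it; either read that key from this section as well, or add a comment on the function stating that cfg.GrafanaComSkipOrgRoleSync applies to both sections. A settings test that enables the provider only via [auth.grafananet] and asserts the resulting externally-synced decision would keep the two sections from drifting apart again.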

Should there be a SkipOrgRoleSync attribute there as well?
