[v10.0.x] LDAP: Fix user disabling #74107

Merged
merged 4 commits into from Aug 30, 2023

grafana-delivery-bot (bot, Contributor) commented Aug 30, 2023

Backport f900098 from #74016
Backport 9e52414 from #73834


What is this feature?

In v9.x releases, LDAP users used to be disabled on login if they had been removed from the LDAP directory tree.
But we had a bug: we'd also disable non-LDAP users.
In v10.x releases, with the move to the AuthBroker, we changed the approach, and even if it's still impossible to log in with a removed LDAP user, we do not disable the user anymore.
This PR intends to restore the previous behavior in the AuthBroker but also fix the disabling to only target users that logged in via LDAP.

Additionally, for a large number of LDAP users (>500 users), active sync was only retrieving a single iteration of users (max 500 users) and therefore was disabling every user that wasn't returned, considering them as deleted from the LDAP directory tree.

Why do we need this feature?

[Add a description of the problem the feature is trying to solve.]

Who is this feature for?

[Add information on what kind of user the feature is for.]

Which issue(s) does this PR fix?:

Fixes #

Special notes for your reviewer:

Please check that:

  • It works as expected from a user's perspective.
  • If this is a pre-GA feature, it is behind a feature toggle.
  • The docs are updated, and if this is a notable improvement, it's added to our What's New doc.

* [LDAP] Disable removed users on login

* Fix tests

* Add test for user disabling

* Add tests for disabling user behind auth proxy

* Linting.

* Rename setup func

* Account for review comments

Co-authored-by: Kalle Persson <kalle.persson@grafana.com>

---------

Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
(cherry picked from commit f900098)
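
The two failure modes named in the description above (disabling after reading only the first 500-entry iteration, and disabling accounts that never logged in via LDAP), reproduced as an added Go example that is not Grafana's code and not part of this PR. The `User` type, `ToDisable`, `Sample`, the `"ldap"` auth-module value and all logins are hypothetical and constructed.

```go
package main

import "fmt"

// User is a hypothetical local account; AuthModule records how it last logged in.
type User struct{ Login, AuthModule string }

// ToDisable lists the logins one sync pass would disable. pages stands in for
// the directory search results, one slice per iteration (at most 500 entries).
// allPages=false stops after the first iteration; ldapOnly=false ignores AuthModule.
func ToDisable(users []User, pages [][]string, allPages, ldapOnly bool) []string {
	found := map[string]bool{}
	for _, page := range pages {
		for _, login := range page {
			found[login] = true
		}
		if !allPages {
			break
		}
	}
	var out []string
	for _, u := range users {
		if (!ldapOnly || u.AuthModule == "ldap") && !found[u.Login] {
			out = append(out, u.Login)
		}
	}
	return out
}

// Sample returns constructed data: 1200 directory entries in pages of 500, plus
// one LDAP user removed from the directory and one built-in admin account.
func Sample() ([]User, [][]string) {
	users := []User{{"removed", "ldap"}, {"admin", ""}}
	var pages [][]string
	for i := 0; i < 1200; i++ {
		login := fmt.Sprintf("user%04d", i)
		if i%500 == 0 {
			pages = append(pages, nil)
		}
		pages[len(pages)-1] = append(pages[len(pages)-1], login)
		users = append(users, User{login, "ldap"})
	}
	return users, pages
}

func main() {
	users, pages := Sample()
	fmt.Println(len(ToDisable(users, pages, false, false))) // first page only, any auth module
	fmt.Println(ToDisable(users, pages, true, true))        // all pages, LDAP users only
}
```

A useful operational check that follows from this: a sync pass that wants to disable a large share of accounts at once is more likely a truncated directory read than a mass removal, so the size of the disable set is worth alerting on.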
grafana-delivery-bot (bot) requested a review from a team as a code owner August 30, 2023 12:30
grafana-delivery-bot (bot) requested review from eleijonmarck and kalleep and removed request for a team August 30, 2023 12:30
grafana-delivery-bot (bot) added this to the 10.0.x milestone Aug 30, 2023
grafana-delivery-bot (bot) added the area/backend, backport, no-changelog and type/bug labels Aug 30, 2023
gamab marked this pull request as draft August 30, 2023 12:39
gamab changed the title from "[v10.0.x] LDAP: Disable removed users on login" to "[v10.0.x] LDAP: Fix user disabling" Aug 30, 2023
gamab marked this pull request as ready for review August 30, 2023 12:56
gamab requested a review from a team as a code owner August 30, 2023 12:56
gamab requested review from papagian, suntala and yangkb09 and removed request for a team August 30, 2023 12:56
gamab merged commit 31b1a7b into v10.0.x Aug 30, 2023
9 checks passed
gamab deleted the backport-74016-to-v10.0.x branch August 30, 2023 14:35
gamab added the "add to changelog" label and removed the no-changelog label Sep 5, 2023
zerok modified the milestones: 10.0.x, 10.0.5 Sep 5, 2023