
Auth: Lock down Grafana admin role updates if the role is externally synced #72677

Merged
merged 8 commits into from Aug 1, 2023

Conversation

IevaVasiljeva

What is this feature?

Roles should either be manually updated or externally synced. If they are externally synced, we lock manual role updates.

Why do we need this feature?

For clearer and more secure role management.

Who is this feature for?

Anyone who uses external auth providers to sync users' roles.

Special notes for your reviewer:

Please check that:

  • It works as expected from a user's perspective.
  • If this is a pre-GA feature, it is behind a feature toggle.
  • The docs are updated, and if this is a notable improvement, it's added to our What's New doc.
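The rule the PR describes (the Grafana Admin flag is either managed by hand or synced from an external provider, never both) in working form, as an added example that is not Grafana's code. Only `cfg.JWTAuthAllowAssignGrafanaAdmin`, the `oauth_` module prefix and the OAuth provider's `AllowAssignGrafanaAdmin` switch come from the PR; the `Config` struct, the LDAP field and the `UpdateGrafanaAdmin` write path are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Config is a constructed stand-in for the settings the decision needs.
// JWTAuthAllowAssignGrafanaAdmin mirrors the field used in the PR; the
// LDAP and per-provider OAuth fields are assumptions for this example.
type Config struct {
	JWTAuthAllowAssignGrafanaAdmin bool
	LDAPAllowAssignGrafanaAdmin    bool            // assumed equivalent switch for LDAP
	OAuthAllowAssignGrafanaAdmin   map[string]bool // assumed: provider name -> allow_assign_grafana_admin
}

// AuthInfo is the stored link between a user and the provider that authenticated it.
// AuthModule uses the naming seen in the PR, e.g. "jwt", "ldap", "oauth_github".
type AuthInfo struct {
	AuthModule string
}

// IsGrafanaAdminExternallySynced reports whether the Grafana Admin flag of this
// user is owned by an external provider. When it is, manual edits must be refused.
// A user without auth info (local account, basic auth) is never synced.
func IsGrafanaAdminExternallySynced(cfg Config, info *AuthInfo) bool {
	if info == nil {
		return false
	}
	switch {
	case info.AuthModule == "jwt":
		return cfg.JWTAuthAllowAssignGrafanaAdmin
	case info.AuthModule == "ldap":
		return cfg.LDAPAllowAssignGrafanaAdmin
	case strings.HasPrefix(info.AuthModule, "oauth_"):
		// Only strip the prefix for real OAuth modules; a missing provider means "not synced".
		return cfg.OAuthAllowAssignGrafanaAdmin[strings.TrimPrefix(info.AuthModule, "oauth_")]
	default:
		// auth proxy, SAML and anything else: no admin-role sync, manual management applies.
		return false
	}
}

// ErrAdminRoleSynced is returned when a manual update is blocked by the lock.
var ErrAdminRoleSynced = errors.New("grafana admin role is externally synced and cannot be changed manually")

// UpdateGrafanaAdmin is the server-side write path. The check runs here, not only in
// the UI, so a direct API call cannot bypass the lock. It returns the flag value that
// is in effect after the call.
func UpdateGrafanaAdmin(cfg Config, info *AuthInfo, current, requested bool) (bool, error) {
	if IsGrafanaAdminExternallySynced(cfg, info) {
		return current, ErrAdminRoleSynced
	}
	return requested, nil
}

func main() {
	// Constructed configuration: JWT and the github OAuth provider may assign the role.
	cfg := Config{
		JWTAuthAllowAssignGrafanaAdmin: true,
		OAuthAllowAssignGrafanaAdmin:   map[string]bool{"github": true, "gitlab": false},
	}
	for _, info := range []*AuthInfo{nil, {"jwt"}, {"ldap"}, {"oauth_github"}, {"oauth_gitlab"}, {"authproxy"}} {
		got, err := UpdateGrafanaAdmin(cfg, info, false, true)
		name := "local"
		if info != nil {
			name = info.AuthModule
		}
		fmt.Printf("%-13s -> isAdmin=%v err=%v\n", name, got, err)
	}
}
```

The lock is evaluated on the write path, so the frontend change the PR mentions is a usability measure and the backend check is the security boundary.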

@grafana-delivery-bot

Hello @IevaVasiljeva!
Backport pull requests need to be either:

  • Pull requests which address bugs,
  • Urgent fixes which need product approval, in order to get merged,
  • Docs changes.

Please, if the current pull request addresses a bug fix, label it with the type/bug label.
If it already has the product approval, please add the product-approved label. For docs changes, please add the type/docs label.
If the pull request modifies CI behaviour, please add the type/ci label.
If none of the above applies, please consider removing the backport label and target the next major/minor release.
Thanks!

return cfg.JWTAuthAllowAssignGrafanaAdmin
default:
return oAuthAndAllowAssignGrafanaAdmin
}
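Review bot: the default branch returns oAuthAndAllowAssignGrafanaAdmin for every auth module that is not JWT, so a non-OAuth module such as LDAP is only handled correctly if the switch has an explicit case for it above this snippet; as the thread confirms LDAP can also sync the Grafana Admin role, the switch should carry a dedicated ldap case (the commit "add LDAP to providers for which Grafana Server admin role can be synced" suggests it was added) and the default branch deserves a comment saying it covers OAuth modules only.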
IevaVasiljeva (Contributor, author)

question: am I correct in assuming that Grafana Admin role can only be synced for JWT and OAuth providers?

I'm also not keen on the variable naming here, but couldn't come up with anything better.

Contributor

I think only JWT, OAuth and LDAP

IevaVasiljeva (Contributor, author)

Thanks for the heads up about LDAP, I had missed that one.

@IevaVasiljeva IevaVasiljeva changed the title Auth: lock down Grafana admin role updates if the role is externally synced Auth: Lock down Grafana admin role updates if the role is externally synced Aug 1, 2023
Comment on lines +172 to +175
oAuthAndAllowAssignGrafanaAdmin := false
if oauthInfo := hs.SocialService.GetOAuthInfoProvider(strings.TrimPrefix(authInfo.AuthModule, "oauth_")); oauthInfo != nil {
oAuthAndAllowAssignGrafanaAdmin = oauthInfo.AllowAssignGrafanaAdmin
}
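Review bot: the "oauth_" prefix is stripped before the lookup, but a non-OAuth module such as jwt or ldap is passed to GetOAuthInfoProvider unchanged and the code relies on it returning nil to keep oAuthAndAllowAssignGrafanaAdmin false; guarding the call with `if strings.HasPrefix(authInfo.AuthModule, "oauth_")` (or a comment stating that a nil result is the expected non-OAuth case) would make that intent explicit, and the surrounding code must already guarantee authInfo is non-nil before this dereference.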
IevaVasiljeva (Contributor, author)

note: annoyingly, I couldn't pass in the whole oauthInfo or SocialService, as that creates a circular dependency.

@IevaVasiljeva IevaVasiljeva merged commit d3b481d into main Aug 1, 2023
13 checks passed
@IevaVasiljeva IevaVasiljeva deleted the lock-down-server-admin-updates branch August 1, 2023 15:39
@grafana-delivery-bot

The backport to v10.1.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new branch
git switch --create backport-72677-to-v10.1.x origin/v10.1.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x d3b481dac87aaeae26195bbedfd80ed33a1cebed
# When the conflicts are resolved, stage and commit the changes
git add . && git cherry-pick --continue

If you have the GitHub CLI installed:

# Create the PR body template
PR_BODY=$(gh pr view 72677 --json body --template 'Backport d3b481dac87aaeae26195bbedfd80ed33a1cebed from #72677{{ "\n\n---\n\n" }}{{ index . "body" }}')
# Push the branch to GitHub and a PR
echo "${PR_BODY}" | gh pr create --title "[v10.1.x] Auth: Lock down Grafana admin role updates if the role is externally synced" --body-file - --label "type/bug" --label "area/backend" --label "area/frontend" --label "add to changelog" --label "backport" --base v10.1.x --milestone 10.1.x --web

Or, if you don't have the GitHub CLI installed (we recommend you install it!):

# If you don't have the GitHub CLI installed: Push the branch to GitHub and manually create a PR:
git push --set-upstream origin backport-72677-to-v10.1.x
# Remove the local backport branch
git switch main
git branch -D backport-72677-to-v10.1.x

Unless you've used the GitHub CLI above, now create a pull request where the base branch is v10.1.x and the compare/head branch is backport-72677-to-v10.1.x.

@grafana-delivery-bot grafana-delivery-bot bot added the backport-failed Failed to generate backport PR. Please resolve conflicts and create one manually. label Aug 1, 2023
sarahzinger pushed a commit that referenced this pull request Aug 1, 2023
…synced (#72677)

* lock down server admin role updates on the frontend if the user is externally synced

* add tests

* lock Grafana Server admin role updates from the backend

* rename variables

* check that the user has auth info

* add LDAP to providers for which Grafana Server admin role can be synced

* linting
chauchausoup pushed a commit to chauchausoup/grafana that referenced this pull request Sep 15, 2023
…synced (grafana#72677)

* lock down server admin role updates on the frontend if the user is externally synced

* add tests

* lock Grafana Server admin role updates from the backend

* rename variables

* check that the user has auth info

* add LDAP to providers for which Grafana Server admin role can be synced

* linting
@zerok zerok modified the milestones: 10.2.x, 10.2.0 Oct 23, 2023
Labels
add to changelog area/backend area/frontend backport v10.1.x backport-failed Failed to generate backport PR. Please resolve conflicts and create one manually. type/bug