Auth: Lock down Grafana admin role updates if the role is externally synced #72677
Conversation
Hello @IevaVasiljeva!
Please, if the current pull request addresses a bug fix, label it with the

```go
	return cfg.JWTAuthAllowAssignGrafanaAdmin
default:
	return oAuthAndAllowAssignGrafanaAdmin
}
```
question: am I correct in assuming that Grafana Admin role can only be synced for JWT and OAuth providers?
I'm also not keen on the variable naming here, but couldn't come up with anything better.
I think only JWT, OAuth and LDAP
Thanks for the heads up about LDAP, I had missed that one.
```go
oAuthAndAllowAssignGrafanaAdmin := false
if oauthInfo := hs.SocialService.GetOAuthInfoProvider(strings.TrimPrefix(authInfo.AuthModule, "oauth_")); oauthInfo != nil {
	oAuthAndAllowAssignGrafanaAdmin = oauthInfo.AllowAssignGrafanaAdmin
}
```
note: annoyingly, I couldn't pass in the whole oauthInfo or SocialService, as that creates a circular dependency.
The backport to

To backport manually, run these commands in your terminal:

```shell
# Fetch latest updates from GitHub
git fetch
# Create a new branch
git switch --create backport-72677-to-v10.1.x origin/v10.1.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x d3b481dac87aaeae26195bbedfd80ed33a1cebed
# When the conflicts are resolved, stage and commit the changes
git add . && git cherry-pick --continue
```

If you have the GitHub CLI installed:

```shell
# Create the PR body template
PR_BODY=$(gh pr view 72677 --json body --template 'Backport d3b481dac87aaeae26195bbedfd80ed33a1cebed from #72677{{ "\n\n---\n\n" }}{{ index . "body" }}')
# Push the branch to GitHub and a PR
echo "${PR_BODY}" | gh pr create --title "[v10.1.x] Auth: Lock down Grafana admin role updates if the role is externally synced" --body-file - --label "type/bug" --label "area/backend" --label "area/frontend" --label "add to changelog" --label "backport" --base v10.1.x --milestone 10.1.x --web
```

Or, if you don't have the GitHub CLI installed (we recommend you install it!):

```shell
# If you don't have the GitHub CLI installed: Push the branch to GitHub and manually create a PR:
git push --set-upstream origin backport-72677-to-v10.1.x
# Remove the local backport branch
git switch main
git branch -D backport-72677-to-v10.1.x
```

Unless you've used the GitHub CLI above, now create a pull request where the
…synced (#72677)

* lock down server admin role updates on the frontend if the user is externally synced
* add tests
* lock Grafana Server admin role updates from the backend
* rename variables
* check that the user has auth info
* add LDAP to providers for which Grafana Server admin role can be synced
* linting
What is this feature?
Roles should either be manually updated or externally synced. If they are externally synced, we lock manual role updates.
Why do we need this feature?
For clearer and more secure role management.
Who is this feature for?
Anyone who uses external auth providers to sync users' roles.
Special notes for your reviewer:
Please check that:
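The guard this PR describes, written out as an added example that is not Grafana's own code: the `Config`, `AuthInfo`, auth-module strings (`"jwt"`, `"ldap"`, the `"oauth_"` prefix) and the `LDAPAllowAssignGrafanaAdmin` / `OAuthAllowAssignGrafanaAdmin` fields are assumptions modelled on the snippets in the review above, and the OAuth lookup replaces the real `SocialService.GetOAuthInfoProvider` call with a map. It shows the three provider kinds the reviewers agreed on (JWT, OAuth, LDAP), the "no auth info means locally created user" case from the commit message, and the refusal path that keeps the current value so the identity provider stays the single source of truth for the Grafana Admin flag.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Auth module identifiers as recorded in a user's auth info.
// Assumed values for this example, not Grafana's own constants.
const (
	authModuleJWT  = "jwt"
	authModuleLDAP = "ldap"
	oauthPrefix    = "oauth_" // OAuth modules are stored as "oauth_<provider>"
)

// Config holds the subset of settings that decide whether an external provider
// may assign the Grafana Admin flag. JWTAuthAllowAssignGrafanaAdmin mirrors the
// field used in the PR; the LDAP and OAuth fields are assumptions for this example.
type Config struct {
	JWTAuthAllowAssignGrafanaAdmin bool
	LDAPAllowAssignGrafanaAdmin    bool
	OAuthAllowAssignGrafanaAdmin   map[string]bool // keyed by provider name, e.g. "github"
}

// AuthInfo is the per-user record of which module authenticated the user.
type AuthInfo struct {
	AuthModule string
}

// ErrGrafanaAdminExternallySynced is returned when a manual update is refused.
var ErrGrafanaAdminExternallySynced = errors.New("grafana admin role is externally synced and cannot be updated manually")

// isGrafanaAdminExternallySynced reports whether the module that authenticated
// the user is configured to manage the Grafana Admin flag. Only JWT, LDAP and
// OAuth providers can sync it; any other module, or an OAuth provider without
// allow_assign_grafana_admin, leaves the flag under manual control.
func isGrafanaAdminExternallySynced(cfg Config, authModule string) bool {
	switch {
	case authModule == authModuleJWT:
		return cfg.JWTAuthAllowAssignGrafanaAdmin
	case authModule == authModuleLDAP:
		return cfg.LDAPAllowAssignGrafanaAdmin
	case strings.HasPrefix(authModule, oauthPrefix):
		provider := strings.TrimPrefix(authModule, oauthPrefix)
		return cfg.OAuthAllowAssignGrafanaAdmin[provider] // missing provider yields false
	default:
		return false
	}
}

// UpdateGrafanaAdmin is the check a handler runs before persisting a manual
// change to the Grafana Admin flag. A nil authInfo means the user was created
// locally with no external provider, so manual updates stay allowed. When the
// role is externally synced the current value is kept and an error is returned.
func UpdateGrafanaAdmin(cfg Config, authInfo *AuthInfo, current, requested bool) (bool, error) {
	if authInfo != nil && isGrafanaAdminExternallySynced(cfg, authInfo.AuthModule) {
		return current, ErrGrafanaAdminExternallySynced
	}
	return requested, nil
}

func main() {
	// Constructed configuration: JWT and GitHub OAuth may assign the flag,
	// Google OAuth and LDAP may not.
	cfg := Config{
		JWTAuthAllowAssignGrafanaAdmin: true,
		OAuthAllowAssignGrafanaAdmin:   map[string]bool{"github": true, "google": false},
	}
	cases := []struct {
		name string
		info *AuthInfo
	}{
		{"local user", nil},
		{"github oauth", &AuthInfo{AuthModule: "oauth_github"}},
		{"google oauth", &AuthInfo{AuthModule: "oauth_google"}},
		{"ldap", &AuthInfo{AuthModule: authModuleLDAP}},
		{"jwt", &AuthInfo{AuthModule: authModuleJWT}},
	}
	for _, c := range cases {
		got, err := UpdateGrafanaAdmin(cfg, c.info, false, true)
		fmt.Printf("%-12s -> isGrafanaAdmin=%v err=%v\n", c.name, got, err)
	}
}
```

The handler returns the unchanged `current` value alongside the error rather than silently dropping the request, so a caller can render the existing state and a 403-style message; the frontend lock described in the commit message is a usability layer on top of this, not a replacement for it.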