opensource/grafana
1
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-08-02 17:22:18 +08:00
Code Issues Packages Projects Releases Wiki Activity

Auth: Add skip_org_role_sync to GitLab OAuth (#62055)

Browse Source 
* Auth: Add skip_org_role_sync to GitLab OAuth

- add: tests
- docs added

* Update pkg/login/social/gitlab_oauth.go

Co-authored-by: Karl Persson <kalle.persson@grafana.com>

* fix: for import

Co-authored-by: Karl Persson <kalle.persson@grafana.com>
This commit is contained in:
Eric Leijonmarck
2023-01-25 13:39:54 +01:00
committed by GitHub
parent 5f6616ff3e
commit 143ee0c49f
11 changed files with 85 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
docs/sources/setup-grafana/configure-grafana/_index.md
View File

@ -904,6 +904,21 @@ The following table shows the OAuth provider's setting with the default value an
| Google | false | true | User organization roles are set with `defaultRole` and the org role can be changed for Google synced users. |
| Google | true | true | User organization roles are set with `defaultRole` for Google. For other providers, the synchronization will be skipped, and the org role can be changed, along with other OAuth provider users' org roles. |
### [auth.gitlab] skip_org_role_sync
When a user logs in the first time, Grafana sets the organization role based on the value specified in `AutoAssignOrgRole`. If you want to manage organization roles, set the `skip_org_role_sync` option to `true`. GitLab syncs organization roles and sets Grafana Admins.
This also impacts `allow_assign_grafana_admin` setting, by not syncing the grafana admin role from GitLab.
> **Note:** There is a separate setting called `oauth_skip_org_role_update_sync` which has a different scope. While `skip_org_role_sync` only applies to the specific OAuth provider, `oauth_skip_org_role_update_sync` is a generic setting that affects all configured OAuth providers.
The following table shows the OAuth provider's setting with the default value and the skip org role sync setting.
| OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior |
| --- | --- | --- | --- |
| GitLab | false | false | User organization roles are set with `defaultRole` and cannot be changed |
| Github | true | false | User organization roles are set with `defaultRole` for GitLab, and Grafana Admins are set. For other providers, the synchronization is skipped, and the org role can be changed, along with other OAuth provider users' org roles. |
| GitLab | false | true | User organization roles are set with `defaultRole`, and the organization role can be changed for GitLab synced users. |
| GitLab | true | true | User organization roles are set with `defaultRole` for GitLab. For other providers, the synchronization is skipped, and the org role can be changed, along with other OAuth provider users' org roles. |
### api_key_max_seconds_to_live
Limit of API key seconds to live before expiration. Default is -1 (unlimited).

13
docs/sources/setup-grafana/configure-security/configure-authentication/gitlab/index.md
View File

@ -223,3 +223,16 @@ the correct teams.
Your GitLab groups can be referenced in the same way as `allowed_groups`, like `example` or `foo/bar`.
[Learn more about Team Sync]({{< relref "../../configure-team-sync/" >}})
## Skip organization role sync
To prevent the sync of organization roles from GitLab, set `skip_org_role_sync` to `true`. This is useful if you want to manage the organization roles for your users from within Grafana.
This also impacts the `allow_assign_grafana_admin` setting by not syncing the Grafana admin role from GitLab.
```ini
[auth.gitlab]
# ..
# prevents the sync of org roles from Github
skip_org_role_sync = true
``
```