Revert "Anonymous: Enforce org role Viewer setting (#102070)" (#103043)

This reverts commit e216c2f29d.
2 months ago · 180f579f18
parent ae0bcbd006
commit 180f579f18
8 changed files with 35 additions and 5 deletions
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@ -677,6 +677,9 @@ enabled = false
 # specify organization name that should be used for unauthenticated users
 org_name = Main Org.

+# specify role for unauthenticated users
+org_role = Viewer
+
 # mask the Grafana version number for unauthenticated users
 hide_version = false

--- a/conf/sample.ini
+++ b/conf/sample.ini
@ -665,6 +665,9 @@
 # specify organization name that should be used for unauthenticated users
 ;org_name = Main Org.

+# specify role for unauthenticated users
+;org_role = Viewer
+
 # mask the Grafana version number for unauthenticated users
 ;hide_version = false

--- a/docs/sources/setup-grafana/configure-security/configure-authentication/anonymous-auth/index.md
+++ b/docs/sources/setup-grafana/configure-security/configure-authentication/anonymous-auth/index.md
@ -54,6 +54,9 @@ enabled = true
 # Organization name that should be used for unauthenticated users
 org_name = Main Org.

+# Role for unauthenticated users, other valid values are `Editor` and `Admin`
+org_role = Viewer
+
 # Hide the Grafana version text from the footer and help tooltip for unauthenticated users (default: false)
 hide_version = true

--- a/pkg/services/accesscontrol/dualwrite/collectors.go
+++ b/pkg/services/accesscontrol/dualwrite/collectors.go
@ -10,7 +10,6 @@ import (
 	authzextv1 "github.com/grafana/grafana/pkg/services/authz/proto/v1"
 	"github.com/grafana/grafana/pkg/services/authz/zanzana"
 	"github.com/grafana/grafana/pkg/services/folder"
-	"github.com/grafana/grafana/pkg/services/org"
 	"github.com/grafana/grafana/pkg/setting"
 )

@ -470,7 +469,7 @@ func fixedRolePermissionsCollector(store db.DB) legacyTupleCollector {
 func anonymousRoleBindingsCollector(cfg *setting.Cfg, store db.DB) legacyTupleCollector {
 	return func(ctx context.Context, orgID int64) (map[string]map[string]*openfgav1.TupleKey, error) {
 		tuples := make(map[string]map[string]*openfgav1.TupleKey)
-		object := zanzana.NewTupleEntry(zanzana.TypeRole, zanzana.TranslateBasicRole(string(org.RoleViewer)), "")
+		object := zanzana.NewTupleEntry(zanzana.TypeRole, zanzana.TranslateBasicRole(cfg.Anonymous.OrgRole), "")
 		// Object should be set to delete obsolete permissions
 		tuples[object] = make(map[string]*openfgav1.TupleKey)

--- a/pkg/services/anonymous/anonimpl/client.go
+++ b/pkg/services/anonymous/anonimpl/client.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"net/http"
+	"strings"

 	claims "github.com/grafana/authlib/types"
 	"github.com/grafana/grafana/pkg/apimachinery/errutil"
@ -93,6 +94,18 @@ func (a *Anonymous) ResolveIdentity(ctx context.Context, orgID int64, typ claims
 	return a.newAnonymousIdentity(o), nil
 }

+func (a *Anonymous) UsageStatFn(ctx context.Context) (map[string]any, error) {
+	m := map[string]any{}
+
+	// Add stats about anonymous auth
+	m["stats.anonymous.customized_role.count"] = 0
+	if !strings.EqualFold(a.cfg.Anonymous.OrgRole, "Viewer") {
+		m["stats.anonymous.customized_role.count"] = 1
+	}
+
+	return m, nil
+}
+
 func (a *Anonymous) Priority() uint {
 	return 100
 }
@ -103,7 +116,7 @@ func (a *Anonymous) newAnonymousIdentity(o *org.Org) *authn.Identity {
 		Type:         claims.TypeAnonymous,
 		OrgID:        o.ID,
 		OrgName:      o.Name,
-		OrgRoles:     map[int64]org.RoleType{o.ID: org.RoleViewer},
+		OrgRoles:     map[int64]org.RoleType{o.ID: org.RoleType(a.cfg.Anonymous.OrgRole)},
 		ClientParams: authn.ClientParams{SyncPermissions: true},
 	}
 }
--- a/pkg/services/anonymous/anonimpl/client_test.go
+++ b/pkg/services/anonymous/anonimpl/client_test.go
@ -31,6 +31,7 @@ func TestAnonymous_Authenticate(t *testing.T) {
 			org:  &org.Org{ID: 1, Name: "some org"},
 			cfg: &setting.Cfg{
 				Anonymous: setting.AnonymousSettings{
+					OrgRole: "Viewer",
 					OrgName: "some org",
 				},
 			},
@ -40,6 +41,7 @@ func TestAnonymous_Authenticate(t *testing.T) {
 			err:  fmt.Errorf("some error"),
 			cfg: &setting.Cfg{
 				Anonymous: setting.AnonymousSettings{
+					OrgRole: "Viewer",
 					OrgName: "some org",
 				},
 			},
@ -65,6 +67,7 @@ func TestAnonymous_Authenticate(t *testing.T) {
 				assert.Equal(t, "anonymous:0", user.GetID())
 				assert.Equal(t, tt.org.ID, user.OrgID)
 				assert.Equal(t, tt.org.Name, user.OrgName)
+				assert.Equal(t, tt.cfg.Anonymous.OrgRole, string(user.GetOrgRole()))
 			}
 		})
 	}
--- a/pkg/services/searchV2/service.go
+++ b/pkg/services/searchV2/service.go
@ -165,7 +165,7 @@ func (s *StandardSearchService) getUser(ctx context.Context, backendUser *backen
 		usr = &user.SignedInUser{
 			OrgID:       orga.ID,
 			OrgName:     orga.Name,
-			OrgRole:     org.RoleViewer,
+			OrgRole:     org.RoleType(s.cfg.Anonymous.OrgRole),
 			IsAnonymous: true,
 		}
 	} else {
--- a/pkg/setting/setting_anonymous.go
+++ b/pkg/setting/setting_anonymous.go
@ -3,6 +3,7 @@ package setting
 type AnonymousSettings struct {
 	Enabled     bool
 	OrgName     string
+	OrgRole     string
 	HideVersion bool
 	DeviceLimit int64
 }
@ -13,7 +14,12 @@ func (cfg *Cfg) readAnonymousSettings() {
 	anonSettings := AnonymousSettings{}
 	anonSettings.Enabled = anonSection.Key("enabled").MustBool(false)
 	anonSettings.OrgName = valueAsString(anonSection, "org_name", "")
-
+	// Deprecated:
+	// only viewer role is supported
+	anonSettings.OrgRole = valueAsString(anonSection, "org_role", "")
+	if anonSettings.OrgRole != "Viewer" {
+		cfg.Logger.Warn("auth.anonymous.org_role is deprecated, only viewer role is supported")
+	}
 	anonSettings.HideVersion = anonSection.Key("hide_version").MustBool(false)
 	anonSettings.DeviceLimit = anonSection.Key("device_limit").MustInt64(0)
 	cfg.Anonymous = anonSettings