From 180f579f18bfb4fbd51495497019a489587f1e1f Mon Sep 17 00:00:00 2001
From: Eric Leijonmarck
Date: Mon, 31 Mar 2025 10:31:53 +0100
Subject: [PATCH] Revert "Anonymous: Enforce org role Viewer setting (#102070)" (#103043)

This reverts commit e216c2f29dcc5d2c2b396c26e5f07437566a3359.
---
 conf/defaults.ini | 3 +++
 conf/sample.ini | 3 +++
 .../anonymous-auth/index.md | 3 +++
 .../accesscontrol/dualwrite/collectors.go | 3 +--
 pkg/services/anonymous/anonimpl/client.go | 15 ++++++++++++++-
 pkg/services/anonymous/anonimpl/client_test.go | 3 +++
 pkg/services/searchV2/service.go | 2 +-
 pkg/setting/setting_anonymous.go | 8 +++++++-
 8 files changed, 35 insertions(+), 5 deletions(-)

diff --git a/conf/defaults.ini b/conf/defaults.ini
index 48916ad1509..6997156c517 100644
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -677,6 +677,9 @@ enabled = false
 # specify organization name that should be used for unauthenticated users
 org_name = Main Org.
 
+# specify role for unauthenticated users
+org_role = Viewer
+
 # mask the Grafana version number for unauthenticated users
 hide_version = false
 
diff --git a/conf/sample.ini b/conf/sample.ini
index 1f47f36e95c..e23dd0631c5 100644
--- a/conf/sample.ini
+++ b/conf/sample.ini
@@ -665,6 +665,9 @@
 # specify organization name that should be used for unauthenticated users
 ;org_name = Main Org.
 
+# specify role for unauthenticated users
+;org_role = Viewer
+
 # mask the Grafana version number for unauthenticated users
 ;hide_version = false
 
diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/anonymous-auth/index.md b/docs/sources/setup-grafana/configure-security/configure-authentication/anonymous-auth/index.md
index 15afa2aa635..4538d36fd7e 100644
--- a/docs/sources/setup-grafana/configure-security/configure-authentication/anonymous-auth/index.md
+++ b/docs/sources/setup-grafana/configure-security/configure-authentication/anonymous-auth/index.md
@@ -54,6 +54,9 @@ enabled = true
 # Organization name that should be used for unauthenticated users
 org_name = Main Org.
 
+# Role for unauthenticated users, other valid values are `Editor` and `Admin`
+org_role = Viewer
+
 # Hide the Grafana version text from the footer and help tooltip for unauthenticated users (default: false)
 hide_version = true
 
diff --git a/pkg/services/accesscontrol/dualwrite/collectors.go b/pkg/services/accesscontrol/dualwrite/collectors.go
index ab1ec62f926..1580b151b09 100644
--- a/pkg/services/accesscontrol/dualwrite/collectors.go
+++ b/pkg/services/accesscontrol/dualwrite/collectors.go
@@ -10,7 +10,6 @@ import (
 	authzextv1 "github.com/grafana/grafana/pkg/services/authz/proto/v1"
 	"github.com/grafana/grafana/pkg/services/authz/zanzana"
 	"github.com/grafana/grafana/pkg/services/folder"
-	"github.com/grafana/grafana/pkg/services/org"
 	"github.com/grafana/grafana/pkg/setting"
 )
 
@@ -470,7 +469,7 @@ func fixedRolePermissionsCollector(store db.DB) legacyTupleCollector {
 func anonymousRoleBindingsCollector(cfg *setting.Cfg, store db.DB) legacyTupleCollector {
 	return func(ctx context.Context, orgID int64) (map[string]map[string]*openfgav1.TupleKey, error) {
 		tuples := make(map[string]map[string]*openfgav1.TupleKey)
-		object := zanzana.NewTupleEntry(zanzana.TypeRole, zanzana.TranslateBasicRole(string(org.RoleViewer)), "")
+		object := zanzana.NewTupleEntry(zanzana.TypeRole, zanzana.TranslateBasicRole(cfg.Anonymous.OrgRole), "")
 		// Object should be set to delete obsolete permissions
 		tuples[object] = make(map[string]*openfgav1.TupleKey)
 
diff --git a/pkg/services/anonymous/anonimpl/client.go b/pkg/services/anonymous/anonimpl/client.go
index 573b5ad53fa..f619ec0b032 100644
--- a/pkg/services/anonymous/anonimpl/client.go
+++ b/pkg/services/anonymous/anonimpl/client.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"net/http"
+	"strings"
 
 	claims "github.com/grafana/authlib/types"
 	"github.com/grafana/grafana/pkg/apimachinery/errutil"
@@ -93,6 +94,18 @@ func (a *Anonymous) ResolveIdentity(ctx context.Context, orgID int64, typ claims
 	return a.newAnonymousIdentity(o), nil
 }
 
+func (a *Anonymous) UsageStatFn(ctx context.Context) (map[string]any, error) {
+	m := map[string]any{}
+
+	// Add stats about anonymous auth
+	m["stats.anonymous.customized_role.count"] = 0
+	if !strings.EqualFold(a.cfg.Anonymous.OrgRole, "Viewer") {
+		m["stats.anonymous.customized_role.count"] = 1
+	}
+
+	return m, nil
+}
+
 func (a *Anonymous) Priority() uint {
 	return 100
 }
@@ -103,7 +116,7 @@ func (a *Anonymous) newAnonymousIdentity(o *org.Org) *authn.Identity {
 		Type: claims.TypeAnonymous,
 		OrgID: o.ID,
 		OrgName: o.Name,
-		OrgRoles: map[int64]org.RoleType{o.ID: org.RoleViewer},
+		OrgRoles: map[int64]org.RoleType{o.ID: org.RoleType(a.cfg.Anonymous.OrgRole)},
 		ClientParams: authn.ClientParams{SyncPermissions: true},
 	}
 }
diff --git a/pkg/services/anonymous/anonimpl/client_test.go b/pkg/services/anonymous/anonimpl/client_test.go
index b147b2da46a..e57f5c0dea6 100644
--- a/pkg/services/anonymous/anonimpl/client_test.go
+++ b/pkg/services/anonymous/anonimpl/client_test.go
@@ -31,6 +31,7 @@ func TestAnonymous_Authenticate(t *testing.T) {
 			org: &org.Org{ID: 1, Name: "some org"},
 			cfg: &setting.Cfg{
 				Anonymous: setting.AnonymousSettings{
+					OrgRole: "Viewer",
 					OrgName: "some org",
 				},
 			},
@@ -40,6 +41,7 @@ func TestAnonymous_Authenticate(t *testing.T) {
 			err: fmt.Errorf("some error"),
 			cfg: &setting.Cfg{
 				Anonymous: setting.AnonymousSettings{
+					OrgRole: "Viewer",
 					OrgName: "some org",
 				},
 			},
@@ -65,6 +67,7 @@ func TestAnonymous_Authenticate(t *testing.T) {
 				assert.Equal(t, "anonymous:0", user.GetID())
 				assert.Equal(t, tt.org.ID, user.OrgID)
 				assert.Equal(t, tt.org.Name, user.OrgName)
+				assert.Equal(t, tt.cfg.Anonymous.OrgRole, string(user.GetOrgRole()))
 			}
 		})
 	}
diff --git a/pkg/services/searchV2/service.go b/pkg/services/searchV2/service.go
index d2943180194..4bc5bd82f2d 100644
--- a/pkg/services/searchV2/service.go
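Review bot: `UsageStatFn` decides whether the role is "customized" with `strings.EqualFold(a.cfg.Anonymous.OrgRole, "Viewer")`, but the same string is compared case-sensitively (`!= "Viewer"`) in `readAnonymousSettings` in pkg/setting/setting_anonymous.go later in this patch and is handed verbatim to `org.RoleType(...)` in `newAnonymousIdentity` in the next hunk (whose body starts outside that hunk). A value such as `viewer` is therefore reported as the default here, warned about in settings, and still becomes a role string that is not `org.RoleViewer` on every anonymous identity. Since the identity uses the exact string, the stat should match it exactly: `if a.cfg.Anonymous.OrgRole != string(org.RoleViewer) {`, which also drops the new `strings` import. The client_test.go hunks on this line only exercise `OrgRole: "Viewer"`; a second table entry with `Editor` would confirm the role actually propagates to `user.GetOrgRole()`.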
+++ b/pkg/services/searchV2/service.go
@@ -165,7 +165,7 @@ func (s *StandardSearchService) getUser(ctx context.Context, backendUser *backen
 		usr = &user.SignedInUser{
 			OrgID: orga.ID,
 			OrgName: orga.Name,
-			OrgRole: org.RoleViewer,
+			OrgRole: org.RoleType(s.cfg.Anonymous.OrgRole),
 			IsAnonymous: true,
 		}
 	} else {
diff --git a/pkg/setting/setting_anonymous.go b/pkg/setting/setting_anonymous.go
index b7f7776db47..53e0830eb86 100644
--- a/pkg/setting/setting_anonymous.go
+++ b/pkg/setting/setting_anonymous.go
@@ -3,6 +3,7 @@ package setting
 type AnonymousSettings struct {
 	Enabled bool
 	OrgName string
+	OrgRole string
 	HideVersion bool
 	DeviceLimit int64
 }
@@ -13,7 +14,12 @@ func (cfg *Cfg) readAnonymousSettings() {
 	anonSettings := AnonymousSettings{}
 	anonSettings.Enabled = anonSection.Key("enabled").MustBool(false)
 	anonSettings.OrgName = valueAsString(anonSection, "org_name", "")
-
+	// Deprecated:
+	// only viewer role is supported
+	anonSettings.OrgRole = valueAsString(anonSection, "org_role", "")
+	if anonSettings.OrgRole != "Viewer" {
+		cfg.Logger.Warn("auth.anonymous.org_role is deprecated, only viewer role is supported")
+	}
 	anonSettings.HideVersion = anonSection.Key("hide_version").MustBool(false)
 	anonSettings.DeviceLimit = anonSection.Key("device_limit").MustInt64(0)
 	cfg.Anonymous = anonSettings
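Review bot: In `readAnonymousSettings`, `org_role` is stored without validation: `valueAsString(anonSection, "org_role", "")` leaves an empty string when the key is absent, and any other value (a typo, `viewer`, an arbitrary string) is kept after the warning and flows unchanged into `org.RoleType(...)` in pkg/services/anonymous/anonimpl/client.go and pkg/services/searchV2/service.go and into `zanzana.TranslateBasicRole` in pkg/services/accesscontrol/dualwrite/collectors.go, so unauthenticated users get an identity whose role is none of the basic roles. Because this setting can hand `Editor` or `Admin` to unauthenticated requests (the docs hunk names those as the other valid values), a malformed value should fail closed to `Viewer` instead of propagating, and the empty default is what forces client_test.go to set `OrgRole: "Viewer"` by hand. Suggest replacing the `if anonSettings.OrgRole != "Viewer"` block with a switch that accepts exactly the three documented roles and falls back to `Viewer` otherwise, as below; the `// Deprecated: only viewer role is supported` comment no longer describes what the restored code does and should be removed or reworded. The enclosing function continues past the hunk.
```go
	anonSettings.OrgName = valueAsString(anonSection, "org_name", "")
	anonSettings.OrgRole = valueAsString(anonSection, "org_role", "")
	switch anonSettings.OrgRole {
	case "Viewer", "Editor", "Admin":
		// accepted basic roles; anything else must not reach org.RoleType()
	default:
		cfg.Logger.Warn("auth.anonymous.org_role is not a valid basic role, falling back to Viewer")
		anonSettings.OrgRole = "Viewer"
	}
	// … unchanged: hide_version, device_limit, cfg.Anonymous assignment …
```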