From c52ec21c75ab72c2f7d28259bac0364edae560d0 Mon Sep 17 00:00:00 2001
From: Misi
Date: Thu, 9 Jan 2025 18:02:49 +0100
Subject: [PATCH] Auth: Add a feature toggle to roll out SAML session improvements (#98750)

Add separate feature toggle to roll out SAML-related external session improvements
---
.../feature-toggles/index.md | 61 ++++++++++---------
.../src/types/featureToggles.gen.ts | 1 +
pkg/services/featuremgmt/registry.go | 8 ++-
pkg/services/featuremgmt/toggles_gen.csv | 1 +
pkg/services/featuremgmt/toggles_gen.go | 6 +-
pkg/services/featuremgmt/toggles_gen.json | 21 ++++++-
6 files changed, 63 insertions(+), 35 deletions(-)
diff --git a/docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md b/docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md
index 2ac4720ff29..0036f786a19 100644
--- a/docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md
+++ b/docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md
@@ -92,36 +92,37 @@ Most [generally available](https://grafana.com/docs/release-life-cycle/#general- [Public preview](https://grafana.com/docs/release-life-cycle/#public-preview) features are supported by our Support teams, but might be limited to enablement, configuration, and some troubleshooting. -| Feature toggle name | Description | -| --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `panelTitleSearch` | Search for dashboards using panel title | -| `autoMigrateOldPanels` | Migrate old angular panels to supported versions (graph, table-old, worldmap, etc) | -| `autoMigrateGraphPanel` | Migrate old graph panel to supported time series panel - broken out from autoMigrateOldPanels to enable granular tracking | -| `autoMigrateTablePanel` | Migrate old table panel to supported table panel - broken out from autoMigrateOldPanels to enable granular tracking | -| `autoMigratePiechartPanel` | Migrate old piechart panel to supported piechart panel - broken out from autoMigrateOldPanels to enable granular tracking | -| `autoMigrateWorldmapPanel` | Migrate old worldmap panel to supported geomap panel - broken out from autoMigrateOldPanels to enable granular tracking | -| `autoMigrateStatPanel` | Migrate old stat panel to supported stat panel - broken out from autoMigrateOldPanels to enable granular tracking | -| `disableAngular` | Dynamic flag to disable angular at runtime. The preferred method is to set `angular_support_enabled` to `false` in the [security] settings, which allows you to change the state at runtime. 
| -| `grpcServer` | Run the GRPC server | -| `alertingNoNormalState` | Stop maintaining state of alerts that are not firing | -| `renderAuthJWT` | Uses JWT-based auth for rendering instead of relying on remote cache | -| `refactorVariablesTimeRange` | Refactor time range variables flow to reduce number of API calls made when query variables are chained | -| `faroDatasourceSelector` | Enable the data source selector within the Frontend Apps section of the Frontend Observability | -| `enableDatagridEditing` | Enables the edit functionality in the datagrid panel | -| `sqlDatasourceDatabaseSelection` | Enables previous SQL data source dataset dropdown behavior | -| `reportingRetries` | Enables rendering retries for the reporting feature | -| `externalServiceAccounts` | Automatic service account and token setup for plugins | -| `cloudWatchBatchQueries` | Runs CloudWatch metrics queries as separate batches | -| `teamHttpHeaders` | Enables LBAC for datasources to apply LogQL filtering of logs to the client requests for users in teams | -| `pdfTables` | Enables generating table data as PDF in reporting | -| `canvasPanelPanZoom` | Allow pan and zoom in canvas panel | -| `regressionTransformation` | Enables regression analysis transformation | -| `onPremToCloudMigrations` | Enable the Grafana Migration Assistant, which helps you easily migrate on-prem dashboards, folders, and data source configurations to your Grafana Cloud stack. 
| -| `ssoSettingsSAML` | Use the new SSO Settings API to configure the SAML connector | -| `azureMonitorPrometheusExemplars` | Allows configuration of Azure Monitor as a data source that can provide Prometheus exemplars | -| `ssoSettingsLDAP` | Use the new SSO Settings API to configure LDAP | -| `improvedExternalSessionHandling` | Enable improved support for OAuth and SAML external sessions in Grafana | -| `elasticsearchCrossClusterSearch` | Enables cross cluster search in the Elasticsearch datasource | +| Feature toggle name | Description | +| ------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `panelTitleSearch` | Search for dashboards using panel title | +| `autoMigrateOldPanels` | Migrate old angular panels to supported versions (graph, table-old, worldmap, etc) | +| `autoMigrateGraphPanel` | Migrate old graph panel to supported time series panel - broken out from autoMigrateOldPanels to enable granular tracking | +| `autoMigrateTablePanel` | Migrate old table panel to supported table panel - broken out from autoMigrateOldPanels to enable granular tracking | +| `autoMigratePiechartPanel` | Migrate old piechart panel to supported piechart panel - broken out from autoMigrateOldPanels to enable granular tracking | +| `autoMigrateWorldmapPanel` | Migrate old worldmap panel to supported geomap panel - broken out from autoMigrateOldPanels to enable granular tracking | +| `autoMigrateStatPanel` | Migrate old stat panel to supported stat panel - broken out from autoMigrateOldPanels to enable granular tracking | +| `disableAngular` | Dynamic flag to disable angular at runtime. The preferred method is to set `angular_support_enabled` to `false` in the [security] settings, which allows you to change the state at runtime. 
| +| `grpcServer` | Run the GRPC server | +| `alertingNoNormalState` | Stop maintaining state of alerts that are not firing | +| `renderAuthJWT` | Uses JWT-based auth for rendering instead of relying on remote cache | +| `refactorVariablesTimeRange` | Refactor time range variables flow to reduce number of API calls made when query variables are chained | +| `faroDatasourceSelector` | Enable the data source selector within the Frontend Apps section of the Frontend Observability | +| `enableDatagridEditing` | Enables the edit functionality in the datagrid panel | +| `sqlDatasourceDatabaseSelection` | Enables previous SQL data source dataset dropdown behavior | +| `reportingRetries` | Enables rendering retries for the reporting feature | +| `externalServiceAccounts` | Automatic service account and token setup for plugins | +| `cloudWatchBatchQueries` | Runs CloudWatch metrics queries as separate batches | +| `teamHttpHeaders` | Enables LBAC for datasources to apply LogQL filtering of logs to the client requests for users in teams | +| `pdfTables` | Enables generating table data as PDF in reporting | +| `canvasPanelPanZoom` | Allow pan and zoom in canvas panel | +| `regressionTransformation` | Enables regression analysis transformation | +| `onPremToCloudMigrations` | Enable the Grafana Migration Assistant, which helps you easily migrate on-prem dashboards, folders, and data source configurations to your Grafana Cloud stack. | +| `ssoSettingsSAML` | Use the new SSO Settings API to configure the SAML connector | +| `azureMonitorPrometheusExemplars` | Allows configuration of Azure Monitor as a data source that can provide Prometheus exemplars | +| `ssoSettingsLDAP` | Use the new SSO Settings API to configure LDAP | +| `improvedExternalSessionHandling` | Enables improved support for OAuth external sessions. After enabling this feature, users might need to re-authenticate themselves. 
| +| `elasticsearchCrossClusterSearch` | Enables cross cluster search in the Elasticsearch datasource | +| `improvedExternalSessionHandlingSAML` | Enables improved support for SAML external sessions. Ensure the NameID format is correctly configured in Grafana for SAML Single Logout to function properly. | ## Experimental feature toggles diff --git a/packages/grafana-data/src/types/featureToggles.gen.ts b/packages/grafana-data/src/types/featureToggles.gen.ts index 29dd5d1ffae..65eb9404dd1 100644 --- a/packages/grafana-data/src/types/featureToggles.gen.ts +++ b/packages/grafana-data/src/types/featureToggles.gen.ts @@ -249,4 +249,5 @@ export interface FeatureToggles { investigationsBackend?: boolean; k8SFolderCounts?: boolean; k8SFolderMove?: boolean; + improvedExternalSessionHandlingSAML?: boolean; } diff --git a/pkg/services/featuremgmt/registry.go b/pkg/services/featuremgmt/registry.go index 45aa3ebdb29..f3fbfa1c14a 100644 --- a/pkg/services/featuremgmt/registry.go +++ b/pkg/services/featuremgmt/registry.go @@ -1489,7 +1489,7 @@ var ( }, { Name: "improvedExternalSessionHandling", - Description: "Enable improved support for OAuth and SAML external sessions in Grafana", + Description: "Enables improved support for OAuth external sessions. After enabling this feature, users might need to re-authenticate themselves.", Stage: FeatureStagePublicPreview, Owner: identityAccessTeam, }, @@ -1723,6 +1723,12 @@ var ( Owner: grafanaSearchAndStorageSquad, Expression: "false", }, + { + Name: "improvedExternalSessionHandlingSAML", + Description: "Enables improved support for SAML external sessions. Ensure the NameID format is correctly configured in Grafana for SAML Single Logout to function properly.", + Stage: FeatureStagePublicPreview, + Owner: identityAccessTeam, + }, } ) diff --git a/pkg/services/featuremgmt/toggles_gen.csv b/pkg/services/featuremgmt/toggles_gen.csv index 85f1e4b2764..d760b497cac 100644 --- a/pkg/services/featuremgmt/toggles_gen.csv 
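Review bot: The reworded Description on `improvedExternalSessionHandling` (registry.go, hunk at 1489) narrows the toggle from OAuth and SAML to OAuth only, but nothing in it tells an operator who enabled the toggle for SAML that a second toggle is now required. If the SAML path is gated on the new flag (the gating code is not part of this patch), an upgrade would silently return SAML logins to the previous session handling while the configuration still looks enabled. I would append a sentence to the Description such as `SAML external sessions are controlled by improvedExternalSessionHandlingSAML.` and regenerate the docs table and the toggles_gen files from it. The enclosing `var (` list starts and ends outside the hunk.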
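Review bot: The Description of the new `improvedExternalSessionHandlingSAML` entry (registry.go, hunk at 1723) says the NameID format must be "correctly configured" but does not say which setting or value is meant, or what fails when it is wrong. A Single Logout that fails quietly leaves the IdP or the Grafana session alive after the user believes they have signed out, so the text should name the setting (`name_id_format` under `[auth.saml]`, if that is the one intended) and state the failure mode. The entry also does not say whether it depends on `improvedExternalSessionHandling` being enabled; a comment above it such as `// Split from improvedExternalSessionHandling so the SAML changes can be rolled out independently.` would record the intent. The `var (` list begins outside the hunk.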
+++ b/pkg/services/featuremgmt/toggles_gen.csv @@ -230,3 +230,4 @@ lokiLabelNamesQueryApi,GA,@grafana/observability-logs,false,false,false investigationsBackend,experimental,@grafana/grafana-app-platform-squad,false,false,false k8SFolderCounts,experimental,@grafana/search-and-storage,false,false,false k8SFolderMove,experimental,@grafana/search-and-storage,false,false,false +improvedExternalSessionHandlingSAML,preview,@grafana/identity-access-team,false,false,false diff --git a/pkg/services/featuremgmt/toggles_gen.go b/pkg/services/featuremgmt/toggles_gen.go index 9c634107e0e..541629e58eb 100644 --- a/pkg/services/featuremgmt/toggles_gen.go +++ b/pkg/services/featuremgmt/toggles_gen.go @@ -796,7 +796,7 @@ const ( FlagAlertingQueryAndExpressionsStepMode = "alertingQueryAndExpressionsStepMode" // FlagImprovedExternalSessionHandling - // Enable improved support for OAuth and SAML external sessions in Grafana + // Enables improved support for OAuth external sessions. After enabling this feature, users might need to re-authenticate themselves. FlagImprovedExternalSessionHandling = "improvedExternalSessionHandling" // FlagUseSessionStorageForRedirection @@ -930,4 +930,8 @@ const ( // FlagK8SFolderMove // Enable folder's api server move FlagK8SFolderMove = "k8SFolderMove" + + // FlagImprovedExternalSessionHandlingSAML + // Enables improved support for SAML external sessions. Ensure the NameID format is correctly configured in Grafana for SAML Single Logout to function properly. + FlagImprovedExternalSessionHandlingSAML = "improvedExternalSessionHandlingSAML" ) diff --git a/pkg/services/featuremgmt/toggles_gen.json b/pkg/services/featuremgmt/toggles_gen.json index 1074ad56730..c1670571600 100644 --- a/pkg/services/featuremgmt/toggles_gen.json +++ b/pkg/services/featuremgmt/toggles_gen.json 
@@ -1803,14 +1803,29 @@ { "metadata": { "name": "improvedExternalSessionHandling", - "resourceVersion": "1736255708514", + "resourceVersion": "1736440595516", "creationTimestamp": "2024-09-17T10:54:39Z", "annotations": { - "grafana.app/updatedTimestamp": "2025-01-07 13:15:08.514525 +0000 UTC" + "grafana.app/updatedTimestamp": "2025-01-09 16:36:35.516462 +0000 UTC" } }, "spec": { - "description": "Enable improved support for OAuth and SAML external sessions in Grafana", + "description": "Enables improved support for OAuth external sessions. After enabling this feature, users might need to re-authenticate themselves.", + "stage": "preview", + "codeowner": "@grafana/identity-access-team" + } + }, + { + "metadata": { + "name": "improvedExternalSessionHandlingSAML", + "resourceVersion": "1736440619329", + "creationTimestamp": "2025-01-09T16:33:07Z", + "annotations": { + "grafana.app/updatedTimestamp": "2025-01-09 16:36:59.329967 +0000 UTC" + } + }, + "spec": { + "description": "Enables improved support for SAML external sessions. Ensure the NameID format is correctly configured in Grafana for SAML Single Logout to function properly.", "stage": "preview", "codeowner": "@grafana/identity-access-team" }