Grafana: [Feature Request] Add grafana.ini-settings to change behavior of allowed invites to account for enterprisey environments

Created on 16 Nov 2016  ·  3 Comments  ·  Source: grafana/grafana

  • I'm submitting a ...
  • [ ] Bug report
  • [x] Feature request
  • [ ] Question / Support request: Please do not open a github issue. Support Options

..in relation to Issue #6567, we need a grafana.ini-setting(s) that controls whether..

  • Org-Admins are allowed to invite people that can't be found through the LDAP-settings (username or email attribute in LDAP).
  • Org-Admins are allowed to invite people by an external email-address (an email-address that's not found inside LDAP or local grafana-db)

Please include this information:

  • What Grafana version are you using?
    v3.1.1 (commit: a4d2708)
  • What datasource are you using?
    Elasticsearch/InfluxDB
  • What OS are you running grafana on?
    Linux, RHEL 7.2
  • What did you do?
    I invited a user by an email address. Only LDAP signups are allowed and general user signup is disallowed.
  • What was the expected result?
    I expected that it would deny my Invite if I gave an email address, because I only allow LDAP users to sign up and log in. So, it would allow my invite if I gave an LDAP-user with that username or an LDAP-user with that email address.
  • What happened instead?
    It created a new user with an email-address as "username" in the grafana-db. That user is a local user. Thus, the user could log in and was then part of the organization he was invited to.

Corresponding settings could look like this in grafana.ini - using a new section to control it:

[invites]
enabled = true
allow_by_email = true
allow_external_emails = false
allow_by_username = true
search_db = true
search_ldap = true

In this constellation, it would be..

  • generally allowed to invite someone.
  • allowed to invite someone by an email address.

    • grafana would then look through existing users having that email address in the grafana-db.

    • if not found already: grafana would need to look through existing users having that email address in ldap, if ldap-configuration is set (see email attribute).

  • allowed to invite someone by a username.

    • grafana would need to look through existing users having that username in grafana-db

    • if not found already: grafana would need to look through existing users having that username in ldap, if ldap-configuration is set (see username attribute)

If search_ldap was false, it would not try to get a user from LDAP and only search the grafana-db.

If not even found in grafana-db and the invite given was an email address, it would need allow_external_emails to be true to send an email to the outside world.

As a first step in development, the "enabled" key would kinda suffice. With the current behavior, I would disable invites.
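
The lookup order proposed in this issue, written out as an added example (not Grafana code and not part of the original post). The `[invites]` keys are the proposal's, not options Grafana is known to ship; `Directory`, `DecideInvite` and the sample users are hypothetical, and the case-insensitive match is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// InviteSettings mirrors the [invites] section proposed in the issue.
// These keys are the proposal's, not settings Grafana is known to ship.
type InviteSettings struct {
	Enabled, AllowByEmail, AllowExternalEmails, AllowByUsername, SearchDB, SearchLDAP bool
}

// Directory is a hypothetical stand-in for the grafana-db or an LDAP search
// on the configured username/email attribute.
type Directory map[string]bool

// DecideInvite applies the proposed checks in order and reports the reason.
func DecideInvite(s InviteSettings, id string, db, ldap Directory) (bool, string) {
	if !s.Enabled {
		return false, "invites disabled"
	}
	isEmail := strings.Contains(id, "@")
	if isEmail && !s.AllowByEmail {
		return false, "invite by email disabled"
	}
	if !isEmail && !s.AllowByUsername {
		return false, "invite by username disabled"
	}
	key := strings.ToLower(id) // assumption: identifiers match case-insensitively
	if s.SearchDB && db[key] {
		return true, "found in grafana-db"
	}
	if s.SearchLDAP && ldap[key] {
		return true, "found in ldap"
	}
	// Unknown everywhere: only an email may go out, and only if explicitly allowed.
	if isEmail && s.AllowExternalEmails {
		return true, "external email allowed"
	}
	return false, "no matching user"
}

func main() {
	s := InviteSettings{Enabled: true, AllowByEmail: true, AllowByUsername: true, SearchDB: true, SearchLDAP: true}
	db := Directory{"alice": true}                           // constructed sample data
	ldap := Directory{"bob": true, "bob@corp.example": true} // constructed sample data
	for _, id := range []string{"alice", "bob@corp.example", "eve@outside.example"} {
		ok, why := DecideInvite(s, id, db, ldap)
		fmt.Println(id, ok, why)
	}
}
```

With `allow_external_emails = false`, the third invite is refused instead of creating a local user, which is the behavior the issue asks for.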


All 3 comments

Any news on this topic?
It seems to me it could be really important in a production environment to be able to deactivate invites.

Still no news on this topic :(
This feature would be very useful!

So was this implemented or not? A thread on the forums says the config documentation details how to disable invites, but there is nothing in there and no options in the config file.
