Access Control: Remove built-in role assignment by default (#49058)

* Remove FF-bultins * Add a param to test br-simplifying
2025-02-25 18:55:37 -06:00 · 2022-05-19 09:29:36 +02:00
parent a3c5834594
commit 5b6d20fbce
7 changed files with 7 additions and 18 deletions
--- a/packages/grafana-data/src/types/featureToggles.gen.ts
+++ b/packages/grafana-data/src/types/featureToggles.gen.ts
@@ -32,7 +32,6 @@ export interface FeatureToggles {
  tempoBackendSearch?: boolean;
  tempoServiceGraph?: boolean;
  lokiBackendMode?: boolean;
-  ['accesscontrol-builtins']?: boolean;
  prometheus_azure_auth?: boolean;
  influxdbBackendMigration?: boolean;
  newNavigation?: boolean;
--- a/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go
+++ b/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go
@@ -18,7 +18,7 @@ import (
 func ProvideService(features featuremgmt.FeatureToggles, cfg *setting.Cfg,
 	provider accesscontrol.PermissionsProvider, routeRegister routing.RouteRegister) (*OSSAccessControlService, error) {
 	var errDeclareRoles error
-	s := ProvideOSSAccessControl(features, cfg, provider)
+	s := ProvideOSSAccessControl(cfg, provider)
 	if !s.IsDisabled() {
 		api := api.AccessControlAPI{
 			RouteRegister: routeRegister,
@@ -32,9 +32,8 @@ func ProvideService(features featuremgmt.FeatureToggles, cfg *setting.Cfg,
 	return s, errDeclareRoles
 }

-func ProvideOSSAccessControl(features featuremgmt.FeatureToggles, cfg *setting.Cfg, provider accesscontrol.PermissionsProvider) *OSSAccessControlService {
+func ProvideOSSAccessControl(cfg *setting.Cfg, provider accesscontrol.PermissionsProvider) *OSSAccessControlService {
 	s := &OSSAccessControlService{
-		features:       features,
 		cfg:            cfg,
 		provider:       provider,
 		log:            log.New("accesscontrol"),
@@ -48,7 +47,6 @@ func ProvideOSSAccessControl(features featuremgmt.FeatureToggles, cfg *setting.C
 // OSSAccessControlService is the service implementing role based access control.
 type OSSAccessControlService struct {
 	log            log.Logger
-	features       featuremgmt.FeatureToggles
 	cfg            *setting.Cfg
 	scopeResolvers accesscontrol.ScopeResolvers
 	provider       accesscontrol.PermissionsProvider
@@ -158,7 +156,7 @@ func (ac *OSSAccessControlService) GetUserBuiltInRoles(user *models.SignedInUser
 	builtInRoles := []string{string(user.OrgRole)}

 	// With built-in role simplifying, inheritance is performed upon role registration.
-	if !ac.features.IsEnabled(featuremgmt.FlagAccesscontrolBuiltins) {
+	if ac.cfg.RBACBuiltInRoleAssignmentEnabled {
 		for _, br := range user.OrgRole.Children() {
 			builtInRoles = append(builtInRoles, string(br))
 		}
--- a/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol_test.go
+++ b/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol_test.go
@@ -24,7 +24,6 @@ func setupTestEnv(t testing.TB) *OSSAccessControlService {

 	ac := &OSSAccessControlService{
 		cfg:            cfg,
-		features:       featuremgmt.WithFeatures(),
 		log:            log.New("accesscontrol"),
 		registrations:  accesscontrol.RegistrationList{},
 		scopeResolvers: accesscontrol.NewScopeResolvers(),
--- a/pkg/services/featuremgmt/registry.go
+++ b/pkg/services/featuremgmt/registry.go
@@ -94,12 +94,6 @@ var (
 			State:        FeatureStateAlpha,
 			FrontendOnly: true,
 		},
-		{
-			Name:            "accesscontrol-builtins",
-			Description:     "Simplify access control builtin roles",
-			State:           FeatureStateAlpha,
-			RequiresDevMode: true,
-		},
 		{
 			Name:        "prometheus_azure_auth",
 			Description: "Experimental. Azure authentication for Prometheus datasource",
--- a/pkg/services/featuremgmt/toggles_gen.go
+++ b/pkg/services/featuremgmt/toggles_gen.go
@@ -71,10 +71,6 @@ const (
 	// Loki datasource works as backend datasource
 	FlagLokiBackendMode = "lokiBackendMode"

-	// FlagAccesscontrolBuiltins
-	// Simplify access control builtin roles
-	FlagAccesscontrolBuiltins = "accesscontrol-builtins"
-
 	// FlagPrometheusAzureAuth
 	// Experimental. Azure authentication for Prometheus datasource
 	FlagPrometheusAzureAuth = "prometheus_azure_auth"
--- a/pkg/services/featuremgmt/toggles_gen_test.go
+++ b/pkg/services/featuremgmt/toggles_gen_test.go
@@ -24,7 +24,6 @@ func TestFeatureToggleFiles(t *testing.T) {
 		"live-config":                    true,
 		"live-pipeline":                  true,
 		"live-service-web-worker":        true,
-		"accesscontrol-builtins":         true,
 		"prometheus_azure_auth":          true,
 		"disable_http_request_histogram": true,
 	}
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -447,6 +447,9 @@ type Cfg struct {
 	// Access Control
 	RBACEnabled         bool
 	RBACPermissionCache bool
+	// Undocumented option as a backup in case removing builtin-role assignment
+	// fails
+	RBACBuiltInRoleAssignmentEnabled bool
 }

 type CommandLineArgs struct {
@@ -1360,6 +1363,7 @@ func readAccessControlSettings(iniFile *ini.File, cfg *Cfg) {
 	rbac := iniFile.Section("rbac")
 	cfg.RBACEnabled = rbac.Key("enabled").MustBool(true)
 	cfg.RBACPermissionCache = rbac.Key("permission_cache").MustBool(true)
+	cfg.RBACBuiltInRoleAssignmentEnabled = rbac.Key("builtin_role_assignment_enabled").MustBool(false)
 }

 func readUserSettings(iniFile *ini.File, cfg *Cfg) error {