Revert fixed roles and service accounts (#44778)

* Revert fixed roles and service accounts

* Leave the fixed role for service accounts

pkg/api/api.go

@@ -13,7 +13,6 @@ import (
 	ac "github.com/grafana/grafana/pkg/services/accesscontrol"
 	acmiddleware "github.com/grafana/grafana/pkg/services/accesscontrol/middleware"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
-	sa "github.com/grafana/grafana/pkg/services/serviceaccounts/manager"
 )
 
 var plog = log.New("api")
@@ -256,10 +255,10 @@ func (hs *HTTPServer) registerRoutes() {
 
 		// auth api keys
 		apiRoute.Group("/auth/keys", func(keysRoute routing.RouteRegister) {
-			keysRoute.Get("/", authorize(reqOrgAdmin, sa.ActionApikeyListEv), routing.Wrap(GetAPIKeys))
-			keysRoute.Post("/", authorize(reqOrgAdmin, sa.ActionApikeyAddEv), quota("api_key"), routing.Wrap(hs.AddAPIKey))
-			keysRoute.Post("/additional", authorize(reqOrgAdmin, sa.ActionApikeyAddAdditionalEv), quota("api_key"), routing.Wrap(hs.AdditionalAPIKey))
-			keysRoute.Delete("/:id", authorize(reqOrgAdmin, sa.ActionApikeyRemoveEv), routing.Wrap(DeleteAPIKey))
+			keysRoute.Get("/", routing.Wrap(GetAPIKeys))
+			keysRoute.Post("/", quota("api_key"), routing.Wrap(hs.AddAPIKey))
+			keysRoute.Post("/additional", quota("api_key"), routing.Wrap(hs.AdditionalAPIKey))
+			keysRoute.Delete("/:id", routing.Wrap(DeleteAPIKey))
 		}, reqOrgAdmin)
 
 		// Preferences

pkg/services/serviceaccounts/manager/roles.go

@@ -5,22 +5,6 @@ import (
 	"github.com/grafana/grafana/pkg/services/serviceaccounts"
 )
 
-var (
-	ActionApikeyList          = "apikey:list"
-	ActionApikeyAdd           = "apikey:add"
-	ActionApikeyRemove        = "apikey:remove"
-	ActionApikeyAddAdditional = "apikey:addadditional"
-
-	apikeyWriter = "fixed:apikey:writer"
-	apikeyReader = "fixed:apikey:reader"
-
-	//API key actions
-	ActionApikeyListEv          = accesscontrol.EvalPermission(ActionApikeyList)
-	ActionApikeyAddEv           = accesscontrol.EvalPermission(ActionApikeyAdd)
-	ActionApikeyRemoveEv        = accesscontrol.EvalPermission(ActionApikeyRemove) //Improvement:Check here or in database layer that user has permissiono modify the service account attached to this api key
-	ActionApikeyAddAdditionalEv = accesscontrol.EvalPermission(ActionApikeyAddAdditional)
-)
-
 func RegisterRoles(ac accesscontrol.AccessControl) error {
 	role := accesscontrol.RoleRegistration{
 		Role: accesscontrol.RoleDTO{
@@ -50,49 +34,5 @@ func RegisterRoles(ac accesscontrol.AccessControl) error {
 		return err
 	}
 
-	apikeyAdminReadRole := accesscontrol.RoleRegistration{
-		Role: accesscontrol.RoleDTO{
-			Version:     1,
-			Name:        apikeyReader,
-			DisplayName: "Apikeys reader",
-			Description: "Gives access to list apikeys.",
-			Group:       "Service accounts",
-			Permissions: []accesscontrol.Permission{
-				{
-					Action: ActionApikeyList,
-					Scope:  accesscontrol.ScopeUsersAll,
-				},
-			},
-		},
-		Grants: []string{"Admin"},
-	}
-	if err := ac.DeclareFixedRoles(apikeyAdminReadRole); err != nil {
-		return err
-	}
-
-	apikeyAdminEditRole := accesscontrol.RoleRegistration{
-		Role: accesscontrol.RoleDTO{
-			Version:     1,
-			Name:        apikeyWriter,
-			DisplayName: "Apikeys writer",
-			Description: "Gives access to add and delete api keys.",
-			Group:       "Service accounts",
-			Permissions: accesscontrol.ConcatPermissions(apikeyAdminReadRole.Role.Permissions, []accesscontrol.Permission{
-				{
-					Action: ActionApikeyAdd,
-					Scope:  accesscontrol.ScopeUsersAll,
-				},
-				{
-					Action: ActionApikeyRemove,
-					Scope:  accesscontrol.ScopeUsersAll,
-				},
-			}),
-		},
-		Grants: []string{"Admin"},
-	}
-	if err := ac.DeclareFixedRoles(apikeyAdminEditRole); err != nil {
-		return err
-	}
-
 	return nil
 }

pkg/services/serviceaccounts/manager/service.go

@@ -36,8 +36,10 @@ func ProvideServiceAccountsService(
 		log:      log.New("serviceaccounts"),
 	}
 
-	if err := RegisterRoles(ac); err != nil {
-		s.log.Error("Failed to register roles", "error", err)
+	if features.IsEnabled(featuremgmt.FlagServiceAccounts) {
+		if err := RegisterRoles(ac); err != nil {
+			s.log.Error("Failed to register roles", "error", err)
+		}
 	}
 
 	serviceaccountsAPI := api.NewServiceAccountsAPI(s, ac, routeRegister, s.store)