From 5b6d20fbceb6ab0a74e149af97aa6907b4e2011b Mon Sep 17 00:00:00 2001
From: Gabriel MABILLE
Date: Thu, 19 May 2022 09:29:36 +0200
Subject: [PATCH] Access Control: Remove built-in role assignment by default (#49058)

* Remove FF-bultins

* Add a param to test br-simplifying
---
 packages/grafana-data/src/types/featureToggles.gen.ts | 1 -
 .../accesscontrol/ossaccesscontrol/ossaccesscontrol.go | 8 +++-----
 .../ossaccesscontrol/ossaccesscontrol_test.go | 1 -
 pkg/services/featuremgmt/registry.go | 6 ------
 pkg/services/featuremgmt/toggles_gen.go | 4 ----
 pkg/services/featuremgmt/toggles_gen_test.go | 1 -
 pkg/setting/setting.go | 4 ++++
 7 files changed, 7 insertions(+), 18 deletions(-)

diff --git a/packages/grafana-data/src/types/featureToggles.gen.ts b/packages/grafana-data/src/types/featureToggles.gen.ts
index 51ff4d07698..f60e068b81a 100644
--- a/packages/grafana-data/src/types/featureToggles.gen.ts
+++ b/packages/grafana-data/src/types/featureToggles.gen.ts
@@ -32,7 +32,6 @@ export interface FeatureToggles {
 tempoBackendSearch?: boolean;
 tempoServiceGraph?: boolean;
 lokiBackendMode?: boolean;
- ['accesscontrol-builtins']?: boolean;
 prometheus_azure_auth?: boolean;
 influxdbBackendMigration?: boolean;
 newNavigation?: boolean;
diff --git a/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go b/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go
index 65963ef0f5a..49b4d04de5b 100644
--- a/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go
+++ b/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go
@@ -18,7 +18,7 @@ import (
 func ProvideService(features featuremgmt.FeatureToggles, cfg *setting.Cfg,
 provider accesscontrol.PermissionsProvider, routeRegister routing.RouteRegister) (*OSSAccessControlService, error) {
 var errDeclareRoles error
- s := ProvideOSSAccessControl(features, cfg, provider)
+ s := ProvideOSSAccessControl(cfg, provider)
 if !s.IsDisabled() {
 api := api.AccessControlAPI{
 RouteRegister: routeRegister,
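Review bot: On the `+` line `features` is no longer passed to ProvideOSSAccessControl, and nothing else in this hunk reads it, so ProvideService now carries a parameter that looks dead; the function's body continues past the end of the hunk, so confirm it is not used further down before acting. If it is unused, either drop it from the signature together with whatever wiring supplies it, or leave a one-line comment so the next reader does not assume feature toggles still gate access control: `// features is intentionally unused: built-in role assignment is governed by cfg.RBACBuiltInRoleAssignmentEnabled`. An unused parameter with no note is how stale toggle plumbing survives long after the toggle is gone.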
@@ -32,9 +32,8 @@ func ProvideService(features featuremgmt.FeatureToggles, cfg *setting.Cfg,
 return s, errDeclareRoles
 }
 
-func ProvideOSSAccessControl(features featuremgmt.FeatureToggles, cfg *setting.Cfg, provider accesscontrol.PermissionsProvider) *OSSAccessControlService {
+func ProvideOSSAccessControl(cfg *setting.Cfg, provider accesscontrol.PermissionsProvider) *OSSAccessControlService {
 s := &OSSAccessControlService{
- features: features,
 cfg: cfg,
 provider: provider,
 log: log.New("accesscontrol"),
@@ -48,7 +47,6 @@ func ProvideOSSAccessControl(features featuremgmt.FeatureToggles, cfg *setting.C
 // OSSAccessControlService is the service implementing role based access control.
 type OSSAccessControlService struct {
 log log.Logger
- features featuremgmt.FeatureToggles
 cfg *setting.Cfg
 scopeResolvers accesscontrol.ScopeResolvers
 provider accesscontrol.PermissionsProvider
@@ -158,7 +156,7 @@ func (ac *OSSAccessControlService) GetUserBuiltInRoles(user *models.SignedInUser
 builtInRoles := []string{string(user.OrgRole)}
 
 // With built-in role simplifying, inheritance is performed upon role registration.
- if !ac.features.IsEnabled(featuremgmt.FlagAccesscontrolBuiltins) {
+ if ac.cfg.RBACBuiltInRoleAssignmentEnabled {
 for _, br := range user.OrgRole.Children() {
 builtInRoles = append(builtInRoles, string(br))
 }
diff --git a/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol_test.go b/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol_test.go
index 82242481aec..ac26cfa5e3d 100644
--- a/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol_test.go
+++ b/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol_test.go
@@ -24,7 +24,6 @@ func setupTestEnv(t testing.TB) *OSSAccessControlService {
 
 ac := &OSSAccessControlService{
 cfg: cfg,
- features: featuremgmt.WithFeatures(),
 log: log.New("accesscontrol"),
 registrations: accesscontrol.RegistrationList{},
 scopeResolvers: accesscontrol.NewScopeResolvers(),
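Review bot: The context comment `// With built-in role simplifying, inheritance is performed upon role registration.` in the GetUserBuiltInRoles hunk now sits above a branch whose meaning has flipped: it described the behaviour behind the removed feature flag, whereas after this change the `+` line runs the child-role expansion only as the legacy fallback and the default path is the one that relies on registration-time inheritance. Replace it with something that states the default explicitly, e.g. `// By default only the user's own org role is returned; the built-in roles below it` / `// (user.OrgRole.Children()) are inherited when roles are registered.` / `// [rbac] builtin_role_assignment_enabled restores the legacy expansion at lookup time.` Two consequences deserve a test rather than a comment: with the fallback on, a user can receive the child roles both through registration and through this loop (whether any caller dedupes builtInRoles is not visible here), and with it off any permission attached only to a child built-in role that registration does not propagate silently disappears for users holding the parent role, so a test asserting that a user with the top org role still resolves permissions granted to the lowest one under the default config would catch a regression. GetUserBuiltInRoles begins and ends outside the hunk.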
diff --git a/pkg/services/featuremgmt/registry.go b/pkg/services/featuremgmt/registry.go
index 216251e1f0c..05f45a1608e 100644
--- a/pkg/services/featuremgmt/registry.go
+++ b/pkg/services/featuremgmt/registry.go
@@ -94,12 +94,6 @@ var (
 State: FeatureStateAlpha,
 FrontendOnly: true,
 },
- {
- Name: "accesscontrol-builtins",
- Description: "Simplify access control builtin roles",
- State: FeatureStateAlpha,
- RequiresDevMode: true,
- },
 {
 Name: "prometheus_azure_auth",
 Description: "Experimental. Azure authentication for Prometheus datasource",
diff --git a/pkg/services/featuremgmt/toggles_gen.go b/pkg/services/featuremgmt/toggles_gen.go
index 4aad3fd8cb1..76c6c377770 100644
--- a/pkg/services/featuremgmt/toggles_gen.go
+++ b/pkg/services/featuremgmt/toggles_gen.go
@@ -71,10 +71,6 @@ const (
 // Loki datasource works as backend datasource
 FlagLokiBackendMode = "lokiBackendMode"
 
- // FlagAccesscontrolBuiltins
- // Simplify access control builtin roles
- FlagAccesscontrolBuiltins = "accesscontrol-builtins"
-
 // FlagPrometheusAzureAuth
 // Experimental. Azure authentication for Prometheus datasource
 FlagPrometheusAzureAuth = "prometheus_azure_auth"
diff --git a/pkg/services/featuremgmt/toggles_gen_test.go b/pkg/services/featuremgmt/toggles_gen_test.go
index 8bc082537e7..423057d6f3a 100644
--- a/pkg/services/featuremgmt/toggles_gen_test.go
+++ b/pkg/services/featuremgmt/toggles_gen_test.go
@@ -24,7 +24,6 @@ func TestFeatureToggleFiles(t *testing.T) {
 "live-config": true,
 "live-pipeline": true,
 "live-service-web-worker": true,
- "accesscontrol-builtins": true,
 "prometheus_azure_auth": true,
 "disable_http_request_histogram": true,
 }
diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
index 8e0e532de04..51e1dd77eb9 100644
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -447,6 +447,9 @@ type Cfg struct {
 // Access Control
 RBACEnabled bool
 RBACPermissionCache bool
+ // Undocumented option as a backup in case removing builtin-role assignment
+ // fails
+ RBACBuiltInRoleAssignmentEnabled bool
 }
 
 type CommandLineArgs struct {
@@ -1360,6 +1363,7 @@ func readAccessControlSettings(iniFile *ini.File, cfg *Cfg) {
 rbac := iniFile.Section("rbac")
 cfg.RBACEnabled = rbac.Key("enabled").MustBool(true)
 cfg.RBACPermissionCache = rbac.Key("permission_cache").MustBool(true)
+ cfg.RBACBuiltInRoleAssignmentEnabled = rbac.Key("builtin_role_assignment_enabled").MustBool(false)
 }
 
 func readUserSettings(iniFile *ini.File, cfg *Cfg) error {
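Review bot: The comment on the new Cfg field says why it exists but not what it does, which ini key sets it, or when it should go, and since flipping it widens the set of built-in roles every user is assigned it should be findable and understandable from the struct alone. Suggest `// RBACBuiltInRoleAssignmentEnabled ([rbac] builtin_role_assignment_enabled, default false) restores the` / `// legacy expansion of a user's org role into its child built-in roles at lookup time. Undocumented` / `// escape hatch kept only until registration-time inheritance is proven; remove it afterwards.` A TODO naming the tracking issue would make the eventual removal less likely to be forgotten.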
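Review bot: The `+` line in readAccessControlSettings reads an undocumented key that changes effective permissions and leaves no trace when it is set, so an operator who enabled the fallback during an upgrade has nothing in the logs to remind them it is still on. Defaulting through `MustBool(false)` is the right direction; add a warning when the value is true, e.g. `if cfg.RBACBuiltInRoleAssignmentEnabled { logger.Warn("Legacy built-in role assignment enabled via [rbac] builtin_role_assignment_enabled; disable once no longer needed") }`, using whatever logger this package's settings readers have access to (none is visible in the hunk). The function's signature line is outside the hunk.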