remove deprecated rbac workaround (#4377)

## Checklist

- [x] Unit, integration, and e2e (if applicable) tests updated
- [x] Documentation added (or `pr:no public docs` PR label added if not
required)
- [x] Added the relevant release notes label (see labels prefixed w/
`release:`). These labels dictate how your PR will
    show up in the autogenerated release notes.

engine/apps/user_management/models/organization.py

@@ -1,5 +1,4 @@
 import logging
-import math
 import typing
 import uuid
 from urllib.parse import urljoin
@@ -345,20 +344,6 @@ class Organization(MaintainableObject):
             .distinct()
         )
 
-    def should_be_considered_for_rbac_permissioning(self) -> bool:
-        """
-        this is sort of a hacky workaround to address a cloud issue we introduced with the accessControlOncall
-        feature flag. The flag is technically enabled for all stacks, but the way in which OnCall used to be
-        reading it (via GCOM config.feature_flags for the stack) made it such that RBAC wasn't actually being
-        enabled for most stacks from the oncall backend perspective. Once we change things to start HEADing
-        the permissions search endpoint, this will effectively turn on RBAC for all orgs.. soo instead lets
-        slowly turn it on via the logic here
-        """
-        # if rbac permissions are already enabled for the org, they're "grandfathered" in
-        if self.is_rbac_permissions_enabled:
-            return True
-        return self.id <= math.floor(Organization.objects.last().id * settings.CLOUD_RBAC_ROLLOUT_PERCENTAGE)
-
     @property
     def web_link(self):
         return urljoin(self.grafana_url, "a/grafana-oncall-app/")

engine/apps/user_management/sync.py

@@ -43,9 +43,7 @@ def _sync_organization(organization: Organization) -> None:
         stack_id = organization.stack_id
         gcom_client = GcomAPIClient(settings.GRAFANA_COM_ADMIN_API_TOKEN)
 
-        if not organization.should_be_considered_for_rbac_permissioning():
-            rbac_is_enabled = False
-        elif gcom_client.is_stack_active(stack_id):
+        if gcom_client.is_stack_active(stack_id):
             # the stack MUST be active for this check.. if it is in any other state
             # the Grafana API risks returning an HTTP 200 but the actual permissions data that is
             # synced later on will be empty (and we'd erase all RBAC permissions stored in OnCall)

engine/apps/user_management/tests/test_sync.py

@@ -288,37 +288,28 @@ def test_sync_organization_is_rbac_permissions_enabled_open_source(make_organiza
 
 
 @pytest.mark.parametrize(
-    "should_be_considered_for_rbac_permissioning,gcom_api_response,grafana_api_response,org_initial_value,org_is_rbac_permissions_enabled_expected_value",
+    "gcom_api_response,grafana_api_response,org_initial_value,org_is_rbac_permissions_enabled_expected_value",
     [
-        # org shouldn't be considered for RBAC permissioning
-        (False, True, True, True, False),
-        # org should be considered for RBAC permissioning
-        #
         # stack is in an inactive state, rely on org's previous state of is_rbac_permissions_enabled
-        (True, False, False, False, False),
-        (True, False, False, True, True),
+        (False, False, False, False),
+        (False, False, True, True),
         # stack is active, Grafana API tells us RBAC is not enabled
-        (True, True, False, True, False),
+        (True, False, True, False),
         # stack is active, Grafana API tells us RBAC is enabled
-        (True, True, True, False, True),
+        (True, True, False, True),
     ],
 )
-@patch("apps.user_management.models.Organization.should_be_considered_for_rbac_permissioning")
 @patch("apps.user_management.sync.GcomAPIClient")
 @override_settings(LICENSE=settings.CLOUD_LICENSE_NAME)
 @pytest.mark.django_db
 def test_sync_organization_is_rbac_permissions_enabled_cloud(
     mock_gcom_client,
-    mock_should_be_considered_for_rbac_permissioning,
     make_organization,
-    should_be_considered_for_rbac_permissioning,
     gcom_api_response,
     grafana_api_response,
     org_initial_value,
     org_is_rbac_permissions_enabled_expected_value,
 ):
-    mock_should_be_considered_for_rbac_permissioning.return_value = should_be_considered_for_rbac_permissioning
-
     stack_id = 5
     organization = make_organization(stack_id=stack_id, is_rbac_permissions_enabled=org_initial_value)
     mock_gcom_client.return_value.is_stack_active.return_value = gcom_api_response
@@ -332,11 +323,10 @@ def test_sync_organization_is_rbac_permissions_enabled_cloud(
 
     assert organization.is_rbac_permissions_enabled == org_is_rbac_permissions_enabled_expected_value
 
-    if should_be_considered_for_rbac_permissioning:
-        mock_gcom_client.return_value.is_stack_active.assert_called_once_with(stack_id)
+    mock_gcom_client.return_value.is_stack_active.assert_called_once_with(stack_id)
 
-        if gcom_api_response:
-            mock_grafana_api_client.return_value.is_rbac_enabled_for_organization.assert_called_once_with()
+    if gcom_api_response:
+        mock_grafana_api_client.return_value.is_rbac_enabled_for_organization.assert_called_once_with()
 
 
 @pytest.mark.django_db

engine/settings/base.py

@@ -7,7 +7,7 @@ from random import randrange
 from celery.schedules import crontab
 from firebase_admin import credentials, initialize_app
 
-from common.utils import getenv_boolean, getenv_float, getenv_integer, getenv_list
+from common.utils import getenv_boolean, getenv_integer, getenv_list
 
 VERSION = "dev-oss"
 SEND_ANONYMOUS_USAGE_STATS = getenv_boolean("SEND_ANONYMOUS_USAGE_STATS", default=True)
@@ -914,5 +914,3 @@ ZVONOK_VERIFICATION_TEMPLATE = os.getenv("ZVONOK_VERIFICATION_TEMPLATE", None)
 DETACHED_INTEGRATIONS_SERVER = getenv_boolean("DETACHED_INTEGRATIONS_SERVER", default=False)
 
 ACKNOWLEDGE_REMINDER_TASK_EXPIRY_DAYS = os.environ.get("ACKNOWLEDGE_REMINDER_TASK_EXPIRY_DAYS", default=14)
-
-CLOUD_RBAC_ROLLOUT_PERCENTAGE = getenv_float("CLOUD_RBAC_ROLLOUT_PERCENTAGE", default=0.0)