diff --git a/engine/apps/user_management/models/organization.py b/engine/apps/user_management/models/organization.py
index 5db1cd0c..8564a195 100644
--- a/engine/apps/user_management/models/organization.py
+++ b/engine/apps/user_management/models/organization.py
@@ -1,5 +1,4 @@
 import logging
-import math
 import typing
 import uuid
 from urllib.parse import urljoin
@@ -345,20 +344,6 @@ class Organization(MaintainableObject):
 .distinct()
 )
- def should_be_considered_for_rbac_permissioning(self) -> bool:
- """
- this is sort of a hacky workaround to address a cloud issue we introduced with the accessControlOncall
- feature flag. The flag is technically enabled for all stacks, but the way in which OnCall used to be
- reading it (via GCOM config.feature_flags for the stack) made it such that RBAC wasn't actually being
- enabled for most stacks from the oncall backend perspective. Once we change things to start HEADing
- the permissions search endpoint, this will effectively turn on RBAC for all orgs.. soo instead lets
- slowly turn it on via the logic here
- """
- # if rbac permissions are already enabled for the org, they're "grandfathered" in
- if self.is_rbac_permissions_enabled:
- return True
- return self.id <= math.floor(Organization.objects.last().id * settings.CLOUD_RBAC_ROLLOUT_PERCENTAGE)
-
 @property
 def web_link(self):
 return urljoin(self.grafana_url, "a/grafana-oncall-app/")
diff --git a/engine/apps/user_management/sync.py b/engine/apps/user_management/sync.py
index e6c6008d..6000a9d1 100644
--- a/engine/apps/user_management/sync.py
+++ b/engine/apps/user_management/sync.py
@@ -43,9 +43,7 @@ def _sync_organization(organization: Organization) -> None:
 stack_id = organization.stack_id
 gcom_client = GcomAPIClient(settings.GRAFANA_COM_ADMIN_API_TOKEN)
- if not organization.should_be_considered_for_rbac_permissioning():
- rbac_is_enabled = False
- elif gcom_client.is_stack_active(stack_id):
+ if gcom_client.is_stack_active(stack_id):
 # the stack MUST be active for this check.. if it is in any other state
 # the Grafana API risks returning an HTTP 200 but the actual permissions data that is
 # synced later on will be empty (and we'd erase all RBAC permissions stored in OnCall)
diff --git a/engine/apps/user_management/tests/test_sync.py b/engine/apps/user_management/tests/test_sync.py
index 131893ab..7502557c 100644
--- a/engine/apps/user_management/tests/test_sync.py
+++ b/engine/apps/user_management/tests/test_sync.py
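Review bot: With the rollout gate gone, `gcom_client.is_stack_active(stack_id)` is the only condition in front of the RBAC check for every cloud organization, and the comment under it does not say what happens when the GCOM call fails or times out instead of returning a clean "inactive" answer. The comment already explains that querying a non-active stack risks erasing the RBAC permissions stored in OnCall, so the failure case deserves the same care; I would add a line such as `# a GCOM error must be treated like "not active": keep the org's current is_rbac_permissions_enabled, never reset it`. The branch body and the fallback path lie outside this hunk, so whether the code actually behaves that way has to be confirmed there. Because this change can switch an organization's authorization model on its next sync, logging the old and new value of `is_rbac_permissions_enabled` when they differ would make an unexpected flip traceable.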
@@ -288,37 +288,28 @@ def test_sync_organization_is_rbac_permissions_enabled_open_source(make_organiza
 @pytest.mark.parametrize(
- "should_be_considered_for_rbac_permissioning,gcom_api_response,grafana_api_response,org_initial_value,org_is_rbac_permissions_enabled_expected_value",
+ "gcom_api_response,grafana_api_response,org_initial_value,org_is_rbac_permissions_enabled_expected_value",
 [
- # org shouldn't be considered for RBAC permissioning
- (False, True, True, True, False),
- # org should be considered for RBAC permissioning
- #
 # stack is in an inactive state, rely on org's previous state of is_rbac_permissions_enabled
- (True, False, False, False, False),
- (True, False, False, True, True),
+ (False, False, False, False),
+ (False, False, True, True),
 # stack is active, Grafana API tells us RBAC is not enabled
- (True, True, False, True, False),
+ (True, False, True, False),
 # stack is active, Grafana API tells us RBAC is enabled
- (True, True, True, False, True),
+ (True, True, False, True),
 ],
 )
-@patch("apps.user_management.models.Organization.should_be_considered_for_rbac_permissioning")
 @patch("apps.user_management.sync.GcomAPIClient")
 @override_settings(LICENSE=settings.CLOUD_LICENSE_NAME)
 @pytest.mark.django_db
 def test_sync_organization_is_rbac_permissions_enabled_cloud(
 mock_gcom_client,
- mock_should_be_considered_for_rbac_permissioning,
 make_organization,
- should_be_considered_for_rbac_permissioning,
 gcom_api_response,
 grafana_api_response,
 org_initial_value,
 org_is_rbac_permissions_enabled_expected_value,
 ):
- mock_should_be_considered_for_rbac_permissioning.return_value = should_be_considered_for_rbac_permissioning
-
 stack_id = 5
 organization = make_organization(stack_id=stack_id, is_rbac_permissions_enabled=org_initial_value)
 mock_gcom_client.return_value.is_stack_active.return_value = gcom_api_response
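Review bot: Both inactive-stack rows in the parametrize list pair `gcom_api_response=False` with `grafana_api_response=False`, so nothing here proves that the Grafana answer is ignored when the stack is not active. Going by the retained comment ("rely on org's previous state of is_rbac_permissions_enabled"), adding `(False, True, False, False)` and `(False, True, True, True)` would pin that the org keeps its stored value even when the Grafana API would report RBAC as enabled. That is the situation the comment in `_sync_organization` warns about, and it now applies to every cloud org rather than a rollout subset. The test function body continues past the end of this hunk.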
@@ -332,11 +323,10 @@ def test_sync_organization_is_rbac_permissions_enabled_cloud(
 assert organization.is_rbac_permissions_enabled == org_is_rbac_permissions_enabled_expected_value
- if should_be_considered_for_rbac_permissioning:
- mock_gcom_client.return_value.is_stack_active.assert_called_once_with(stack_id)
+ mock_gcom_client.return_value.is_stack_active.assert_called_once_with(stack_id)
- if gcom_api_response:
- mock_grafana_api_client.return_value.is_rbac_enabled_for_organization.assert_called_once_with()
+ if gcom_api_response:
+ mock_grafana_api_client.return_value.is_rbac_enabled_for_organization.assert_called_once_with()
 @pytest.mark.django_db
diff --git a/engine/settings/base.py b/engine/settings/base.py
index 48c9e16b..ecdac1a1 100644
--- a/engine/settings/base.py
+++ b/engine/settings/base.py
@@ -7,7 +7,7 @@ from random import randrange
 from celery.schedules import crontab
 from firebase_admin import credentials, initialize_app
-from common.utils import getenv_boolean, getenv_float, getenv_integer, getenv_list
+from common.utils import getenv_boolean, getenv_integer, getenv_list
 VERSION = "dev-oss"
 SEND_ANONYMOUS_USAGE_STATS = getenv_boolean("SEND_ANONYMOUS_USAGE_STATS", default=True)
@@ -914,5 +914,3 @@ ZVONOK_VERIFICATION_TEMPLATE = os.getenv("ZVONOK_VERIFICATION_TEMPLATE", None)
 DETACHED_INTEGRATIONS_SERVER = getenv_boolean("DETACHED_INTEGRATIONS_SERVER", default=False)
 ACKNOWLEDGE_REMINDER_TASK_EXPIRY_DAYS = os.environ.get("ACKNOWLEDGE_REMINDER_TASK_EXPIRY_DAYS", default=14)
-
-CLOUD_RBAC_ROLLOUT_PERCENTAGE = getenv_float("CLOUD_RBAC_ROLLOUT_PERCENTAGE", default=0.0)
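Review bot: In the test_sync.py hunk the Grafana mock is only checked when `gcom_api_response` is true, so a regression that calls `is_rbac_enabled_for_organization` for an inactive stack would still pass. An `else:` branch with `mock_grafana_api_client.return_value.is_rbac_enabled_for_organization.assert_not_called()` would cover the path the sync code's comment describes as risking erased permissions. The patch that creates `mock_grafana_api_client` sits outside this hunk, so this assumes the mock is in place for every parametrized case.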