Allow --no-rbac flag that allows users to not pass rbac config (#9972)

* Allow --no-rbac flag that allows users to not pass rbac config Signed-off-by: notfelineit <notfelineit@gmail.com> * Address PR comments Signed-off-by: notfelineit <notfelineit@gmail.com> * Update go/cmd/vtadmin/main.go Co-authored-by: Andrew Mason <andrew@planetscale.com> * Remove [rbac] prefix in error mssging Signed-off-by: notfelineit <notfelineit@gmail.com> Co-authored-by: Andrew Mason <andrew@planetscale.com>
2022-03-25 11:59:01 -07:00 · 2022-03-25 11:59:01 -07:00 · c82d09aebf
--- a/go/cmd/vtadmin/main.go
+++ b/go/cmd/vtadmin/main.go
@ -43,6 +43,8 @@ var (
 	defaultClusterConfig cluster.Config

 	rbacConfigPath string
+	enableRBAC     bool
+	disableRBAC    bool

 	traceCloser io.Closer = &noopCloser{}

@ -101,13 +103,19 @@ func run(cmd *cobra.Command, args []string) {
 	}

 	var rbacConfig *rbac.Config
-	if rbacConfigPath != "" {
+	if disableRBAC {
+		rbacConfig = rbac.DefaultConfig()
+	} else if enableRBAC && rbacConfigPath != "" {
 		cfg, err := rbac.LoadConfig(rbacConfigPath)
 		if err != nil {
 			fatal(err)
 		}

 		rbacConfig = cfg
+	} else if enableRBAC && rbacConfigPath == "" {
+		fatal("must pass --rbac-config path when enabling rbac")
+	} else {
+		fatal("must explicitly enable or disable RBAC by passing --no-rbac or --rbac")
 	}

 	for i, cfg := range configs {
@ -162,7 +170,9 @@ func main() {
 	rootCmd.Flags().BoolVar(&httpOpts.EnableDynamicClusters, "http-enable-dynamic-clusters", false, "whether to enable dynamic clusters that are set by request header cookies")

 	// rbac flags
-	rootCmd.Flags().StringVar(&rbacConfigPath, "rbac-config", "rbac.yaml", "")
+	rootCmd.Flags().StringVar(&rbacConfigPath, "rbac-config", "", "path to an RBAC config file. must be set if passing --rbac")
+	rootCmd.Flags().BoolVar(&enableRBAC, "rbac", false, "whether to enable RBAC. must be set if not passing --rbac")
+	rootCmd.Flags().BoolVar(&disableRBAC, "no-rbac", false, "whether to disable RBAC. must be set if not passing --no-rbac")

 	// glog flags, no better way to do this
 	rootCmd.Flags().AddGoFlag(flag.Lookup("v"))
--- a/go/vt/vtadmin/api.go
+++ b/go/vt/vtadmin/api.go
@ -225,6 +225,7 @@ func (api *API) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		api.Handler().ServeHTTP(w, r)
 		return
 	}
+
 	dynamicAPI := &API{
 		clusters:   api.clusters,
 		clusterMap: api.clusterMap,
--- a/go/vt/vtadmin/rbac/config.go
+++ b/go/vt/vtadmin/rbac/config.go
@ -163,3 +163,43 @@ func (c *Config) GetAuthenticator() Authenticator {
 func (c *Config) GetAuthorizer() *Authorizer {
 	return c.authorizer
 }
+
+// DefaultConfig returns a default config that allows all actions on all resources
+// It is mainly used in the case where users explicitly pass --no-rbac flag.
+func DefaultConfig() *Config {
+	log.Info("[rbac]: using default rbac configuration")
+	actions := []string{string(GetAction), string(CreateAction), string(DeleteAction), string(PutAction), string(PingAction)}
+	subjects := []string{"*"}
+	clusters := []string{"*"}
+
+	cfg := map[string][]*Rule{
+		"*": {
+			{
+				clusters: sets.NewString(clusters...),
+				actions:  sets.NewString(actions...),
+				subjects: sets.NewString(subjects...),
+			},
+		},
+	}
+
+	return &Config{
+		Rules: []*struct {
+			Resource string
+			Actions  []string
+			Subjects []string
+			Clusters []string
+		}{
+			{
+				Resource: "*",
+				Actions:  actions,
+				Subjects: subjects,
+				Clusters: clusters,
+			},
+		},
+		cfg: cfg,
+		authorizer: &Authorizer{
+			policies: cfg,
+		},
+		authenticator: nil,
+	}
+}