Allow --no-rbac flag that allows users to not pass rbac config (#9972)

* Allow --no-rbac flag that allows users to not pass rbac config

Signed-off-by: notfelineit <notfelineit@gmail.com>

* Address PR comments

Signed-off-by: notfelineit <notfelineit@gmail.com>

* Update go/cmd/vtadmin/main.go

Co-authored-by: Andrew Mason <andrew@planetscale.com>

* Remove [rbac] prefix in error mssging

Signed-off-by: notfelineit <notfelineit@gmail.com>

Co-authored-by: Andrew Mason <andrew@planetscale.com>

go/cmd/vtadmin/main.go

@@ -43,6 +43,8 @@ var (
 	defaultClusterConfig cluster.Config
 
 	rbacConfigPath string
+	enableRBAC     bool
+	disableRBAC    bool
 
 	traceCloser io.Closer = &noopCloser{}
 
@@ -101,13 +103,19 @@ func run(cmd *cobra.Command, args []string) {
 	}
 
 	var rbacConfig *rbac.Config
-	if rbacConfigPath != "" {
+	if disableRBAC {
+		rbacConfig = rbac.DefaultConfig()
+	} else if enableRBAC && rbacConfigPath != "" {
 		cfg, err := rbac.LoadConfig(rbacConfigPath)
 		if err != nil {
 			fatal(err)
 		}
 
 		rbacConfig = cfg
+	} else if enableRBAC && rbacConfigPath == "" {
+		fatal("must pass --rbac-config path when enabling rbac")
+	} else {
+		fatal("must explicitly enable or disable RBAC by passing --no-rbac or --rbac")
 	}
 
 	for i, cfg := range configs {
@@ -162,7 +170,9 @@ func main() {
 	rootCmd.Flags().BoolVar(&httpOpts.EnableDynamicClusters, "http-enable-dynamic-clusters", false, "whether to enable dynamic clusters that are set by request header cookies")
 
 	// rbac flags
-	rootCmd.Flags().StringVar(&rbacConfigPath, "rbac-config", "rbac.yaml", "")
+	rootCmd.Flags().StringVar(&rbacConfigPath, "rbac-config", "", "path to an RBAC config file. must be set if passing --rbac")
+	rootCmd.Flags().BoolVar(&enableRBAC, "rbac", false, "whether to enable RBAC. must be set if not passing --rbac")
+	rootCmd.Flags().BoolVar(&disableRBAC, "no-rbac", false, "whether to disable RBAC. must be set if not passing --no-rbac")
 
 	// glog flags, no better way to do this
 	rootCmd.Flags().AddGoFlag(flag.Lookup("v"))

go/vt/vtadmin/api.go

@@ -225,6 +225,7 @@ func (api *API) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		api.Handler().ServeHTTP(w, r)
 		return
 	}
+
 	dynamicAPI := &API{
 		clusters:   api.clusters,
 		clusterMap: api.clusterMap,

go/vt/vtadmin/rbac/config.go

@@ -163,3 +163,43 @@ func (c *Config) GetAuthenticator() Authenticator {
 func (c *Config) GetAuthorizer() *Authorizer {
 	return c.authorizer
 }
+
+// DefaultConfig returns a default config that allows all actions on all resources
+// It is mainly used in the case where users explicitly pass --no-rbac flag.
+func DefaultConfig() *Config {
+	log.Info("[rbac]: using default rbac configuration")
+	actions := []string{string(GetAction), string(CreateAction), string(DeleteAction), string(PutAction), string(PingAction)}
+	subjects := []string{"*"}
+	clusters := []string{"*"}
+
+	cfg := map[string][]*Rule{
+		"*": {
+			{
+				clusters: sets.NewString(clusters...),
+				actions:  sets.NewString(actions...),
+				subjects: sets.NewString(subjects...),
+			},
+		},
+	}
+
+	return &Config{
+		Rules: []*struct {
+			Resource string
+			Actions  []string
+			Subjects []string
+			Clusters []string
+		}{
+			{
+				Resource: "*",
+				Actions:  actions,
+				Subjects: subjects,
+				Clusters: clusters,
+			},
+		},
+		cfg: cfg,
+		authorizer: &Authorizer{
+			policies: cfg,
+		},
+		authenticator: nil,
+	}
+}