Deprecate the prometheus_disable_rbac cfg option

The current implementation of the observabilityclient rbac feature can't be used by services, it's usable by regular users only. Using this feature can cause some Prometheus type alarms to not work correctly and end up in the "insufficient data" state. This change deprecates this config option and hardcodes it to "True" for disabling the feature. Closes-Bug: #2106029 Change-Id: I2146e8e753fd7b1214ff583d9d85bbd71bd36fed
2025-04-02 12:02:48 -04:00 · 2025-04-02 12:02:48 -04:00 · 79ae37256d
commit 79ae37256d
parent d8d4d94383
2 changed files with 18 additions and 3 deletions
--- a/aodh/evaluator/prometheus.py
+++ b/aodh/evaluator/prometheus.py
@ -26,7 +26,13 @@ LOG = log.getLogger(__name__)
 OPTS = [
    cfg.BoolOpt('prometheus_disable_rbac',
                default=False,
-                help='Disable RBAC for Prometheus evaluator.'),
+                help='Disable RBAC for Prometheus evaluator.',
+                deprecated_for_removal=True,
+                deprecated_reason="Prometheus RBAC is always disabled. "
+                                  "It's not possible to correctly use "
+                                  "client-side rbac enforcement from within "
+                                  "services. Using it can cause issues.",
+                deprecated_since="Flamingo")
 ]


@ -34,7 +40,6 @@ class PrometheusBase(threshold.ThresholdEvaluator):
    def __init__(self, conf):
        super(PrometheusBase, self).__init__(conf)
        self._set_obsclient(conf)
-        self._no_rbac = conf.prometheus_disable_rbac

    def _set_obsclient(self, conf):
        session = keystone_client.get_session(conf)
@ -44,7 +49,7 @@ class PrometheusBase(threshold.ThresholdEvaluator):

    def _get_metric_data(self, query):
        LOG.debug(f'Querying Prometheus instance on: {query}')
-        return self._prom.query.query(query, disable_rbac=self._no_rbac)
+        return self._prom.query.query(query, disable_rbac=True)


 class PrometheusEvaluator(PrometheusBase):
--- a/releasenotes/notes/fix-prometheus-alarm-rbac-6ee2f0abbd060184.yaml
+++ b/releasenotes/notes/fix-prometheus-alarm-rbac-6ee2f0abbd060184.yaml
@ -0,0 +1,10 @@
+---
+deprecations:
+  - >
+    Deprecate the prometheus_disable_rbac config option.
+    The observabilityclient rbac feature isn't meant for services and will
+    always be disabled from now on.
+fixes:
+  - >
+    [`bug 2106029 <https://bugs.launchpad.net/aodh/+bug/2106029>`_]
+    Fix Prometheus type queries misusing observabilityclient rbac feature.