diff --git a/aodh/evaluator/prometheus.py b/aodh/evaluator/prometheus.py index 6467867ef..22a4d024a 100644 --- a/aodh/evaluator/prometheus.py +++ b/aodh/evaluator/prometheus.py @@ -26,7 +26,13 @@ LOG = log.getLogger(__name__) OPTS = [ cfg.BoolOpt('prometheus_disable_rbac', default=False, - help='Disable RBAC for Prometheus evaluator.'), + help='Disable RBAC for Prometheus evaluator.', + deprecated_for_removal=True, + deprecated_reason="Prometheus RBAC is always disabled. " + "It's not possible to correctly use " + "client-side rbac enforcement from within " + "services. Using it can cause issues.", + deprecated_since="Flamingo") ] @@ -34,7 +40,6 @@ class PrometheusBase(threshold.ThresholdEvaluator): def __init__(self, conf): super(PrometheusBase, self).__init__(conf) self._set_obsclient(conf) - self._no_rbac = conf.prometheus_disable_rbac def _set_obsclient(self, conf): session = keystone_client.get_session(conf) @@ -44,7 +49,7 @@ class PrometheusBase(threshold.ThresholdEvaluator): def _get_metric_data(self, query): LOG.debug(f'Querying Prometheus instance on: {query}') - return self._prom.query.query(query, disable_rbac=self._no_rbac) + return self._prom.query.query(query, disable_rbac=True) class PrometheusEvaluator(PrometheusBase): diff --git a/releasenotes/notes/fix-prometheus-alarm-rbac-6ee2f0abbd060184.yaml b/releasenotes/notes/fix-prometheus-alarm-rbac-6ee2f0abbd060184.yaml new file mode 100644 index 000000000..679f8295b --- /dev/null +++ b/releasenotes/notes/fix-prometheus-alarm-rbac-6ee2f0abbd060184.yaml @@ -0,0 +1,10 @@ +--- +deprecations: + - > + Deprecate the prometheus_disable_rbac config option. + The observabilityclient rbac feature isn't meant for services and will + always be disabled from now on. +fixes: + - > + [`bug 2106029 `_] + Fix Prometheus type queries misusing observabilityclient rbac feature.