From 79ae37256d883e539ddcc6bb4ea2bf65d91b6ec5 Mon Sep 17 00:00:00 2001
From: Jaromir Wysoglad
Date: Wed, 2 Apr 2025 12:02:48 -0400
Subject: [PATCH] Deprecate the prometheus_disable_rbac cfg option
The current implementation of the observabilityclient rbac feature can't be used by services, it's usable by regular users only. Using this feature can cause some Prometheus type alarms to not work correctly and end up in the "insufficient data" state. This change deprecates this config option and hardcodes it to "True" for disabling the feature.
Closes-Bug: #2106029
Change-Id: I2146e8e753fd7b1214ff583d9d85bbd71bd36fed
---
 aodh/evaluator/prometheus.py | 11 ++++++++---
 .../fix-prometheus-alarm-rbac-6ee2f0abbd060184.yaml | 10 ++++++++++
 2 files changed, 18 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/fix-prometheus-alarm-rbac-6ee2f0abbd060184.yaml
diff --git a/aodh/evaluator/prometheus.py b/aodh/evaluator/prometheus.py
index 6467867ef..22a4d024a 100644
--- a/aodh/evaluator/prometheus.py
+++ b/aodh/evaluator/prometheus.py
@@ -26,7 +26,13 @@ LOG = log.getLogger(__name__)
 OPTS = [
 cfg.BoolOpt('prometheus_disable_rbac',
 default=False,
- help='Disable RBAC for Prometheus evaluator.'),
+ help='Disable RBAC for Prometheus evaluator.',
+ deprecated_for_removal=True,
+ deprecated_reason="Prometheus RBAC is always disabled. "
+ "It's not possible to correctly use "
+ "client-side rbac enforcement from within "
+ "services. Using it can cause issues.",
+ deprecated_since="Flamingo")
 ]


@@ -34,7 +40,6 @@ class PrometheusBase(threshold.ThresholdEvaluator):
 def __init__(self, conf):
 super(PrometheusBase, self).__init__(conf)
 self._set_obsclient(conf)
- self._no_rbac = conf.prometheus_disable_rbac

 def _set_obsclient(self, conf):
 session = keystone_client.get_session(conf)
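Review bot: In the `OPTS` entry, `help='Disable RBAC for Prometheus evaluator.'` and `default=False` still describe a switch that has an effect, while the other hunks of this commit stop reading the option and always pass `disable_rbac=True`. An operator who reads only the option name, default and help text would conclude that client-side RBAC is on unless they turn it off, which is the opposite of what now runs. I would reword the help to say the value is ignored, for example `help='Deprecated and ignored: client-side RBAC is always disabled for the Prometheus evaluator.',`, and leave the explanation in `deprecated_reason` as it is.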
@@ -44,7 +49,7 @@ class PrometheusBase(threshold.ThresholdEvaluator):

 def _get_metric_data(self, query):
 LOG.debug(f'Querying Prometheus instance on: {query}')
- return self._prom.query.query(query, disable_rbac=self._no_rbac)
+ return self._prom.query.query(query, disable_rbac=True)


 class PrometheusEvaluator(PrometheusBase):
diff --git a/releasenotes/notes/fix-prometheus-alarm-rbac-6ee2f0abbd060184.yaml b/releasenotes/notes/fix-prometheus-alarm-rbac-6ee2f0abbd060184.yaml
new file mode 100644
index 000000000..679f8295b
--- /dev/null
+++ b/releasenotes/notes/fix-prometheus-alarm-rbac-6ee2f0abbd060184.yaml
@@ -0,0 +1,10 @@
+---
+deprecations:
+ - >
+ Deprecate the prometheus_disable_rbac config option.
+ The observabilityclient rbac feature isn't meant for services and will
+ always be disabled from now on.
+fixes:
+ - >
+ [`bug 2106029 `_]
+ Fix Prometheus type queries misusing observabilityclient rbac feature.
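Review bot: The literal `disable_rbac=True` in `_get_metric_data` carries no comment, yet it is the line that decides every alarm query is sent to Prometheus without the client's RBAC handling. The commit message explains that observabilityclient's RBAC only works with regular-user credentials, so the choice looks right for a service. It does mean that any per-project restriction on what an alarm's query may read has to be enforced elsewhere, presumably where the alarm rule is accepted; that code is not in this diff and is worth confirming. I would add above the return `# observabilityclient RBAC only works with end-user credentials (bug 2106029); the query is sent as stored, so project scoping must be enforced before the rule is saved.`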