Allow --no-rbac flag that allows users to not pass rbac config

go/cmd/vtadmin/main.go

@@ -43,6 +43,8 @@ var (
 	defaultClusterConfig cluster.Config
 
 	rbacConfigPath string
+	enableRbac     bool
+	disableRbac    bool
 
 	traceCloser io.Closer = &noopCloser{}
 
@@ -101,14 +103,20 @@ func run(cmd *cobra.Command, args []string) {
 	}
 
 	var rbacConfig *rbac.Config
-	if rbacConfigPath != "" {
+	if !disableRbac && !enableRbac {
+		fatal("must explicitly enable or disable RBAC by passing --no-rbac or --rbac")
+	}
+	if enableRbac && !disableRbac && rbacConfigPath != "" {
 		cfg, err := rbac.LoadConfig(rbacConfigPath)
 		if err != nil {
 			fatal(err)
 		}
 
 		rbacConfig = cfg
 	}
+	if disableRbac && !enableRbac {
+		rbacConfig = rbac.DefaultConfig()
+	}
 
 	for i, cfg := range configs {
 		cluster, err := cfg.Cluster()
@@ -163,6 +171,8 @@ func main() {
 
 	// rbac flags
 	rootCmd.Flags().StringVar(&rbacConfigPath, "rbac-config", "rbac.yaml", "")
+	rootCmd.Flags().BoolVar(&enableRbac, "rbac", false, "whether to enable rbac")
+	rootCmd.Flags().BoolVar(&disableRbac, "no-rbac", false, "whether to disable rbac")
 
 	// glog flags, no better way to do this
 	rootCmd.Flags().AddGoFlag(flag.Lookup("v"))

go/vt/vtadmin/api.go

@@ -225,6 +225,7 @@ func (api *API) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		api.Handler().ServeHTTP(w, r)
 		return
 	}
+
 	dynamicAPI := &API{
 		clusters:   api.clusters,
 		clusterMap: api.clusterMap,

go/vt/vtadmin/rbac/config.go

@@ -163,3 +163,41 @@ func (c *Config) GetAuthenticator() Authenticator {
 func (c *Config) GetAuthorizer() *Authorizer {
 	return c.authorizer
 }
+
+func DefaultConfig() *Config {
+	log.Info("[rbac]: using default rbac configuration")
+	actions := []string{"get", "create", "delete", "put", "ping"}
+	subjects := []string{"*"}
+	clusters := []string{"*"}
+
+	cfg := map[string][]*Rule{
+		"*": {
+			{
+				clusters: sets.NewString(clusters...),
+				actions:  sets.NewString(actions...),
+				subjects: sets.NewString(subjects...),
+			},
+		},
+	}
+
+	return &Config{
+		Rules: []*struct {
+			Resource string
+			Actions  []string
+			Subjects []string
+			Clusters []string
+		}{
+			{
+				Resource: "*",
+				Actions:  actions,
+				Subjects: subjects,
+				Clusters: clusters,
+			},
+		},
+		cfg: cfg,
+		authorizer: &Authorizer{
+			policies: cfg,
+		},
+		authenticator: nil,
+	}
+}