pkg/registry/apis/iam/authorizer.go

@@ -24,7 +24,6 @@ func newIAMAuthorizer(accessClient authlib.AccessClient, legacyAccessClient auth
 	// Identity specific resources
 	legacyAuthorizer := gfauthorizer.NewResourceAuthorizer(legacyAccessClient)
 	resourceAuthorizer[iamv0.TeamResourceInfo.GetName()] = legacyAuthorizer
-	resourceAuthorizer[iamv0.TeamBindingResourceInfo.GetName()] = legacyAuthorizer
 	resourceAuthorizer["display"] = legacyAuthorizer
 
 	// Access specific resources

pkg/registry/apis/iam/legacy/create_team_member_query.sql

@@ -1,5 +1,5 @@
 INSERT INTO {{ .Ident .TeamMemberTable }}
-  (team_id, user_id, org_id, created, updated, external, permission)
+  (team_id, user_id, created, updated, external, permission)
 VALUES
-  ({{ .Arg .Command.TeamID }}, {{ .Arg .Command.UserID }}, {{ .Arg .Command.OrgID }}, {{ .Arg .Command.Created }},
+  ({{ .Arg .Command.TeamID }}, {{ .Arg .Command.UserID }}, {{ .Arg .Command.Created }},
   {{ .Arg .Command.Updated }}, {{ .Arg .Command.External }}, {{ .Arg .Command.Permission }})

pkg/registry/apis/iam/legacy/sql_test.go

@@ -226,8 +226,7 @@ func TestIdentityQueries(t *testing.T) {
 					Name: "team_1_bindings",
 					Data: listTeamBindings(&ListTeamBindingsQuery{
 						OrgID:      1,
-						TeamID:     1,
+						UID:        "team-1",
-						UserID:     1,
 						Pagination: common.Pagination{Limit: 1},
 					}),
 				},

pkg/registry/apis/iam/legacy/team.go

@@ -414,8 +414,8 @@ func (s *legacySQLStore) DeleteTeam(ctx context.Context, ns claims.NamespaceInfo
 }
 
 type ListTeamBindingsQuery struct {
-	TeamID     int64
+	// UID is team uid to list bindings for. If not set store should list bindings for all teams
-	UserID     int64
+	UID        string
 	OrgID      int64
 	Pagination common.Pagination
 }
@@ -432,7 +432,6 @@ type TeamMember struct {
 	TeamUID    string
 	UserID     int64
 	UserUID    string
-	OrgID      int64
 	Name       string
 	Email      string
 	Username   string
@@ -487,7 +486,7 @@ func (s *legacySQLStore) ListTeamBindings(ctx context.Context, ns claims.Namespa
 	req := newListTeamBindings(sql, &query)
 	q, err := sqltemplate.Execute(sqlQueryTeamBindingsTemplate, req)
 	if err != nil {
-		return nil, fmt.Errorf("execute template %q: %w", sqlQueryTeamBindingsTemplate.Name(), err)
+		return nil, fmt.Errorf("execute template %q: %w", sqlQueryTeamsTemplate.Name(), err)
 	}
 
 	rows, err := sql.DB.GetSqlxSession().Query(ctx, q, req.GetArgs()...)
@@ -509,7 +508,7 @@ func (s *legacySQLStore) ListTeamBindings(ctx context.Context, ns claims.Namespa
 
 	for rows.Next() {
 		m := TeamMember{}
-		err = rows.Scan(&m.ID, &m.TeamUID, &m.TeamID, &m.UserUID, &m.UserID, &m.Created, &m.Updated, &m.Permission)
+		err = rows.Scan(&m.ID, &m.TeamUID, &m.TeamID, &m.UserUID, &m.Created, &m.Updated, &m.Permission)
 		if err != nil {
 			return res, err
 		}
@@ -523,15 +522,16 @@ func (s *legacySQLStore) ListTeamBindings(ctx context.Context, ns claims.Namespa
 		}
 	}
 
+	if query.UID == "" {
+		res.RV, err = sql.GetResourceVersion(ctx, "team_member", "updated")
+	}
+
 	return res, err
 }
 
 type CreateTeamMemberCommand struct {
 	TeamID     int64
-	TeamUID    string
 	UserID     int64
-	UserUID    string
-	OrgID      int64
 	Created    DBTime
 	Updated    DBTime
 	External   bool
@@ -566,11 +566,6 @@ func (s *legacySQLStore) CreateTeamMember(ctx context.Context, ns claims.Namespa
 	now := time.Now().UTC().Truncate(time.Second)
 	cmd.Created = NewDBTime(now)
 	cmd.Updated = NewDBTime(now)
-	cmd.OrgID = ns.OrgID
-
-	if cmd.OrgID == 0 {
-		return nil, fmt.Errorf("expected non zero org id")
-	}
 
 	sql, err := s.sql(ctx)
 	if err != nil {
@@ -594,10 +589,7 @@ func (s *legacySQLStore) CreateTeamMember(ctx context.Context, ns claims.Namespa
 		createdTeamMember = TeamMember{
 			ID:         teamMemberID,
 			TeamID:     cmd.TeamID,
-			TeamUID:    cmd.TeamUID,
 			UserID:     cmd.UserID,
-			UserUID:    cmd.UserUID,
-			OrgID:      cmd.OrgID,
 			Created:    cmd.Created.Time,
 			Updated:    cmd.Updated.Time,
 			External:   cmd.External,

pkg/registry/apis/iam/legacy/team_bindings_query.sql

@@ -1,14 +1,11 @@
-SELECT tm.id as id, t.uid as team_uid, t.id as team_id, u.uid as user_uid, u.id as user_id, tm.created, tm.updated, tm.permission
+SELECT tm.id as id, t.uid as team_uid, t.id as team_id, u.uid as user_uid, tm.created, tm.updated, tm.permission
 FROM {{ .Ident .TeamMemberTable }} tm
 INNER JOIN {{ .Ident .TeamTable }} t ON tm.team_id = t.id
 INNER JOIN {{ .Ident .UserTable }} u ON tm.user_id  = u.id
 WHERE
   tm.org_id = {{ .Arg .Query.OrgID}}
-  {{ if .Query.TeamID }}
+  {{ if .Query.UID }}
-    AND tm.team_id = {{ .Arg .Query.TeamID }}
+    AND t.uid = {{ .Arg .Query.UID }}
-  {{ end }}
-  {{ if .Query.UserID }}
-    AND tm.user_id = {{ .Arg .Query.UserID }}
   {{ end }}
   {{- if .Query.Pagination.Continue }}
     AND tm.id >= {{ .Arg .Query.Pagination.Continue }}

pkg/registry/apis/iam/legacy/testdata/mysql--create_team_member_query-create_team_member.sql

@@ -1,5 +1,5 @@
 INSERT INTO `grafana`.`team_member`
-  (team_id, user_id, org_id, created, updated, external, permission)
+  (team_id, user_id, created, updated, external, permission)
 VALUES
-  (1, 1, 0, '2023-01-01 12:00:00',
+  (1, 1, '2023-01-01 12:00:00',
   '2023-01-01 12:00:00', FALSE, 'Member')

pkg/registry/apis/iam/legacy/testdata/mysql--create_team_member_query-create_team_member_admin.sql

@@ -1,5 +1,5 @@
 INSERT INTO `grafana`.`team_member`
-  (team_id, user_id, org_id, created, updated, external, permission)
+  (team_id, user_id, created, updated, external, permission)
 VALUES
-  (1, 1, 0, '2023-01-01 12:00:00',
+  (1, 1, '2023-01-01 12:00:00',
   '2023-01-01 12:00:00', FALSE, 'Admin')

pkg/registry/apis/iam/legacy/testdata/mysql--team_bindings_query-team_1_bindings.sql

@@ -1,11 +1,10 @@
-SELECT tm.id as id, t.uid as team_uid, t.id as team_id, u.uid as user_uid, u.id as user_id, tm.created, tm.updated, tm.permission
+SELECT tm.id as id, t.uid as team_uid, t.id as team_id, u.uid as user_uid, tm.created, tm.updated, tm.permission
 FROM `grafana`.`team_member` tm
 INNER JOIN `grafana`.`team` t ON tm.team_id = t.id
 INNER JOIN `grafana`.`user` u ON tm.user_id  = u.id
 WHERE
   tm.org_id = 1
-    AND tm.team_id = 1
+    AND t.uid = 'team-1'
-    AND tm.user_id = 1
 AND NOT tm.external
 ORDER BY t.id ASC
 LIMIT 1;

pkg/registry/apis/iam/legacy/testdata/mysql--team_bindings_query-team_bindings_page_1.sql

@@ -1,4 +1,4 @@
-SELECT tm.id as id, t.uid as team_uid, t.id as team_id, u.uid as user_uid, u.id as user_id, tm.created, tm.updated, tm.permission
+SELECT tm.id as id, t.uid as team_uid, t.id as team_id, u.uid as user_uid, tm.created, tm.updated, tm.permission
 FROM `grafana`.`team_member` tm
 INNER JOIN `grafana`.`team` t ON tm.team_id = t.id
 INNER JOIN `grafana`.`user` u ON tm.user_id  = u.id

pkg/registry/apis/iam/legacy/testdata/mysql--team_bindings_query-team_bindings_page_2.sql

@@ -1,4 +1,4 @@
-SELECT tm.id as id, t.uid as team_uid, t.id as team_id, u.uid as user_uid, u.id as user_id, tm.created, tm.updated, tm.permission
+SELECT tm.id as id, t.uid as team_uid, t.id as team_id, u.uid as user_uid, tm.created, tm.updated, tm.permission
 FROM `grafana`.`team_member` tm
 INNER JOIN `grafana`.`team` t ON tm.team_id = t.id
 INNER JOIN `grafana`.`user` u ON tm.user_id  = u.id

pkg/registry/apis/iam/legacy/testdata/postgres--create_team_member_query-create_team_member.sql

@@ -1,5 +1,5 @@
 INSERT INTO "grafana"."team_member"
-  (team_id, user_id, org_id, created, updated, external, permission)
+  (team_id, user_id, created, updated, external, permission)
 VALUES
-  (1, 1, 0, '2023-01-01 12:00:00',
+  (1, 1, '2023-01-01 12:00:00',
   '2023-01-01 12:00:00', FALSE, 'Member')

pkg/registry/apis/iam/legacy/testdata/postgres--create_team_member_query-create_team_member_admin.sql

@@ -1,5 +1,5 @@
 INSERT INTO "grafana"."team_member"
-  (team_id, user_id, org_id, created, updated, external, permission)
+  (team_id, user_id, created, updated, external, permission)
 VALUES
-  (1, 1, 0, '2023-01-01 12:00:00',
+  (1, 1, '2023-01-01 12:00:00',
   '2023-01-01 12:00:00', FALSE, 'Admin')

pkg/registry/apis/iam/legacy/testdata/postgres--team_bindings_query-team_1_bindings.sql

@@ -1,11 +1,10 @@
-SELECT tm.id as id, t.uid as team_uid, t.id as team_id, u.uid as user_uid, u.id as user_id, tm.created, tm.updated, tm.permission
+SELECT tm.id as id, t.uid as team_uid, t.id as team_id, u.uid as user_uid, tm.created, tm.updated, tm.permission
 FROM "grafana"."team_member" tm
 INNER JOIN "grafana"."team" t ON tm.team_id = t.id
 INNER JOIN "grafana"."user" u ON tm.user_id  = u.id
 WHERE
   tm.org_id = 1
-    AND tm.team_id = 1
+    AND t.uid = 'team-1'
-    AND tm.user_id = 1
 AND NOT tm.external
 ORDER BY t.id ASC
 LIMIT 1;

pkg/registry/apis/iam/legacy/testdata/postgres--team_bindings_query-team_bindings_page_1.sql

@@ -1,4 +1,4 @@
-SELECT tm.id as id, t.uid as team_uid, t.id as team_id, u.uid as user_uid, u.id as user_id, tm.created, tm.updated, tm.permission
+SELECT tm.id as id, t.uid as team_uid, t.id as team_id, u.uid as user_uid, tm.created, tm.updated, tm.permission
 FROM "grafana"."team_member" tm
 INNER JOIN "grafana"."team" t ON tm.team_id = t.id
 INNER JOIN "grafana"."user" u ON tm.user_id  = u.id

pkg/registry/apis/iam/legacy/testdata/postgres--team_bindings_query-team_bindings_page_2.sql

@@ -1,4 +1,4 @@
-SELECT tm.id as id, t.uid as team_uid, t.id as team_id, u.uid as user_uid, u.id as user_id, tm.created, tm.updated, tm.permission
+SELECT tm.id as id, t.uid as team_uid, t.id as team_id, u.uid as user_uid, tm.created, tm.updated, tm.permission
 FROM "grafana"."team_member" tm
 INNER JOIN "grafana"."team" t ON tm.team_id = t.id
 INNER JOIN "grafana"."user" u ON tm.user_id  = u.id

pkg/registry/apis/iam/legacy/testdata/sqlite--create_team_member_query-create_team_member.sql

@@ -1,5 +1,5 @@
 INSERT INTO "grafana"."team_member"
-  (team_id, user_id, org_id, created, updated, external, permission)
+  (team_id, user_id, created, updated, external, permission)
 VALUES
-  (1, 1, 0, '2023-01-01 12:00:00',
+  (1, 1, '2023-01-01 12:00:00',
   '2023-01-01 12:00:00', FALSE, 'Member')

pkg/registry/apis/iam/legacy/testdata/sqlite--create_team_member_query-create_team_member_admin.sql

@@ -1,5 +1,5 @@
 INSERT INTO "grafana"."team_member"
-  (team_id, user_id, org_id, created, updated, external, permission)
+  (team_id, user_id, created, updated, external, permission)
 VALUES
-  (1, 1, 0, '2023-01-01 12:00:00',
+  (1, 1, '2023-01-01 12:00:00',
   '2023-01-01 12:00:00', FALSE, 'Admin')

pkg/registry/apis/iam/legacy/testdata/sqlite--team_bindings_query-team_1_bindings.sql

@@ -1,11 +1,10 @@
-SELECT tm.id as id, t.uid as team_uid, t.id as team_id, u.uid as user_uid, u.id as user_id, tm.created, tm.updated, tm.permission
+SELECT tm.id as id, t.uid as team_uid, t.id as team_id, u.uid as user_uid, tm.created, tm.updated, tm.permission
 FROM "grafana"."team_member" tm
 INNER JOIN "grafana"."team" t ON tm.team_id = t.id
 INNER JOIN "grafana"."user" u ON tm.user_id  = u.id
 WHERE
   tm.org_id = 1
-    AND tm.team_id = 1
+    AND t.uid = 'team-1'
-    AND tm.user_id = 1
 AND NOT tm.external
 ORDER BY t.id ASC
 LIMIT 1;

pkg/registry/apis/iam/legacy/testdata/sqlite--team_bindings_query-team_bindings_page_1.sql

@@ -1,4 +1,4 @@
-SELECT tm.id as id, t.uid as team_uid, t.id as team_id, u.uid as user_uid, u.id as user_id, tm.created, tm.updated, tm.permission
+SELECT tm.id as id, t.uid as team_uid, t.id as team_id, u.uid as user_uid, tm.created, tm.updated, tm.permission
 FROM "grafana"."team_member" tm
 INNER JOIN "grafana"."team" t ON tm.team_id = t.id
 INNER JOIN "grafana"."user" u ON tm.user_id  = u.id

pkg/registry/apis/iam/legacy/testdata/sqlite--team_bindings_query-team_bindings_page_2.sql

@@ -1,4 +1,4 @@
-SELECT tm.id as id, t.uid as team_uid, t.id as team_id, u.uid as user_uid, u.id as user_id, tm.created, tm.updated, tm.permission
+SELECT tm.id as id, t.uid as team_uid, t.id as team_id, u.uid as user_uid, tm.created, tm.updated, tm.permission
 FROM "grafana"."team_member" tm
 INNER JOIN "grafana"."team" t ON tm.team_id = t.id
 INNER JOIN "grafana"."user" u ON tm.user_id  = u.id

pkg/registry/apis/iam/team/store_binding.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"strconv"
-	"strings"
 	"time"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -100,12 +99,6 @@ func (l *LegacyBindingStore) Create(ctx context.Context, obj runtime.Object, cre
 		return nil, fmt.Errorf("expected TeamBinding object, got %T", obj)
 	}
 
-	if createValidation != nil {
-		if err := createValidation(ctx, teamMemberObj); err != nil {
-			return nil, err
-		}
-	}
-
 	// Fetch the user by ID
 	userObj, err := l.store.GetUserInternalID(ctx, ns, legacy.GetUserInternalIDQuery{
 		UID: teamMemberObj.Spec.Subject.Name,
@@ -122,6 +115,12 @@ func (l *LegacyBindingStore) Create(ctx context.Context, obj runtime.Object, cre
 		return nil, fmt.Errorf("failed to fetch team by id %s: %w", teamMemberObj.Spec.TeamRef.Name, err)
 	}
 
+	if createValidation != nil {
+		if err := createValidation(ctx, obj); err != nil {
+			return nil, err
+		}
+	}
+
 	var permission team.PermissionType
 	switch teamMemberObj.Spec.Permission {
 	case iamv0alpha1.TeamBindingTeamPermissionAdmin:
@@ -132,9 +131,7 @@ func (l *LegacyBindingStore) Create(ctx context.Context, obj runtime.Object, cre
 
 	createCmd := legacy.CreateTeamMemberCommand{
 		TeamID:     teamObj.ID,
-		TeamUID:    teamMemberObj.Spec.TeamRef.Name,
 		UserID:     userObj.ID,
-		UserUID:    teamMemberObj.Spec.Subject.Name,
 		Permission: permission,
 		External:   false,
 	}
@@ -155,11 +152,8 @@ func (l *LegacyBindingStore) Get(ctx context.Context, name string, options *meta
 		return nil, err
 	}
 
-	teamID, userID := mapFromBindingName(name)
-
 	res, err := l.store.ListTeamBindings(ctx, ns, legacy.ListTeamBindingsQuery{
-		TeamID:     teamID,
+		UID:        name,
-		UserID:     userID,
 		Pagination: common.Pagination{Limit: 1},
 	})
 	if err != nil {
@@ -216,7 +210,7 @@ func mapToBindingObject(ns claims.NamespaceInfo, tm legacy.TeamMember) iamv0alph
 
 	return iamv0alpha1.TeamBinding{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:              mapToBindingName(tm.TeamID, tm.UserID),
+			Name:              tm.TeamUID,
 			Namespace:         ns.Value,
 			ResourceVersion:   strconv.FormatInt(rv.UnixMilli(), 10),
 			CreationTimestamp: metav1.NewTime(ct),
@@ -233,33 +227,6 @@ func mapToBindingObject(ns claims.NamespaceInfo, tm legacy.TeamMember) iamv0alph
 	}
 }
 
-func mapToBindingName(teamID int64, userID int64) string {
-	return fmt.Sprintf("binding-%d-%d", teamID, userID)
-}
-
-func mapFromBindingName(name string) (int64, int64) {
-	parts := strings.Split(name, "-")
-	if len(parts) != 3 {
-		return 0, 0
-	}
-
-	if parts[0] != "binding" {
-		return 0, 0
-	}
-
-	teamID, err := strconv.ParseInt(parts[1], 10, 64)
-	if err != nil {
-		return 0, 0
-	}
-
-	userID, err := strconv.ParseInt(parts[2], 10, 64)
-	if err != nil {
-		return 0, 0
-	}
-
-	return teamID, userID
-}
-
 func mapPermisson(p team.PermissionType) iamv0.TeamPermission {
 	if p == team.PermissionTypeAdmin {
 		return iamv0.TeamPermissionAdmin

pkg/registry/apis/iam/team/validate.go

@@ -57,22 +57,9 @@ func ValidateOnUpdate(ctx context.Context, obj, old *iamv0alpha1.Team) error {
 }
 
 func ValidateOnBindingCreate(ctx context.Context, obj *iamv0alpha1.TeamBinding) error {
-	_, err := identity.GetRequester(ctx)
-	if err != nil {
-		return apierrors.NewUnauthorized("no identity found")
-	}
-
 	if obj.Spec.Permission != iamv0alpha1.TeamBindingTeamPermissionAdmin && obj.Spec.Permission != iamv0alpha1.TeamBindingTeamPermissionMember {
 		return apierrors.NewBadRequest("invalid permission")
 	}
 
-	if obj.Spec.Subject.Name == "" {
-		return apierrors.NewBadRequest("subject is required")
-	}
-
-	if obj.Spec.TeamRef.Name == "" {
-		return apierrors.NewBadRequest("teamRef is required")
-	}
-
 	return nil
 }

pkg/registry/apis/iam/team/validate_test.go

@@ -371,60 +371,6 @@ func TestValidateOnBindingCreate(t *testing.T) {
 			},
 			want: apierrors.NewBadRequest("invalid permission"),
 		},
-		{
-			name: "invalid team binding - no subject",
-			requester: &identity.StaticRequester{
-				Type:    types.TypeUser,
-				OrgRole: identity.RoleAdmin,
-			},
-			obj: &iamv0alpha1.TeamBinding{
-				Spec: iamv0alpha1.TeamBindingSpec{
-					Subject: iamv0alpha1.TeamBindingspecSubject{
-						Name: "",
-					},
-					TeamRef: iamv0alpha1.TeamBindingTeamRef{
-						Name: "test-team",
-					},
-					Permission: iamv0alpha1.TeamBindingTeamPermissionAdmin,
-				},
-			},
-			want: apierrors.NewBadRequest("subject is required"),
-		},
-		{
-			name: "invalid team binding - no teamRef",
-			requester: &identity.StaticRequester{
-				Type:    types.TypeUser,
-				OrgRole: identity.RoleAdmin,
-			},
-			obj: &iamv0alpha1.TeamBinding{
-				Spec: iamv0alpha1.TeamBindingSpec{
-					Subject: iamv0alpha1.TeamBindingspecSubject{
-						Name: "test-user",
-					},
-					TeamRef: iamv0alpha1.TeamBindingTeamRef{
-						Name: "",
-					},
-					Permission: iamv0alpha1.TeamBindingTeamPermissionAdmin,
-				},
-			},
-			want: apierrors.NewBadRequest("teamRef is required"),
-		},
-		{
-			name:      "invalid team binding - no requester in context",
-			requester: nil,
-			obj: &iamv0alpha1.TeamBinding{
-				Spec: iamv0alpha1.TeamBindingSpec{
-					Subject: iamv0alpha1.TeamBindingspecSubject{
-						Name: "test-user",
-					},
-					TeamRef: iamv0alpha1.TeamBindingTeamRef{
-						Name: "test-team",
-					},
-					Permission: iamv0alpha1.TeamBindingTeamPermissionAdmin,
-				},
-			},
-			want: apierrors.NewUnauthorized("no identity found"),
-		},
 	}
 
 	for _, test := range tests {

pkg/tests/apis/iam/iam_test.go

@@ -27,12 +27,6 @@ var gvrUsers = schema.GroupVersionResource{
 	Resource: "users",
 }
 
-var gvrTeamBindings = schema.GroupVersionResource{
-	Group:    "iam.grafana.app",
-	Version:  "v0alpha1",
-	Resource: "teambindings",
-}
-
 func TestMain(m *testing.M) {
 	testsuite.Run(m)
 }

pkg/tests/apis/iam/team_bindings_integration_test.go

@@ -1,295 +0,0 @@
-package identity
-
-import (
-	"context"
-	"fmt"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-	"k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-
-	"github.com/grafana/grafana/pkg/apiserver/rest"
-	"github.com/grafana/grafana/pkg/services/featuremgmt"
-	"github.com/grafana/grafana/pkg/setting"
-	"github.com/grafana/grafana/pkg/tests/apis"
-	"github.com/grafana/grafana/pkg/tests/testinfra"
-	"github.com/grafana/grafana/pkg/util/testutil"
-)
-
-func TestIntegrationTeamBindings(t *testing.T) {
-	testutil.SkipIntegrationTestInShortMode(t)
-
-	// TODO: Add rest.Mode4 when it's supported
-	modes := []rest.DualWriterMode{rest.Mode0, rest.Mode1, rest.Mode2, rest.Mode3}
-	for _, mode := range modes {
-		t.Run(fmt.Sprintf("Team binding CRUD operations with dual writer mode %d", mode), func(t *testing.T) {
-			helper := apis.NewK8sTestHelper(t, testinfra.GrafanaOpts{
-				AppModeProduction:    false,
-				DisableAnonymous:     true,
-				APIServerStorageType: "unified",
-				UnifiedStorageConfig: map[string]setting.UnifiedStorageConfig{
-					"teambindings.iam.grafana.app": {
-						DualWriterMode: mode,
-					},
-				},
-				EnableFeatureToggles: []string{
-					featuremgmt.FlagGrafanaAPIServerWithExperimentalAPIs,
-					featuremgmt.FlagKubernetesAuthnMutation,
-				},
-			})
-
-			ctx := context.Background()
-
-			// Create a team
-			teamClient := helper.GetResourceClient(apis.ResourceClientArgs{
-				User:      helper.Org1.Admin,
-				Namespace: helper.Namespacer(helper.Org1.Admin.Identity.GetOrgID()),
-				GVR:       gvrTeams,
-			})
-
-			team, err := teamClient.Resource.Create(ctx, helper.LoadYAMLOrJSONFile("testdata/team-test-create-v0.yaml"), metav1.CreateOptions{})
-			require.NoError(t, err)
-			require.NotNil(t, team)
-
-			// Create a user
-			userClient := helper.GetResourceClient(apis.ResourceClientArgs{
-				User:      helper.Org1.Admin,
-				Namespace: helper.Namespacer(helper.Org1.Admin.Identity.GetOrgID()),
-				GVR:       gvrUsers,
-			})
-
-			user, err := userClient.Resource.Create(ctx, helper.LoadYAMLOrJSONFile("testdata/user-test-create-v0.yaml"), metav1.CreateOptions{})
-			require.NoError(t, err)
-			require.NotNil(t, user)
-
-			doTeamBindingCRUDTestsUsingTheNewAPIs(t, helper, team, user)
-
-			if mode < 3 {
-				doTeamBindingCRUDTestsUsingTheLegacyAPIs(t, helper, mode)
-			}
-		})
-	}
-}
-
-func doTeamBindingCRUDTestsUsingTheNewAPIs(t *testing.T, helper *apis.K8sTestHelper, team *unstructured.Unstructured, user *unstructured.Unstructured) {
-	t.Run("should create/get team binding using the new APIs", func(t *testing.T) {
-		ctx := context.Background()
-
-		teamBindingClient := helper.GetResourceClient(apis.ResourceClientArgs{
-			User:      helper.Org1.Admin,
-			Namespace: helper.Namespacer(helper.Org1.Admin.Identity.GetOrgID()),
-			GVR:       gvrTeamBindings,
-		})
-
-		// Create the team binding
-		toCreate := helper.LoadYAMLOrJSONFile("testdata/teambinding-test-create-v0.yaml")
-		toCreate.Object["spec"].(map[string]interface{})["subject"].(map[string]interface{})["name"] = user.GetName()
-		toCreate.Object["spec"].(map[string]interface{})["teamRef"].(map[string]interface{})["name"] = team.GetName()
-		created, err := teamBindingClient.Resource.Create(ctx, toCreate, metav1.CreateOptions{})
-		require.NoError(t, err)
-		require.NotNil(t, created)
-
-		createdSpec := created.Object["spec"].(map[string]interface{})
-		require.Equal(t, user.GetName(), createdSpec["subject"].(map[string]interface{})["name"])
-		require.Equal(t, team.GetName(), createdSpec["teamRef"].(map[string]interface{})["name"])
-		require.Equal(t, "admin", createdSpec["permission"])
-
-		createdUID := created.GetName()
-		require.NotEmpty(t, createdUID)
-
-		// Get the team binding
-		fetched, err := teamBindingClient.Resource.Get(ctx, createdUID, metav1.GetOptions{})
-		require.NoError(t, err)
-		require.NotNil(t, fetched)
-
-		fetchedSpec := fetched.Object["spec"].(map[string]interface{})
-		require.Equal(t, user.GetName(), fetchedSpec["subject"].(map[string]interface{})["name"])
-		require.Equal(t, team.GetName(), fetchedSpec["teamRef"].(map[string]interface{})["name"])
-		require.Equal(t, "admin", fetchedSpec["permission"])
-
-		require.Equal(t, createdUID, fetched.GetName())
-		require.Equal(t, "default", fetched.GetNamespace())
-	})
-
-	t.Run("should not be able to create team binding when using a user with insufficient permissions", func(t *testing.T) {
-		for _, u := range []apis.User{
-			helper.Org1.Editor,
-			helper.Org1.Viewer,
-		} {
-			t.Run(fmt.Sprintf("with basic role_%s", u.Identity.GetOrgRole()), func(t *testing.T) {
-				ctx := context.Background()
-				teamBindingClient := helper.GetResourceClient(apis.ResourceClientArgs{
-					User:      u,
-					Namespace: helper.Namespacer(helper.Org1.Admin.Identity.GetOrgID()),
-					GVR:       gvrTeamBindings,
-				})
-
-				toCreate := helper.LoadYAMLOrJSONFile("testdata/teambinding-test-create-v0.yaml")
-				toCreate.Object["spec"].(map[string]interface{})["subject"].(map[string]interface{})["name"] = user.GetName()
-				toCreate.Object["spec"].(map[string]interface{})["teamRef"].(map[string]interface{})["name"] = team.GetName()
-				_, err := teamBindingClient.Resource.Create(ctx, toCreate, metav1.CreateOptions{})
-				require.Error(t, err)
-
-				var statusErr *errors.StatusError
-				require.ErrorAs(t, err, &statusErr)
-				require.Equal(t, int32(403), statusErr.ErrStatus.Code)
-			})
-		}
-	})
-
-	t.Run("should not be able to create team binding without a subject", func(t *testing.T) {
-		ctx := context.Background()
-		teamBindingClient := helper.GetResourceClient(apis.ResourceClientArgs{
-			User:      helper.Org1.Admin,
-			Namespace: helper.Namespacer(helper.Org1.Admin.Identity.GetOrgID()),
-			GVR:       gvrTeamBindings,
-		})
-
-		toCreate := helper.LoadYAMLOrJSONFile("testdata/teambinding-test-create-v0.yaml")
-		toCreate.Object["spec"].(map[string]interface{})["subject"].(map[string]interface{})["name"] = ""
-		toCreate.Object["spec"].(map[string]interface{})["teamRef"].(map[string]interface{})["name"] = team.GetName()
-
-		_, err := teamBindingClient.Resource.Create(ctx, toCreate, metav1.CreateOptions{})
-		require.Error(t, err)
-		var statusErr *errors.StatusError
-		require.ErrorAs(t, err, &statusErr)
-		require.Equal(t, int32(400), statusErr.ErrStatus.Code)
-		require.Contains(t, statusErr.ErrStatus.Message, "subject is required")
-	})
-
-	t.Run("should not be able to create team binding without a teamRef", func(t *testing.T) {
-		ctx := context.Background()
-		teamBindingClient := helper.GetResourceClient(apis.ResourceClientArgs{
-			User:      helper.Org1.Admin,
-			Namespace: helper.Namespacer(helper.Org1.Admin.Identity.GetOrgID()),
-			GVR:       gvrTeamBindings,
-		})
-
-		toCreate := helper.LoadYAMLOrJSONFile("testdata/teambinding-test-create-v0.yaml")
-		toCreate.Object["spec"].(map[string]interface{})["subject"].(map[string]interface{})["name"] = user.GetName()
-		toCreate.Object["spec"].(map[string]interface{})["teamRef"].(map[string]interface{})["name"] = ""
-
-		_, err := teamBindingClient.Resource.Create(ctx, toCreate, metav1.CreateOptions{})
-		require.Error(t, err)
-		var statusErr *errors.StatusError
-		require.ErrorAs(t, err, &statusErr)
-		require.Equal(t, int32(400), statusErr.ErrStatus.Code)
-		require.Contains(t, statusErr.ErrStatus.Message, "teamRef is required")
-	})
-
-	t.Run("should not be able to create team binding with invalid permission", func(t *testing.T) {
-		ctx := context.Background()
-		teamBindingClient := helper.GetResourceClient(apis.ResourceClientArgs{
-			User:      helper.Org1.Admin,
-			Namespace: helper.Namespacer(helper.Org1.Admin.Identity.GetOrgID()),
-			GVR:       gvrTeamBindings,
-		})
-
-		toCreate := helper.LoadYAMLOrJSONFile("testdata/teambinding-test-create-v0.yaml")
-		toCreate.Object["spec"].(map[string]interface{})["subject"].(map[string]interface{})["name"] = user.GetName()
-		toCreate.Object["spec"].(map[string]interface{})["teamRef"].(map[string]interface{})["name"] = team.GetName()
-		toCreate.Object["spec"].(map[string]interface{})["permission"] = "invalid"
-
-		_, err := teamBindingClient.Resource.Create(ctx, toCreate, metav1.CreateOptions{})
-		require.Error(t, err)
-		var statusErr *errors.StatusError
-		require.ErrorAs(t, err, &statusErr)
-		require.Equal(t, int32(400), statusErr.ErrStatus.Code)
-		require.Contains(t, statusErr.ErrStatus.Message, "invalid permission")
-	})
-}
-
-func doTeamBindingCRUDTestsUsingTheLegacyAPIs(t *testing.T, helper *apis.K8sTestHelper, mode rest.DualWriterMode) {
-	t.Run("should create team binding using legacy APIs and get it using the new APIs", func(t *testing.T) {
-		ctx := context.Background()
-
-		// Create a team using legacy API
-		legacyTeamPayload := `{
-			"name": "Test Team Legacy",
-			"email": "testteamlegacy@example.com"
-		}`
-
-		type legacyTeamResponse struct {
-			UID string `json:"uid"`
-			ID  int64  `json:"teamId"`
-		}
-
-		teamRsp := apis.DoRequest(helper, apis.RequestParams{
-			User:   helper.Org1.Admin,
-			Method: "POST",
-			Path:   "/api/teams",
-			Body:   []byte(legacyTeamPayload),
-		}, &legacyTeamResponse{})
-
-		require.NotNil(t, teamRsp)
-		require.Equal(t, 200, teamRsp.Response.StatusCode)
-		require.NotEmpty(t, teamRsp.Result.UID)
-
-		// Create a user using legacy API
-		legacyUserPayload := `{
-			"name": "Test User 2",
-			"email": "testuser2@example.com",
-			"login": "testuser2",
-			"password": "password123"
-		}`
-
-		type legacyUserResponse struct {
-			UID string `json:"uid"`
-			ID  int64  `json:"id"`
-		}
-
-		userRsp := apis.DoRequest(helper, apis.RequestParams{
-			User:   helper.Org1.Admin,
-			Method: "POST",
-			Path:   "/api/admin/users",
-			Body:   []byte(legacyUserPayload),
-		}, &legacyUserResponse{})
-
-		require.NotNil(t, userRsp)
-		require.Equal(t, 200, userRsp.Response.StatusCode)
-		require.NotEmpty(t, userRsp.Result.UID)
-
-		// Create team binding using legacy API
-		legacyTeamBindingPayload := `{
-			"userId": ` + fmt.Sprintf("%d", userRsp.Result.ID) + `,
-			"teamId": ` + fmt.Sprintf("%d", teamRsp.Result.ID) + `,
-			"permission": "member"
-		}`
-
-		type legacyTeamBindingResponse struct {
-			UserID     int64  `json:"userId"`
-			TeamID     int64  `json:"teamId"`
-			Permission string `json:"permission"`
-		}
-
-		teamBindingRsp := apis.DoRequest(helper, apis.RequestParams{
-			User:   helper.Org1.Admin,
-			Method: "POST",
-			Path:   "/api/teams/" + teamRsp.Result.UID + "/members",
-			Body:   []byte(legacyTeamBindingPayload),
-		}, &legacyTeamBindingResponse{})
-
-		require.NotNil(t, teamBindingRsp)
-		require.Equal(t, 200, teamBindingRsp.Response.StatusCode)
-
-		// Get team binding using new API
-		teamBindingClient := helper.GetResourceClient(apis.ResourceClientArgs{
-			User:      helper.Org1.Admin,
-			Namespace: helper.Namespacer(helper.Org1.Admin.Identity.GetOrgID()),
-			GVR:       gvrTeamBindings,
-		})
-
-		teamBindingName := fmt.Sprintf("binding-%d-%d", teamRsp.Result.ID, userRsp.Result.ID)
-		teamBinding, err := teamBindingClient.Resource.Get(ctx, teamBindingName, metav1.GetOptions{})
-		require.NoError(t, err)
-		require.NotNil(t, teamBinding)
-
-		teamBindingSpec := teamBinding.Object["spec"].(map[string]interface{})
-		require.Equal(t, "member", teamBindingSpec["permission"])
-		require.Equal(t, userRsp.Result.UID, teamBindingSpec["subject"].(map[string]interface{})["name"])
-		require.Equal(t, teamRsp.Result.UID, teamBindingSpec["teamRef"].(map[string]interface{})["name"])
-		require.Equal(t, teamBindingName, teamBinding.GetName())
-	})
-}

pkg/tests/apis/iam/testdata/teambinding-test-create-v0.yaml

@@ -1,10 +0,0 @@
-apiVersion: iam.grafana.app/v0alpha1
-kind: TeamBinding
-metadata:
-  name: test-team-binding-1
-spec:
-  subject:
-    name: ""
-  teamRef:
-    name: ""
-  permission: "admin"