update feature documentation

Felix Kunde 2021-05-14 09:32:43 +02:00
parent cc27740be1
commit 044e92a609
2 changed files with 14 additions and 10 deletions

@ -706,9 +706,9 @@ key.
* **role_deprecation_suffix**
defines a suffix that will be appended to database role names of team members
that were removed from either PostgresTeam CRDs (additionalMembers) or from
the team in the teams API. When readded to the manifest, the operator will
rename roles with the defined suffix back to the original role name.
that were removed from either the team in the Teams API or a `PostgresTeam`
custom resource (additionalMembers). When re-added, the operator will rename
roles with the defined suffix back to the original role name.
The default is `_delete_me`.
* **enable_postgres_team_crd**
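Review bot: The reworded `role_deprecation_suffix` description mentions only the rename, while the "Removed members" text changed in this same commit says the operator also revokes `LOGIN` on removal and grants it again on re-adding; the option reference should say so too, since the lockout is the security-relevant effect of this setting. "When re-added" has also lost its object (the previous wording had "to the manifest"); suggest "When re-added to the team or the `PostgresTeam` resource, the operator will ...". Minor: format `additionalMembers` as code, matching `PostgresTeam`.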

@ -410,13 +410,17 @@ spec:
#### Removed members
The Postgres Operator does not delete database roles when users are removed
from manifests. But, when using the PostgresTeam CRD or Teams API it is very
easy to (accidently) add roles to many clusters. Manually reverting such a
change is cumbersome. Therefore, if members are removed from the team CRD or
teams API the operator will rename roles appending a configured suffix to the
name (see `role_deprecation_suffix` option) so that old members cannot login
anymore. When a role is readded to the manifest the operator will check for
roles with the configured suffix and rename the role back to the original name.
from manifests. But, using the `PostgresTeam` custom resource or Teams API it
is very easy to add roles to many clusters. Manually reverting such a change
is cumbersome. Therefore, if members are removed from a `PostgresTeam` or the
Teams API the operator will rename roles appending a configured suffix to the
name (see `role_deprecation_suffix` option) and revoke the `LOGIN` privilege.
The suffix makes it easy then for a cleanup script to remove those deprecated
roles completely.
When a role is re-added to a PostgresTeam manifest (or to the source behind
the Teams API) the operator will check for roles with the configured suffix
and if found, rename the role back to the original name and grant LOGIN again.
## Prepared databases with roles and default privileges
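Review bot: The "Removed members" paragraph now says the operator will "revoke the `LOGIN` privilege" but does not say whether sessions a removed member already has open are affected; since the purpose of the rename is to lock old members out, please state that explicitly. The last sentence also drops the formatting used earlier in the paragraph: "a PostgresTeam manifest" and "grant LOGIN again" should use `PostgresTeam` and `LOGIN`. Wording nit: "The suffix makes it easy then for a cleanup script" reads better as "The suffix then makes it easy for a cleanup script".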