From 044e92a609c753b40a3a9b0caaabf075bd817137 Mon Sep 17 00:00:00 2001 From: Felix Kunde Date: Fri, 14 May 2021 09:32:43 +0200 Subject: [PATCH] update feature documentation --- docs/reference/operator_parameters.md | 6 +++--- docs/user.md | 18 +++++++++++------- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/docs/reference/operator_parameters.md b/docs/reference/operator_parameters.md index a6e89640a..7dbbf5fa7 100644 --- a/docs/reference/operator_parameters.md +++ b/docs/reference/operator_parameters.md @@ -706,9 +706,9 @@ key. * **role_deprecation_suffix** defines a suffix that will be appended to database role names of team members - that were removed from either PostgresTeam CRDs (additionalMembers) or from - the team in the teams API. When readded to the manifest, the operator will - rename roles with the defined suffix back to the original role name. + that were removed from either the team in the Teams API or a `PostgresTeam` + custom resource (additionalMembers). When re-added, the operator will rename + roles with the defined suffix back to the original role name. The default is `_delete_me`. * **enable_postgres_team_crd** diff --git a/docs/user.md b/docs/user.md index 89d180071..4bfc94488 100644 --- a/docs/user.md +++ b/docs/user.md 
@@ -410,13 +410,17 @@ spec: #### Removed members The Postgres Operator does not delete database roles when users are removed -from manifests. But, when using the PostgresTeam CRD or Teams API it is very -easy to (accidently) add roles to many clusters. Manually reverting such a -change is cumbersome. Therefore, if members are removed from the team CRD or -teams API the operator will rename roles appending a configured suffix to the -name (see `role_deprecation_suffix` option) so that old members cannot login -anymore. When a role is readded to the manifest the operator will check for -roles with the configured suffix and rename the role back to the original name. +from manifests. But, using the `PostgresTeam` custom resource or Teams API it +is very easy to add roles to many clusters. Manually reverting such a change +is cumbersome. Therefore, if members are removed from a `PostgresTeam` or the +Teams API the operator will rename roles appending a configured suffix to the +name (see `role_deprecation_suffix` option) and revoke the `LOGIN` privilege. +The suffix makes it easy then for a cleanup script to remove those deprecated +roles completely. + +When a role is re-added to a PostgresTeam manifest (or to the source behind +the Teams API) the operator will check for roles with the configured suffix +and if found, rename the role back to the original name and grant LOGIN again. ## Prepared databases with roles and default privileges
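Review bot: in the operator_parameters.md hunk, the `role_deprecation_suffix` entry describes only the rename on removal and the rename back on re-add, while the docs/user.md hunk in this same patch states that the operator also revokes the `LOGIN` privilege on removal and grants it again on re-add; add a clause such as "and revokes the `LOGIN` privilege" to the reference entry so that readers looking up the parameter learn that the suffixed role can no longer log in. The parenthetical "(additionalMembers)" would also read better as "(the `additionalMembers` field)" to match the `PostgresTeam` code formatting used in the same sentence.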
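Review bot: in the docs/user.md hunk, formatting is inconsistent between the two new paragraphs: `LOGIN` and `PostgresTeam` are in backticks in the first ("revoke the `LOGIN` privilege", "`PostgresTeam` custom resource") but bare in the second ("a PostgresTeam manifest", "grant LOGIN again"). It would also help to state explicitly that the operator itself never drops the suffixed roles and that removal is left to an external cleanup script; the opening sentence ("does not delete database roles") and the cleanup-script sentence imply this together, but a reader of the second sentence alone could take "remove those deprecated roles completely" as something the operator does.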