From 2ad0cb2d568a915106cbcebec104e36fc23132c1 Mon Sep 17 00:00:00 2001
From: Felix Kunde
Date: Thu, 28 Apr 2022 10:53:51 +0200
Subject: [PATCH] add more context in the docs about additional_owner_roles
---
 docs/reference/operator_parameters.md | 17 +++++++++++------
 pkg/util/users/users.go | 6 ++++--
 2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/docs/reference/operator_parameters.md b/docs/reference/operator_parameters.md
index 1076733d1..fa5fb0f52 100644
--- a/docs/reference/operator_parameters.md
+++ b/docs/reference/operator_parameters.md
@@ -179,12 +179,17 @@ under the `users` key.
 
 * **additional_owner_roles**
   Specifies database roles that will be granted to all database owners. Owners
-  can then use `SET ROLE` to obtain privileges of these roles to e.g.
-  create/update functionality from extensions as part of a migration script.
-  Note, that roles listed here should be preconfigured in the docker image
-  and already exist in the database cluster on startup. One such role can be
-  `cron_admin` which is provided by the Spilo docker image to set up cron
-  jobs inside the `postgres` database. Default is `empty`.
+  can then use `SET ROLE` to obtain privileges of these roles to e.g. create
+  or update functionality from extensions as part of a migration script. One
+  such role can be `cron_admin` which is provided by the Spilo docker image to
+  set up cron jobs inside the `postgres` database. In general, roles listed
+  here should be preconfigured in the docker image and already exist in the
+  database cluster on startup. Otherwise, syncing roles will return an error
+  on each cluster sync process. Alternatively, you have to create the role and
+  do the GRANT manually. Note, the operator will not allow additional owner
+  roles to be members of database owners because it should be vice versa. If
+  the operator cannot set up the correct membership it tries to revoke all
+  additional owner roles from database owners. Default is `empty`.
 
 * **enable_password_rotation**
   For all `LOGIN` roles that are not database owners the operator can rotate
diff --git a/pkg/util/users/users.go b/pkg/util/users/users.go
index 392eb5b68..e6364c39c 100644
--- a/pkg/util/users/users.go
+++ b/pkg/util/users/users.go
@@ -119,8 +119,10 @@ func (strategy DefaultUserSyncStrategy) ExecuteSyncRequests(requests []spec.PgSy
 			if err := strategy.alterPgUser(request.User, db); err != nil {
 				reqretries = append(reqretries, request)
 				errors = append(errors, fmt.Sprintf("could not alter user %q: %v", request.User.Name, err))
-				// check if additional owners are misconfigured as members to a database owner (check #1862 for details)
-				// resolve it by revoking the database owner from the additional owner role
+				// XXX: we do not allow additional owner roles to be members of database owners
+				// if ALTER fails it could be because of the wrong memberhip (check #1862 for details)
+				// so in any case try to revoke the database owner from the additional owner roles
+				// the initial ALTER statement will be retried once and should work then
 				if request.User.IsDbOwner && len(strategy.AdditionalOwnerRoles) > 0 {
 					if err := resolveOwnerMembership(request.User, strategy.AdditionalOwnerRoles, db); err != nil {
 						errors = append(errors, fmt.Sprintf("could not resolve owner membership for %q: %v", request.User.Name, err))
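Review bot: The added comment misspells "membership" (`wrong memberhip`) and overstates the outcome: it says the retried ALTER "should work then", but the code only appends the request to `reqretries` and does not check whether `resolveOwnerMembership` succeeded before the retry is queued, so the comment should present the retry as expected rather than guaranteed. It is also worth spelling out that the revoke now runs on any ALTER failure for a database owner, so a failure with an unrelated cause still issues REVOKE statements and may add a second error entry next to the original one; a reader should know that is intentional and not mistake it for a bug. Suggested wording: `// We never allow additional owner roles to be members of database owners (see #1862).` / `// ALTER can fail because of such a membership, so on any ALTER failure revoke the owner from every additional owner role;` / `// the ALTER is queued for one retry, which is expected (not guaranteed) to succeed afterwards.` ExecuteSyncRequests and its enclosing loop start before this hunk and continue past it.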