From 3e7e99039b1f7b1069b6bdd6922820ec9e77bb10 Mon Sep 17 00:00:00 2001
From: Felix Kunde
Date: Tue, 20 Oct 2020 15:37:39 +0200
Subject: [PATCH] add documentation and update rbac
---
 .../postgres-operator/crds/postgresteams.yaml | 4 +-
 .../templates/clusterrole.yaml | 10 ++-
 docs/user.md | 61 +++++++++++++++++++
 manifests/operator-service-account-rbac.yaml | 10 ++-
 manifests/postgresteam.crd.yaml | 4 +-
 5 files changed, 83 insertions(+), 6 deletions(-)
diff --git a/charts/postgres-operator/crds/postgresteams.yaml b/charts/postgres-operator/crds/postgresteams.yaml
index 9038625b4..5b9518576 100644
--- a/charts/postgres-operator/crds/postgresteams.yaml
+++ b/charts/postgres-operator/crds/postgresteams.yaml
@@ -40,11 +40,11 @@ spec:
 properties:
 additionalSuperuserTeams:
 type: object
- description: "Map for teamId and associted additional admin teams"
+ description: "Map for teamId and associted additional superuser teams"
 additionalProperties:
 type: array
 nullable: true
- description: "List of teams to become Postgres admins"
+ description: "List of teams to become Postgres superusers"
 items:
 type: string
 additionalTeams:
diff --git a/charts/postgres-operator/templates/clusterrole.yaml b/charts/postgres-operator/templates/clusterrole.yaml
index a8a50ac08..84da313d9 100644
--- a/charts/postgres-operator/templates/clusterrole.yaml
+++ b/charts/postgres-operator/templates/clusterrole.yaml
@@ -15,7 +15,6 @@ rules:
 resources:
 - postgresqls
 - postgresqls/status
- - postgresteams
 - operatorconfigurations
 verbs:
 - create
@@ -26,6 +25,15 @@ rules:
 - patch
 - update
 - watch
+# operator only reads PostgresTeams
+- apiGroups:
+ - acid.zalan.do
+ resources:
+ - postgresteams
+ verbs:
+ - get
+ - list
+ - watch
 # to create or get/update CRDs when starting up
 - apiGroups:
 - apiextensions.k8s.io
diff --git a/docs/user.md b/docs/user.md
index a4b1424b8..c71b644df 100644
--- a/docs/user.md
+++ b/docs/user.md
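Review bot: The rewritten `description` on the `additionalSuperuserTeams` object keeps the misspelling `associted`, so the line is touched without fixing the word that was already wrong; it should read `description: "Map for teamId and associated additional superuser teams"`. The same line recurs in the `manifests/postgresteam.crd.yaml` hunk, and both copies should receive the identical fix so the chart CRD and the manifest CRD stay in step. The nested array description could also say what the grant applies to, which the docs in this commit spell out as the clusters of the keyed teamId, for example `description: "List of teams whose members become Postgres superusers in the clusters of this teamId"`.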
@@ -269,6 +269,67 @@ to choose superusers, group roles, [PAM configuration](https://github.com/CyberD etc. An OAuth2 token can be passed to the Teams API via a secret. The name for this secret is configurable with the `oauth_token_secret_name` parameter. +### Additional teams and members per cluster + +Postgres clusters are associated with one team by providing the `teamID` in +the manifest. Additional superuser teams can be configured as mentioned in +the previous paragraph. However, this is a global setting. To assign +additional teams, superuser teams and single users to clusters of a given +team, use the [PostgresTeam CRD](../manifests/postgresteam.yaml). It provides +a simple mapping structure. + + +```yaml +apiVersion: "acid.zalan.do/v1" +kind: PostgresTeam +metadata: + name: custom-team-membership +spec: + additionalSuperuserTeams: + acid: + - "postgres_superusers" + additionalTeams: + acid: [] + additionalMembers: + acid: + - "elephant" +``` + +One `PostgresTeam` resource could contain mappings of multiple teams but you +can choose to create separate CRDs, alternatively. On each CRD creation or +update the operator will gather all mappings to create additional human users +in databases the next time they are synced. Additional teams are resolved +transitively, meaning you will also add users for their `additionalTeams` +or (not and) `additionalSuperuserTeams`. + +For each additional team the Teams API would be queried. Additional members +will be added either way. There can be "virtual teams" that do not exists in +your Teams API but users of associated teams as well as members will get +created. With `PostgresTeams` it's also easy to cover team name changes. Just +add the mapping between old and new team name and the rest can stay the same. 
+
+```yaml
+apiVersion: "acid.zalan.do/v1"
+kind: PostgresTeam
+metadata:
+ name: virtualteam-membership
+spec:
+ additionalSuperuserTeams:
+ acid:
+ - "virtual_superusers"
+ virtual_superusers:
+ - "real_teamA"
+ - "real_teamB"
+ real_teamA:
+ - "real_teamA_renamed"
+ additionalTeams:
+ real_teamA:
+ - "real_teamA_renamed"
+ additionalMembers:
+ virtual_superusers:
+ - "foo"
+```
+
 ## Prepared databases with roles and default privileges
 
 The `users` section in the manifests only allows for creating database roles
diff --git a/manifests/operator-service-account-rbac.yaml b/manifests/operator-service-account-rbac.yaml
index 32e8969fa..15ed7f53b 100644
--- a/manifests/operator-service-account-rbac.yaml
+++ b/manifests/operator-service-account-rbac.yaml
@@ -16,7 +16,6 @@ rules:
 resources:
 - postgresqls
 - postgresqls/status
- - postgresteams
 - operatorconfigurations
 verbs:
 - create
@@ -27,6 +26,15 @@ rules:
 - patch
 - update
 - watch
+# operator only reads PostgresTeams
+- apiGroups:
+ - acid.zalan.do
+ resources:
+ - postgresteams
+ verbs:
+ - get
+ - list
+ - watch
 # to create or get/update CRDs when starting up
 - apiGroups:
 - apiextensions.k8s.io
diff --git a/manifests/postgresteam.crd.yaml b/manifests/postgresteam.crd.yaml
index d586a1006..012fc2fea 100644
--- a/manifests/postgresteam.crd.yaml
+++ b/manifests/postgresteam.crd.yaml
@@ -36,11 +36,11 @@ spec:
 properties:
 additionalSuperuserTeams:
 type: object
- description: "Map for teamId and associted additional admin teams"
+ description: "Map for teamId and associted additional superuser teams"
 additionalProperties:
 type: array
 nullable: true
- description: "List of teams to become Postgres admins"
+ description: "List of teams to become Postgres superusers"
 items:
 type: string
 additionalTeams: