From 3fa3ab1ca9a5dfccd6a2dc398d96c34f50c7f0dc Mon Sep 17 00:00:00 2001
From: Felix Kunde
Date: Thu, 20 May 2021 15:40:47 +0200
Subject: [PATCH] disable team member deprecation by default
---
 .../crds/operatorconfigurations.yaml | 3 +++
 charts/postgres-operator/values-crd.yaml | 5 +++--
 charts/postgres-operator/values.yaml | 8 ++++----
 docs/reference/operator_parameters.md | 14 ++++++++++----
 docs/user.md | 5 +++--
 e2e/tests/test_e2e.py | 1 +
 manifests/operatorconfiguration.crd.yaml | 3 +++
 pkg/apis/acid.zalan.do/v1/crds.go | 3 +++
 .../v1/operator_configuration_type.go | 1 +
 pkg/cluster/cluster.go | 11 +++++++----
 pkg/cluster/sync.go | 2 +-
 pkg/controller/operator_config.go | 1 +
 pkg/util/config/config.go | 1 +
 13 files changed, 41 insertions(+), 17 deletions(-)
diff --git a/charts/postgres-operator/crds/operatorconfigurations.yaml b/charts/postgres-operator/crds/operatorconfigurations.yaml
index b2129854c..0f036c299 100644
--- a/charts/postgres-operator/crds/operatorconfigurations.yaml
+++ b/charts/postgres-operator/crds/operatorconfigurations.yaml
@@ -443,6 +443,9 @@ spec: enable_postgres_team_crd_superusers: type: boolean default: false + enable_team_member_deprecation: type: boolean default: false enable_team_superuser: type: boolean default: false
diff --git a/charts/postgres-operator/values-crd.yaml b/charts/postgres-operator/values-crd.yaml
index 61be1ad93..a51c63b4c 100644
--- a/charts/postgres-operator/values-crd.yaml
+++ b/charts/postgres-operator/values-crd.yaml
@@ -294,8 +294,9 @@ configTeamsApi:
 # operator watches for PostgresTeam CRs to assign additional teams and members to clusters
 enable_postgres_team_crd: false
 # toogle to create additional superuser teams from PostgresTeam CRs
- # enable_postgres_team_crd_superusers: false
-
+ enable_postgres_team_crd_superusers: false
+ # toggle to automatically rename roles of former team members and deny LOGIN
+ enable_team_member_deprecation: "false"
 # toggle to grant superuser to team members created from the Teams API
 enable_team_superuser: false
 # toggles usage of the Teams API by the operator
diff --git a/charts/postgres-operator/values.yaml b/charts/postgres-operator/values.yaml
index a3c9f76c9..87bae96fc 100644
--- a/charts/postgres-operator/values.yaml
+++ b/charts/postgres-operator/values.yaml
@@ -285,11 +285,11 @@ configTeamsApi:
 # operator watches for PostgresTeam CRs to assign additional teams and members to clusters
 enable_postgres_team_crd: "false"
 # toogle to create additional superuser teams from PostgresTeam CRs
- # enable_postgres_team_crd_superusers: "false"
-
+ enable_postgres_team_crd_superusers: "false"
+ # toggle to automatically rename roles of former team members and deny LOGIN
+ enable_team_member_deprecation: "false"
 # toggle to grant superuser to team members created from the Teams API
- # enable_team_superuser: "false"
-
+ enable_team_superuser: "false"
 # toggles usage of the Teams API by the operator
 enable_teams_api: "false"
 # should contain a URL to use for authentication (username and token)
diff --git a/docs/reference/operator_parameters.md b/docs/reference/operator_parameters.md
index 029d6e173..b0d982943 100644
--- a/docs/reference/operator_parameters.md
+++ b/docs/reference/operator_parameters.md
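Review bot: In the values-crd.yaml hunk the new key is written as a quoted string, `enable_team_member_deprecation: "false"`, while its neighbours in the same file (`enable_postgres_team_crd_superusers: false`, `enable_team_superuser: false`) are bare booleans and the CRD schema added by this same patch declares the field as `type: boolean`. If the chart renders this value unchanged into an OperatorConfiguration resource, the API server's schema validation would presumably reject the string rather than apply the default, so the flag could not be set through this file at all. The quoted form is correct only in values.yaml, which feeds a ConfigMap. Change the line to `enable_team_member_deprecation: false`.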
@@ -705,12 +705,18 @@ key. The default is empty. * **role_deletion_suffix** - defines a suffix that will be appended to database role names of team members - that were removed from either the team in the Teams API or a `PostgresTeam` - custom resource (additionalMembers). When re-added, the operator will rename - roles with the defined suffix back to the original role name. + defines a suffix that - when `enable_team_member_deprecation` is set to + `true` - will be appended to database role names of team members that were + removed from either the team in the Teams API or a `PostgresTeam` custom + resource (additionalMembers). When re-added, the operator will rename roles + with the defined suffix back to the original role name. The default is `_deleted`. +* **enable_team_member_deprecation** + if `true` database roles of former team members will be renamed by appending + the configured `role_deletion_suffix` and `LOGIN` privilege will be revoked. + The default is `false`. + * **enable_postgres_team_crd** toggle to make the operator watch for created or updated `PostgresTeam` CRDs and create roles for specified additional teams and members.
diff --git a/docs/user.md b/docs/user.md
index 33930167b..8e406ec00 100644
--- a/docs/user.md
+++ b/docs/user.md
@@ -413,10 +413,11 @@ The Postgres Operator does not delete database roles when users are removed from manifests. But, using the `PostgresTeam` custom resource or Teams API it is very easy to add roles to many clusters. Manually reverting such a change is cumbersome. Therefore, if members are removed from a `PostgresTeam` or the -Teams API the operator will rename roles appending a configured suffix to the +Teams API the operator can rename roles appending a configured suffix to the name (see `role_deletion_suffix` option) and revoke the `LOGIN` privilege. The suffix makes it easy then for a cleanup script to remove those deprecated -roles completely. +roles completely. Switch `enable_team_member_deprecation` to `true` to enable +this behavior. When a role is re-added to a `PostgresTeam` manifest (or to the source behind the Teams API) the operator will check for roles with the configured suffix
diff --git a/e2e/tests/test_e2e.py b/e2e/tests/test_e2e.py
index a86e42a39..01f4992a3 100644
--- a/e2e/tests/test_e2e.py
+++ b/e2e/tests/test_e2e.py
@@ -197,6 +197,7 @@ class EndToEndTestCase(unittest.TestCase):
 enable_postgres_team_crd = {
 "data": {
 "enable_postgres_team_crd": "true",
+ "enable_team_member_deprecation": "true",
 "resync_period": "15s",
 },
 }
diff --git a/manifests/operatorconfiguration.crd.yaml b/manifests/operatorconfiguration.crd.yaml
index b48dd9e33..fbed0bea1 100644
--- a/manifests/operatorconfiguration.crd.yaml
+++ b/manifests/operatorconfiguration.crd.yaml
@@ -439,6 +439,9 @@ spec: enable_postgres_team_crd_superusers: type: boolean default: false + enable_team_member_deprecation: type: boolean default: false enable_team_superuser: type: boolean default: false
diff --git a/pkg/apis/acid.zalan.do/v1/crds.go b/pkg/apis/acid.zalan.do/v1/crds.go
index 4cc162a54..83e7273e4 100644
--- a/pkg/apis/acid.zalan.do/v1/crds.go
+++ b/pkg/apis/acid.zalan.do/v1/crds.go
@@ -1377,6 +1377,9 @@ var OperatorConfigCRDResourceValidation = apiextv1.CustomResourceValidation{ "enable_postgres_team_crd_superusers": { Type: "boolean", }, + "enable_team_member_deprecation": { Type: "boolean", }, "enable_team_superuser": { Type: "boolean", },
diff --git a/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go b/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
index c988257b2..eec3c97ee 100644
--- a/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
+++ b/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
@@ -159,6 +159,7 @@ type TeamsAPIConfiguration struct {
 PostgresSuperuserTeams []string `json:"postgres_superuser_teams,omitempty"`
 EnablePostgresTeamCRD bool `json:"enable_postgres_team_crd,omitempty"`
 EnablePostgresTeamCRDSuperusers bool `json:"enable_postgres_team_crd_superusers,omitempty"`
+ EnableTeamMemberDeprecation bool `json:"enable_postgres_team_crd_superusers,omitempty"`
 RoleDeletionSuffix string `json:"role_deletion_suffix,omitempty"`
 }
diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go
index 97036dabf..5b4d15ba5 100644
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
@@ -193,11 +193,14 @@ func (c *Cluster) isNewCluster() bool {
 func (c *Cluster) initUsers() error {
 c.setProcessName("initializing users")
- // save current state of pgUsers to check for deleted roles later
+ // if team member deprecation is enabled save current state of pgUsers
+ // to check for deleted roles
 c.pgUsersCache = map[string]spec.PgUser{}
- for k, v := range c.pgUsers {
- if v.Origin == spec.RoleOriginTeamsAPI {
- c.pgUsersCache[k] = v
+ if c.OpConfig.EnableTeamMemberDeprecation {
+ for k, v := range c.pgUsers {
+ if v.Origin == spec.RoleOriginTeamsAPI {
+ c.pgUsersCache[k] = v
+ }
 }
 }
diff --git a/pkg/cluster/sync.go b/pkg/cluster/sync.go
index d5bf35e1f..e987e744b 100644
--- a/pkg/cluster/sync.go
+++ b/pkg/cluster/sync.go
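Review bot: The new field in TeamsAPIConfiguration carries the JSON tag of the field directly above it (`json:"enable_postgres_team_crd_superusers,omitempty"`), which looks like a copy-paste slip. encoding/json treats two fields at the same nesting level with the same name as a conflict and ignores both, so neither `enable_team_member_deprecation` nor the pre-existing `enable_postgres_team_crd_superusers` can be read from an OperatorConfiguration resource any more, and `importConfigurationFromCRD` in pkg/controller/operator_config.go would copy `false` for both regardless of the manifest. That silently leaves the LOGIN-revocation behaviour off for CRD-configured operators while also breaking the superuser-teams toggle, with no error to point at. The line should read `EnableTeamMemberDeprecation bool `json:"enable_team_member_deprecation,omitempty"``, matching the key in the CRD schema and the config.go name tag.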
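Review bot: The guard in initUsers only decides what is stored in c.pgUsersCache; the comparison that later renames former team members' roles and revokes LOGIN is outside this hunk, so I cannot see whether it is gated by the flag as well or simply finds nothing to do because the cache stays empty. If the latter is the intent, the comment should say so, since the map is still allocated unconditionally and a reader of the consumer will not see the flag, e.g. `// with deprecation disabled the cache stays empty, so no former member is ever treated as removed`. initUsers continues past the end of the hunk.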
@@ -558,7 +558,7 @@ func (c *Cluster) syncRoles() (err error) {
 for _, u := range c.pgUsers {
 userNames = append(userNames, u.Name)
 // add team member role name with rename suffix in case we need to rename it back
- if u.Origin == spec.RoleOriginTeamsAPI {
+ if u.Origin == spec.RoleOriginTeamsAPI && c.OpConfig.EnableTeamMemberDeprecation {
 deletedUsers[u.Name+c.OpConfig.RoleDeletionSuffix] = u.Name
 userNames = append(userNames, u.Name+c.OpConfig.RoleDeletionSuffix)
 }
diff --git a/pkg/controller/operator_config.go b/pkg/controller/operator_config.go
index 75ce10520..fbec7a462 100644
--- a/pkg/controller/operator_config.go
+++ b/pkg/controller/operator_config.go
@@ -180,6 +180,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
 result.PostgresSuperuserTeams = fromCRD.TeamsAPI.PostgresSuperuserTeams
 result.EnablePostgresTeamCRD = fromCRD.TeamsAPI.EnablePostgresTeamCRD
 result.EnablePostgresTeamCRDSuperusers = fromCRD.TeamsAPI.EnablePostgresTeamCRDSuperusers
+ result.EnableTeamMemberDeprecation = fromCRD.TeamsAPI.EnableTeamMemberDeprecation
 result.RoleDeletionSuffix = util.Coalesce(fromCRD.TeamsAPI.RoleDeletionSuffix, "_deleted")
 // logging REST API config
diff --git a/pkg/util/config/config.go b/pkg/util/config/config.go
index ea40df157..42c9ff20d 100644
--- a/pkg/util/config/config.go
+++ b/pkg/util/config/config.go
@@ -177,6 +177,7 @@ type Config struct {
 EnableTeamSuperuser bool `name:"enable_team_superuser" default:"false"`
 TeamAdminRole string `name:"team_admin_role" default:"admin"`
 RoleDeletionSuffix string `name:"role_deletion_suffix,omitempty" default:"_deleted"`
+ EnableTeamMemberDeprecation bool `name:"enable_team_member_deprecation,omitempty" default:"false"`
 EnableAdminRoleForUsers bool `name:"enable_admin_role_for_users" default:"true"`
 EnablePostgresTeamCRD bool `name:"enable_postgres_team_crd" default:"false"`
 EnablePostgresTeamCRDSuperusers bool `name:"enable_postgres_team_crd_superusers" default:"false"`
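Review bot: The config.go hunk copies the `,omitempty` suffix from the RoleDeletionSuffix line into the new tag, `name:"enable_team_member_deprecation,omitempty"`, whereas every other bool in this struct (`enable_team_superuser`, `enable_postgres_team_crd`, …) uses the bare key. How this package's loader parses the `name` tag is not visible here; if it uses the tag text verbatim as the ConfigMap key, the setting would never match and would silently stay `false`, which for a control that revokes LOGIN from former team members is worth a test rather than an assumption. Unless the suffix has a documented meaning for this loader, the consistent form is `EnableTeamMemberDeprecation bool `name:"enable_team_member_deprecation" default:"false"``.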