disable team member deprecation by default
This commit is contained in:
parent
fb38bf7aeb
commit
3fa3ab1ca9
@ -443,6 +443,9 @@ spec:
|
||||||
enable_postgres_team_crd_superusers:
|
enable_postgres_team_crd_superusers:
|
||||||
type: boolean
|
type: boolean
|
||||||
default: false
|
default: false
|
||||||
|
enable_team_member_deprecation:
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
enable_team_superuser:
|
enable_team_superuser:
|
||||||
type: boolean
|
type: boolean
|
||||||
default: false
|
default: false
|
||||||
@ -294,8 +294,9 @@ configTeamsApi:
|
||||||
# operator watches for PostgresTeam CRs to assign additional teams and members to clusters
|
# operator watches for PostgresTeam CRs to assign additional teams and members to clusters
|
||||||
enable_postgres_team_crd: false
|
enable_postgres_team_crd: false
|
||||||
# toogle to create additional superuser teams from PostgresTeam CRs
|
# toogle to create additional superuser teams from PostgresTeam CRs
|
||||||
# enable_postgres_team_crd_superusers: false
|
enable_postgres_team_crd_superusers: false
|
||||||
|
# toggle to automatically rename roles of former team members and deny LOGIN
|
||||||
|
enable_team_member_deprecation: "false"
|
||||||
# toggle to grant superuser to team members created from the Teams API
|
# toggle to grant superuser to team members created from the Teams API
|
||||||
enable_team_superuser: false
|
enable_team_superuser: false
|
||||||
# toggles usage of the Teams API by the operator
|
# toggles usage of the Teams API by the operator
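Review bot: The new `enable_team_member_deprecation: "false"` is a quoted string while every neighbouring key in this `configTeamsApi` block (`enable_postgres_team_crd`, `enable_postgres_team_crd_superusers`, `enable_team_superuser`) is a bare boolean. If this values file is rendered into the OperatorConfiguration CR, whose schema in this commit declares the field as `type: boolean`, a string value will be rejected by CRD validation, so the option could not even be switched on later by editing this value. Use `enable_team_member_deprecation: false` to match the siblings. The quoted form is only appropriate in the ConfigMap-style values file, where the other keys are quoted too.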
|
||||||
@ -285,11 +285,11 @@ configTeamsApi:
|
||||||
# operator watches for PostgresTeam CRs to assign additional teams and members to clusters
|
# operator watches for PostgresTeam CRs to assign additional teams and members to clusters
|
||||||
enable_postgres_team_crd: "false"
|
enable_postgres_team_crd: "false"
|
||||||
# toogle to create additional superuser teams from PostgresTeam CRs
|
# toogle to create additional superuser teams from PostgresTeam CRs
|
||||||
# enable_postgres_team_crd_superusers: "false"
|
enable_postgres_team_crd_superusers: "false"
|
||||||
|
# toggle to automatically rename roles of former team members and deny LOGIN
|
||||||
|
enable_team_member_deprecation: "false"
|
||||||
# toggle to grant superuser to team members created from the Teams API
|
# toggle to grant superuser to team members created from the Teams API
|
||||||
# enable_team_superuser: "false"
|
enable_team_superuser: "false"
|
||||||
|
|
||||||
# toggles usage of the Teams API by the operator
|
# toggles usage of the Teams API by the operator
|
||||||
enable_teams_api: "false"
|
enable_teams_api: "false"
|
||||||
# should contain a URL to use for authentication (username and token)
|
# should contain a URL to use for authentication (username and token)
|
||||||
@ -705,12 +705,18 @@ key.
|
||||||
The default is empty.
|
The default is empty.
|
||||||
|
|
||||||
* **role_deletion_suffix**
|
* **role_deletion_suffix**
|
||||||
defines a suffix that will be appended to database role names of team members
|
defines a suffix that - when `enable_team_member_deprecation` is set to
|
||||||
that were removed from either the team in the Teams API or a `PostgresTeam`
|
`true` - will be appended to database role names of team members that were
|
||||||
custom resource (additionalMembers). When re-added, the operator will rename
|
removed from either the team in the Teams API or a `PostgresTeam` custom
|
||||||
roles with the defined suffix back to the original role name.
|
resource (additionalMembers). When re-added, the operator will rename roles
|
||||||
|
with the defined suffix back to the original role name.
|
||||||
The default is `_deleted`.
|
The default is `_deleted`.
|
||||||
|
|
||||||
|
* **enable_team_member_deprecation**
|
||||||
|
if `true` database roles of former team members will be renamed by appending
|
||||||
|
the configured `role_deletion_suffix` and `LOGIN` privilege will be revoked.
|
||||||
|
The default is `false`.
|
||||||
|
|
||||||
* **enable_postgres_team_crd**
|
* **enable_postgres_team_crd**
|
||||||
toggle to make the operator watch for created or updated `PostgresTeam` CRDs
|
toggle to make the operator watch for created or updated `PostgresTeam` CRDs
|
||||||
and create roles for specified additional teams and members.
|
and create roles for specified additional teams and members.
|
||||||
@ -413,10 +413,11 @@ The Postgres Operator does not delete database roles when users are removed
|
||||||
from manifests. But, using the `PostgresTeam` custom resource or Teams API it
|
from manifests. But, using the `PostgresTeam` custom resource or Teams API it
|
||||||
is very easy to add roles to many clusters. Manually reverting such a change
|
is very easy to add roles to many clusters. Manually reverting such a change
|
||||||
is cumbersome. Therefore, if members are removed from a `PostgresTeam` or the
|
is cumbersome. Therefore, if members are removed from a `PostgresTeam` or the
|
||||||
Teams API the operator will rename roles appending a configured suffix to the
|
Teams API the operator can rename roles appending a configured suffix to the
|
||||||
name (see `role_deletion_suffix` option) and revoke the `LOGIN` privilege.
|
name (see `role_deletion_suffix` option) and revoke the `LOGIN` privilege.
|
||||||
The suffix makes it easy then for a cleanup script to remove those deprecated
|
The suffix makes it easy then for a cleanup script to remove those deprecated
|
||||||
roles completely.
|
roles completely. Switch `enable_team_member_deprecation` to `true` to enable
|
||||||
|
this behavior.
|
||||||
|
|
||||||
When a role is re-added to a `PostgresTeam` manifest (or to the source behind
|
When a role is re-added to a `PostgresTeam` manifest (or to the source behind
|
||||||
the Teams API) the operator will check for roles with the configured suffix
|
the Teams API) the operator will check for roles with the configured suffix
|
||||||
@ -197,6 +197,7 @@ class EndToEndTestCase(unittest.TestCase):
|
||||||
enable_postgres_team_crd = {
|
enable_postgres_team_crd = {
|
||||||
"data": {
|
"data": {
|
||||||
"enable_postgres_team_crd": "true",
|
"enable_postgres_team_crd": "true",
|
||||||
|
"enable_team_member_deprecation": "true",
|
||||||
"resync_period": "15s",
|
"resync_period": "15s",
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
@ -439,6 +439,9 @@ spec:
|
||||||
enable_postgres_team_crd_superusers:
|
enable_postgres_team_crd_superusers:
|
||||||
type: boolean
|
type: boolean
|
||||||
default: false
|
default: false
|
||||||
|
enable_team_member_deprecation:
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
enable_team_superuser:
|
enable_team_superuser:
|
||||||
type: boolean
|
type: boolean
|
||||||
default: false
|
default: false
|
||||||
@ -1377,6 +1377,9 @@ var OperatorConfigCRDResourceValidation = apiextv1.CustomResourceValidation{
|
||||||
"enable_postgres_team_crd_superusers": {
|
"enable_postgres_team_crd_superusers": {
|
||||||
Type: "boolean",
|
Type: "boolean",
|
||||||
},
|
},
|
||||||
|
"enable_team_member_deprecation": {
|
||||||
|
Type: "boolean",
|
||||||
|
},
|
||||||
"enable_team_superuser": {
|
"enable_team_superuser": {
|
||||||
Type: "boolean",
|
Type: "boolean",
|
||||||
},
|
},
|
||||||
@ -159,6 +159,7 @@ type TeamsAPIConfiguration struct {
|
||||||
PostgresSuperuserTeams []string `json:"postgres_superuser_teams,omitempty"`
|
PostgresSuperuserTeams []string `json:"postgres_superuser_teams,omitempty"`
|
||||||
EnablePostgresTeamCRD bool `json:"enable_postgres_team_crd,omitempty"`
|
EnablePostgresTeamCRD bool `json:"enable_postgres_team_crd,omitempty"`
|
||||||
EnablePostgresTeamCRDSuperusers bool `json:"enable_postgres_team_crd_superusers,omitempty"`
|
EnablePostgresTeamCRDSuperusers bool `json:"enable_postgres_team_crd_superusers,omitempty"`
|
||||||
|
EnableTeamMemberDeprecation bool `json:"enable_postgres_team_crd_superusers,omitempty"`
|
||||||
RoleDeletionSuffix string `json:"role_deletion_suffix,omitempty"`
|
RoleDeletionSuffix string `json:"role_deletion_suffix,omitempty"`
|
||||||
}
|
}
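Review bot: The JSON tag on the new `EnableTeamMemberDeprecation` field is `enable_postgres_team_crd_superusers`, copied from the line above, so `TeamsAPIConfiguration` now carries two fields with the same key. encoding/json treats same-level duplicate names as ambiguous and silently decodes neither of them, which means an OperatorConfiguration CR can set neither `enable_team_member_deprecation` nor `enable_postgres_team_crd_superusers`; the assignment in `importConfigurationFromCRD` then copies the zero value, and the superuser toggle quietly stops working for CRD-configured operators while this new option can never be enabled that way. The tag should read `json:"enable_team_member_deprecation,omitempty"`. A small unmarshal test that sets both keys to `true` and checks both struct fields would catch this class of copy-paste error.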
|
||||||
@ -193,11 +193,14 @@ func (c *Cluster) isNewCluster() bool {
|
||||||
func (c *Cluster) initUsers() error {
|
func (c *Cluster) initUsers() error {
|
||||||
c.setProcessName("initializing users")
|
c.setProcessName("initializing users")
|
||||||
|
|
||||||
// save current state of pgUsers to check for deleted roles later
|
// if team member deprecation is enabled save current state of pgUsers
|
||||||
|
// to check for deleted roles
|
||||||
c.pgUsersCache = map[string]spec.PgUser{}
|
c.pgUsersCache = map[string]spec.PgUser{}
|
||||||
for k, v := range c.pgUsers {
|
if c.OpConfig.EnableTeamMemberDeprecation {
|
||||||
if v.Origin == spec.RoleOriginTeamsAPI {
|
for k, v := range c.pgUsers {
|
||||||
c.pgUsersCache[k] = v
|
if v.Origin == spec.RoleOriginTeamsAPI {
|
||||||
|
c.pgUsersCache[k] = v
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -558,7 +558,7 @@ func (c *Cluster) syncRoles() (err error) {
|
||||||
for _, u := range c.pgUsers {
|
for _, u := range c.pgUsers {
|
||||||
userNames = append(userNames, u.Name)
|
userNames = append(userNames, u.Name)
|
||||||
// add team member role name with rename suffix in case we need to rename it back
|
// add team member role name with rename suffix in case we need to rename it back
|
||||||
if u.Origin == spec.RoleOriginTeamsAPI {
|
if u.Origin == spec.RoleOriginTeamsAPI && c.OpConfig.EnableTeamMemberDeprecation {
|
||||||
deletedUsers[u.Name+c.OpConfig.RoleDeletionSuffix] = u.Name
|
deletedUsers[u.Name+c.OpConfig.RoleDeletionSuffix] = u.Name
|
||||||
userNames = append(userNames, u.Name+c.OpConfig.RoleDeletionSuffix)
|
userNames = append(userNames, u.Name+c.OpConfig.RoleDeletionSuffix)
|
||||||
}
|
}
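Review bot: Gating the suffix lookup on `EnableTeamMemberDeprecation` means that once the option is switched off, roles that were already renamed to `<name>_deleted` and stripped of LOGIN are no longer matched, so a member who is re-added presumably gets a fresh role under the original name while the suffixed one stays behind (the rename-back path is outside this hunk, so this is inferred). That is acceptable for an opt-in feature, but the `enable_team_member_deprecation` parameter documentation should say so, e.g. `Switching the option off does not restore roles that were deprecated earlier; they keep the suffix and NOLOGIN until cleaned up manually.` `syncRoles` starts and ends outside the hunk.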
|
||||||
@ -180,6 +180,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
|
||||||
result.PostgresSuperuserTeams = fromCRD.TeamsAPI.PostgresSuperuserTeams
|
result.PostgresSuperuserTeams = fromCRD.TeamsAPI.PostgresSuperuserTeams
|
||||||
result.EnablePostgresTeamCRD = fromCRD.TeamsAPI.EnablePostgresTeamCRD
|
result.EnablePostgresTeamCRD = fromCRD.TeamsAPI.EnablePostgresTeamCRD
|
||||||
result.EnablePostgresTeamCRDSuperusers = fromCRD.TeamsAPI.EnablePostgresTeamCRDSuperusers
|
result.EnablePostgresTeamCRDSuperusers = fromCRD.TeamsAPI.EnablePostgresTeamCRDSuperusers
|
||||||
|
result.EnableTeamMemberDeprecation = fromCRD.TeamsAPI.EnableTeamMemberDeprecation
|
||||||
result.RoleDeletionSuffix = util.Coalesce(fromCRD.TeamsAPI.RoleDeletionSuffix, "_deleted")
|
result.RoleDeletionSuffix = util.Coalesce(fromCRD.TeamsAPI.RoleDeletionSuffix, "_deleted")
|
||||||
|
|
||||||
// logging REST API config
|
// logging REST API config
|
||||||
@ -177,6 +177,7 @@ type Config struct {
|
||||||
EnableTeamSuperuser bool `name:"enable_team_superuser" default:"false"`
|
EnableTeamSuperuser bool `name:"enable_team_superuser" default:"false"`
|
||||||
TeamAdminRole string `name:"team_admin_role" default:"admin"`
|
TeamAdminRole string `name:"team_admin_role" default:"admin"`
|
||||||
RoleDeletionSuffix string `name:"role_deletion_suffix,omitempty" default:"_deleted"`
|
RoleDeletionSuffix string `name:"role_deletion_suffix,omitempty" default:"_deleted"`
|
||||||
|
EnableTeamMemberDeprecation bool `name:"enable_team_member_deprecation,omitempty" default:"false"`
|
||||||
EnableAdminRoleForUsers bool `name:"enable_admin_role_for_users" default:"true"`
|
EnableAdminRoleForUsers bool `name:"enable_admin_role_for_users" default:"true"`
|
||||||
EnablePostgresTeamCRD bool `name:"enable_postgres_team_crd" default:"false"`
|
EnablePostgresTeamCRD bool `name:"enable_postgres_team_crd" default:"false"`
|
||||||
EnablePostgresTeamCRDSuperusers bool `name:"enable_postgres_team_crd_superusers" default:"false"`
|
EnablePostgresTeamCRDSuperusers bool `name:"enable_postgres_team_crd_superusers" default:"false"`
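Review bot: The `name` tag of the new field is `enable_team_member_deprecation,omitempty`, with the `,omitempty` suffix copied from `role_deletion_suffix` rather than from the other boolean toggles in this struct (`enable_team_superuser`, `enable_postgres_team_crd`, `enable_postgres_team_crd_superusers`), which all carry the bare key. Whether the config loader strips that suffix or uses the whole tag as the ConfigMap key cannot be seen from this hunk; if it is the latter, the e2e test that sets `"enable_team_member_deprecation": "true"` in the ConfigMap would never reach this field and the feature would stay off. Dropping the suffix to match the siblings, `name:"enable_team_member_deprecation" default:"false"`, removes the doubt either way. `Config` starts and ends outside the hunk.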
|
||||||