disable team member deprecation by default

This commit is contained in:
Felix Kunde 2021-05-20 15:40:47 +02:00
parent fb38bf7aeb
commit 3fa3ab1ca9
13 changed files with 41 additions and 17 deletions


@ -443,6 +443,9 @@ spec:
enable_postgres_team_crd_superusers:
type: boolean
default: false
enable_team_member_deprecation:
type: boolean
default: false
enable_team_superuser:
type: boolean
default: false


@ -294,8 +294,9 @@ configTeamsApi:
# operator watches for PostgresTeam CRs to assign additional teams and members to clusters
enable_postgres_team_crd: false
# toogle to create additional superuser teams from PostgresTeam CRs
# enable_postgres_team_crd_superusers: false
enable_postgres_team_crd_superusers: false
# toggle to automatically rename roles of former team members and deny LOGIN
enable_team_member_deprecation: "false"
# toggle to grant superuser to team members created from the Teams API
enable_team_superuser: false
# toggles usage of the Teams API by the operator
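Review bot: The added `enable_team_member_deprecation: "false"` is the only quoted value in this block; the neighbouring toggles, including the newly uncommented `enable_postgres_team_crd_superusers: false`, are bare booleans. The CRD schema added elsewhere in this commit declares the field as `type: boolean`, so if this values file is rendered into an OperatorConfiguration resource the string form is likely to be rejected by validation and the option would stay unset. Use `enable_team_member_deprecation: false` here; the ConfigMap-style values file in the next section correctly keeps every value as a string.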


@ -285,11 +285,11 @@ configTeamsApi:
# operator watches for PostgresTeam CRs to assign additional teams and members to clusters
enable_postgres_team_crd: "false"
# toogle to create additional superuser teams from PostgresTeam CRs
# enable_postgres_team_crd_superusers: "false"
enable_postgres_team_crd_superusers: "false"
# toggle to automatically rename roles of former team members and deny LOGIN
enable_team_member_deprecation: "false"
# toggle to grant superuser to team members created from the Teams API
# enable_team_superuser: "false"
enable_team_superuser: "false"
# toggles usage of the Teams API by the operator
enable_teams_api: "false"
# should contain a URL to use for authentication (username and token)


@ -705,12 +705,18 @@ key.
The default is empty.
* **role_deletion_suffix**
defines a suffix that will be appended to database role names of team members
that were removed from either the team in the Teams API or a `PostgresTeam`
custom resource (additionalMembers). When re-added, the operator will rename
roles with the defined suffix back to the original role name.
defines a suffix that - when `enable_team_member_deprecation` is set to
`true` - will be appended to database role names of team members that were
removed from either the team in the Teams API or a `PostgresTeam` custom
resource (additionalMembers). When re-added, the operator will rename roles
with the defined suffix back to the original role name.
The default is `_deleted`.
* **enable_team_member_deprecation**
if `true` database roles of former team members will be renamed by appending
the configured `role_deletion_suffix` and `LOGIN` privilege will be revoked.
The default is `false`.
* **enable_postgres_team_crd**
toggle to make the operator watch for created or updated `PostgresTeam` CRDs
and create roles for specified additional teams and members.


@ -413,10 +413,11 @@ The Postgres Operator does not delete database roles when users are removed
from manifests. But, using the `PostgresTeam` custom resource or Teams API it
is very easy to add roles to many clusters. Manually reverting such a change
is cumbersome. Therefore, if members are removed from a `PostgresTeam` or the
Teams API the operator will rename roles appending a configured suffix to the
Teams API the operator can rename roles appending a configured suffix to the
name (see `role_deletion_suffix` option) and revoke the `LOGIN` privilege.
The suffix makes it easy then for a cleanup script to remove those deprecated
roles completely.
roles completely. Switch `enable_team_member_deprecation` to `true` to enable
this behavior.
When a role is re-added to a `PostgresTeam` manifest (or to the source behind
the Teams API) the operator will check for roles with the configured suffix


@ -197,6 +197,7 @@ class EndToEndTestCase(unittest.TestCase):
enable_postgres_team_crd = {
"data": {
"enable_postgres_team_crd": "true",
"enable_team_member_deprecation": "true",
"resync_period": "15s",
},
}


@ -439,6 +439,9 @@ spec:
enable_postgres_team_crd_superusers:
type: boolean
default: false
enable_team_member_deprecation:
type: boolean
default: false
enable_team_superuser:
type: boolean
default: false


@ -1377,6 +1377,9 @@ var OperatorConfigCRDResourceValidation = apiextv1.CustomResourceValidation{
"enable_postgres_team_crd_superusers": {
Type: "boolean",
},
"enable_team_member_deprecation": {
Type: "boolean",
},
"enable_team_superuser": {
Type: "boolean",
},


@ -159,6 +159,7 @@ type TeamsAPIConfiguration struct {
PostgresSuperuserTeams []string `json:"postgres_superuser_teams,omitempty"`
EnablePostgresTeamCRD bool `json:"enable_postgres_team_crd,omitempty"`
EnablePostgresTeamCRDSuperusers bool `json:"enable_postgres_team_crd_superusers,omitempty"`
EnableTeamMemberDeprecation bool `json:"enable_postgres_team_crd_superusers,omitempty"`
RoleDeletionSuffix string `json:"role_deletion_suffix,omitempty"`
}
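Review bot: The JSON tag on the new `EnableTeamMemberDeprecation` field is copied from the line above: it reads `enable_postgres_team_crd_superusers` instead of `enable_team_member_deprecation`. Two fields of the same struct with the same tag name are ambiguous under encoding/json's field rules and both are silently ignored, so neither this option nor `enable_postgres_team_crd_superusers` can be set through the OperatorConfiguration CRD any more, and `importConfigurationFromCRD` in the later hunk would always copy the zero value. The fix is the tag `json:"enable_team_member_deprecation,omitempty"`. A small unit test that decodes an OperatorConfiguration document with both flags set to true and checks the struct would catch this class of copy-paste error.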


@ -193,13 +193,16 @@ func (c *Cluster) isNewCluster() bool {
func (c *Cluster) initUsers() error {
c.setProcessName("initializing users")
// save current state of pgUsers to check for deleted roles later
// if team member deprecation is enabled save current state of pgUsers
// to check for deleted roles
c.pgUsersCache = map[string]spec.PgUser{}
if c.OpConfig.EnableTeamMemberDeprecation {
for k, v := range c.pgUsers {
if v.Origin == spec.RoleOriginTeamsAPI {
c.pgUsersCache[k] = v
}
}
}
// clear our the previous state of the cluster users (in case we are
// running a sync).


@ -558,7 +558,7 @@ func (c *Cluster) syncRoles() (err error) {
for _, u := range c.pgUsers {
userNames = append(userNames, u.Name)
// add team member role name with rename suffix in case we need to rename it back
if u.Origin == spec.RoleOriginTeamsAPI {
if u.Origin == spec.RoleOriginTeamsAPI && c.OpConfig.EnableTeamMemberDeprecation {
deletedUsers[u.Name+c.OpConfig.RoleDeletionSuffix] = u.Name
userNames = append(userNames, u.Name+c.OpConfig.RoleDeletionSuffix)
}
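Review bot: Once the flag is switched off after having been enabled, this guard also disables the rename-back path: `deletedUsers` no longer learns the suffixed names, so a member re-added while deprecation is disabled presumably gets a fresh role while the earlier `<name><suffix>` role stays behind (assuming deletedUsers drives the rename later in syncRoles, which is outside the hunk). That is acceptable for an opt-in feature but worth stating at the guard, e.g. `// only while deprecation is enabled; roles suffixed earlier are left untouched once it is switched off`. syncRoles continues outside the hunk.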


@ -180,6 +180,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
result.PostgresSuperuserTeams = fromCRD.TeamsAPI.PostgresSuperuserTeams
result.EnablePostgresTeamCRD = fromCRD.TeamsAPI.EnablePostgresTeamCRD
result.EnablePostgresTeamCRDSuperusers = fromCRD.TeamsAPI.EnablePostgresTeamCRDSuperusers
result.EnableTeamMemberDeprecation = fromCRD.TeamsAPI.EnableTeamMemberDeprecation
result.RoleDeletionSuffix = util.Coalesce(fromCRD.TeamsAPI.RoleDeletionSuffix, "_deleted")
// logging REST API config


@ -177,6 +177,7 @@ type Config struct {
EnableTeamSuperuser bool `name:"enable_team_superuser" default:"false"`
TeamAdminRole string `name:"team_admin_role" default:"admin"`
RoleDeletionSuffix string `name:"role_deletion_suffix,omitempty" default:"_deleted"`
EnableTeamMemberDeprecation bool `name:"enable_team_member_deprecation,omitempty" default:"false"`
EnableAdminRoleForUsers bool `name:"enable_admin_role_for_users" default:"true"`
EnablePostgresTeamCRD bool `name:"enable_postgres_team_crd" default:"false"`
EnablePostgresTeamCRDSuperusers bool `name:"enable_postgres_team_crd_superusers" default:"false"`
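Review bot: The new `name:"enable_team_member_deprecation,omitempty"` tag carries an `,omitempty` suffix inside the `name` tag, whereas the sibling boolean toggles in this struct (`enable_team_superuser`, `enable_admin_role_for_users`, `enable_postgres_team_crd`) use a plain name. Only `role_deletion_suffix` shares this form, and whether the config loader strips the suffix before matching ConfigMap keys is not visible here; if it does not, the key would never match and the flag would silently stay at its default. Writing it as `name:"enable_team_member_deprecation"` like the other booleans removes the doubt. The Config struct continues outside the hunk.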