From 4cd82220d2a0d4b894c37d48aef878797d061676 Mon Sep 17 00:00:00 2001 From: Felix Kunde Date: Thu, 15 Oct 2020 13:40:41 +0200 Subject: [PATCH] superusers instead of admin --- manifests/postgresteam.crd.yaml | 2 +- .../acid.zalan.do/v1/postgres_team_type.go | 6 +-- .../acid.zalan.do/v1/zz_generated.deepcopy.go | 4 +- pkg/cluster/cluster.go | 23 +++++------ pkg/teams/postgres_team.go | 40 ++++++++----------- pkg/teams/postgres_team_test.go | 14 +++---- 6 files changed, 39 insertions(+), 50 deletions(-) diff --git a/manifests/postgresteam.crd.yaml b/manifests/postgresteam.crd.yaml index 17c7d6620..153acda9d 100644 --- a/manifests/postgresteam.crd.yaml +++ b/manifests/postgresteam.crd.yaml @@ -34,7 +34,7 @@ spec: spec: type: object properties: - additionalAdminTeams: + additionalSuperuserTeams: type: object description: "Map for teamId and associted additional admin teams" additionalProperties: diff --git a/pkg/apis/acid.zalan.do/v1/postgres_team_type.go b/pkg/apis/acid.zalan.do/v1/postgres_team_type.go index 163c046be..5697c193e 100644 --- a/pkg/apis/acid.zalan.do/v1/postgres_team_type.go +++ b/pkg/apis/acid.zalan.do/v1/postgres_team_type.go @@ -17,9 +17,9 @@ type PostgresTeam struct { // PostgresTeamSpec defines the specification for the PostgresTeam TPR. type PostgresTeamSpec struct { - AdditionalAdminTeams map[string][]string `json:"additionalAdminTeams,omitempty"` - AdditionalTeams map[string][]string `json:"additionalTeams,omitempty"` - AdditionalMembers map[string][]string `json:"additionalMembers,omitempty"` + AdditionalSuperuserTeams map[string][]string `json:"additionalSuperuserTeams,omitempty"` + AdditionalTeams map[string][]string `json:"additionalTeams,omitempty"` + AdditionalMembers map[string][]string `json:"additionalMembers,omitempty"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 
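Review bot: In manifests/postgresteam.crd.yaml the key becomes `additionalSuperuserTeams`, but the `description` on the context line below it still says "additional admin teams" and misspells "associated". It should read `description: "Map for teamId and associated additional superuser teams"`. The same rename changes the JSON tag in postgres_team_type.go, so a PostgresTeam object that still uses `additionalAdminTeams` would presumably decode with an empty superuser map and no error. A sentence in the commit message telling operators to migrate existing manifests would make that silent loss of grants visible.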
diff --git a/pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go b/pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go index 8571ca405..364b3e161 100644 --- a/pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go +++ b/pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go @@ -774,8 +774,8 @@ func (in *PostgresTeamList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PostgresTeamSpec) DeepCopyInto(out *PostgresTeamSpec) { *out = *in - if in.AdditionalAdminTeams != nil { - in, out := &in.AdditionalAdminTeams, &out.AdditionalAdminTeams + if in.AdditionalSuperuserTeams != nil { + in, out := &in.AdditionalSuperuserTeams, &out.AdditionalSuperuserTeams *out = make(map[string][]string, len(*in)) for key, val := range *in { var outVal []string diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go index 779860fe2..3d17633f5 100644 --- a/pkg/cluster/cluster.go +++ b/pkg/cluster/cluster.go 
@@ -1130,27 +1130,24 @@ func (c *Cluster) initTeamMembers(teamID string, isPostgresSuperuserTeam bool) e func (c *Cluster) initHumanUsers() error { - adminTeams := c.PgTeamMap.GetAdditionalTeams(c.Spec.TeamID, true) + superuserTeams := c.PgTeamMap.GetAdditionalSuperuserTeams(c.Spec.TeamID, true) var clusterIsOwnedBySuperuserTeam bool for _, postgresSuperuserTeam := range c.OpConfig.PostgresSuperuserTeams { - isAdditionalAdminTeam := false - for _, adminTeam := range adminTeams { - if postgresSuperuserTeam == adminTeam { - isAdditionalAdminTeam = true + isAdditionalSuperuserTeam := false + for _, superuserTeam := range superuserTeams { + if postgresSuperuserTeam == superuserTeam { + isAdditionalSuperuserTeam = true } } - if !(isAdditionalAdminTeam) { - adminTeams = append(adminTeams, postgresSuperuserTeam) - } - if postgresSuperuserTeam == c.Spec.TeamID { - clusterIsOwnedBySuperuserTeam = true - } } - for _, adminTeam := range adminTeams { + for _, superuserTeam := range superuserTeams { err := c.initTeamMembers(adminTeam, true) if err != nil { - return fmt.Errorf("Cannot create team %q of Postgres superusers: %v", adminTeam, err) + return fmt.Errorf("Cannot create team %q of Postgres superusers: %v", superuserTeam, err) + } + if superuserTeam == c.Spec.TeamID { + clusterIsOwnedBySuperuserTeam = true } } diff --git a/pkg/teams/postgres_team.go b/pkg/teams/postgres_team.go index f950aaa39..0b577a1af 100644 --- a/pkg/teams/postgres_team.go +++ b/pkg/teams/postgres_team.go @@ -8,9 +8,9 @@ import ( type PostgresTeamMap map[string]postgresTeamMembership type postgresTeamMembership struct { - AdditionalAdminTeams []string - AdditionalTeams []string - AdditionalMembers []string + AdditionalSuperuserTeams []string + AdditionalTeams []string + AdditionalMembers []string } type teamHashSet map[string]map[string]struct{} 
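Review bot: In initHumanUsers the unchanged call `c.initTeamMembers(adminTeam, true)` still names `adminTeam`, which the renamed loop no longer declares, and `isAdditionalSuperuserTeam` is now assigned but never read, so the new side should not compile as shown. Dropping the `append` also means the teams in `c.OpConfig.PostgresSuperuserTeams` are never added to `superuserTeams`, so this loop no longer initialises their members. `clusterIsOwnedBySuperuserTeam` is likewise only set when the cluster's own team appears among its additional superuser teams. If that is not intended, keep `if !isAdditionalSuperuserTeam { superuserTeams = append(superuserTeams, postgresSuperuserTeam) }` inside the outer loop and call `c.initTeamMembers(superuserTeam, true)`. The function continues past the end of the hunk, so the later use of `clusterIsOwnedBySuperuserTeam` is not visible here.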
@@ -55,26 +55,18 @@ func fetchTeams(teamset *map[string]struct{}, set teamHashSet) { } } -func (ptm *PostgresTeamMap) fetchAdditionalTeams(team string, adminTeams bool, transitive bool, exclude *[]string) []string { +func (ptm *PostgresTeamMap) fetchAdditionalTeams(team string, superuserTeams bool, transitive bool, exclude *[]string) []string { - var teams, allTeams []string + var teams []string - if adminTeams { - teams = (*ptm)[team].AdditionalAdminTeams - allTeams = teams - for _, otherPrivilegedTeam := range (*ptm)[team].AdditionalTeams { - allTeams = append(allTeams, otherPrivilegedTeam) - } + if superuserTeams { + teams = (*ptm)[team].AdditionalSuperuserTeams } else { teams = (*ptm)[team].AdditionalTeams - allTeams = teams - for _, otherPrivilegedTeam := range (*ptm)[team].AdditionalAdminTeams { - allTeams = append(allTeams, otherPrivilegedTeam) - } } if transitive { *exclude = append(*exclude, team) - for _, additionalTeam := range allTeams { + for _, additionalTeam := range teams { getTransitiveTeams := true for _, excludedTeam := range *exclude { if additionalTeam == excludedTeam { @@ -82,7 +74,7 @@ func (ptm *PostgresTeamMap) fetchAdditionalTeams(team string, adminTeams bool, t } } if getTransitiveTeams { - transitiveTeams := (*ptm).fetchAdditionalTeams(additionalTeam, adminTeams, transitive, exclude) + transitiveTeams := (*ptm).fetchAdditionalTeams(additionalTeam, superuserTeams, transitive, exclude) if len(transitiveTeams) > 0 { for _, transitiveTeam := range transitiveTeams { 
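Review bot: fetchAdditionalTeams has no doc comment, and this change alters what `transitive` means: the recursion now follows only the mapping selected by `superuserTeams`, no longer the union of both lists. Because GetAdditionalSuperuserTeams feeds `initTeamMembers(..., true)` in cluster.go, that inheritance rule decides who is set up as a superuser and should be written down, for example `// fetchAdditionalTeams returns the teams mapped to team in AdditionalSuperuserTeams (superuserTeams=true) or AdditionalTeams; with transitive=true it follows the same mapping recursively, skipping teams already in exclude.` A test for a chain such as teamA → teamB → teamC on the superuser mapping would pin the behaviour. The function body continues beyond the hunk.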
@@ -102,31 +94,31 @@ func (ptm *PostgresTeamMap) GetAdditionalTeams(team string, transitive bool) []s } // GetAdditionalTeams function to retrieve list of additional teams -func (ptm *PostgresTeamMap) GetAdditionalAdminTeams(team string, transitive bool) []string { +func (ptm *PostgresTeamMap) GetAdditionalSuperuserTeams(team string, transitive bool) []string { return ptm.fetchAdditionalTeams(team, true, transitive, &[]string{}) } // Load function to import data from PostgresTeam CRD func (ptm *PostgresTeamMap) Load(pgTeams *acidv1.PostgresTeamList) { - adminTeamSet := teamHashSet{} + superuserTeamSet := teamHashSet{} teamSet := teamHashSet{} teamMemberSet := teamHashSet{} teamIDs := make(map[string]struct{}) for _, pgTeam := range pgTeams.Items { - adminTeamSet.mergeCrdMap(pgTeam.Spec.AdditionalAdminTeams) + superuserTeamSet.mergeCrdMap(pgTeam.Spec.AdditionalSuperuserTeams) teamSet.mergeCrdMap(pgTeam.Spec.AdditionalTeams) teamMemberSet.mergeCrdMap(pgTeam.Spec.AdditionalMembers) } - fetchTeams(&teamIDs, adminTeamSet) + fetchTeams(&teamIDs, superuserTeamSet) fetchTeams(&teamIDs, teamSet) fetchTeams(&teamIDs, teamMemberSet) for teamID := range teamIDs { (*ptm)[teamID] = postgresTeamMembership{ - AdditionalAdminTeams: adminTeamSet.toMap()[teamID], - AdditionalTeams: teamSet.toMap()[teamID], - AdditionalMembers: teamMemberSet.toMap()[teamID], + AdditionalSuperuserTeams: superuserTeamSet.toMap()[teamID], + AdditionalTeams: teamSet.toMap()[teamID], + AdditionalMembers: teamMemberSet.toMap()[teamID], } } } diff --git a/pkg/teams/postgres_team_test.go b/pkg/teams/postgres_team_test.go index b9c70fec9..5516affb0 100644 --- a/pkg/teams/postgres_team_test.go +++ b/pkg/teams/postgres_team_test.go 
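Review bot: Load only assigns `(*ptm)[teamID]` for team IDs present in the current list and never removes older keys. If the same map is loaded again after a PostgresTeam object was deleted or edited, a team that no longer appears in any CRD would keep its previous `AdditionalSuperuserTeams` entry. Whether Load is called repeatedly on one map is not visible in this hunk; if it is, clear the map first, e.g. `for id := range *ptm { delete(*ptm, id) }` at the top of Load. Separately, the comment above GetAdditionalSuperuserTeams still starts with `// GetAdditionalTeams`; it should read `// GetAdditionalSuperuserTeams returns the additional superuser teams of a team`.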
@@ -38,7 +38,7 @@ func TestLoadingPostgresTeamCRD(t *testing.T) { Name: "teamAB", }, Spec: acidv1.PostgresTeamSpec{ - AdditionalAdminTeams: map[string][]string{"teamA": []string{"teamB", "team24/7"}, "teamB": []string{"teamA", "team24/7"}}, + AdditionalSuperuserTeams: map[string][]string{"teamA": []string{"teamB", "team24/7"}, "teamB": []string{"teamA", "team24/7"}}, AdditionalTeams: map[string][]string{"teamA": []string{"teamC"}, "teamB": []string{}}, AdditionalMembers: map[string][]string{"team24/7": []string{"optimusprime"}, "teamB": []string{"drno"}}, }, @@ -51,7 +51,7 @@ func TestLoadingPostgresTeamCRD(t *testing.T) { Name: "teamC", }, Spec: acidv1.PostgresTeamSpec{ - AdditionalAdminTeams: map[string][]string{"teamC": []string{"team24/7"}}, + AdditionalSuperuserTeams: map[string][]string{"teamC": []string{"team24/7"}}, AdditionalTeams: map[string][]string{"teamA": []string{"teamC"}, "teamC": []string{"teamA", "teamB"}}, AdditionalMembers: map[string][]string{"acid": []string{"batman"}}, }, @@ -60,27 +60,27 @@ func TestLoadingPostgresTeamCRD(t *testing.T) { }, PostgresTeamMap{ "teamA": { - AdditionalAdminTeams: []string{"teamB", "team24/7"}, + AdditionalSuperuserTeams: []string{"teamB", "team24/7"}, AdditionalTeams: []string{"teamC"}, AdditionalMembers: nil, }, "teamB": { - AdditionalAdminTeams: []string{"teamA", "team24/7"}, + AdditionalSuperuserTeams: []string{"teamA", "team24/7"}, AdditionalTeams: []string{}, AdditionalMembers: []string{"drno"}, }, "teamC": { - AdditionalAdminTeams: []string{"team24/7"}, + AdditionalSuperuserTeams: []string{"team24/7"}, AdditionalTeams: []string{"teamA", "teamB"}, AdditionalMembers: nil, }, "team24/7": { - AdditionalAdminTeams: nil, + AdditionalSuperuserTeams: nil, AdditionalTeams: nil, AdditionalMembers: []string{"optimusprime"}, }, "acid": { - AdditionalAdminTeams: nil, + AdditionalSuperuserTeams: nil, AdditionalTeams: nil, AdditionalMembers: []string{"batman"}, },