make additional owner roles part of the sync user strategy
parent
50340d7478
commit
6e5210f404
@ -133,8 +133,10 @@ func New(cfg Config, kubeClient k8sutil.KubernetesClient, pgSpec acidv1.Postgres
|
||||||
Services: make(map[PostgresRole]*v1.Service),
|
Services: make(map[PostgresRole]*v1.Service),
|
||||||
Endpoints: make(map[PostgresRole]*v1.Endpoints)},
|
Endpoints: make(map[PostgresRole]*v1.Endpoints)},
|
||||||
userSyncStrategy: users.DefaultUserSyncStrategy{
|
userSyncStrategy: users.DefaultUserSyncStrategy{
|
||||||
PasswordEncryption: passwordEncryption,
|
PasswordEncryption: passwordEncryption,
|
||||||
RoleDeletionSuffix: cfg.OpConfig.RoleDeletionSuffix},
|
RoleDeletionSuffix: cfg.OpConfig.RoleDeletionSuffix,
|
||||||
|
AdditionalOwnerRoles: cfg.OpConfig.AdditionalOwnerRoles,
|
||||||
|
},
|
||||||
deleteOptions: metav1.DeleteOptions{PropagationPolicy: &deletePropagationPolicy},
|
deleteOptions: metav1.DeleteOptions{PropagationPolicy: &deletePropagationPolicy},
|
||||||
podEventsQueue: podEventsQueue,
|
podEventsQueue: podEventsQueue,
|
||||||
KubeClient: kubeClient,
|
KubeClient: kubeClient,
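Review bot: `AdditionalOwnerRoles: cfg.OpConfig.AdditionalOwnerRoles` copies only the slice header, so the strategy and the operator config keep sharing one backing array: a later reassignment of the config field is not seen by the strategy, while an in-place mutation is, which gives the captured list ill-defined semantics. If OpConfig is meant to be immutable after load this is harmless, but copying makes the intent explicit: `AdditionalOwnerRoles: append([]string(nil), cfg.OpConfig.AdditionalOwnerRoles...),`. The rest of New and the Cluster literal lie outside this hunk.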
|
||||||
|
|
|
||||||
|
|
@ -657,7 +657,7 @@ func (c *Cluster) syncSecrets() error {
|
||||||
return fmt.Errorf("could not init db connection: %v", err)
|
return fmt.Errorf("could not init db connection: %v", err)
|
||||||
}
|
}
|
||||||
pgSyncRequests := c.userSyncStrategy.ProduceSyncRequests(spec.PgUserMap{}, rotationUsers)
|
pgSyncRequests := c.userSyncStrategy.ProduceSyncRequests(spec.PgUserMap{}, rotationUsers)
|
||||||
if err = c.userSyncStrategy.ExecuteSyncRequests(pgSyncRequests, c.pgDb, c.OpConfig.AdditionalOwnerRoles); err != nil {
|
if err = c.userSyncStrategy.ExecuteSyncRequests(pgSyncRequests, c.pgDb); err != nil {
|
||||||
return fmt.Errorf("error creating database roles for password rotation: %v", err)
|
return fmt.Errorf("error creating database roles for password rotation: %v", err)
|
||||||
}
|
}
|
||||||
if err := c.closeDbConn(); err != nil {
|
if err := c.closeDbConn(); err != nil {
|
||||||
|
|
@ -872,7 +872,7 @@ func (c *Cluster) syncRoles() (err error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
pgSyncRequests := c.userSyncStrategy.ProduceSyncRequests(dbUsers, c.pgUsers)
|
pgSyncRequests := c.userSyncStrategy.ProduceSyncRequests(dbUsers, c.pgUsers)
|
||||||
if err = c.userSyncStrategy.ExecuteSyncRequests(pgSyncRequests, c.pgDb, c.OpConfig.AdditionalOwnerRoles); err != nil {
|
if err = c.userSyncStrategy.ExecuteSyncRequests(pgSyncRequests, c.pgDb); err != nil {
|
||||||
return fmt.Errorf("error executing sync statements: %v", err)
|
return fmt.Errorf("error executing sync statements: %v", err)
|
||||||
}
|
}
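Review bot: After this change both syncSecrets and syncRoles take the additional owner roles from the strategy built once in New rather than from the current `c.OpConfig.AdditionalOwnerRoles`, so if the operator configuration can be updated at runtime without recreating the Cluster, role syncs would keep revoking and granting against the list captured at construction; if OpConfig is fixed for the cluster's lifetime this is fine. Worth stating at the call site so the next reader does not look for the dropped argument, e.g. `// additional owner roles are fixed in userSyncStrategy at cluster construction`. The enclosing syncRoles body begins and ends outside this hunk.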
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -75,7 +75,7 @@ type PgSyncUserRequest struct {
|
||||||
// UserSyncer defines an interface for the implementations to sync users from the manifest to the DB.
|
// UserSyncer defines an interface for the implementations to sync users from the manifest to the DB.
|
||||||
type UserSyncer interface {
|
type UserSyncer interface {
|
||||||
ProduceSyncRequests(dbUsers PgUserMap, newUsers PgUserMap) (req []PgSyncUserRequest)
|
ProduceSyncRequests(dbUsers PgUserMap, newUsers PgUserMap) (req []PgSyncUserRequest)
|
||||||
ExecuteSyncRequests(req []PgSyncUserRequest, db *sql.DB, additionalOwners []string) error
|
ExecuteSyncRequests(req []PgSyncUserRequest, db *sql.DB) error
|
||||||
}
|
}
|
||||||
|
|
||||||
// LogEntry describes log entry in the RingLogger
|
// LogEntry describes log entry in the RingLogger
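Review bot: The UserSyncer interface now leaves settings such as the additional owner roles to the implementation, but neither method carries a doc comment, so a second implementation has no stated contract for what ExecuteSyncRequests must do with them. Suggest documenting both methods, e.g. `// ProduceSyncRequests compares the roles present in the database with the desired ones and returns the requests needed to reconcile them.` and `// ExecuteSyncRequests applies the requests to db; implementation-specific settings (e.g. additional owner roles) are carried by the implementation itself.` The interface is complete within this hunk.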
|
||||||
|
|
|
||||||
|
|
@ -32,8 +32,9 @@ const (
|
||||||
// an existing roles of another role membership, nor it removes the already assigned flag
|
// an existing roles of another role membership, nor it removes the already assigned flag
|
||||||
// (except for the NOLOGIN). TODO: process other NOflags, i.e. NOSUPERUSER correctly.
|
// (except for the NOLOGIN). TODO: process other NOflags, i.e. NOSUPERUSER correctly.
|
||||||
type DefaultUserSyncStrategy struct {
|
type DefaultUserSyncStrategy struct {
|
||||||
PasswordEncryption string
|
PasswordEncryption string
|
||||||
RoleDeletionSuffix string
|
RoleDeletionSuffix string
|
||||||
|
AdditionalOwnerRoles []string
|
||||||
}
|
}
|
||||||
|
|
||||||
// ProduceSyncRequests figures out the types of changes that need to happen with the given users.
|
// ProduceSyncRequests figures out the types of changes that need to happen with the given users.
|
||||||
|
|
@ -104,7 +105,7 @@ func (strategy DefaultUserSyncStrategy) ProduceSyncRequests(dbUsers spec.PgUserM
|
||||||
}
|
}
|
||||||
|
|
||||||
// ExecuteSyncRequests makes actual database changes from the requests passed in its arguments.
|
// ExecuteSyncRequests makes actual database changes from the requests passed in its arguments.
|
||||||
func (strategy DefaultUserSyncStrategy) ExecuteSyncRequests(requests []spec.PgSyncUserRequest, db *sql.DB, additionalOwnerRoles []string) error {
|
func (strategy DefaultUserSyncStrategy) ExecuteSyncRequests(requests []spec.PgSyncUserRequest, db *sql.DB) error {
|
||||||
var reqretries []spec.PgSyncUserRequest
|
var reqretries []spec.PgSyncUserRequest
|
||||||
errors := make([]string, 0)
|
errors := make([]string, 0)
|
||||||
for _, request := range requests {
|
for _, request := range requests {
|
||||||
|
|
@ -120,8 +121,8 @@ func (strategy DefaultUserSyncStrategy) ExecuteSyncRequests(requests []spec.PgSy
|
||||||
errors = append(errors, fmt.Sprintf("could not alter user %q: %v", request.User.Name, err))
|
errors = append(errors, fmt.Sprintf("could not alter user %q: %v", request.User.Name, err))
|
||||||
// check if additional owners are misconfigured as members to a database owner
|
// check if additional owners are misconfigured as members to a database owner
|
||||||
// resolve it by revoking the database owner from the additional owner role
|
// resolve it by revoking the database owner from the additional owner role
|
||||||
if request.User.IsDbOwner && len(additionalOwnerRoles) > 0 {
|
if request.User.IsDbOwner && len(strategy.AdditionalOwnerRoles) > 0 {
|
||||||
if err := resolveOwnerMembership(request.User, additionalOwnerRoles, db); err != nil {
|
if err := resolveOwnerMembership(request.User, strategy.AdditionalOwnerRoles, db); err != nil {
|
||||||
errors = append(errors, fmt.Sprintf("could not resolve owner membership for %q: %v", request.User.Name, err))
|
errors = append(errors, fmt.Sprintf("could not resolve owner membership for %q: %v", request.User.Name, err))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -146,7 +147,7 @@ func (strategy DefaultUserSyncStrategy) ExecuteSyncRequests(requests []spec.PgSy
|
||||||
// retry adding roles as long as the number of failed attempts is shrinking
|
// retry adding roles as long as the number of failed attempts is shrinking
|
||||||
if len(reqretries) > 0 {
|
if len(reqretries) > 0 {
|
||||||
if len(reqretries) < len(requests) {
|
if len(reqretries) < len(requests) {
|
||||||
if err := strategy.ExecuteSyncRequests(reqretries, db, additionalOwnerRoles); err != nil {
|
if err := strategy.ExecuteSyncRequests(reqretries, db); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
} else {
|
} else {
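Review bot: In the hunk at `@ -120,8 +121,8 @@` the names in `strategy.AdditionalOwnerRoles` originate in operator configuration and, judging by the comment above the check, end up in REVOKE statements issued by resolveOwnerMembership, which lies outside this hunk; confirm that helper quotes each role as an SQL identifier rather than interpolating it raw, since a role name containing spaces, uppercase letters or quotes would otherwise fail or change the statement. The new guard `request.User.IsDbOwner && len(strategy.AdditionalOwnerRoles) > 0` is a correct cheap pre-check, but a failed membership resolution is only appended to `errors` and the loop moves on, so a misconfigured additional owner keeps the owner role's privileges until a later sync succeeds; that looks like intended best-effort behaviour and deserves a comment such as `// best-effort: a failed revoke is reported but does not block the remaining requests`. The exported field `AdditionalOwnerRoles []string` added in the first hunk also lacks a doc comment, e.g. `// AdditionalOwnerRoles lists the operator-wide extra owner roles; ExecuteSyncRequests revokes their membership in a database owner role.`. The request loop and the enclosing function begin and end outside the hunk.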
|
||||||
|
|
|
||||||