Add 'admin' option to create role

2018-11-30 17:08:41 +01:00 · 2018-11-30 17:08:41 +01:00 · 83ef5ff5b6
parent ff5c63ddf1
commit 83ef5ff5b6
5 changed files with 20 additions and 5 deletions
--- a/docs/reference/operator_parameters.md
+++ b/docs/reference/operator_parameters.md
@ -365,6 +365,9 @@ key.
  role name to grant to team members created from the Teams API. The default is
  `admin`, that role is created by Spilo as a `NOLOGIN` role.

+* **add_admin_flag_to_robot_roles**
+   if `true`, the `team_admin_role` will have the rights to grant roles coming from PG manifests. Such roles will be created as in "CREATE ROLE 'role_from_manifest' ... ADMIN 'team_admin_role'". The default is `true`.
+
 * **pam_role_name**
  when set, the operator will add all team member roles to this group and add a
  `pg_hba` line to authenticate members of that role via `pam`. The default is
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
@ -709,11 +709,16 @@ func (c *Cluster) initRobotUsers() error {
 		if err != nil {
 			return fmt.Errorf("invalid flags for user %q: %v", username, err)
 		}
+		adminRole := ""
+		if c.OpConfig.AddAdminFlagToRobotRoles {
+			adminRole = c.OpConfig.TeamAdminRole
+		}
 		newRole := spec.PgUser{
-			Origin:   spec.RoleOriginManifest,
-			Name:     username,
-			Password: util.RandomPassword(constants.PasswordLength),
-			Flags:    flags,
+			Origin:    spec.RoleOriginManifest,
+			Name:      username,
+			Password:  util.RandomPassword(constants.PasswordLength),
+			Flags:     flags,
+			AdminRole: adminRole,
 		}
 		if currentRole, present := c.pgUsers[username]; present {
 			c.pgUsers[username] = c.resolveNameConflict(&currentRole, &newRole)
--- a/pkg/spec/types.go
+++ b/pkg/spec/types.go
@ -49,6 +49,7 @@ type PgUser struct {
 	Flags      []string          `yaml:"user_flags"`
 	MemberOf   []string          `yaml:"inrole"`
 	Parameters map[string]string `yaml:"db_parameters"`
+	AdminRole  string            `yaml:"admin_role"`
 }

 // PgUserMap maps user names to the definitions.
--- a/pkg/util/config/config.go
+++ b/pkg/util/config/config.go
@ -89,6 +89,7 @@ type Config struct {
 	EnableTeamsAPI                         bool   `name:"enable_teams_api" default:"true"`
 	EnableTeamSuperuser                    bool   `name:"enable_team_superuser" default:"false"`
 	TeamAdminRole                          string `name:"team_admin_role" default:"admin"`
+	AddAdminFlagToRobotRoles               bool   `name:"add_admin_flag_to_robot_roles" default:"true"`
 	EnableMasterLoadBalancer               bool   `name:"enable_master_load_balancer" default:"true"`
 	EnableReplicaLoadBalancer              bool   `name:"enable_replica_load_balancer" default:"false"`
 	// deprecated and kept for backward compatibility
--- a/pkg/util/users/users.go
+++ b/pkg/util/users/users.go
@ -5,9 +5,10 @@ import (
 	"fmt"
 	"strings"

+	"reflect"
+
 	"github.com/zalando-incubator/postgres-operator/pkg/spec"
 	"github.com/zalando-incubator/postgres-operator/pkg/util"
-	"reflect"
 )

 const (
@ -19,6 +20,7 @@ const (
 	doBlockStmt          = `SET LOCAL synchronous_commit = 'local'; DO $$ BEGIN %s; END;$$;`
 	passwordTemplate     = "ENCRYPTED PASSWORD '%s'"
 	inRoleTemplate       = `IN ROLE %s`
+	adminTemplate        = `ADMIN %s`
 )

 // DefaultUserSyncStrategy implements a user sync strategy that merges already existing database users
@ -113,6 +115,9 @@ func (strategy DefaultUserSyncStrategy) createPgUser(user spec.PgUser, db *sql.D
 	if len(user.MemberOf) > 0 {
 		userFlags = append(userFlags, fmt.Sprintf(inRoleTemplate, quoteMemberList(user)))
 	}
+	if user.AdminRole != "" {
+		userFlags = append(userFlags, fmt.Sprintf(adminTemplate, user))
+	}

 	if user.Password == "" {
 		userPassword = "PASSWORD NULL"