From 8d58ceb339e562c06b6afef0b0140febc09b9ed7 Mon Sep 17 00:00:00 2001 From: Felix Kunde Date: Mon, 17 May 2021 12:11:36 +0200 Subject: [PATCH] rename suffix and pgUser field --- .../crds/operatorconfigurations.yaml | 4 ++-- charts/postgres-operator/values-crd.yaml | 2 +- charts/postgres-operator/values.yaml | 2 +- docs/reference/operator_parameters.md | 4 ++-- docs/user.md | 7 ++++--- e2e/tests/test_e2e.py | 4 ++-- manifests/configmap.yaml | 2 +- manifests/operatorconfiguration.crd.yaml | 4 ++-- ...ostgresql-operator-default-configuration.yaml | 2 +- pkg/apis/acid.zalan.do/v1/crds.go | 2 +- .../v1/operator_configuration_type.go | 2 +- pkg/cluster/cluster.go | 4 ++-- pkg/cluster/database.go | 8 ++++---- pkg/cluster/sync.go | 14 +++++++------- pkg/controller/operator_config.go | 2 +- pkg/spec/types.go | 2 +- pkg/util/config/config.go | 2 +- pkg/util/users/users.go | 16 ++++++++-------- 18 files changed, 42 insertions(+), 41 deletions(-) diff --git a/charts/postgres-operator/crds/operatorconfigurations.yaml b/charts/postgres-operator/crds/operatorconfigurations.yaml index d9923c1b5..b2129854c 100644 --- a/charts/postgres-operator/crds/operatorconfigurations.yaml +++ b/charts/postgres-operator/crds/operatorconfigurations.yaml @@ -465,9 +465,9 @@ spec: type: string default: - admin - role_deprecation_suffix: + role_deletion_suffix: type: string - default: "_delete_me" + default: "_deleted" team_admin_role: type: string default: "admin" diff --git a/charts/postgres-operator/values-crd.yaml b/charts/postgres-operator/values-crd.yaml index 44f9166a9..61be1ad93 100644 --- a/charts/postgres-operator/values-crd.yaml +++ b/charts/postgres-operator/values-crd.yaml @@ -314,7 +314,7 @@ configTeamsApi: - admin # Suffix to add if members are removed from TeamsAPI or PostgresTeam CRD - # role_deprecation_suffix: "_delete_me" + # role_deletion_suffix: "_deleted" # role name to grant to team members created from the Teams API team_admin_role: admin 
diff --git a/charts/postgres-operator/values.yaml b/charts/postgres-operator/values.yaml
index 90d5dca47..a3c9f76c9 100644
--- a/charts/postgres-operator/values.yaml
+++ b/charts/postgres-operator/values.yaml
@@ -305,7 +305,7 @@ configTeamsApi:
 # protected_role_names: "admin"
 # Suffix to add if members are removed from TeamsAPI or PostgresTeam CRD
- # role_deprecation_suffix: "_delete_me"
+ # role_deletion_suffix: "_deleted"
 # role name to grant to team members created from the Teams API
 # team_admin_role: "admin"
diff --git a/docs/reference/operator_parameters.md b/docs/reference/operator_parameters.md
index 7dbbf5fa7..029d6e173 100644
--- a/docs/reference/operator_parameters.md
+++ b/docs/reference/operator_parameters.md
@@ -704,12 +704,12 @@ key.
 cluster to administer Postgres and maintain infrastructure built around it. The default is empty.
-* **role_deprecation_suffix**
+* **role_deletion_suffix**
 defines a suffix that will be appended to database role names of team members that were removed from either the team in the Teams API or a `PostgresTeam` custom resource (additionalMembers). When re-added, the operator will rename roles with the defined suffix back to the original role name.
- The default is `_delete_me`.
+ The default is `_deleted`.
 * **enable_postgres_team_crd**
 toggle to make the operator watch for created or updated `PostgresTeam` CRDs
diff --git a/docs/user.md b/docs/user.md
index 4bfc94488..33930167b 100644
--- a/docs/user.md
+++ b/docs/user.md
@@ -414,13 +414,14 @@ from manifests. But, using the `PostgresTeam` custom resource or Teams API it is very easy to add roles to many clusters. Manually reverting such a change is cumbersome. Therefore, if members are removed from a `PostgresTeam` or the Teams API the operator will rename roles appending a configured suffix to the -name (see `role_deprecation_suffix` option) and revoke the `LOGIN` privilege. +name (see `role_deletion_suffix` option) and revoke the `LOGIN` privilege. The suffix makes it easy then for a cleanup script to remove those deprecated roles completely. -When a role is re-added to a PostgresTeam manifest (or to the source behind +When a role is re-added to a `PostgresTeam` manifest (or to the source behind the Teams API) the operator will check for roles with the configured suffix -and if found, rename the role back to the original name and grant LOGIN again. +and if found, rename the role back to the original name and grant `LOGIN` +again. ## Prepared databases with roles and default privileges diff --git a/e2e/tests/test_e2e.py b/e2e/tests/test_e2e.py index a44d7c4ce..f4d16c7e3 100644 --- a/e2e/tests/test_e2e.py +++ b/e2e/tests/test_e2e.py @@ -249,7 +249,7 @@ class EndToEndTestCase(unittest.TestCase): SELECT rolname FROM pg_catalog.pg_roles WHERE (rolname = 'tester' AND rolcanlogin) - OR (rolname = 'kind_delete_me' AND NOT rolcanlogin); + OR (rolname = 'kind_deleted' AND NOT rolcanlogin); """ self.eventuallyEqual(lambda: len(self.query_database(leader.metadata.name, "postgres", user_query)), 2, "PostgresTeam change not reflected in database", 10, 5) 
@@ -272,7 +272,7 @@ class EndToEndTestCase(unittest.TestCase): SELECT rolname FROM pg_catalog.pg_roles WHERE (rolname = 'kind' AND rolcanlogin) - OR (rolname = 'tester_delete_me' AND NOT rolcanlogin); + OR (rolname = 'tester_deleted' AND NOT rolcanlogin); """ self.eventuallyEqual(lambda: len(self.query_database(leader.metadata.name, "postgres", user_query)), 2, "PostgresTeam change not reflected in database", 10, 5) diff --git a/manifests/configmap.yaml b/manifests/configmap.yaml index 4b95a96b1..fea8b19cc 100644 --- a/manifests/configmap.yaml +++ b/manifests/configmap.yaml @@ -111,7 +111,7 @@ data: resource_check_timeout: 10m resync_period: 30m ring_log_lines: "100" - # role_deprecation_suffix: "_delete_me" + # role_deletion_suffix: "_deleted" secret_name_template: "{username}.{cluster}.credentials" # sidecar_docker_images: "" # set_memory_request_to_limit: "false" diff --git a/manifests/operatorconfiguration.crd.yaml b/manifests/operatorconfiguration.crd.yaml index fc708674e..b48dd9e33 100644 --- a/manifests/operatorconfiguration.crd.yaml +++ b/manifests/operatorconfiguration.crd.yaml @@ -461,9 +461,9 @@ spec: type: string default: - admin - role_deprecation_suffix: + role_deletion_suffix: type: string - default: "_delete_me" + default: "_deleted" team_admin_role: type: string default: "admin" diff --git a/manifests/postgresql-operator-default-configuration.yaml b/manifests/postgresql-operator-default-configuration.yaml index a3d120ce4..c05843f7a 100644 --- a/manifests/postgresql-operator-default-configuration.yaml +++ b/manifests/postgresql-operator-default-configuration.yaml @@ -149,7 +149,7 @@ configuration: # - postgres_superusers protected_role_names: - admin - # role_deprecation_suffix: "_delete_me" + # role_deletion_suffix: "_deleted" team_admin_role: admin team_api_role_configuration: log_statement: all diff --git a/pkg/apis/acid.zalan.do/v1/crds.go b/pkg/apis/acid.zalan.do/v1/crds.go index f3090c370..4cc162a54 100644 
--- a/pkg/apis/acid.zalan.do/v1/crds.go
+++ b/pkg/apis/acid.zalan.do/v1/crds.go
@@ -1405,7 +1405,7 @@ var OperatorConfigCRDResourceValidation = apiextv1.CustomResourceValidation{
 },
 },
 },
- "role_deprecation_suffix": {
+ "role_deletion_suffix": {
 Type: "string",
 },
 "team_admin_role": {
diff --git a/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go b/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
index ddcac1c45..c988257b2 100644
--- a/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
+++ b/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
@@ -159,7 +159,7 @@ type TeamsAPIConfiguration struct {
 PostgresSuperuserTeams []string `json:"postgres_superuser_teams,omitempty"`
 EnablePostgresTeamCRD bool `json:"enable_postgres_team_crd,omitempty"`
 EnablePostgresTeamCRDSuperusers bool `json:"enable_postgres_team_crd_superusers,omitempty"`
- RoleDeprecationSuffix string `json:"role_deprecation_suffix,omitempty"`
+ RoleDeletionSuffix string `json:"role_deletion_suffix,omitempty"`
 }
 // LoggingRESTAPIConfiguration defines Logging API conf
diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go
index 9472d4c01..97036dabf 100644
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
@@ -131,8 +131,8 @@ func New(cfg Config, kubeClient k8sutil.KubernetesClient, pgSpec acidv1.Postgres
 Services: make(map[PostgresRole]*v1.Service),
 Endpoints: make(map[PostgresRole]*v1.Endpoints)},
 userSyncStrategy: users.DefaultUserSyncStrategy{
- PasswordEncryption: passwordEncryption,
- RoleDeprecationSuffix: cfg.OpConfig.RoleDeprecationSuffix},
+ PasswordEncryption: passwordEncryption,
+ RoleDeletionSuffix: cfg.OpConfig.RoleDeletionSuffix},
 deleteOptions: metav1.DeleteOptions{PropagationPolicy: &deletePropagationPolicy},
 podEventsQueue: podEventsQueue,
 KubeClient: kubeClient,
diff --git a/pkg/cluster/database.go b/pkg/cluster/database.go
index 6a5fa9bd4..829c2e5c7 100644
--- a/pkg/cluster/database.go
+++ b/pkg/cluster/database.go
@@ -198,7 +198,7 @@ func (c *Cluster) readPgUsersFromDatabase(userNames []string) (users spec.PgUser
 rolname, rolpassword string
 rolsuper, rolinherit, rolcreaterole, rolcreatedb, rolcanlogin bool
 roloptions, memberof []string
- roldeprecated bool
+ roldeleted bool
 )
 err := rows.Scan(&rolname, &rolpassword, &rolsuper, &rolinherit, &rolcreaterole, &rolcreatedb, &rolcanlogin, pq.Array(&roloptions), pq.Array(&memberof))
@@ -217,11 +217,11 @@ func (c *Cluster) readPgUsersFromDatabase(userNames []string) (users spec.PgUser
 parameters[fields[0]] = fields[1]
 }
- if strings.HasSuffix(rolname, c.OpConfig.RoleDeprecationSuffix) {
- roldeprecated = true
+ if strings.HasSuffix(rolname, c.OpConfig.RoleDeletionSuffix) {
+ roldeleted = true
 }
- users[rolname] = spec.PgUser{Name: rolname, Password: rolpassword, Flags: flags, MemberOf: memberof, Parameters: parameters, Deprecated: roldeprecated}
+ users[rolname] = spec.PgUser{Name: rolname, Password: rolpassword, Flags: flags, MemberOf: memberof, Parameters: parameters, Deleted: roldeleted}
 }
 return users, nil
diff --git a/pkg/cluster/sync.go b/pkg/cluster/sync.go
index 3d138f28b..d5bf35e1f 100644
--- a/pkg/cluster/sync.go
+++ b/pkg/cluster/sync.go
@@ -551,16 +551,16 @@ func (c *Cluster) syncRoles() (err error) {
 }
 }()
- // mapping between deprecated and original role name
- deprecatedUsers := map[string]string{}
+ // mapping between original role name and with deletion suffix
+ deletedUsers := map[string]string{}
 // create list of database roles to query
 for _, u := range c.pgUsers {
 userNames = append(userNames, u.Name)
 // add team member role name with rename suffix in case we need to rename it back
 if u.Origin == spec.RoleOriginTeamsAPI {
- deprecatedUsers[u.Name+c.OpConfig.RoleDeprecationSuffix] = u.Name
- userNames = append(userNames, u.Name+c.OpConfig.RoleDeprecationSuffix)
+ deletedUsers[u.Name+c.OpConfig.RoleDeletionSuffix] = u.Name
+ userNames = append(userNames, u.Name+c.OpConfig.RoleDeletionSuffix)
 }
 }
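Review bot: readPgUsersFromDatabase classifies a role as Deleted purely because its name ends in RoleDeletionSuffix, and the new default `_deleted` is a far more plausible tail of a legitimately named role than `_delete_me` was; in the visible ProduceSyncRequests path the flag is only consulted for roles absent from newUsers, so the collision looks benign today, but the flag is persisted on the PgUser and nothing here stops another consumer from trusting it. The suffix is also operator-supplied and not validated at this point: if it ever arrives empty (the CRD path coalesces to a default, but I cannot see whether an explicit empty ConfigMap value is rejected) `strings.HasSuffix(rolname, "")` is true for every role queried. I would guard the check, `if suffix := c.OpConfig.RoleDeletionSuffix; suffix != "" && strings.HasSuffix(rolname, suffix) {`, and add a comment that this is a name-only heuristic which syncRoles narrows to Teams-API roles via its deletedUsers map. readPgUsersFromDatabase starts and ends outside the hunk.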
@@ -588,12 +588,12 @@ func (c *Cluster) syncRoles() (err error) {
 return fmt.Errorf("error getting users from the database: %v", err)
 }
- // update pgUsers where a deprecated role was found
+ // update pgUsers where a deleted role was found
 // so that they are skipped in ProduceSyncRequests
 for _, dbUser := range dbUsers {
- if originalUser, exists := deprecatedUsers[dbUser.Name]; exists {
+ if originalUser, exists := deletedUsers[dbUser.Name]; exists {
 recreatedUser := c.pgUsers[originalUser]
- recreatedUser.Deprecated = true
+ recreatedUser.Deleted = true
 c.pgUsers[originalUser] = recreatedUser
 }
 }
diff --git a/pkg/controller/operator_config.go b/pkg/controller/operator_config.go
index 1496e6572..75ce10520 100644
--- a/pkg/controller/operator_config.go
+++ b/pkg/controller/operator_config.go
@@ -180,7 +180,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
 result.PostgresSuperuserTeams = fromCRD.TeamsAPI.PostgresSuperuserTeams
 result.EnablePostgresTeamCRD = fromCRD.TeamsAPI.EnablePostgresTeamCRD
 result.EnablePostgresTeamCRDSuperusers = fromCRD.TeamsAPI.EnablePostgresTeamCRDSuperusers
- result.RoleDeprecationSuffix = util.Coalesce(fromCRD.TeamsAPI.RoleDeprecationSuffix, "_delete_me")
+ result.RoleDeletionSuffix = util.Coalesce(fromCRD.TeamsAPI.RoleDeletionSuffix, "_deleted")
 // logging REST API config
 result.APIPort = util.CoalesceInt(fromCRD.LoggingRESTAPI.APIPort, 8080)
diff --git a/pkg/spec/types.go b/pkg/spec/types.go
index db73cc896..5d7794b42 100644
--- a/pkg/spec/types.go
+++ b/pkg/spec/types.go
@@ -54,7 +54,7 @@ type PgUser struct {
 MemberOf []string `yaml:"inrole"`
 Parameters map[string]string `yaml:"db_parameters"`
 AdminRole string `yaml:"admin_role"`
- Deprecated bool `yaml:"deprecated"`
+ Deleted bool `yaml:"deleted"`
 }
 func (user *PgUser) Valid() bool {
diff --git a/pkg/util/config/config.go b/pkg/util/config/config.go
index 30d5fb2ca..ea40df157 100644
--- a/pkg/util/config/config.go
+++ b/pkg/util/config/config.go
@@ -176,7 +176,7 @@ type Config struct {
 EnableTeamsAPI bool `name:"enable_teams_api" default:"true"`
 EnableTeamSuperuser bool `name:"enable_team_superuser" default:"false"`
 TeamAdminRole string `name:"team_admin_role" default:"admin"`
- RoleDeprecationSuffix string `name:"role_deprecation_suffix,omitempty" default:"_delete_me"`
+ RoleDeletionSuffix string `name:"role_deletion_suffix,omitempty" default:"_deleted"`
 EnableAdminRoleForUsers bool `name:"enable_admin_role_for_users" default:"true"`
 EnablePostgresTeamCRD bool `name:"enable_postgres_team_crd" default:"false"`
 EnablePostgresTeamCRDSuperusers bool `name:"enable_postgres_team_crd_superusers" default:"false"`
diff --git a/pkg/util/users/users.go b/pkg/util/users/users.go
index 7fa94d464..d0d503b61 100644
--- a/pkg/util/users/users.go
+++ b/pkg/util/users/users.go
@@ -30,8 +30,8 @@ const (
 // an existing roles of another role membership, nor it removes the already assigned flag
 // (except for the NOLOGIN). TODO: process other NOflags, i.e. NOSUPERUSER correctly.
 type DefaultUserSyncStrategy struct {
- PasswordEncryption string
- RoleDeprecationSuffix string
+ PasswordEncryption string
+ RoleDeletionSuffix string
 }
 // ProduceSyncRequests figures out the types of changes that need to happen with the given users.
@@ -40,7 +40,7 @@ func (strategy DefaultUserSyncStrategy) ProduceSyncRequests(dbUsers spec.PgUserM
 var reqs []spec.PgSyncUserRequest
 for name, newUser := range newUsers {
- if newUser.Deprecated {
+ if newUser.Deleted {
 continue
 }
 dbUser, exists := dbUsers[name]
@@ -79,10 +79,10 @@ func (strategy DefaultUserSyncStrategy) ProduceSyncRequests(dbUsers spec.PgUserM
 // but team roles will be renamed and denied from LOGIN
 for name, dbUser := range dbUsers {
 if _, exists := newUsers[name]; !exists {
- // toggle LOGIN flag based on role deprecation
+ // toggle LOGIN flag based on role deletion
 userFlags := make([]string, len(dbUser.Flags))
 userFlags = append(userFlags, dbUser.Flags...)
- if dbUser.Deprecated {
+ if dbUser.Deleted {
 dbUser.Flags = util.StringSliceReplaceElement(dbUser.Flags, constants.RoleFlagNoLogin, constants.RoleFlagLogin)
 } else {
 dbUser.Flags = util.StringSliceReplaceElement(dbUser.Flags, constants.RoleFlagLogin, constants.RoleFlagNoLogin)
@@ -156,11 +156,11 @@ func (strategy DefaultUserSyncStrategy) alterPgUserSet(user spec.PgUser, db *sql
 func (strategy DefaultUserSyncStrategy) alterPgUserRename(user spec.PgUser, db *sql.DB) error {
 var query string
- if user.Deprecated {
- newName := strings.TrimSuffix(user.Name, strategy.RoleDeprecationSuffix)
+ if user.Deleted {
+ newName := strings.TrimSuffix(user.Name, strategy.RoleDeletionSuffix)
 query = fmt.Sprintf(alterUserRenameSQL, user.Name, newName, "")
 } else {
- query = fmt.Sprintf(alterUserRenameSQL, user.Name, user.Name, strategy.RoleDeletionSuffix)
+ query = fmt.Sprintf(alterUserRenameSQL, user.Name, user.Name, strategy.RoleDeletionSuffix)
 }
 if _, err := db.Exec(query); err != nil {
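Review bot: `userFlags` is allocated with `make([]string, len(dbUser.Flags))` and then appended to, so the snapshot taken just before the LOGIN/NOLOGIN toggle holds len(dbUser.Flags) empty strings followed by the real flags; these two lines are unchanged context, but they sit on the new side next to the renamed `dbUser.Deleted` branch that they feed. If the copy is meant to preserve the pre-toggle flags for a later comparison, it should be `userFlags := make([]string, 0, len(dbUser.Flags))` (or `userFlags := append([]string(nil), dbUser.Flags...)`). ProduceSyncRequests starts before and continues after this hunk, so I cannot see how userFlags is consumed and the effect is inferred.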
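Review bot: The operator-supplied RoleDeletionSuffix is spliced into the ALTER ROLE statement with fmt.Sprintf in the else branch, next to user.Name, and nothing in this function validates it; alterUserRenameSQL is outside the hunk, so I cannot see whether the template quotes identifiers, but a suffix containing a double quote or whitespace would yield a malformed or misdirected statement either way. A cheap defence is to validate the suffix once at config load (identifier characters only) or to pass the names through `pq.QuoteIdentifier` (the driver database.go already uses) before formatting. Separately, `strings.TrimSuffix` is a no-op when user.Name does not end with the suffix, so the Deleted branch would then rename the role to its own name; `if !strings.HasSuffix(user.Name, strategy.RoleDeletionSuffix) { return fmt.Errorf("role %q is marked deleted but lacks suffix %q", user.Name, strategy.RoleDeletionSuffix) }` makes that case explicit. alterPgUserRename continues past the end of the hunk.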