public_git
/
postgres-operator
mirror of https://github.com/zalando/postgres-operator.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

[WIP] Add 'admin' option to create role (#425) 

* Add 'admin' option to create role

* Fix run_locally_script
This commit is contained in:
zerg-junior 2018-12-27 10:14:33 +01:00 committed by GitHub
parent 26670408c4
commit c0b0b9a832
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 22 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
docs/reference/operator_parameters.md
View File

@ -373,6 +373,9 @@ key.
role name to grant to team members created from the Teams API. The default is role name to grant to team members created from the Teams API. The default is
`admin`, that role is created by Spilo as a `NOLOGIN` role. `admin`, that role is created by Spilo as a `NOLOGIN` role.
* **enable_admin_role_for_users**
if `true`, the `team_admin_role` will have the rights to grant roles coming from PG manifests. Such roles will be created as in "CREATE ROLE 'role_from_manifest' ... ADMIN 'team_admin_role'". The default is `true`.
* **pam_role_name** * **pam_role_name**
when set, the operator will add all team member roles to this group and add a when set, the operator will add all team member roles to this group and add a
`pg_hba` line to authenticate members of that role via `pam`. The default is `pg_hba` line to authenticate members of that role via `pam`. The default is

1
manifests/configmap.yaml
View File

@ -19,6 +19,7 @@ data:
# postgres_superuser_teams: "postgres_superusers" # postgres_superuser_teams: "postgres_superusers"
# enable_team_superuser: "false" # enable_team_superuser: "false"
# team_admin_role: "admin" # team_admin_role: "admin"
# enable_admin_role_for_users: "true"
# teams_api_url: http://fake-teams-api.default.svc.cluster.local # teams_api_url: http://fake-teams-api.default.svc.cluster.local
# team_api_role_configuration: "log_statement:all" # team_api_role_configuration: "log_statement:all"
# infrastructure_roles_secret_name: postgresql-infrastructure-roles # infrastructure_roles_secret_name: postgresql-infrastructure-roles

13
pkg/cluster/cluster.go
View File

@ -709,11 +709,16 @@ func (c *Cluster) initRobotUsers() error {
if err != nil { if err != nil {
return fmt.Errorf("invalid flags for user %q: %v", username, err) return fmt.Errorf("invalid flags for user %q: %v", username, err)
} }
adminRole := ""
if c.OpConfig.EnableAdminRoleForUsers {
adminRole = c.OpConfig.TeamAdminRole
}
newRole := spec.PgUser{ newRole := spec.PgUser{
Origin: spec.RoleOriginManifest, Origin: spec.RoleOriginManifest,
Name: username, Name: username,
Password: util.RandomPassword(constants.PasswordLength), Password: util.RandomPassword(constants.PasswordLength),
Flags: flags, Flags: flags,
AdminRole: adminRole,
} }
if currentRole, present := c.pgUsers[username]; present { if currentRole, present := c.pgUsers[username]; present {
c.pgUsers[username] = c.resolveNameConflict(&currentRole, &newRole) c.pgUsers[username] = c.resolveNameConflict(&currentRole, &newRole)

1
pkg/spec/types.go
View File

@ -49,6 +49,7 @@ type PgUser struct {
Flags []string `yaml:"user_flags"` Flags []string `yaml:"user_flags"`
MemberOf []string `yaml:"inrole"` MemberOf []string `yaml:"inrole"`
Parameters map[string]string `yaml:"db_parameters"` Parameters map[string]string `yaml:"db_parameters"`
AdminRole string `yaml:"admin_role"`
} }
// PgUserMap maps user names to the definitions. // PgUserMap maps user names to the definitions.

1
pkg/util/config/config.go
View File

@ -90,6 +90,7 @@ type Config struct {
EnableTeamsAPI bool `name:"enable_teams_api" default:"true"` EnableTeamsAPI bool `name:"enable_teams_api" default:"true"`
EnableTeamSuperuser bool `name:"enable_team_superuser" default:"false"` EnableTeamSuperuser bool `name:"enable_team_superuser" default:"false"`
TeamAdminRole string `name:"team_admin_role" default:"admin"` TeamAdminRole string `name:"team_admin_role" default:"admin"`
EnableAdminRoleForUsers bool `name:"enable_admin_role_for_users" default:"true"`
EnableMasterLoadBalancer bool `name:"enable_master_load_balancer" default:"true"` EnableMasterLoadBalancer bool `name:"enable_master_load_balancer" default:"true"`
EnableReplicaLoadBalancer bool `name:"enable_replica_load_balancer" default:"false"` EnableReplicaLoadBalancer bool `name:"enable_replica_load_balancer" default:"false"`
// deprecated and kept for backward compatibility // deprecated and kept for backward compatibility

7
pkg/util/users/users.go
View File

@ -5,9 +5,10 @@ import (
"fmt" "fmt"
"strings" "strings"
"reflect"
"github.com/zalando-incubator/postgres-operator/pkg/spec" "github.com/zalando-incubator/postgres-operator/pkg/spec"
"github.com/zalando-incubator/postgres-operator/pkg/util" "github.com/zalando-incubator/postgres-operator/pkg/util"
"reflect"
) )
const ( const (
@ -19,6 +20,7 @@ const (
doBlockStmt = `SET LOCAL synchronous_commit = 'local'; DO $$ BEGIN %s; END;$$;` doBlockStmt = `SET LOCAL synchronous_commit = 'local'; DO $$ BEGIN %s; END;$$;`
passwordTemplate = "ENCRYPTED PASSWORD '%s'" passwordTemplate = "ENCRYPTED PASSWORD '%s'"
inRoleTemplate = `IN ROLE %s` inRoleTemplate = `IN ROLE %s`
adminTemplate = `ADMIN %s`
) )
// DefaultUserSyncStrategy implements a user sync strategy that merges already existing database users // DefaultUserSyncStrategy implements a user sync strategy that merges already existing database users
@ -113,6 +115,9 @@ func (strategy DefaultUserSyncStrategy) createPgUser(user spec.PgUser, db *sql.D
if len(user.MemberOf) > 0 { if len(user.MemberOf) > 0 {
userFlags = append(userFlags, fmt.Sprintf(inRoleTemplate, quoteMemberList(user))) userFlags = append(userFlags, fmt.Sprintf(inRoleTemplate, quoteMemberList(user)))
} }
if user.AdminRole != "" {
userFlags = append(userFlags, fmt.Sprintf(adminTemplate, user.AdminRole))
}
if user.Password == "" { if user.Password == "" {
userPassword = "PASSWORD NULL" userPassword = "PASSWORD NULL"

2
run_operator_locally.sh
View File

@ -121,7 +121,7 @@ function deploy_self_built_image() {
# update the tag in the postgres operator conf # update the tag in the postgres operator conf
# since the image with this tag already exists on the machine, # since the image with this tag already exists on the machine,
# docker should not attempt to fetch it from the registry due to imagePullPolicy # docker should not attempt to fetch it from the registry due to imagePullPolicy
sed --expression "s/\(image\:.*\:\).*$/\1$TAG/" manifests/postgres-operator.yaml > "$PATH_TO_LOCAL_OPERATOR_MANIFEST" sed --expression "s/\(image\:.*\:\).*$/\1$TAG/; s/smoke-tested-//" manifests/postgres-operator.yaml > "$PATH_TO_LOCAL_OPERATOR_MANIFEST"
retry "kubectl create -f \"$PATH_TO_LOCAL_OPERATOR_MANIFEST\"" "attempt to create $PATH_TO_LOCAL_OPERATOR_MANIFEST resource" retry "kubectl create -f \"$PATH_TO_LOCAL_OPERATOR_MANIFEST\"" "attempt to create $PATH_TO_LOCAL_OPERATOR_MANIFEST resource"
} }