public_git
/
postgres-operator
mirror of https://github.com/zalando/postgres-operator.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

set IsDbOwner in ProduceSyncRequests

This commit is contained in:
Felix Kunde 2022-04-22 18:14:46 +02:00
parent e6156dbcfa
commit f1fdb4077c
2 changed files with 12 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
e2e/tests/test_e2e.py
View File

@ -164,9 +164,13 @@ class EndToEndTestCase(unittest.TestCase):
Test granting additional roles to existing database owners Test granting additional roles to existing database owners
''' '''
k8s = self.k8s k8s = self.k8s
# first test - wait for the operator to get in sync and set everything up
self.eventuallyEqual(lambda: k8s.get_operator_state(), {"0": "idle"},
"Operator does not get in sync")
leader = k8s.get_cluster_leader_pod() leader = k8s.get_cluster_leader_pod()
# produce wrong membership from v1.8.0 # produce wrong membership for cron_admin
grant_dbowner = """ grant_dbowner = """
GRANT bar_owner TO cron_admin; GRANT bar_owner TO cron_admin;
""" """

12
pkg/util/users/users.go
View File

@ -54,7 +54,6 @@ func (strategy DefaultUserSyncStrategy) ProduceSyncRequests(dbUsers spec.PgUserM
} }
} else { } else {
r := spec.PgSyncUserRequest{} r := spec.PgSyncUserRequest{}
r.User = dbUser
newMD5Password := util.NewEncryptor(strategy.PasswordEncryption).PGUserPassword(newUser) newMD5Password := util.NewEncryptor(strategy.PasswordEncryption).PGUserPassword(newUser)
// do not compare for roles coming from docker image // do not compare for roles coming from docker image
@ -62,12 +61,13 @@ func (strategy DefaultUserSyncStrategy) ProduceSyncRequests(dbUsers spec.PgUserM
r.User.Password = newMD5Password r.User.Password = newMD5Password
r.Kind = spec.PGsyncUserAlter r.Kind = spec.PGsyncUserAlter
} }
if addNewFlags, equal := util.SubstractStringSlices(newUser.Flags, dbUser.Flags); !equal {
r.User.Flags = addNewFlags
r.Kind = spec.PGsyncUserAlter
}
if addNewRoles, equal := util.SubstractStringSlices(newUser.MemberOf, dbUser.MemberOf); !equal { if addNewRoles, equal := util.SubstractStringSlices(newUser.MemberOf, dbUser.MemberOf); !equal {
r.User.MemberOf = addNewRoles r.User.MemberOf = addNewRoles
r.User.IsDbOwner = newUser.IsDbOwner
r.Kind = spec.PGsyncUserAlter
}
if addNewFlags, equal := util.SubstractStringSlices(newUser.Flags, dbUser.Flags); !equal {
r.User.Flags = addNewFlags
r.Kind = spec.PGsyncUserAlter r.Kind = spec.PGsyncUserAlter
} }
if r.Kind == spec.PGsyncUserAlter { if r.Kind == spec.PGsyncUserAlter {
@ -118,6 +118,8 @@ func (strategy DefaultUserSyncStrategy) ExecuteSyncRequests(requests []spec.PgSy
if err := strategy.alterPgUser(request.User, db); err != nil { if err := strategy.alterPgUser(request.User, db); err != nil {
reqretries = append(reqretries, request) reqretries = append(reqretries, request)
errors = append(errors, fmt.Sprintf("could not alter user %q: %v", request.User.Name, err)) errors = append(errors, fmt.Sprintf("could not alter user %q: %v", request.User.Name, err))
// check if additional owners are misconfigured as members to a database owner
// resolve it by revoking the database owner from the additional owner role
if request.User.IsDbOwner && len(additionalOwnerRoles) > 0 { if request.User.IsDbOwner && len(additionalOwnerRoles) > 0 {
if err := resolveOwnerMembership(request.User, additionalOwnerRoles, db); err != nil { if err := resolveOwnerMembership(request.User, additionalOwnerRoles, db); err != nil {
errors = append(errors, fmt.Sprintf("could not resolve owner membership for %q: %v", request.User.Name, err)) errors = append(errors, fmt.Sprintf("could not resolve owner membership for %q: %v", request.User.Name, err))