[WIP] Add 'admin' option to create role (zalando#425)

sdudoladov · web-flow · commit c0b0b9a83282 · 2018-12-27T10:14:33.000+01:00
* Add 'admin' option to create role

* Fix run_locally_script
diff --git a/docs/reference/operator_parameters.md b/docs/reference/operator_parameters.md
@@ -373,6 +373,9 @@ key.
   role name to grant to team members created from the Teams API. The default is
   `admin`, that role is created by Spilo as a `NOLOGIN` role.
 
+* **enable_admin_role_for_users**
+   if `true`, the `team_admin_role` will have the rights to grant roles coming from PG manifests. Such roles will be created as in "CREATE ROLE 'role_from_manifest' ... ADMIN 'team_admin_role'". The default is `true`.
+
 * **pam_role_name**
   when set, the operator will add all team member roles to this group and add a
   `pg_hba` line to authenticate members of that role via `pam`. The default is
diff --git a/manifests/configmap.yaml b/manifests/configmap.yaml
@@ -19,6 +19,7 @@ data:
   # postgres_superuser_teams: "postgres_superusers"
   # enable_team_superuser: "false"
   # team_admin_role: "admin"
+  # enable_admin_role_for_users: "true"
   # teams_api_url: http://fake-teams-api.default.svc.cluster.local
   # team_api_role_configuration: "log_statement:all"
   # infrastructure_roles_secret_name: postgresql-infrastructure-roles
diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go
@@ -709,11 +709,16 @@ func (c *Cluster) initRobotUsers() error {
 		if err != nil {
 			return fmt.Errorf("invalid flags for user %q: %v", username, err)
 		}
+		adminRole := ""
+		if c.OpConfig.EnableAdminRoleForUsers {
+			adminRole = c.OpConfig.TeamAdminRole
+		}
 		newRole := spec.PgUser{
-			Origin:   spec.RoleOriginManifest,
-			Name:     username,
-			Password: util.RandomPassword(constants.PasswordLength),
-			Flags:    flags,
+			Origin:    spec.RoleOriginManifest,
+			Name:      username,
+			Password:  util.RandomPassword(constants.PasswordLength),
+			Flags:     flags,
+			AdminRole: adminRole,
 		}
 		if currentRole, present := c.pgUsers[username]; present {
 			c.pgUsers[username] = c.resolveNameConflict(&currentRole, &newRole)
diff --git a/pkg/spec/types.go b/pkg/spec/types.go
@@ -49,6 +49,7 @@ type PgUser struct {
 	Flags      []string          `yaml:"user_flags"`
 	MemberOf   []string          `yaml:"inrole"`
 	Parameters map[string]string `yaml:"db_parameters"`
+	AdminRole  string            `yaml:"admin_role"`
 }
 
 // PgUserMap maps user names to the definitions.
diff --git a/pkg/util/config/config.go b/pkg/util/config/config.go
@@ -90,6 +90,7 @@ type Config struct {
 	EnableTeamsAPI                         bool   `name:"enable_teams_api" default:"true"`
 	EnableTeamSuperuser                    bool   `name:"enable_team_superuser" default:"false"`
 	TeamAdminRole                          string `name:"team_admin_role" default:"admin"`
+	EnableAdminRoleForUsers                bool   `name:"enable_admin_role_for_users" default:"true"`
 	EnableMasterLoadBalancer               bool   `name:"enable_master_load_balancer" default:"true"`
 	EnableReplicaLoadBalancer              bool   `name:"enable_replica_load_balancer" default:"false"`
 	// deprecated and kept for backward compatibility
diff --git a/pkg/util/users/users.go b/pkg/util/users/users.go
@@ -5,9 +5,10 @@ import (
 	"fmt"
 	"strings"
 
+	"reflect"
+
 	"github.com/zalando-incubator/postgres-operator/pkg/spec"
 	"github.com/zalando-incubator/postgres-operator/pkg/util"
-	"reflect"
 )
 
 const (
@@ -19,6 +20,7 @@ const (
 	doBlockStmt          = `SET LOCAL synchronous_commit = 'local'; DO $$ BEGIN %s; END;$$;`
 	passwordTemplate     = "ENCRYPTED PASSWORD '%s'"
 	inRoleTemplate       = `IN ROLE %s`
+	adminTemplate        = `ADMIN %s`
 )
 
 // DefaultUserSyncStrategy implements a user sync strategy that merges already existing database users
@@ -113,6 +115,9 @@ func (strategy DefaultUserSyncStrategy) createPgUser(user spec.PgUser, db *sql.D
 	if len(user.MemberOf) > 0 {
 		userFlags = append(userFlags, fmt.Sprintf(inRoleTemplate, quoteMemberList(user)))
 	}
+	if user.AdminRole != "" {
+		userFlags = append(userFlags, fmt.Sprintf(adminTemplate, user.AdminRole))
+	}
 
 	if user.Password == "" {
 		userPassword = "PASSWORD NULL"
diff --git a/run_operator_locally.sh b/run_operator_locally.sh
@@ -121,7 +121,7 @@ function deploy_self_built_image() {
     # update the tag in the postgres operator conf
     # since the image with this tag already exists on the machine,
     # docker should not attempt to fetch it from the registry due to imagePullPolicy
-    sed --expression "s/\(image\:.*\:\).*$/\1$TAG/" manifests/postgres-operator.yaml > "$PATH_TO_LOCAL_OPERATOR_MANIFEST"
+    sed --expression "s/\(image\:.*\:\).*$/\1$TAG/; s/smoke-tested-//" manifests/postgres-operator.yaml > "$PATH_TO_LOCAL_OPERATOR_MANIFEST"
 
     retry "kubectl create -f \"$PATH_TO_LOCAL_OPERATOR_MANIFEST\"" "attempt to create $PATH_TO_LOCAL_OPERATOR_MANIFEST resource"
 }

Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,7 @@ type PgUser struct {`
`49`	`49`	Flags []string `yaml:"user_flags"`
`50`	`50`	MemberOf []string `yaml:"inrole"`
`51`	`51`	Parameters map[string]string `yaml:"db_parameters"`
	`52`	+ AdminRole string `yaml:"admin_role"`
`52`	`53`	`}`
`53`	`54`
`54`	`55`	`// PgUserMap maps user names to the definitions.`
Original file line number	Diff line number	Diff line change
`@@ -121,7 +121,7 @@ function deploy_self_built_image() {`
`121`	`121`	`# update the tag in the postgres operator conf`
`122`	`122`	`# since the image with this tag already exists on the machine,`
`123`	`123`	`# docker should not attempt to fetch it from the registry due to imagePullPolicy`
`124`		`- sed --expression "s/\(image\:.\:\).$/\1$TAG/" manifests/postgres-operator.yaml > "$PATH_TO_LOCAL_OPERATOR_MANIFEST"`
	`124`	`+ sed --expression "s/\(image\:.\:\).$/\1$TAG/; s/smoke-tested-//" manifests/postgres-operator.yaml > "$PATH_TO_LOCAL_OPERATOR_MANIFEST"`
`125`	`125`
`126`	`126`	`retry "kubectl create -f \"$PATH_TO_LOCAL_OPERATOR_MANIFEST\"" "attempt to create $PATH_TO_LOCAL_OPERATOR_MANIFEST resource"`
`127`	`127`	`}`