[DK-2071] Support assigning roles to mongodb users (#12)

* Support assigning roles to db users

* Update README

* Default mongodb readWrite role via kubebuilder

* Remove roles abstraction from postgres, it should be replaced with permissions settings

Author: Ivan Ivic

README.md

@@ -77,6 +77,8 @@ spec:
     name: my-app-mongodb-credentials
   credentials:
     name: my-app-mongodb
+  roles:
+    - name: readWrite
 ---
 apiVersion: v1
 kind: Secret

api/v1beta1/database_types.go

@@ -72,6 +72,10 @@ type SecretReference struct {
 	PasswordField string `json:"passwordField"`
 }
 
+type Role struct {
+	Name string `json:"name"`
+}
+
 // Extension is a resource representing database extension
 type Extension struct {
 	Name string `json:"name"`

api/v1beta1/mongodbuser_type.go

@@ -28,22 +28,15 @@ type MongoDBUserSpec struct {
 	// +required
 	Credentials *SecretReference `json:"credentials"`
 
-	// Roles is not yet suppported
 	// +optional
-	//Roles []*MongoDBRole `json:"roles"`
+	// +kubebuilder:default:={{name: readWrite}}
+	Roles *[]Role `json:"roles"`
 
 	// CustomData is not yet supported
 	// +optional
 	//CustomData map[string]string `json:"customData"`
 }
 
-// MongoDBRole see https://docs.mongodb.com/manual/reference/method/db.createUser/#create-user-with-roles
-type MongoDBRole struct {
-	// +optional
-	// +kubebuilder:default:=readWrite
-	Role string `json:"role"`
-}
-
 // GetStatusConditions returns a pointer to the Status.Conditions slice
 func (in *MongoDBUser) GetStatusConditions() *[]metav1.Condition {
 	return &in.Status.Conditions
@@ -83,6 +76,10 @@ func (in *MongoDBUser) GetCredentials() *SecretReference {
 	return in.Spec.Credentials
 }
 
+func (in *MongoDBUser) GetRoles() *[]Role {
+	return in.Spec.Roles
+}
+
 // +kubebuilder:object:root=true
 
 // MongoDBUserList contains a list of MongoDBUser

api/v1beta1/postgresqluser_type.go

@@ -22,8 +22,11 @@ import (
 )
 
 type PostgreSQLUserSpec struct {
-	Database    *DatabaseReference `json:"database"`
-	Credentials *SecretReference   `json:"credentials"`
+	// +required
+	Database *DatabaseReference `json:"database"`
+
+	// +required
+	Credentials *SecretReference `json:"credentials"`
 }
 
 // GetStatusConditions returns a pointer to the Status.Conditions slice
@@ -65,6 +68,11 @@ func (in *PostgreSQLUser) GetCredentials() *SecretReference {
 	return in.Spec.Credentials
 }
 
+func (in *PostgreSQLUser) GetRoles() *[]Role {
+	// NOOP
+	return nil
+}
+
 // +kubebuilder:object:root=true
 
 // PostgreSQLUserList contains a list of PostgreSQLUser

api/v1beta1/zz_generated.deepcopy.go

@@ -10,7 +10,7 @@ type Invoke func(ctx context.Context, uri, database, username, password string)
 // Handler is a wrapper arround a certain database client
 type Handler interface {
 	Close() error
-	SetupUser(database string, username string, password string) error
+	SetupUser(database string, username string, password string, roles []string) error
 	DropUser(database string, username string) error
 	CreateDatabaseIfNotExists(database string) error
 	EnableExtension(name string) error

common/db/handler.go

@@ -61,20 +61,20 @@ func (m *MongoDBRepository) Close() error {
 	return m.client.Disconnect(ctx)
 }
 
-// CreateDatabaseIfNotExists is a dummy to apply to fullfill the contract,
+// CreateDatabaseIfNotExists is a dummy to apply to fulfill the contract,
 // we don't need to create the database on MongoDB
 func (m *MongoDBRepository) CreateDatabaseIfNotExists(database string) error {
 	return nil
 }
 
-func (m *MongoDBRepository) SetupUser(database string, username string, password string) error {
+func (m *MongoDBRepository) SetupUser(database string, username string, password string, roles []string) error {
 	doesUserExist, err := m.doesUserExist(database, username)
 	if err != nil {
 		return err
 	}
 
 	if !doesUserExist {
-		if err := m.createUser(database, username, password); err != nil {
+		if err := m.createUser(database, username, password, roles); err != nil {
 			return err
 		}
 		if doesUserExistNow, err := m.doesUserExist(database, username); err != nil {
@@ -83,7 +83,7 @@ func (m *MongoDBRepository) SetupUser(database string, username string, password
 			return errors.New("user doesn't exist after create")
 		}
 	} else {
-		if err := m.updateUserPasswordAndRoles(database, username, password); err != nil {
+		if err := m.updateUserPasswordAndRoles(database, username, password, roles); err != nil {
 			return err
 		}
 	}
@@ -138,19 +138,37 @@ func (m *MongoDBRepository) getAllUsers(database string, username string) (Users
 	return users, nil
 }
 
-func (m *MongoDBRepository) createUser(database string, username string, password string) error {
+func (m *MongoDBRepository) getRoles(database string, roles []string) []bson.M {
+	// by default, assign readWrite role (backward compatibility)
+	if roles == nil || len(roles) == 0 {
+		return []bson.M{{
+			"role": "readWrite",
+			"db":   database,
+		}}
+	}
+	rs := make([]bson.M, 0)
+	for _, r := range roles {
+		rs = append(rs, bson.M{
+			"role": r,
+			"db":   database,
+		})
+	}
+	return rs
+}
+
+func (m *MongoDBRepository) createUser(database string, username string, password string, roles []string) error {
 	command := &bson.D{primitive.E{Key: "createUser", Value: username}, primitive.E{Key: "pwd", Value: password},
-		primitive.E{Key: "roles", Value: []bson.M{{"role": "readWrite", "db": database}}}}
+		primitive.E{Key: "roles", Value: m.getRoles(database, roles)}}
 	r := m.runCommand(database, command)
 	if _, err := r.DecodeBytes(); err != nil {
 		return err
 	}
 	return nil
 }
 
-func (m *MongoDBRepository) updateUserPasswordAndRoles(database string, username string, password string) error {
+func (m *MongoDBRepository) updateUserPasswordAndRoles(database string, username string, password string, roles []string) error {
 	command := &bson.D{primitive.E{Key: "updateUser", Value: username}, primitive.E{Key: "pwd", Value: password},
-		primitive.E{Key: "roles", Value: []bson.M{{"role": "readWrite", "db": database}}}}
+		primitive.E{Key: "roles", Value: m.getRoles(database, roles)}}
 	r := m.runCommand(database, command)
 	if _, err := r.DecodeBytes(); err != nil {
 		return err

common/db/mongodb.go

@@ -14,6 +14,11 @@ type PostgreSQLRepository struct {
 	dbpool *pgxpool.Pool
 }
 
+const (
+	DefaultPostgreSQLReadRole      = "read"
+	DefaultPostgreSQLReadWriteRole = "readWrite"
+)
+
 func NewPostgreSQLRepository(ctx context.Context, uri, database, username, password string) (Handler, error) {
 	opt, err := url.Parse(uri)
 	if err != nil {
@@ -64,7 +69,7 @@ func (s *PostgreSQLRepository) CreateDatabaseIfNotExists(database string) error
 	}
 }
 
-func (s *PostgreSQLRepository) SetupUser(database string, user string, password string) error {
+func (s *PostgreSQLRepository) SetupUser(database string, user string, password string, roles []string) error {
 	if err := s.createUserIfNotExists(user); err != nil {
 		return err
 	}

common/db/postgresql.go

@@ -40,6 +40,7 @@ type user interface {
 	runtime.Object
 	GetStatusConditions() *[]metav1.Condition
 	GetCredentials() *infrav1beta1.SecretReference
+	GetRoles() *[]infrav1beta1.Role
 	GetDatabase() string
 }
 
@@ -72,6 +73,17 @@ func extractCredentials(credentials *infrav1beta1.SecretReference, secret *corev
 	return user, pw, nil
 }
 
+func extractRoles(roles *[]infrav1beta1.Role) []string {
+	if roles == nil || len(*roles) == 0 {
+		return nil
+	}
+	rolesToReturn := make([]string, 0)
+	for _, r := range *roles {
+		rolesToReturn = append(rolesToReturn, r.Name)
+	}
+	return rolesToReturn
+}
+
 func reconcileDatabase(c client.Client, pool *db.ClientPool, invoke db.Invoke, database database, recorder record.EventRecorder) (database, ctrl.Result) {
 	// Fetch referencing root secret
 	secret := &corev1.Secret{}
@@ -203,7 +215,7 @@ func reconcileUser(database database, c client.Client, pool *db.ClientPool, invo
 		return user, ctrl.Result{Requeue: true}
 	}
 
-	err = dbHandler.SetupUser(database.GetDatabaseName(), usr, pw)
+	err = dbHandler.SetupUser(database.GetDatabaseName(), usr, pw, extractRoles(user.GetRoles()))
 	if err != nil {
 		msg := fmt.Sprintf("Failed to provison user account: %s", err.Error())
 		recorder.Event(user, "Normal", "error", msg)