171 changes: 85 additions & 86 deletions deploy/crds/mongodb.com_mongodb_crd.yaml
Expand Up @@ -75,96 +75,95 @@ spec:
- SCRAM
type: string
type: array
roles:
description: User-specified custom MongoDB roles that should
be configured in the deployment.
items:
description: CustomRole defines a custom MongoDB role.
properties:
authenticationRestrictions:
description: The authentication restrictions the server
enforces on the role.
items:
description: AuthenticationRestriction specifies a list
of IP addresses and CIDR ranges users are allowed
to connect to or from.
properties:
clientSource:
items:
type: string
type: array
serverAddress:
items:
type: string
type: array
required:
- clientSource
- serverAddress
type: object
type: array
db:
description: The database of the role.
type: string
privileges:
description: The privileges to grant the role.
items:
description: Privilege defines the actions a role is
allowed to perform on a given resource.
properties:
actions:
items:
type: string
type: array
resource:
description: Resource specifies specifies the resources
upon which a privilege permits actions. See https://docs.mongodb.com/manual/reference/resource-document
for more.
properties:
anyResource:
type: boolean
cluster:
type: boolean
collection:
type: string
db:
type: string
type: object
required:
- actions
- resource
type: object
type: array
role:
description: The name of the role.
type: string
roles:
description: An array of roles from which this role inherits
privileges.
items:
description: Role is the database role this user should
have
required:
- modes
type: object
roles:
description: User-specified custom MongoDB roles that should be
configured in the deployment.
items:
description: CustomRole defines a custom MongoDB role.
properties:
authenticationRestrictions:
description: The authentication restrictions the server enforces
on the role.
items:
description: AuthenticationRestriction specifies a list
of IP addresses and CIDR ranges users are allowed to connect
to or from.
properties:
clientSource:
items:
type: string
type: array
serverAddress:
items:
type: string
type: array
required:
- clientSource
- serverAddress
type: object
type: array
db:
description: The database of the role.
type: string
privileges:
description: The privileges to grant the role.
items:
description: Privilege defines the actions a role is allowed
to perform on a given resource.
properties:
actions:
items:
type: string
type: array
resource:
description: Resource specifies specifies the resources
upon which a privilege permits actions. See https://docs.mongodb.com/manual/reference/resource-document
for more.
properties:
db:
description: DB is the database the role can act
on
anyResource:
type: boolean
cluster:
type: boolean
collection:
type: string
name:
description: Name is the name of the role
db:
type: string
required:
- db
- name
type: object
type: array
required:
- db
- privileges
- role
type: object
type: array
required:
- modes
type: object
required:
- actions
- resource
type: object
type: array
role:
description: The name of the role.
type: string
roles:
description: An array of roles from which this role inherits
privileges.
items:
description: Role is the database role this user should
have
properties:
db:
description: DB is the database the role can act on
type: string
name:
description: Name is the name of the role
type: string
required:
- db
- name
type: object
type: array
required:
- db
- privileges
- role
type: object
type: array
tls:
description: TLS configuration for both client-server and server-server
communication
20 changes: 10 additions & 10 deletions deploy/crds/mongodb.com_v1_mongodb_custom_role.yaml
Expand Up @@ -10,16 +10,16 @@ spec:
security:
authentication:
modes: ["SCRAM"]
roles: # custom roles are defined here
- role: testRole
db: admin
privileges:
- resource:
db: "test"
collection: "" # an empty string indicates any collection
actions:
- find
roles: []
roles: # custom roles are defined here
- role: testRole
db: admin
privileges:
- resource:
db: "test"
collection: "" # an empty string indicates any collection
actions:
- find
roles: []
users:
- name: my-user
db: admin
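--- a/pkg/apis/mongodb/v1/mongodb_types.go
+++ b/pkg/apis/mongodb/v1/mongodb_types.go
@@ -273,6 +273,9 @@ type Security struct {
 // TLS configuration for both client-server and server-server communication
 // +optional
 TLS TLS `json:"tls"`
+// User-specified custom MongoDB roles that should be configured in the deployment.
+// +optional
+Roles []CustomRole `json:"roles,omitempty"`
 }
 
 // TLS is the configuration used to set up TLS encryption
@@ -306,10 +309,6 @@ type LocalObjectReference struct {
 type Authentication struct {
 // Modes is an array specifying which authentication methods should be enabled
 Modes []AuthMode `json:"modes"`
-
-// User-specified custom MongoDB roles that should be configured in the deployment.
-// +optional
-Roles []CustomRole `json:"roles,omitempty"`
 }
 
 // +kubebuilder:validation:Enum=SCRAM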
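Review bot: Moving `Roles` from `Authentication` to `Security` changes the resource's wire path from `spec.security.authentication.roles` to `spec.security.roles` with no conversion, so a MongoDB resource written against the old path decodes with `Roles == nil` once this version is deployed; `getCustomRolesModification` in replica_set_controller.go (its hunk in this PR) then returns `NOOP()`, and custom roles that were previously declared silently stop being reconciled instead of failing loudly. The new field should at least say so, e.g. `// Roles replaces the former security.authentication.roles; resources still using the old path are treated as declaring no custom roles.`, and a release note or an admission/validation check that rejects the old path would make the migration visible to operators. Whether the API server prunes or retains the unknown old field depends on the CRD's structural-schema settings, which are not visible here, but the Go struct no longer decodes it either way. Both enclosing structs (`Security`, `Authentication`) begin outside their hunks.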
14 changes: 7 additions & 7 deletions pkg/apis/mongodb/v1/zz_generated.deepcopy.go


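--- a/pkg/controller/mongodb/replica_set_controller.go
+++ b/pkg/controller/mongodb/replica_set_controller.go
@@ -552,7 +552,7 @@ func (r ReplicaSetReconciler) validateUpdate(mdb mdbv1.MongoDB) error {
 }
 
 func getCustomRolesModification(mdb mdbv1.MongoDB) (automationconfig.Modification, error) {
-roles := mdb.Spec.Security.Authentication.Roles
+roles := mdb.Spec.Security.Roles
 if roles == nil {
 return automationconfig.NOOP(), nil
 }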
Expand Up @@ -29,7 +29,7 @@ func TestReplicaSetCustomRole(t *testing.T) {
anyCollection := ""

mdb, user := e2eutil.NewTestMongoDB("mdb0", "")
mdb.Spec.Security.Authentication.Roles = []mdbv1.CustomRole{
mdb.Spec.Security.Roles = []mdbv1.CustomRole{
{
Role: "testRole",
DB: "admin",
Expand Down Expand Up @@ -87,7 +87,7 @@ func TestReplicaSetCustomRole(t *testing.T) {
t.Run("AutomationConfig has the correct version", mongodbtests.AutomationConfigVersionHasTheExpectedVersion(&mdb, 1))

// Verify automation config roles and roles created in admin database.
roles := mdbv1.ConvertCustomRolesToAutomationConfigCustomRole(mdb.Spec.Security.Authentication.Roles)
roles := mdbv1.ConvertCustomRolesToAutomationConfigCustomRole(mdb.Spec.Security.Roles)
t.Run("AutomationConfig has the correct custom role", mongodbtests.AutomationConfigHasTheExpectedCustomRoles(&mdb, roles))
t.Run("Custom Role was created ", tester.VerifyRoles(roles, 1))
