Avoid overwriting critical users. (#172)

* Avoid overwriting critical users. Disallow defining new users either in the cluster manifest, teams API or infrastructure roles with the names mentioned in the new protected_role_names parameter (list of comma-separated names) Additionally, forbid defining a user with the name matching either super_username or replication_username, so that we don't overwrite system roles required for correct working of the operator itself. Also, clear PostgreSQL roles on each sync first in order to avoid using the old definitions that are no longer present in the current manifest, infrastructure roles secret or the teams API.
zalando · Dec 5, 2017 · 1fb8cf7 · 1fb8cf7
1 parent 022ce29
commit 1fb8cf7
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -208,6 +208,8 @@ The following steps will get you the docker image built and deployed.
 of configuration parameters applied to the roles fetched from the API.
 For instance, `team_api_role_configuration: log_statement:all,search_path:'public,"$user"'`.
 By default is set to *"log_statement:all"*. See [PostgreSQL documentation on ALTER ROLE .. SET](https://www.postgresql.org/docs/current/static/sql-alterrole.html) for to learn about the available options.
+* protected_role_names - a list of role names that should be forbidden as the manifest, infrastructure and teams API roles.
+The default value is `admin`. Operator will also disallow superuser and replication roles to be redefined.
 
 
 ### Debugging the operator itself

diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go
@@ -168,6 +168,11 @@ func (c *Cluster) setStatus(status spec.PostgresStatus) {
 // initUsers populates c.systemUsers and c.pgUsers maps.
 func (c *Cluster) initUsers() error {
 	c.setProcessName("initializing users")
+
+	// clear our the previous state of the cluster users (in case we are running a sync).
+	c.systemUsers = map[string]spec.PgUser{}
+	c.pgUsers = map[string]spec.PgUser{}
+
 	c.initSystemUsers()
 
 	if err := c.initInfrastructureRoles(); err != nil {
@@ -615,6 +620,9 @@ func (c *Cluster) initRobotUsers() error {
 			return fmt.Errorf("invalid username: %q", username)
 		}
 
+		if c.shouldAvoidProtectedOrSystemRole(username, "manifest robot role") {
+			continue
+		}
 		flags, err := normalizeUserFlags(userFlags)
 		if err != nil {
 			return fmt.Errorf("invalid flags for user %q: %v", username, err)
@@ -648,6 +656,9 @@ func (c *Cluster) initHumanUsers() error {
 		flags := []string{constants.RoleFlagLogin}
 		memberOf := []string{c.OpConfig.PamRoleName}
 
+		if c.shouldAvoidProtectedOrSystemRole(username, "API role") {
+			continue
+		}
 		if c.OpConfig.EnableTeamSuperuser {
 			flags = append(flags, constants.RoleFlagSuperuser)
 		} else {
@@ -677,6 +688,9 @@ func (c *Cluster) initInfrastructureRoles() error {
 		if !isValidUsername(username) {
 			return fmt.Errorf("invalid username: '%v'", username)
 		}
+		if c.shouldAvoidProtectedOrSystemRole(username, "infrastructure role") {
+			continue
+		}
 		flags, err := normalizeUserFlags(data.Flags)
 		if err != nil {
 			return fmt.Errorf("invalid flags for user '%v': %v", username, err)
@@ -687,6 +701,18 @@ func (c *Cluster) initInfrastructureRoles() error {
 	return nil
 }
 
+func (c *Cluster) shouldAvoidProtectedOrSystemRole(username, purpose string) bool {
+	if c.isProtectedUsername(username) {
+		c.logger.Warnf("cannot initialize a new %s with the name of the protected user %q", purpose, username)
+		return true
+	}
+	if c.isSystemUsername(username) {
+		c.logger.Warnf("cannot initialize a new %s with the name of the system user %q", purpose, username)
+		return true
+	}
+	return false
+}
+
 // GetCurrentProcess provides name of the last process of the cluster
 func (c *Cluster) GetCurrentProcess() spec.Process {
 	c.processMu.RLock()

diff --git a/pkg/cluster/cluster_test.go b/pkg/cluster/cluster_test.go
@@ -4,14 +4,18 @@ import (
 	"fmt"
 	"github.com/Sirupsen/logrus"
 	"github.com/zalando-incubator/postgres-operator/pkg/spec"
+	"github.com/zalando-incubator/postgres-operator/pkg/util/config"
 	"github.com/zalando-incubator/postgres-operator/pkg/util/k8sutil"
 	"github.com/zalando-incubator/postgres-operator/pkg/util/teams"
 	"reflect"
 	"testing"
 )
 
 var logger = logrus.New().WithField("test", "cluster")
-var cl = New(Config{}, k8sutil.KubernetesClient{}, spec.Postgresql{}, logger)
+var cl = New(Config{OpConfig: config.Config{ProtectedRoles: []string{"admin"},
+	Auth: config.Auth{SuperUsername: "postgres",
+		ReplicationUsername: "standby"}}},
+	k8sutil.KubernetesClient{}, spec.Postgresql{}, logger)
 
 func TestInitRobotUsers(t *testing.T) {
 	testName := "TestInitRobotUsers"
@@ -47,6 +51,12 @@ func TestInitRobotUsers(t *testing.T) {
 			err: fmt.Errorf(`invalid flags for user "foobar": ` +
 				`conflicting user flags: "NOINHERIT" and "INHERIT"`),
 		},
+		{
+			manifestUsers: map[string]spec.UserFlags{"admin": {"superuser"}, "postgres": {"createdb"}},
+			infraRoles:    map[string]spec.PgUser{},
+			result:        map[string]spec.PgUser{},
+			err:           nil,
+		},
 	}
 	for _, tt := range tests {
 		cl.Spec.Users = tt.manifestUsers
@@ -109,6 +119,11 @@ func TestInitHumanUsers(t *testing.T) {
 			result: map[string]spec.PgUser{"foo": {Name: "foo", MemberOf: []string{cl.OpConfig.PamRoleName}, Flags: []string{"LOGIN", "SUPERUSER"}},
 				"bar": {Name: "bar", Flags: []string{"NOLOGIN"}}},
 		},
+		{
+			existingRoles: map[string]spec.PgUser{},
+			teamRoles:     []string{"admin", "standby"},
+			result:        map[string]spec.PgUser{},
+		},
 	}
 
 	for _, tt := range tests {

diff --git a/pkg/cluster/util.go b/pkg/cluster/util.go
@@ -60,6 +60,19 @@ func isValidUsername(username string) bool {
 	return userRegexp.MatchString(username)
 }
 
+func (c *Cluster) isProtectedUsername(username string) bool {
+	for _, protected := range c.OpConfig.ProtectedRoles {
+		if username == protected {
+			return true
+		}
+	}
+	return false
+}
+
+func (c *Cluster) isSystemUsername(username string) bool {
+	return (username == c.OpConfig.SuperUsername || username == c.OpConfig.ReplicationUsername)
+}
+
 func isValidFlag(flag string) bool {
 	for _, validFlag := range []string{constants.RoleFlagSuperuser, constants.RoleFlagLogin, constants.RoleFlagCreateDB,
 		constants.RoleFlagInherit, constants.RoleFlagReplication, constants.RoleFlagByPassRLS} {

diff --git a/pkg/util/config/config.go b/pkg/util/config/config.go
@@ -74,6 +74,7 @@ type Config struct {
 	ClusterHistoryEntries    int               `name:"cluster_history_entries" default:"1000"`
 	TeamAPIRoleConfiguration map[string]string `name:"team_api_role_configuration" default:"log_statement:all"`
 	PodTerminateGracePeriod  time.Duration     `name:"pod_terminate_grace_period" default:"5m"`
+	ProtectedRoles           []string          `name:"protected_role_names" default:"admin"`
 }
 
 // MustMarshal marshals the config or panics