diff --git a/src/managers/quorum.py b/src/managers/quorum.py
index a71dbe0..00fecd7 100644
--- a/src/managers/quorum.py
+++ b/src/managers/quorum.py
@@ -18,7 +18,7 @@
 )
 from kazoo.exceptions import BadArgumentsError, ConnectionClosedError
 from kazoo.handlers.threading import KazooTimeoutError
-from kazoo.security import make_acl
+from kazoo.security import make_acl, make_digest_acl_credential
 from ops.charm import RelationEvent
 
 from core.cluster import ClusterState
@@ -198,18 +198,23 @@ def update_acls(self, event: RelationEvent | None = None) -> None:
             if not client.database:
                 continue
 
-            generated_acl = make_acl(
-                scheme="sasl",
-                credential=client.username,
-                read="r" in client.extra_user_roles,
-                write="w" in client.extra_user_roles,
-                create="c" in client.extra_user_roles,
-                delete="d" in client.extra_user_roles,
-                admin="a" in client.extra_user_roles,
+            acls = {
+                "read": "r" in client.extra_user_roles,
+                "write": "w" in client.extra_user_roles,
+                "create": "c" in client.extra_user_roles,
+                "delete": "d" in client.extra_user_roles,
+                "admin": "a" in client.extra_user_roles,
+            }
+
+            sasl_acl = make_acl(scheme="sasl", credential=client.username, **acls)
+            digest_acl = make_acl(
+                scheme="digest",
+                credential=make_digest_acl_credential(client.username, client.password),
+                **acls,
             )
 
-            logger.info(f"{generated_acl=}")
-            requested_acls.add(generated_acl)
+            requested_acls.add(sasl_acl)
+            requested_acls.add(digest_acl)
 
             # FIXME: data-platform-libs should handle this when it's implemented
             if client.database:
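Review bot: `make_digest_acl_credential(client.username, client.password)` runs for every client that passes the `if not client.database` guard, with no check that `client.password` is set; kazoo UTF-8-encodes both arguments, so an unset password surfaces as an `AttributeError` out of `update_acls` instead of the client being skipped. If the relation can expose a database before a password exists (not visible in this hunk), either extend the guard to `if not client.database or not client.password:` or build the digest entry only when a password is present. A one-line comment above `sasl_acl = ...` would help the next reader, e.g. `# Same perms under both schemes so a client can authenticate via SASL or via digest (username:password).` Dropping `logger.info(f"{generated_acl=}")` is the right call now that the ACL id is derived from the client password; please keep `digest_acl` out of log output as well. The loop over clients and `update_acls` itself begin outside the hunk.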
@@ -221,11 +226,11 @@ def update_acls(self, event: RelationEvent | None = None) -> None:
             # Looks for newly related applications not in config yet
             if client.database not in leader_chroots:
                 logger.info(f"CREATE CHROOT - {client.database}")
-                self.client.create_znode_leader(path=client.database, acls=[generated_acl])
+                self.client.create_znode_leader(path=client.database, acls=[sasl_acl, digest_acl])
 
             # Looks for existing related applications
             logger.info(f"UPDATE CHROOT - {client.database}")
-            self.client.set_acls_znode_leader(path=client.database, acls=[generated_acl])
+            self.client.set_acls_znode_leader(path=client.database, acls=[sasl_acl, digest_acl])
 
         # Looks for applications no longer in the relation but still in config
         for chroot in sorted(leader_chroots - requested_chroots, reverse=True):
diff --git a/tests/integration/test_tls.py b/tests/integration/test_tls.py
index ebe1347..0d057e0 100644
--- a/tests/integration/test_tls.py
+++ b/tests/integration/test_tls.py
@@ -34,6 +34,7 @@ async def test_deploy_ssl_quorum(ops_test: OpsTest):
             num_units=1,
             config={"ca-common-name": "zookeeper"},
             series=TLS_OPERATOR_SERIES,
+            revision=163, # FIXME: Unpin once the TLS is fixed on edge channel
         ),
     )
     await ops_test.model.block_until(lambda: len(ops_test.model.applications[APP_NAME].units) == 3)
diff --git a/tests/unit/test_quorum.py b/tests/unit/test_quorum.py
index 3735535..4f37a9b 100644
--- a/tests/unit/test_quorum.py
+++ b/tests/unit/test_quorum.py
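Review bot: The ACL list `[sasl_acl, digest_acl]` is now written out twice, in the `create_znode_leader` and `set_acls_znode_leader` calls, so any later change to the granted schemes must be made in both places; bind it once where the entries are built (`client_acls = [sasl_acl, digest_acl]`) and pass `acls=client_acls` to both. The `set_acls_znode_leader` call appears to run for every client on each pass, and that matters more now because the digest ACL id embeds a hash of `client.password` and only matches the current password; a comment above it such as `# Re-applied on every run so a rotated client password replaces the stale digest entry.` would record why it is unconditional. The enclosing loop and `update_acls` start before this hunk.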
@@ -107,9 +107,17 @@ def test_update_acls_correctly_handles_relation_chroots(harness):
 
     for _, kwargs in patched_manager["create_znode_leader"].call_args_list:
         assert "/rohan" in kwargs["path"]
+        acls = kwargs["acls"]
+        assert len(acls) == 2
+        assert len([acl for acl in acls if acl.perms == 31 and acl.id.scheme == "sasl"]) != 0
+        assert len([acl for acl in acls if acl.perms == 31 and acl.id.scheme == "digest"]) != 0
 
     for _, kwargs in patched_manager["set_acls_znode_leader"].call_args_list:
         assert "/rohan" in kwargs["path"]
+        acls = kwargs["acls"]
+        assert len(acls) == 2
+        assert len([acl for acl in acls if acl.perms == 31 and acl.id.scheme == "sasl"]) != 0
+        assert len([acl for acl in acls if acl.perms == 31 and acl.id.scheme == "digest"]) != 0
 
     removed_men = False
     for counter, call in enumerate(patched_manager["delete_znode_leader"].call_args_list):
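Review bot: The new assertions only check that a `digest` ACL with perms 31 is present and never look at its id, so a digest credential built from the wrong username or password, or left un-hashed, would still pass; compare `acl.id.id` against `make_digest_acl_credential(<fixture_username>, <fixture_password>)` (imported from `kazoo.security`) using the same values the harness relation data carries. The `len([...]) != 0` form reads more directly as `any(acl.perms == 31 and acl.id.scheme == "digest" for acl in acls)`, and the four lines repeated for both call lists could become a small helper that takes `kwargs["acls"]`. The enclosing test function begins outside the hunk.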