K8SPSMDB-1124: User roles #376

Merged
merged 2 commits into from
Sep 25, 2024
10 changes: 10 additions & 0 deletions charts/psmdb-db/README.md
Expand Up @@ -243,6 +243,16 @@ The chart can be customized using the following configurable parameters:
| `users.roles.role.name` | Name of the MongoDB role assigned to the user. As [built-in roles](https://www.mongodb.com/docs/manual/reference/built-in-roles/#built-in-roles), so [custom roles](https://github.com/mongodb/mongodb-kubernetes-operator/blob/master/docs/deploy-configure.md#define-a-custom-database-role) are supported | `""` |
| `users.roles.role.db` | Database that the MongoDB role applies to | `""` |
| |
| `roles.role` | Name of the custom role. | `""` |
| `roles.db` | Database in which you want to store the user-defined role. | `"admin"` |
| `roles.authenticationRestrictions.clientSource` | Array of IP addresses or CIDR blocks from which users assigned this role can connect.MongoDB servers reject connection requests from users with this role if the requests come from a client that is not present in this array. | `""` |
| `roles.authenticationRestrictions.serverAddress` | Array of IP addresses or CIDR blocks to which users assigned this role can connect.MongoDB servers reject connection requests from users with this role if the client requests to connect to a server that is not present in this array. | `""` |
| `roles.privileges.actions` | Name of the role. Valid values are built-in roles. | `[]` |
| `spec.roles.privileges.resource.db` | Database for which the privilege `spec.security.roles.privileges.actions` apply. An empty string ("") indicates that the privilege actions apply to all databases. | `""` |

Contributor

Please remove the "spec." prefix in the parameters and descriptions.

Also, just a tip to format the table, try turning word wrap off in your code editor (if you are not doing it yet). The lines are huge, but I hope this will make the table more readable to edit.

| `spec.roles.privileges.resource.collection` | Collection for which the privilege `spec.security.roles.privileges.actions` apply. An empty string ("") indicates that the privilege actions apply to all of the database's collections. | `""` |
| `spec.roles.privileges.resource.cluster` | Flag that indicates that the privilege `spec.security.roles.privileges.actions` apply to all databases and collections in the MongoDB deployment. If omitted, defaults to false.If set to true, do not provide values for `spec.security.roles.privileges.resource.database` and `spec.security.roles.privileges.resource.collection`. | `""` |
| `spec.roles.roles.role` | Name of the role to inherit from. | `""` |
| `spec.roles.roles.db` | Name of database that contains the role to inherit from. | `""` |
| `backup.enabled` | Enable backup PBM agent | `true` |
| `backup.annotations` | Backup job annotations | `{}` |
| `backup.podSecurityContext` | Set the security context for a Pod | `{}` |
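
Review bot: the `roles.privileges.actions` row describes the wrong thing. It reads "Name of the role. Valid values are built-in roles.", but the `values.yaml` sample in this same PR puts privilege actions under that key (`find`, `update`, `addShard`), not role names, so a reader following the README could supply a role name where a list of actions is expected. Suggest rewording it to describe the list of actions allowed on the resource. While editing the table, the later rows should be aligned with the earlier ones: they carry a `spec.` prefix, refer to `spec.security.roles.privileges.actions`, and mention `resource.database` although the key documented above is `resource.db`. The `resource.cluster` row also says the value defaults to false while the default column shows `""`.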
5 changes: 5 additions & 0 deletions charts/psmdb-db/templates/cluster.yaml
Expand Up @@ -578,6 +578,11 @@ spec:
{{ .Values.users | toYaml | indent 2 }}
{{- end }}

{{- if .Values.roles }}
roles:
{{ .Values.roles | toYaml | indent 2 }}
{{- end }}

backup:
enabled: {{ .Values.backup.enabled }}
{{- if .Values.backup.annotations }}
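
Review bot: `{{ .Values.roles | toYaml | indent 2 }}` copies whatever is under `roles` into the custom resource with no check on its shape, the same way the `users` block above it does. Because these entries define database privileges, a misspelled or missing key should fail at render time rather than depend on what the CRD schema accepts. Consider a `required` or `fail` guard on `role`, `db` and `privileges` for each entry, and confirm that the CRD shipped with the operator chart defines `roles`, as requested in the review thread on `values.yaml`.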
34 changes: 34 additions & 0 deletions charts/psmdb-db/values.yaml
Expand Up @@ -499,6 +499,40 @@ sharding:
# - name: dbOwner
# db: sometest

# roles:

Contributor

Please, add the corresponding crd under psmdb-operator/crds

# - role: myClusterwideAdmin
# db: admin
# privileges:
# - resource:
# cluster: true
# actions:
# - addShard
# - resource:
# db: config
# collection: ''
# actions:
# - find
# - update
# - insert
# - remove
# roles:
# - role: read
# db: admin
# - role: my-role
# db: myDb
# privileges:
# - resource:
# db: ''
# collection: ''
# actions:
# - find
# authenticationRestrictions:
# - clientSource:
# - 127.0.0.1
# serverAddress:
# - 127.0.0.1


backup:
enabled: true
image:
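
Review bot: the commented `my-role` sample sets `db: ''` and `collection: ''` under `resource`, which per the README rows added in this PR means all databases and all collections, so uncommenting the sample unchanged grants `find` across the whole deployment. Suggest scoping the sample to a named database (the role is already stored in `myDb`) or adding a comment line stating that the empty strings mean "all". The `myClusterwideAdmin` sample would benefit from a similar one-line comment saying that `cluster: true` with `addShard`, plus `insert`, `update` and `remove` on `config`, is an administrative role, so it is not copied as a starting point for application users. Minor: the block ends with two added blank lines before `backup:`; one is enough.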