Documentation
Overview
Package roles contains the code needed to reconcile roles with PostgreSQL.
Index
- func Reconcile(ctx context.Context, instance *postgres.Instance, cluster *apiv1.Cluster, ...) (reconcile.Result, error)
- type DatabaseRole
- type PostgresRoleManager
- func (sm PostgresRoleManager) Create(ctx context.Context, role DatabaseRole) error
- func (sm PostgresRoleManager) Delete(ctx context.Context, role DatabaseRole) error
- func (sm PostgresRoleManager) GetLastTransactionID(ctx context.Context, role DatabaseRole) (int64, error)
- func (sm PostgresRoleManager) GetParentRoles(ctx context.Context, role DatabaseRole) ([]string, error)
- func (sm PostgresRoleManager) List(ctx context.Context) ([]DatabaseRole, error)
- func (sm PostgresRoleManager) Update(ctx context.Context, role DatabaseRole) error
- func (sm PostgresRoleManager) UpdateComment(ctx context.Context, role DatabaseRole) error
- func (sm PostgresRoleManager) UpdateMembership(ctx context.Context, role DatabaseRole, rolesToGrant []string, ...) error
- type RoleError
- type RoleManager
- type RoleSynchronizer
Constants
This section is empty.
Variables
This section is empty.
Functions
Types
type DatabaseRole
type DatabaseRole struct {
	Name            string           `json:"name"`
	Comment         string           `json:"comment,omitempty"`
	Superuser       bool             `json:"superuser,omitempty"`
	CreateDB        bool             `json:"createdb,omitempty"`
	CreateRole      bool             `json:"createrole,omitempty"`
	Inherit         bool             `json:"inherit,omitempty"` // defaults to true
	Login           bool             `json:"login,omitempty"`
	Replication     bool             `json:"replication,omitempty"`
	BypassRLS       bool             `json:"bypassrls,omitempty"` // Row-Level Security
	ConnectionLimit int64            `json:"connectionLimit,omitempty"` // default is -1
	ValidUntil      pgtype.Timestamp `json:"validUntil,omitempty"`
	InRoles         []string         `json:"inRoles,omitempty"`
	// contains filtered or unexported fields
}
DatabaseRole represents the role information read from / written to the database. The password management in apiv1.RoleConfiguration assumes the use of Secrets, so it cannot cleanly be mapped to Postgres.
type PostgresRoleManager
type PostgresRoleManager struct {
// contains filtered or unexported fields
}
PostgresRoleManager is a RoleManager for a database instance.
func (PostgresRoleManager) Create
func (sm PostgresRoleManager) Create(ctx context.Context, role DatabaseRole) error
Create the role.
TODO: do we give the role any database-level permissions?
func (PostgresRoleManager) Delete
func (sm PostgresRoleManager) Delete(ctx context.Context, role DatabaseRole) error
Delete the role.
func (PostgresRoleManager) GetLastTransactionID
func (sm PostgresRoleManager) GetLastTransactionID(ctx context.Context, role DatabaseRole) (int64, error)
GetLastTransactionID gets the last xmin for the role, to help keep track of whether the role has been changed on the database since the last reconciliation.
func (PostgresRoleManager) GetParentRoles
func (sm PostgresRoleManager) GetParentRoles(
	ctx context.Context,
	role DatabaseRole,
) ([]string, error)
GetParentRoles gets the roles this role is a member of (its IN ROLE memberships).
func (PostgresRoleManager) List
func (sm PostgresRoleManager) List(
	ctx context.Context,
) ([]DatabaseRole, error)
List the available roles, excluding all the roles whose names start with `pg_`.
func (PostgresRoleManager) Update
func (sm PostgresRoleManager) Update(ctx context.Context, role DatabaseRole) error
Update the role.
func (PostgresRoleManager) UpdateComment
func (sm PostgresRoleManager) UpdateComment(ctx context.Context, role DatabaseRole) error
UpdateComment updates the comment of the role.
func (PostgresRoleManager) UpdateMembership
func (sm PostgresRoleManager) UpdateMembership(
	ctx context.Context,
	role DatabaseRole,
	rolesToGrant []string,
	rolesToRevoke []string,
) error
UpdateMembership updates the role's memberships in other roles.
IMPORTANT: the various REVOKE and GRANT commands that may be required to reconcile the role are executed in a single transaction, so if any one of them fails, the role will not get updated.
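The single-transaction membership update described above, as an added example that is not the package's own code: it builds the REVOKE/GRANT statements with double-quoted role identifiers (GRANT and REVOKE take identifiers, not bind parameters, so quoting is what keeps a hostile role name from becoming SQL) and applies them in one database/sql transaction that is rolled back on the first failure. The names execer, membershipStatements, applyMembership and updateMembershipTx are assumptions of this example.

```go
package main

import (
	"context"
	"database/sql"
	"fmt"
	"strings"
)

// execer is the subset of *sql.Tx used below (an assumption of this example).
type execer interface {
	ExecContext(ctx context.Context, query string, args ...any) (sql.Result, error)
}

// membershipStatements lists the statements for one role: revokes first, then grants.
// GRANT/REVOKE take identifiers, not bind parameters, so role names are double-quoted
// (embedded quotes doubled) to stop a crafted role name from being executed as SQL.
func membershipStatements(role string, grant, revoke []string) (stmts []string) {
	q := func(s string) string { return `"` + strings.ReplaceAll(s, `"`, `""`) + `"` }
	for _, r := range revoke {
		stmts = append(stmts, "REVOKE "+q(r)+" FROM "+q(role))
	}
	for _, g := range grant {
		stmts = append(stmts, "GRANT "+q(g)+" TO "+q(role))
	}
	return stmts
}

// applyMembership stops at the first failing statement so the caller can roll back.
func applyMembership(ctx context.Context, tx execer, role string, grant, revoke []string) error {
	for _, s := range membershipStatements(role, grant, revoke) {
		if _, err := tx.ExecContext(ctx, s); err != nil {
			return fmt.Errorf("applying %q: %w", s, err)
		}
	}
	return nil
}

// updateMembershipTx applies everything in one transaction: all GRANT/REVOKE land or none do.
func updateMembershipTx(ctx context.Context, db *sql.DB, role string, grant, revoke []string) error {
	tx, err := db.BeginTx(ctx, nil)
	if err != nil {
		return err
	}
	if err := applyMembership(ctx, tx, role, grant, revoke); err != nil {
		_ = tx.Rollback() // undo statements that already executed
		return err
	}
	return tx.Commit()
}
```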
type RoleError
RoleError is an EXPECTABLE error when performing role-related actions on the database. For example, we might try to drop a role that owns objects.
RoleError is NOT meant to represent unexpected errors such as a panic or a connection interruption.
type RoleManager
type RoleManager interface {
	// List the roles in the database
	List(ctx context.Context) ([]DatabaseRole, error)
	// Update the role in the database
	Update(ctx context.Context, role DatabaseRole) error
	// Create the role in the database
	Create(ctx context.Context, role DatabaseRole) error
	// Delete the role in the database
	Delete(ctx context.Context, role DatabaseRole) error
	// GetLastTransactionID returns the last TransactionID as the `xmin`
	// from the database
	// See https://www.postgresql.org/docs/current/datatype-oid.html for reference
	GetLastTransactionID(ctx context.Context, role DatabaseRole) (int64, error)
	// UpdateComment updates the comment of the role in the database
	UpdateComment(ctx context.Context, role DatabaseRole) error
	// UpdateMembership updates the IN ROLE membership of the role in the database
	UpdateMembership(ctx context.Context, role DatabaseRole, rolesToGrant []string, rolesToRevoke []string) error
	// GetParentRoles returns the roles the given role is a member of
	GetParentRoles(ctx context.Context, role DatabaseRole) ([]string, error)
}
RoleManager abstracts the functionality of reconciling PostgreSQL roles.
func NewPostgresRoleManager
func NewPostgresRoleManager(superDB *sql.DB) RoleManager
NewPostgresRoleManager returns an implementation of RoleManager for Postgres.
type RoleSynchronizer
type RoleSynchronizer struct {
// contains filtered or unexported fields
}
A RoleSynchronizer is a Kubernetes manager.Runnable that makes sure the roles in the PostgreSQL databases are in sync with the spec.
cf. https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/manager#Runnable
func NewRoleSynchronizer
func NewRoleSynchronizer(instance *postgres.Instance, client client.Client) *RoleSynchronizer
NewRoleSynchronizer creates a new RoleSynchronizer.