Skip to content

Commit

Permalink
fix(clickhousegrant): save state
Browse files Browse the repository at this point in the history
  • Loading branch information
byashimov committed Jul 12, 2024
1 parent d835e39 commit 0b3a39b
Show file tree
Hide file tree
Showing 7 changed files with 312 additions and 369 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,8 @@
- Fix `ClickhouseGrant` invalid remote and local privileges comparison
- Fix `ClickhouseGrant`: doesn't escape role name to grant
- Fix `ClickhouseUser`: password was reset due to an incorrect processing cycle
- Fix `ClickhouseGrant`: grant privileges for an unknown table
- Fix `ClickhouseGrant`: track the state to revoke privileges

## v0.22.0 - 2024-07-02

Expand Down
46 changes: 20 additions & 26 deletions api/v1alpha1/clickhousegrant_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -59,19 +59,35 @@ type RoleGrant struct {
WithAdminOption bool `json:"withAdminOption,omitempty"`
}

// ClickhouseGrantSpec defines the desired state of ClickhouseGrant
type ClickhouseGrantSpec struct {
ServiceDependant `json:",inline,omitempty"`

type Grants struct {
// Configuration to grant a privilege. Privileges not in the manifest are revoked. Existing privileges are retained; new ones are granted.
PrivilegeGrants []PrivilegeGrant `json:"privilegeGrants,omitempty"`
// Configuration to grant a role. Role grants not in the manifest are revoked. Existing role grants are retained; new ones are granted.
RoleGrants []RoleGrant `json:"roleGrants,omitempty"`
}

func (in *Grants) BuildStatements(statementType chUtils.StatementType) []string {
stmts := make([]string, 0, len(in.PrivilegeGrants)+len(in.RoleGrants))
for _, g := range in.PrivilegeGrants {
stmts = append(stmts, buildStatement(statementType, g))
}
for _, g := range in.RoleGrants {
stmts = append(stmts, buildStatement(statementType, g))
}
return stmts
}

// ClickhouseGrantSpec defines the desired state of ClickhouseGrant
type ClickhouseGrantSpec struct {
ServiceDependant `json:",inline,omitempty"`
Grants `json:",inline,omitempty"`
}

// ClickhouseGrantStatus defines the observed state of ClickhouseGrant
type ClickhouseGrantStatus struct {
Conditions []metav1.Condition `json:"conditions"`
// Stores previous (before update) and current state (after update)
State Grants `json:"state,omitempty"`
}

//+kubebuilder:object:root=true
Expand All @@ -89,28 +105,6 @@ type ClickhouseGrant struct {
Status ClickhouseGrantStatus `json:"status,omitempty"`
}

func (in ClickhouseGrantSpec) buildStatements(statementType chUtils.StatementType) []string {
stmts := make([]string, 0, len(in.PrivilegeGrants)+len(in.RoleGrants))
for _, g := range in.PrivilegeGrants {
stmts = append(stmts, buildStatement(statementType, g))
}
for _, g := range in.RoleGrants {
stmts = append(stmts, buildStatement(statementType, g))
}
return stmts
}

func (in ClickhouseGrantSpec) ExecuteStatements(ctx context.Context, avnGen avngen.Client, statementType chUtils.StatementType) (bool, error) {
statements := in.buildStatements(statementType)
for _, stmt := range statements {
_, err := chUtils.ExecuteClickHouseQuery(ctx, avnGen, in.Project, in.ServiceName, stmt)
if err != nil {
return false, err
}
}
return true, nil
}

func (in ClickhouseGrantSpec) CollectGrantees() []string {
allGrantees := []string{}
processGrantee := func(grantees []Grantee) {
Expand Down
45 changes: 31 additions & 14 deletions api/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

110 changes: 110 additions & 0 deletions charts/aiven-operator-crds/templates/aiven.io_clickhousegrants.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -260,6 +260,116 @@ spec:
- type
type: object
type: array
state:
description:
Stores previous (before update) and current state (after
update)
properties:
privilegeGrants:
description:
Configuration to grant a privilege. Privileges not
in the manifest are revoked. Existing privileges are retained;
new ones are granted.
items:
description: |-
PrivilegeGrant represents the privileges to be granted to users or roles.
See https://clickhouse.com/docs/en/sql-reference/statements/grant#granting-privilege-syntax.
properties:
columns:
description: The column that the grant refers to.
items:
type: string
type: array
database:
description: The database that the grant refers to.
type: string
grantees:
description:
List of grantees (users or roles) to grant
the privilege to.
items:
description:
Grantee represents a user or a role to which
privileges or roles are granted.
properties:
role:
type: string
user:
type: string
type: object
minItems: 1
type: array
privileges:
description: |-
The privileges to grant, i.e. `INSERT`, `SELECT`.
See https://clickhouse.com/docs/en/sql-reference/statements/grant#assigning-role-syntax.
items:
type: string
type: array
table:
description:
'The tables that the grant refers to. To grant
a privilege on all tables in a database, omit this field
instead of writing `table: "*"`.'
type: string
withGrantOption:
description: |-
If true, then the grantee (user or role) get the permission to execute the `GRANT` query.
Users can grant privileges of the same scope they have and less.
See https://clickhouse.com/docs/en/sql-reference/statements/grant#granting-privilege-syntax
type: boolean
required:
- database
- grantees
- privileges
type: object
x-kubernetes-validations:
- message: "`table` must be set if `columns` are set"
rule: "!has(self.columns) || (has(self.columns) && has(self.table))"
type: array
roleGrants:
description:
Configuration to grant a role. Role grants not in
the manifest are revoked. Existing role grants are retained;
new ones are granted.
items:
description: |-
RoleGrant represents the roles to be assigned to users or roles.
See https://clickhouse.com/docs/en/sql-reference/statements/grant#assigning-role-syntax.
properties:
grantees:
description:
List of grantees (users or roles) to grant
the privilege to.
items:
description:
Grantee represents a user or a role to which
privileges or roles are granted.
properties:
role:
type: string
user:
type: string
type: object
minItems: 1
type: array
roles:
description: List of roles to grant to the grantees.
items:
type: string
minItems: 1
type: array
withAdminOption:
description: |-
If true, the grant is executed with `ADMIN OPTION` privilege.
See https://clickhouse.com/docs/en/sql-reference/statements/grant#admin-option.
type: boolean
required:
- grantees
- roles
type: object
type: array
type: object
required:
- conditions
type: object
Expand Down
110 changes: 110 additions & 0 deletions config/crd/bases/aiven.io_clickhousegrants.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -260,6 +260,116 @@ spec:
- type
type: object
type: array
state:
description:
Stores previous (before update) and current state (after
update)
properties:
privilegeGrants:
description:
Configuration to grant a privilege. Privileges not
in the manifest are revoked. Existing privileges are retained;
new ones are granted.
items:
description: |-
PrivilegeGrant represents the privileges to be granted to users or roles.
See https://clickhouse.com/docs/en/sql-reference/statements/grant#granting-privilege-syntax.
properties:
columns:
description: The column that the grant refers to.
items:
type: string
type: array
database:
description: The database that the grant refers to.
type: string
grantees:
description:
List of grantees (users or roles) to grant
the privilege to.
items:
description:
Grantee represents a user or a role to which
privileges or roles are granted.
properties:
role:
type: string
user:
type: string
type: object
minItems: 1
type: array
privileges:
description: |-
The privileges to grant, i.e. `INSERT`, `SELECT`.
See https://clickhouse.com/docs/en/sql-reference/statements/grant#assigning-role-syntax.
items:
type: string
type: array
table:
description:
'The tables that the grant refers to. To grant
a privilege on all tables in a database, omit this field
instead of writing `table: "*"`.'
type: string
withGrantOption:
description: |-
If true, then the grantee (user or role) get the permission to execute the `GRANT` query.
Users can grant privileges of the same scope they have and less.
See https://clickhouse.com/docs/en/sql-reference/statements/grant#granting-privilege-syntax
type: boolean
required:
- database
- grantees
- privileges
type: object
x-kubernetes-validations:
- message: "`table` must be set if `columns` are set"
rule: "!has(self.columns) || (has(self.columns) && has(self.table))"
type: array
roleGrants:
description:
Configuration to grant a role. Role grants not in
the manifest are revoked. Existing role grants are retained;
new ones are granted.
items:
description: |-
RoleGrant represents the roles to be assigned to users or roles.
See https://clickhouse.com/docs/en/sql-reference/statements/grant#assigning-role-syntax.
properties:
grantees:
description:
List of grantees (users or roles) to grant
the privilege to.
items:
description:
Grantee represents a user or a role to which
privileges or roles are granted.
properties:
role:
type: string
user:
type: string
type: object
minItems: 1
type: array
roles:
description: List of roles to grant to the grantees.
items:
type: string
minItems: 1
type: array
withAdminOption:
description: |-
If true, the grant is executed with `ADMIN OPTION` privilege.
See https://clickhouse.com/docs/en/sql-reference/statements/grant#admin-option.
type: boolean
required:
- grantees
- roles
type: object
type: array
type: object
required:
- conditions
type: object
Expand Down
Loading

0 comments on commit 0b3a39b

Please sign in to comment.