planetscale / vitess-operator

Kubernetes Operator for Vitess
Apache License 2.0

Ability to set database's user authorization for allowing access to specific tables #171

Open maZahaca opened 3 years ago

maZahaca commented 3 years ago

The Vitess topic is described here: https://vitess.io/docs/user-guides/configuration-advanced/authorization/

I was unable to find a description for vitess-operator to do that.

prime-minister-of-fun commented 3 years ago

Because there isn't one. AFAICT, there are two keys, EXTRAVOLUMES and EXTRAVOLUMEMOUNTS, to mount a flat file that stores the permissions. But this doesn't seem to work, and I'm not sure whether it's logging the failed key/value action somewhere.

In pkg/apis/planetscale/v2/vitessshard_types.go it reads like extravolumes and extravolumemounts can appear at the same indentation as datavolumeclaimtemplate.

In theory, this should work?

            extraVolumes:
            - name: acl-config
              configMapKeyRef:
                name: acl-json
                key: acl.json
            extraVolumeMounts:
            - name: acl-config
              mountPath: /conf

None of the pods end up having a /conf directory with the ConfigMap in it. The ConfigMap's name is acl-json with key acl.json.

Maybe I am missing it because I am new to Kubernetes.

prime-minister-of-fun commented 3 years ago

I finally figured this out because the answer was in the vitess slack channel. You should probably subscribe to it if you want to speed up figuring this system out.

This works for a configMap with a single key:

            extraVolumes:
            - name: acl-config
              configMap:
                name: "acl"

            extraVolumeMounts:
            - name: acl-config
              mountPath: /conf

There are options for selecting specific keys that are documented on the Kubernetes side. I spent enough time on it, already.

Here's an example using secrets. The indents might be wrong.

            extraVolumes:
            - name: acl-config
              secret:
                secretName: vitess-configs
                items:
                - key: acl.json
                  path: acl.json

            extraVolumeMounts:
            - name: acl-config
              mountPath: /conf

The next part is to add the options to the vttablet section of the deployment.yaml file so vttablet reads the file.
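Before the acl.json goes into the ConfigMap or Secret mounted above, it is worth linting it once, since a malformed file only shows up as a vttablet that refuses to start or an ACL that does not do what was intended. The script below is an added example, not code from vitess-operator or Vitess: it parses a constructed acl.json in the table ACL format from the linked authorization doc (table_groups with readers/writers/admins), rejects structural mistakes, and reports which roles a user holds on a given table. The trailing-% prefix rule follows the doc; treating a pattern that appears in two groups as an error is this script's own assumption.

```python
import json

# Constructed sample acl.json (not from the issue thread), in the documented table ACL format.
SAMPLE_ACL_JSON = json.dumps({"table_groups": [
    {"name": "orders", "table_names_or_prefixes": ["orders", "order_%"],
     "readers": ["reporting", "app"], "writers": ["app"], "admins": ["dba"]},
    {"name": "everything_else", "table_names_or_prefixes": ["%"],
     "readers": ["reporting"], "writers": [], "admins": ["dba"]},
]})

ROLES = ("readers", "writers", "admins")


def load_acl(text):
    """Parse acl.json and reject structural mistakes before it goes into the ConfigMap."""
    groups = json.loads(text).get("table_groups")
    if not isinstance(groups, list) or not groups:
        raise ValueError("table_groups must be a non-empty list")
    seen = set()
    for g in groups:
        patterns = g.get("table_names_or_prefixes")
        if not g.get("name") or not patterns:
            raise ValueError("every group needs a name and at least one table pattern")
        for p in patterns:
            if p in seen:  # assumption of this lint: one pattern belongs to exactly one group
                raise ValueError(f"pattern {p!r} appears in more than one group")
            seen.add(p)
        for role in ROLES:
            users = g.get(role, [])
            if not isinstance(users, list) or not all(isinstance(u, str) for u in users):
                raise ValueError(f"{g['name']}.{role} must be a list of usernames")
    return groups


def _matches(pattern, table):
    # A trailing % marks a prefix entry; anything else must equal the table name exactly.
    return table.startswith(pattern[:-1]) if pattern.endswith("%") else table == pattern


def roles_for(groups, user, table):
    """Roles `user` holds on `table`, collected over every group whose pattern matches."""
    found = set()
    for g in groups:
        if any(_matches(p, table) for p in g["table_names_or_prefixes"]):
            found.update(r for r in ROLES if user in g.get(r, []))
    return sorted(found)


def wildcard_writers(groups):
    """Users who can write or administer every table via a bare '%' group: review these."""
    return sorted({u for g in groups if "%" in g["table_names_or_prefixes"]
                   for r in ("writers", "admins") for u in g.get(r, [])})
```

Run it against the real acl.json before creating the ConfigMap, and treat a non-empty `wildcard_writers` result as a least-privilege review item.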