Add support for the "*" permission for a pgorole

The RBAC permission list for a pgorole became quite large, and with new endpoints and, in turn, new permissions being added, this was becoming unwieldly. Coupled with the new installation and distribution methods, this became fraught with peril that we may accidentally block out a feature from being used. This adds the new "*" permissions that allows a pgorole to access any API server resource. This also sets it to be the default rule in all of the installation methods. Issue: [ch6742]

Author: Jonathan S. Katz

ansible/inventory

@@ -61,7 +61,7 @@ pgo_admin_password=''
 
 # PGO Admin Role & Permissions
 pgo_admin_role_name='pgoadmin'
-pgo_admin_perms='DeleteNamespace,CreateNamespace,UpdatePgorole,ShowPgorole,DeletePgorole,CreatePgorole,UpdatePgouser,ShowPgouser,DeletePgouser,CreatePgouser,Cat,Ls,ShowNamespace,CreateDump,RestoreDump,ScaleCluster,CreateSchedule,DeleteSchedule,ShowSchedule,DeletePgbouncer,CreatePgbouncer,Restore,RestorePgbasebackup,ShowSecrets,Reload,ShowConfig,Status,DfCluster,DeleteCluster,ShowCluster,CreateCluster,TestCluster,ShowBackup,DeleteBackup,CreateBackup,Label,Load,CreatePolicy,DeletePolicy,ShowPolicy,ApplyPolicy,ShowWorkflow,ShowPVC,CreateUpgrade,CreateUser,DeleteUser,UpdateUser,ShowUser,Version,CreateFailover,UpdateCluster,CreateBenchmark,ShowBenchmark,DeleteBenchmark,UpdateNamespace,Clone'
+pgo_admin_perms='*'
 
 # Namespace where operator will be deployed
 # NOTE: Ansible will create namespaces that don't exist

ansible/roles/pgo-operator/templates/pgorole-pgoadmin.yaml.j2

@@ -1,6 +1,6 @@
 apiVersion: v1
 data:
- permissions: {{ pgo_admin_perms | b64encode }}
+ permissions: "{{ pgo_admin_perms | b64encode }}"
  rolename: {{ pgo_admin_role_name | b64encode }}
 kind: Secret
 metadata:
@@ -12,4 +12,3 @@ metadata:
  name: pgorole-{{ pgo_admin_role_name }}
  namespace: {{ pgo_operator_namespace }}
 type: Opaque
-

apiserver/root.go

@@ -267,7 +267,16 @@ func BasicAuthzCheck(username, perm string) bool {
 return false
 }
 
-permsString := string(rolesecret.Data["permissions"])
+permsString := strings.TrimSpace(string(rolesecret.Data["permissions"]))
+
+// first a special case. If this is a solitary "*" indicating that this
+// encompasses every permission, then we can exit here as true
+if permsString == "*" {
+return true
+}
+
+// otherwise, blow up the permission string and see if the user has explicit
+// permission (i.e. is authorized) to access this resource
 perms := strings.Split(permsString, ",")
 
 for _, p := range perms {

deploy/install-bootstrap-creds.sh

@@ -20,7 +20,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 export PGOADMIN_USERNAME=pgoadmin
 export PGOADMIN_PASSWORD=examplepassword
 export PGOADMIN_ROLENAME=pgoadmin
-export PGOADMIN_PERMS="DeleteNamespace,CreateNamespace,UpdatePgorole,ShowPgorole,DeletePgorole,CreatePgorole,UpdatePgouser,ShowPgouser,DeletePgouser,CreatePgouser,Cat,Ls,ShowNamespace,CreateDump,RestoreDump,ScaleCluster,CreateSchedule,DeleteSchedule,ShowSchedule,DeletePgbouncer,CreatePgbouncer,Restore,RestorePgbasebackup,ShowSecrets,Reload,ShowConfig,Status,DfCluster,DeleteCluster,ShowCluster,CreateCluster,TestCluster,ShowBackup,DeleteBackup,CreateBackup,Label,Load,CreatePolicy,DeletePolicy,ShowPolicy,ApplyPolicy,ShowWorkflow,ShowPVC,CreateUpgrade,CreateUser,DeleteUser,UpdateUser,ShowUser,Version,CreateFailover,UpdateCluster,CreateBenchmark,ShowBenchmark,DeleteBenchmark,UpdateNamespace,Clone"
+export PGOADMIN_PERMS="*"
 
 # see if the bootstrap pgorole Secret exists or not, deleting it if found
 $PGO_CMD get secret pgorole-$PGOADMIN_ROLENAME -n $PGO_OPERATOR_NAMESPACE 2> /dev/null > /dev/null

deploy/pgorole-pgoadmin.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 stringData:
- permissions: $PGOADMIN_PERMS
+ permissions: "$PGOADMIN_PERMS"
  rolename: $PGOADMIN_ROLENAME
 kind: Secret
 metadata:
@@ -12,4 +12,3 @@ metadata:
  name: pgorole-$PGOADMIN_ROLENAME
  namespace: $PGO_OPERATOR_NAMESPACE
 type: Opaque
-

hugo/content/Installation/install-with-ansible/prerequisites.md

@@ -203,7 +203,7 @@ sets of variables cannot be used at the same time.
 | `pgo_add_os_ca_store` | false | | When true, includes system default certificate authorities |
 | `pgo_admin_username` | admin | **Required** | Configures the pgo administrator username. |
 | `pgo_admin_password` | | **Required** | Configures the pgo administrator password. |
-| `pgo_admin_perms` | DeleteNamespace,CreateNamespace,UpdatePgorole,ShowPgorole,DeletePgorole,CreatePgorole,UpdatePgouser,ShowPgouser,DeletePgouser,CreatePgouser,Cat,Ls,ShowNamespace,CreateDump,RestoreDump,ScaleCluster,CreateSchedule,DeleteSchedule,ShowSchedule,DeletePgbouncer,CreatePgbouncer,Restore,RestorePgbasebackup,ShowSecrets,Reload,ShowConfig,Status,DfCluster,DeleteCluster,ShowCluster,CreateCluster,TestCluster,ShowBackup,DeleteBackup,CreateBackup,Label,Load,CreatePolicy,DeletePolicy,ShowPolicy,ApplyPolicy,ShowWorkflow,ShowPVC,CreateUpgrade,CreateUser,DeleteUser,UpdateUser,ShowUser,Version,CreateFailover,UpdateCluster,CreateBenchmark,ShowBenchmark,DeleteBenchmark,UpdateNamespace,Clone | **Required** | Sets the access control rules provided by the PostgreSQL Operator RBAC resources for the PostgreSQL Operator administrative account that is created by this installer. |
+| `pgo_admin_perms` | `*` | **Required** | Sets the access control rules provided by the PostgreSQL Operator RBAC resources for the PostgreSQL Operator administrative account that is created by this installer. Defaults to allowing all of the permissions, which is represented with the `*` |
 | `pgo_admin_role_name` | pgoadmin | **Required** | Sets the name of the PostgreSQL Operator role that is utilized for administrative operations performed by the PostgreSQL Operator. |
 | `pgo_apiserver_port` | 8443 | | Set to configure the port used by the Crunchy PostgreSQL Operator apiserver. |
 | `pgo_client_install` | true | | Configures the playbooks to install the `pgo` client if set to true. |
@@ -219,7 +219,7 @@ sets of variables cannot be used at the same time.
 | `pgo_tls_no_verify` | false | | Set to configure Operator to verify TLS certificates. |
 | `pgo_client_container_install` | false | | Installs the pgo-client deployment along with ansible isnstall |
 | `pgo_apiserver_url` | `https://postgres-operator` | | Sets the `pgo_apiserver_url` in the pgo-client deployment |
-| `pgo_client_cert_secret` | `pgo.tls` | | Sets the secret that the pgo-client will use when connecting to the operator. Secret should hold the TLS certs | 
+| `pgo_client_cert_secret` | `pgo.tls` | | Sets the secret that the pgo-client will use when connecting to the operator. Secret should hold the TLS certs |
 | `primary_storage` | storageos | **Required** | Set to configure which storage definition to use when creating volumes used by PostgreSQL primaries on all newly created clusters. |
 | `prometheus_install` | true | | Set to true to install Crunchy Prometheus timeseries database. |
 | `prometheus_storage_access_mode` | | | Set to the access mode used by the configured storage class for Prometheus persistent volumes. |

hugo/content/Security/configure-postgres-operator-rbac.md

@@ -43,6 +43,8 @@ If the user tries to access a namespace that they are not configured for within
  Error: user [pgouser1] is not allowed access to namespace [pgouser2]
 
 
+If you wish to add all avaiable permissions to a *pgorole*, you can specify it by using a single `*` in your configuration. Note that if you are editing your YAML file directly, you will need to ensure to write it as `"*"` to ensure it is recognized as a string.
+
 The following list shows the current complete list of possible pgo permissions that you can specify within the *pgorole* file when creating roles:
 
 |Permission|Description |
@@ -93,7 +95,7 @@ The following list shows the current complete list of possible pgo permissions t
 
 If the user is unauthorized for a pgo command, the user will get back this response:
 
- Error: Authentication Failed: 401
+ Error: Authentication Failed: 403
 
 ## Making Security Changes
 

installers/gcp-marketplace/inventory.ini

@@ -9,7 +9,7 @@ pgo_admin_password='${OPERATOR_ADMIN_PASSWORD}'
 
 # PGO Admin Role & Permissions
 pgo_admin_role_name='pgoadmin'
-pgo_admin_perms='DeleteNamespace,CreateNamespace,UpdatePgorole,ShowPgorole,DeletePgorole,CreatePgorole,UpdatePgouser,ShowPgouser,DeletePgouser,CreatePgouser,Cat,Ls,ShowNamespace,CreateDump,RestoreDump,ScaleCluster,CreateSchedule,DeleteSchedule,ShowSchedule,DeletePgbouncer,CreatePgbouncer,Restore,RestorePgbasebackup,ShowSecrets,Reload,ShowConfig,Status,DfCluster,DeleteCluster,ShowCluster,CreateCluster,TestCluster,ShowBackup,DeleteBackup,CreateBackup,Label,Load,CreatePolicy,DeletePolicy,ShowPolicy,ApplyPolicy,ShowWorkflow,ShowPVC,CreateUpgrade,CreateUser,DeleteUser,UpdateUser,ShowUser,Version,CreateFailover,UpdateCluster,CreateBenchmark,ShowBenchmark,DeleteBenchmark,UpdateNamespace,Clone'
+pgo_admin_perms='*'
 
 pgo_installation_name='${OPERATOR_NAME}'
 pgo_operator_namespace='${OPERATOR_NAMESPACE}'