Add methods to create user role for elasticsearch

elasticsearch/api.go

@@ -24,12 +24,51 @@ import (
 	core "k8s.io/api/core/v1"
 )
 
-var (
+const (
 	writeRequestIndex = "kubedb-system"
 	writeRequestID    = "info"
 	writeRequestType  = "_doc"
+	CustomRoleName    = "readWriteAnyDatabase"
+	ApplicationKibana = "kibana-.kibana"
 )
 
+const (
+	PrivilegeCreateSnapshot = "create_snapshot"
+	PrivilegeManage         = "manage"
+	PrivilegeManageILM      = "manage_ilm"
+	PrivilegeManageRoleup   = "manage_rollup"
+	PrivilegeMonitor        = "monitor"
+	PrivilegeManageCCR      = "manage_ccr"
+	PrivilegeRead           = "read"
+	PrivilegeWrite          = "write"
+	PrivilegeCreateIndex    = "create_index"
+	PrivilegeIndexAny       = "*"
+)
+
+type DBPrivileges struct {
+	Names                  []string `json:"names"`
+	Privileges             []string `json:"privileges"`
+	AllowRestrictedIndices bool     `json:"allow_restricted_indices"`
+}
+
+type ApplicationPrivileges struct {
+	Application string   `json:"application"`
+	Privileges  []string `json:"privileges"`
+	Resources   []string `json:"resources"`
+}
+
+type TransientMetaPrivileges struct {
+	Enabled bool `json:"enabled"`
+}
+
+type UserRoleReq struct {
+	Cluster           []string                `json:"cluster"`
+	Indices           []DBPrivileges          `json:"indices"`
+	Applications      []ApplicationPrivileges `json:"applications"`
+	RunAs             []string                `json:"run_as"`
+	TransientMetaData TransientMetaPrivileges `json:"transient_metadata"`
+}
+
 type WriteRequestIndex struct {
 	Index WriteRequestIndexBody `json:"index"`
 }
@@ -41,11 +80,13 @@ type WriteRequestIndexBody struct {
 
 type ESClient interface {
 	ClusterHealthInfo() (map[string]interface{}, error)
-	NodesStats() (map[string]interface{}, error)
-	GetIndicesInfo() ([]interface{}, error)
+	CreateDBUserRole(ctx context.Context) error
 	ClusterStatus() (string, error)
-	SyncCredentialFromSecret(secret *core.Secret) error
+	GetIndicesInfo() ([]interface{}, error)
 	GetClusterWriteStatus(ctx context.Context, db *api.Elasticsearch) error
 	GetClusterReadStatus(ctx context.Context, db *api.Elasticsearch) error
 	GetTotalDiskUsage(ctx context.Context) (string, error)
+	GetDBUserRole(ctx context.Context) (error, bool)
+	NodesStats() (map[string]interface{}, error)
+	SyncCredentialFromSecret(secret *core.Secret) error
 }

elasticsearch/es_client_v5.go

@@ -88,3 +88,11 @@ func (es *ESClientV5) GetClusterReadStatus(ctx context.Context, db *api.Elastics
 func (es *ESClientV5) GetTotalDiskUsage(ctx context.Context) (string, error) {
 	return "", nil
 }
+
+func (es *ESClientV5) GetDBUserRole(ctx context.Context) (error, bool) {
+	return errors.New("not supported in es version 5"), false
+}
+
+func (es *ESClientV5) CreateDBUserRole(ctx context.Context) error {
+	return errors.New("not supported in es version 5")
+}

elasticsearch/es_client_v6.go

@@ -212,3 +212,11 @@ func (es *ESClientV6) GetClusterReadStatus(ctx context.Context, db *api.Elastics
 func (es *ESClientV6) GetTotalDiskUsage(ctx context.Context) (string, error) {
 	return "", nil
 }
+
+func (es *ESClientV6) GetDBUserRole(ctx context.Context) (error, bool) {
+	return errors.New("not supported in es version 6"), false
+}
+
+func (es *ESClientV6) CreateDBUserRole(ctx context.Context) error {
+	return errors.New("not supported in es version 6")
+}

elasticsearch/es_client_v7.go

@@ -17,6 +17,7 @@ limitations under the License.
 package elasticsearch
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
@@ -301,3 +302,82 @@ func (es *ESClientV7) GetTotalDiskUsage(ctx context.Context) (string, error) {
 
 	return totalDiskUsage, nil
 }
+
+func (es *ESClientV7) GetDBUserRole(ctx context.Context) (error, bool) {
+	req := esapi.SecurityGetRoleRequest{
+		Name: []string{CustomRoleName},
+	}
+	res, err := req.Do(ctx, es.client.Transport)
+	defer func(Body io.ReadCloser) {
+		err := Body.Close()
+		if err != nil {
+			klog.Errorf("failed to close response body from GetDBUserRole", err)
+		}
+	}(res.Body)
+
+	if err != nil {
+		klog.Errorf("failed to get existing DB user role", err)
+		return err, false
+	}
+	if res.IsError() {
+		err = errors.New(fmt.Sprintf("fetching DB user role failed with error status code %d", res.StatusCode))
+		klog.Errorf("Failed to fetch DB user role", err)
+		return nil, false
+	}
+
+	return nil, true
+}
+
+func (es *ESClientV7) CreateDBUserRole(ctx context.Context) error {
+	userRoleReqStruct := UserRoleReq{
+		[]string{PrivilegeCreateSnapshot, PrivilegeManage, PrivilegeManageILM, PrivilegeManageRoleup, PrivilegeMonitor, PrivilegeManageCCR},
+		[]DBPrivileges{
+			{
+				[]string{PrivilegeIndexAny},
+				[]string{PrivilegeRead, PrivilegeWrite, PrivilegeCreateIndex},
+				false,
+			},
+		},
+		[]ApplicationPrivileges{
+			{
+				ApplicationKibana,
+				[]string{PrivilegeRead, PrivilegeWrite},
+				[]string{PrivilegeIndexAny},
+			},
+		},
+		[]string{},
+		TransientMetaPrivileges{
+			true,
+		},
+	}
+
+	userRoleReqJSON, err := json.Marshal(userRoleReqStruct)
+	if err != nil {
+		klog.Errorf("Failed to parse rollRequest body to JSOn", err)
+		return err
+	}
+	body := bytes.NewReader(userRoleReqJSON)
+	req := esapi.SecurityPutRoleRequest{
+		Name: CustomRoleName,
+		Body: body,
+	}
+
+	res, err := req.Do(ctx, es.client.Transport)
+	defer func(Body io.ReadCloser) {
+		err := Body.Close()
+		if err != nil {
+			klog.Errorf("failed to close response body from EnsureDBUserRole function", err)
+		}
+	}(res.Body)
+	if err != nil {
+		klog.Errorf("Failed to perform request to create DB user role", err)
+		return err
+	}
+
+	if res.IsError() {
+		err = errors.New(fmt.Sprintf("DB user role creation failed with error status code %d", res.StatusCode))
+		klog.Errorf("Failed to create DB user role", err)
+		return err
+	}
+	return nil
+}

elasticsearch/es_client_v8.go

@@ -17,6 +17,7 @@ limitations under the License.
 package elasticsearch
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
@@ -300,3 +301,82 @@ func (es *ESClientV8) GetTotalDiskUsage(ctx context.Context) (string, error) {
 
 	return totalDiskUsage, nil
 }
+
+func (es *ESClientV8) GetDBUserRole(ctx context.Context) (error, bool) {
+	req := esapi.SecurityGetRoleRequest{
+		Name: []string{CustomRoleName},
+	}
+	res, err := req.Do(ctx, es.client.Transport)
+	defer func(Body io.ReadCloser) {
+		err := Body.Close()
+		if err != nil {
+			klog.Errorf("failed to close response body from GetDBUserRole", err)
+		}
+	}(res.Body)
+
+	if err != nil {
+		klog.Errorf("failed to get existing DB user role", err)
+		return err, false
+	}
+	if res.IsError() {
+		err = errors.New(fmt.Sprintf("fetching DB user role failed with error status code %d", res.StatusCode))
+		klog.Errorf("Failed to fetch DB user role", err)
+		return nil, false
+	}
+
+	return nil, true
+}
+
+func (es *ESClientV8) CreateDBUserRole(ctx context.Context) error {
+	userRoleReqStruct := UserRoleReq{
+		[]string{PrivilegeCreateSnapshot, PrivilegeManage, PrivilegeManageILM, PrivilegeManageRoleup, PrivilegeMonitor, PrivilegeManageCCR},
+		[]DBPrivileges{
+			{
+				[]string{PrivilegeIndexAny},
+				[]string{PrivilegeRead, PrivilegeWrite, PrivilegeCreateIndex},
+				false,
+			},
+		},
+		[]ApplicationPrivileges{
+			{
+				ApplicationKibana,
+				[]string{PrivilegeRead, PrivilegeWrite},
+				[]string{PrivilegeIndexAny},
+			},
+		},
+		[]string{},
+		TransientMetaPrivileges{
+			true,
+		},
+	}
+
+	userRoleReqJSON, err := json.Marshal(userRoleReqStruct)
+	if err != nil {
+		klog.Errorf("Failed to parse rollRequest body to JSOn", err)
+		return err
+	}
+	body := bytes.NewReader(userRoleReqJSON)
+	req := esapi.SecurityPutRoleRequest{
+		Name: CustomRoleName,
+		Body: body,
+	}
+
+	res, err := req.Do(ctx, es.client.Transport)
+	defer func(Body io.ReadCloser) {
+		err := Body.Close()
+		if err != nil {
+			klog.Errorf("failed to close response body from EnsureDBUserRole function", err)
+		}
+	}(res.Body)
+	if err != nil {
+		klog.Errorf("Failed to perform request to create DB user role", err)
+		return err
+	}
+
+	if res.IsError() {
+		err = errors.New(fmt.Sprintf("DB user role creation failed with error status code %d", res.StatusCode))
+		klog.Errorf("Failed to create DB user role", err)
+		return err
+	}
+	return nil
+}

elasticsearch/os_client_v1.go

@@ -251,3 +251,11 @@ func (os *OSClientV1) GetTotalDiskUsage(ctx context.Context) (string, error) {
 func (os *OSClientV1) SyncCredentialFromSecret(secret *core.Secret) error {
 	return nil
 }
+
+func (os *OSClientV1) GetDBUserRole(ctx context.Context) (error, bool) {
+	return errors.New("not supported in os version 1"), false
+}
+
+func (os *OSClientV1) CreateDBUserRole(ctx context.Context) error {
+	return errors.New("not supported in os version 1")
+}

elasticsearch/os_client_v2.go

@@ -250,3 +250,11 @@ func (os *OSClientV2) GetTotalDiskUsage(ctx context.Context) (string, error) {
 func (os *OSClientV2) SyncCredentialFromSecret(secret *core.Secret) error {
 	return nil
 }
+
+func (os *OSClientV2) GetDBUserRole(ctx context.Context) (error, bool) {
+	return errors.New("not supported in os version 2"), false
+}
+
+func (os *OSClientV2) CreateDBUserRole(ctx context.Context) error {
+	return errors.New("not supported in os version 2")
+}

go.mod

@@ -17,8 +17,8 @@ require (
 	go.mongodb.org/mongo-driver v1.10.2
 	k8s.io/api v0.25.3
 	k8s.io/klog/v2 v2.80.1
-	kmodules.xyz/client-go v0.25.23
-	kubedb.dev/apimachinery v0.33.2-0.20230613082109-19397df99ef7
+	kmodules.xyz/client-go v0.25.27
+	kubedb.dev/apimachinery v0.34.1-0.20230724122802-eb1b7f2152cc
 	sigs.k8s.io/controller-runtime v0.13.1
 	xorm.io/xorm v1.3.2
 )

go.sum

@@ -1486,16 +1486,16 @@ k8s.io/utils v0.0.0-20210820185131-d34e5cb4466e/go.mod h1:jPW/WVKK9YHAvNhRxK0md/
 k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20221012122500-cfd413dd9e85 h1:cTdVh7LYu82xeClmfzGtgyspNh6UxpwLWGi8R4sspNo=
 k8s.io/utils v0.0.0-20221012122500-cfd413dd9e85/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-kmodules.xyz/client-go v0.25.23 h1:qz5XJYHLVZUowqfRXEJD7JQ4iaLLzQ1O1zPMmsdrkJw=
-kmodules.xyz/client-go v0.25.23/go.mod h1:wbdzLEoDYiCPI6dTW0mIAGNwkwFV4lC5BN1FJxiDsbw=
+kmodules.xyz/client-go v0.25.27 h1:Ivl054xbXSvMNMKAJtK7TkS0iZX0AHvVQzxtsrIk9ik=
+kmodules.xyz/client-go v0.25.27/go.mod h1:PYfJtJs+AhgfkJNIeUObU4SqAkY85ARTlXxC+2gAsgo=
 kmodules.xyz/custom-resources v0.25.2 h1:+PJgUZvbbSgyNT7EX9gUZ3PIzY2LAW03TDW8cevvXqo=
 kmodules.xyz/custom-resources v0.25.2/go.mod h1:b9XjjKQMZ6KrLHXKqQz7YwV3M3BK8Hwi4KEwu5RadCo=
 kmodules.xyz/monitoring-agent-api v0.25.1 h1:E1H8U/vMfYQ8wevmJv6Lcj0Z4DF7cH3hZ2xkFgG+xKk=
 kmodules.xyz/monitoring-agent-api v0.25.1/go.mod h1:IphGzRWbuV00B3TLalcBs6+IlchSZVTwKDty+J3LLz4=
 kmodules.xyz/offshoot-api v0.25.4 h1:IjJNvkphcdYUG8XO/pBwXpuP8W+jxAWJZ3yH8vgI/as=
 kmodules.xyz/offshoot-api v0.25.4/go.mod h1:PUk4EuJFhhyQykCflHj7EgXcljGIqs9vi0IN0RpxtY4=
-kubedb.dev/apimachinery v0.33.2-0.20230613082109-19397df99ef7 h1:uxx+5CIZWBckBql9Vb3E87qXudgQBxgkfbBkL7nBgvA=
-kubedb.dev/apimachinery v0.33.2-0.20230613082109-19397df99ef7/go.mod h1:bFkJ6mbKUpmvmfVML6dczw/+BEO8AMKcuWZckydR2Y0=
+kubedb.dev/apimachinery v0.34.1-0.20230724122802-eb1b7f2152cc h1:pwUjqKeog1LH/SjbrsU05Hqe4EWd5UcCNRS/yE+hXbU=
+kubedb.dev/apimachinery v0.34.1-0.20230724122802-eb1b7f2152cc/go.mod h1:K4tmJODPLOBgYGA/4N8Cx4ZwX1ZtZF8E+O1NIRWwyzA=
 lukechampine.com/uint128 v1.1.1 h1:pnxCASz787iMf+02ssImqk6OLt+Z5QHMoZyUXR4z6JU=
 lukechampine.com/uint128 v1.1.1/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
 modernc.org/cc/v3 v3.33.6/go.mod h1:iPJg1pkwXqAV16SNgFBVYmggfMg6xhs+2oiO0vclK3g=

vendor/kmodules.xyz/client-go/Makefile

@@ -45,7 +45,7 @@ endif
 ### These variables should not need tweaking.
 ###
 
-SRC_PKGS := admissionregistration api apiextensions apiregistration apps batch certificates client core discovery dynamic extensions meta networking openapi policy rbac storage tools
+SRC_PKGS := admissionregistration api apiextensions apiregistration apps batch certificates client conditions core discovery dynamic extensions meta networking openapi policy rbac storage tools
 SRC_DIRS := $(SRC_PKGS) *.go
 
 DOCKER_PLATFORMS := linux/amd64 linux/arm linux/arm64