Support auth through ydb-go-sdk in communication with YDB cluster #158

Merged (18 commits) on Oct 11, 2023

@kobzonega kobzonega commented Oct 10, 2023

I hereby agree to the terms of the CLA available at: https://yandex.ru/legal/cla/?lang=en

Improve this Pull Request to support common types for authorization in communication with YDB cluster.

It is now possible to enable the field enforce_static_user_credentials: true in the configuration YAML. The YDB operator supports 3 types of auth: anonymous (by default), access_token (oauth) and static credentials (username/password). The default password is used during the initialization of a new cluster storage if no other is specified (just do not specify the password field).

In general, ydb-operator obtains a token from the secretKeyRef in the Storage spec.operatorConnection section and uses it in subsequent communication with YDB (for example, in the healthcheck and create tenant methods).

operatorConnection:
  accessToken:
    secretKeyRef:
      name: "mystorage-token"
      key: "token"
  staticCredentials:
    username: "root"
    password:
      secretKeyRef:
        name: "mystorage-root-password"
        key: "password"

Pull request type

Please check the type of change your PR introduces:

  • Bugfix
  • Feature
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • Documentation content changes
  • Other (please describe):

What is the current behavior?

Not possible to specify enforce_static_user_credentials
Operator uses shell-in-pod-execution, raw grpc and ydb-go-sdk to communicate with YDB

Issue Number: YDBOPS-6056 (about static creds in general), YDBOPS-6646 (enforce_static_user_credentials fix), YDBOPS-7373 (support authorization common types for ydb-operator)

What is the new behavior?

  • Now possible to specify enforce_static_user_credentials, operator correctly issues commands to YDB, using a token which it obtains from ydb-go-sdk. No raw grpc!
  • Operator uses shell-in-pod-execution and ydb-go-sdk. Again, no raw grpc!

Other information

Refactoring:

  • Reduced copypaste. internal/connection/connection.go is now the place for everything connected with communication. Later, other communication-specific logic can also be placed there.
  • [minor] new method IsGrpcSecure to reduce the number of terribly long identical lines and copypaste. Will do the same later for Interconnect, I think.
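
The auth selection outlined in the pull request description above, as an added example that is not the operator's own code: it resolves an operatorConnection block to one of the three auth types and fails closed when a referenced secret is missing or empty. The Go types, the Resolve function and the in-memory Secrets map are hypothetical, the secret values are constructed, and rejecting a spec that sets both accessToken and staticCredentials is an assumption of this example.

```go
package main

import "fmt"

// Hypothetical types mirroring the operatorConnection YAML above.
type SecretKeyRef struct{ Name, Key string }
type StaticCredentials struct {
	Username string
	Password *SecretKeyRef // nil when the password field is omitted
}
type OperatorConnection struct {
	AccessToken       *SecretKeyRef
	StaticCredentials *StaticCredentials
}
type Auth struct {
	Mode, Username, Secret string
	DefaultPassword        bool // true: no password given, the default is in use
}

// Secrets is a constructed stand-in for Kubernetes Secrets: name -> key -> value.
type Secrets map[string]map[string]string

// Resolve picks one of the three auth types and fails closed on bad input.
func Resolve(oc OperatorConnection, s Secrets) (Auth, error) {
	at, sc := oc.AccessToken, oc.StaticCredentials
	switch {
	case at != nil && sc != nil: // assumption: ambiguous config is rejected
		return Auth{}, fmt.Errorf("set accessToken or staticCredentials, not both")
	case at == nil && sc == nil:
		return Auth{Mode: "anonymous"}, nil
	case sc != nil && sc.Password == nil:
		return Auth{Mode: "static", Username: sc.Username, DefaultPassword: true}, nil
	}
	auth, ref := Auth{Mode: "access_token"}, at
	if sc != nil {
		auth, ref = Auth{Mode: "static", Username: sc.Username}, sc.Password
	}
	if auth.Secret = s[ref.Name][ref.Key]; auth.Secret == "" {
		return Auth{}, fmt.Errorf("secret %q key %q is missing or empty", ref.Name, ref.Key)
	}
	return auth, nil
}

func main() {
	s := Secrets{"mystorage-token": {"token": "constructed-token"}}
	oc := OperatorConnection{AccessToken: &SecretKeyRef{"mystorage-token", "token"}}
	a, err := Resolve(oc, s)
	fmt.Println(a.Mode, err)
}
```

A true DefaultPassword is worth surfacing as a warning in review or admission checks, since the connection then depends on the default password rather than on a secret.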

@github-actions

Hi! Thank you for contributing!
The tests on this PR will run after a maintainer adds an ok-to-test label to this PR manually. Thank you for your patience!

@artgromov artgromov added the ok-to-test Testing pipelines will run label Oct 11, 2023
@github-actions github-actions bot removed the ok-to-test Testing pipelines will run label Oct 11, 2023
@artgromov artgromov added the ok-to-test Testing pipelines will run label Oct 11, 2023
@github-actions github-actions bot removed the ok-to-test Testing pipelines will run label Oct 11, 2023
@artgromov artgromov merged commit 762c96f into ydb-platform:master Oct 11, 2023
9 checks passed
@kobzonega kobzonega mentioned this pull request Oct 13, 2023
7 tasks