
Update to support AAD users and groups too (#1319)
matthchr authored Nov 26, 2020
1 parent 92ff360 commit c3fa704
Showing 3 changed files with 25 additions and 34 deletions.
9 changes: 5 additions & 4 deletions api/v1alpha1/mysqlaaduser_types.go
Expand Up @@ -29,11 +29,12 @@ type MySQLAADUserSpec struct {
// +kubebuilder:validation:Required
Roles []string `json:"roles"`

// Note: We current do not support arbitrary AAD users (although the MySQL API does).

// ClientID is the client ID of the identity backing the user.
// AAD ID is the ID of the user in Azure Active Directory.
// When creating a user for a managed identity this must be the client id (sometimes called app id) of the managed identity.
// When creating a user for a "normal" (non-managed identity) user or group, this is the OID of the user or group.
// +kubebuilder:validation:MinLength:1
// +kubebuilder:validation:Required
ClientID string `json:"clientId,omitempty"`
AADID string `json:"aadId,omitempty"`

// optional
Username string `json:"username,omitempty"`
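Review bot: Renaming the required field's JSON key from `clientId` to `aadId` is a breaking change to the v1alpha1 CRD with no alias or conversion: an existing MySQLAADUser that carries `spec.clientId` will have that value dropped on re-serialization and then fail the Required/MinLength validation on the new field. If that break is intended it should be stated in the commit message or on the field; otherwise keep `ClientID` as a deprecated field and fall back to it in the reconciler. Both accepted values, a managed identity's client id and a user or group OID, are GUIDs, so a marker such as `// +kubebuilder:validation:Pattern=^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$` would reject malformed values at admission rather than at `CREATE AADUSER` time. The `MinLength:1` marker kept above the field also looks as if it should read `MinLength=1`; worth confirming controller-gen actually honours the colon form. MySQLAADUserSpec begins before the hunk.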
32 changes: 12 additions & 20 deletions config/samples/azure_v1alpha1_mysqlaaduser.yaml
@@ -1,27 +1,19 @@
apiVersion: azure.microsoft.com/v1alpha1
kind: MySQLAADUser
metadata:
name: matthchr-mi-2
name: mysqlaaduser-sample
spec:
# TODO: Fix this to be more generic names
server: matthchr-mysql-serv
dbName: matthchr-mysql-db
resourceGroup: matthchr-rg
clientId: 519fadb2-1737-4e6b-ac09-a8632da37766
server: mysqlserver-sample
dbName: mysqldatabase-sample
resourceGroup: resourcegroup-azure-operators
# AAD ID is the ID of the user in Azure Active Directory.
# When creating a user for a managed identity this must be the client id (sometimes called app id) of the managed identity.
# When creating a user for a "normal" (non-managed identity) user or group, this is the OID of the user or group.
aadId: 00000000-0000-0000-0000-000000000000
roles:
#now only supports granting privileges to a new user. Valid privileges are listed below:
#SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES,
#CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT,
#CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER
# Valid privileges are listed below:
# SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES,
# CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT,
# CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER
# This adds the privileges to the specified database
- SELECT
# Specify a specific username for the user
# username: mysqluser-sample
# Specify adminSecret and adminSecretKeyVault if you want to
# read the MYSQL server admin creds from a specific keyvault secret
# adminSecret: mysqlserver-sample
# adminSecretKeyVault: asokeyvault

# Use the field below to optionally specify a different keyvault
# to store the secrets in
# keyVaultToStoreSecrets: asokeyvault
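Review bot: The rewritten privilege comment still advertises RELOAD, PROCESS, SHOW DATABASES, CREATE USER, REPLICATION SLAVE and REPLICATION CLIENT while the following line says the privileges are added to the specified database; in MySQL those are administrative (global-only) privileges, so a database-scoped GRANT of them is expected to fail, and listing them in a sample invites over-granting where least privilege should be shown. Suggest trimming the list to database-level privileges and adding `# Global-only privileges (RELOAD, PROCESS, CREATE USER, ...) cannot be granted per database here.` The placeholder `aadId: 00000000-0000-0000-0000-000000000000` would also read better with `# replace with the client id (managed identity) or OID (user/group)` so it is not applied as-is.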
18 changes: 8 additions & 10 deletions pkg/resourcemanager/mysql/mysqlaaduser/reconcile.go
Expand Up @@ -41,27 +41,25 @@ func NewMySQLAADUserManager(creds config.Credentials, identityFinder *helpers.AA

var _ resourcemanager.ARMClient = &MySQLAADUserManager{}

// CreateUser creates aad user
func (m *MySQLAADUserManager) CreateUser(ctx context.Context, db *sql.DB, username string, clientID string) error {
// CreateUser creates an aad user
func (m *MySQLAADUserManager) CreateUser(ctx context.Context, db *sql.DB, username string, aadID string) error {
if err := helpers.FindBadChars(username); err != nil {
return fmt.Errorf("problem found with username: %v", err)
}
if err := helpers.FindBadChars(clientID); err != nil {
if err := helpers.FindBadChars(aadID); err != nil {
return fmt.Errorf("problem found with clientID: %v", err)
}

// TODO: Only need to do this once
// TODO: Need to talk to MySQL team to understand why we even need to do this
// TODO: Need to talk to MySQL team to understand why we even need to do this, their documentation
// TODO: says that we need to do this only for Managed Identities but it seems we need to do it
// TODO: for normal users too
_, err := db.ExecContext(ctx, "SET aad_auth_validate_oids_in_tenant = OFF")
if err != nil {
return err
}

tsql := "CREATE AADUSER IF NOT EXISTS ? IDENTIFIED BY ?"
_, err = db.ExecContext(ctx, tsql, username, clientID)

// TODO: If we want to support arbitrary AAD users rather than just managed identity users
// TODO: we need to do a standard "CREATE AADUSER IF NOT EXISTS ? as ?" when clientID is empty.
_, err = db.ExecContext(ctx, tsql, username, aadID)

if err != nil {
return err
Expand Down Expand Up @@ -116,7 +114,7 @@ func (m *MySQLAADUserManager) Ensure(ctx context.Context, obj runtime.Object, op

instance.Status.SetProvisioning("")

err = m.CreateUser(ctx, db, instance.Username(), instance.Spec.ClientID)
err = m.CreateUser(ctx, db, instance.Username(), instance.Spec.AADID)
if err != nil {
instance.Status.Message = "failed creating user, err: " + err.Error()
return false, err
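Review bot: `SET aad_auth_validate_oids_in_tenant = OFF` is now issued before creating every AAD user, plain users and groups included, and the enlarged TODO says the reason is not understood; with that check off the server will accept any GUID-shaped `aadId`, so a typo or an OID from another tenant yields a silently mis-bound database user instead of an error. Since the manager is constructed with an identity finder (visible in the NewMySQLAADUserManager signature above the hunk), consider resolving the id in the tenant first and only disabling the check when the lookup shows it is a managed identity, or at minimum replace the TODO with a comment stating that disabling tenant OID validation is deliberate and what it permits. The second FindBadChars error still reads `problem found with clientID` although the value is now `aadID`; change it to `return fmt.Errorf("problem found with aadID: %w", err)`. CreateUser's body continues past the end of the hunk.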
