Update to support AAD users and groups too

Azure · Nov 25, 2020 · d3b67f1 · d3b67f1
1 parent 92ff360
commit d3b67f1
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 34 deletions.
diff --git a/api/v1alpha1/mysqlaaduser_types.go b/api/v1alpha1/mysqlaaduser_types.go
@@ -29,11 +29,12 @@ type MySQLAADUserSpec struct {
 	// +kubebuilder:validation:Required
 	Roles []string `json:"roles"`
 
-	// Note: We current do not support arbitrary AAD users (although the MySQL API does).
-
-	// ClientID is the client ID of the identity backing the user.
+	// AAD ID is the ID of the user in Azure Active Directory.
+	// When creating a user for a managed identity this must be the client id (sometimes called app id) of the managed identity.
+	// When creating a user for a "normal" (non-managed identity) user or group, this is the OID of the user or group.
+	// +kubebuilder:validation:MinLength:1
 	// +kubebuilder:validation:Required
-	ClientID string `json:"clientId,omitempty"`
+	AADID string `json:"aadId,omitempty"`
 
 	// optional
 	Username string `json:"username,omitempty"`

diff --git a/config/samples/azure_v1alpha1_mysqlaaduser.yaml b/config/samples/azure_v1alpha1_mysqlaaduser.yaml
@@ -1,27 +1,19 @@
 apiVersion: azure.microsoft.com/v1alpha1
 kind: MySQLAADUser
 metadata:
-  name: matthchr-mi-2
+  name: mysqlaaduser-sample
 spec:
-  # TODO: Fix this to be more generic names
-  server: matthchr-mysql-serv
-  dbName: matthchr-mysql-db
-  resourceGroup: matthchr-rg
-  clientId: 519fadb2-1737-4e6b-ac09-a8632da37766
+  server: mysqlserver-sample
+  dbName: mysqldatabase-sample
+  resourceGroup: resourcegroup-azure-operators
+  # AAD ID is the ID of the user in Azure Active Directory.
+  # When creating a user for a managed identity this must be the client id (sometimes called app id) of the managed identity.
+  # When creating a user for a "normal" (non-managed identity) user or group, this is the OID of the user or group.
+  aadId: 00000000-0000-0000-0000-000000000000
   roles: 
-  #now only supports granting privileges to a new user. Valid privileges are listed below:
-  #SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES, 
-  #CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, 
-  #CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER
+  # Valid privileges are listed below:
+  # SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES,
+  # CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT,
+  # CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER
   # This adds the privileges to the specified database
     - SELECT
-  # Specify a specific username for the user
-  # username: mysqluser-sample
-  # Specify adminSecret and adminSecretKeyVault if you want to 
-  # read the MYSQL server admin creds from a specific keyvault secret
-  # adminSecret: mysqlserver-sample
-  # adminSecretKeyVault: asokeyvault
-
-  # Use the field below to optionally specify a different keyvault 
-  # to store the secrets in
-  # keyVaultToStoreSecrets: asokeyvault
diff --git a/pkg/resourcemanager/mysql/mysqlaaduser/reconcile.go b/pkg/resourcemanager/mysql/mysqlaaduser/reconcile.go
@@ -41,27 +41,25 @@ func NewMySQLAADUserManager(creds config.Credentials, identityFinder *helpers.AA
 
 var _ resourcemanager.ARMClient = &MySQLAADUserManager{}
 
-// CreateUser creates aad user
-func (m *MySQLAADUserManager) CreateUser(ctx context.Context, db *sql.DB, username string, clientID string) error {
+// CreateUser creates an aad user
+func (m *MySQLAADUserManager) CreateUser(ctx context.Context, db *sql.DB, username string, aadID string) error {
 	if err := helpers.FindBadChars(username); err != nil {
 		return fmt.Errorf("problem found with username: %v", err)
 	}
-	if err := helpers.FindBadChars(clientID); err != nil {
+	if err := helpers.FindBadChars(aadID); err != nil {
 		return fmt.Errorf("problem found with clientID: %v", err)
 	}
 
-	// TODO: Only need to do this once
-	// TODO: Need to talk to MySQL team to understand why we even need to do this
+	// TODO: Need to talk to MySQL team to understand why we even need to do this, their documentation
+	// TODO: says that we need to do this only for Managed Identities but it seems we need to do it
+	// TODO: for normal users too
 	_, err := db.ExecContext(ctx, "SET aad_auth_validate_oids_in_tenant = OFF")
 	if err != nil {
 		return err
 	}
 
 	tsql := "CREATE AADUSER IF NOT EXISTS ? IDENTIFIED BY ?"
-	_, err = db.ExecContext(ctx, tsql, username, clientID)
-
-	// TODO: If we want to support arbitrary AAD users rather than just managed identity users
-	// TODO: we need to do a standard "CREATE AADUSER IF NOT EXISTS ? as ?" when clientID is empty.
+	_, err = db.ExecContext(ctx, tsql, username, aadID)
 
 	if err != nil {
 		return err
@@ -116,7 +114,7 @@ func (m *MySQLAADUserManager) Ensure(ctx context.Context, obj runtime.Object, op
 
 	instance.Status.SetProvisioning("")
 
-	err = m.CreateUser(ctx, db, instance.Username(), instance.Spec.ClientID)
+	err = m.CreateUser(ctx, db, instance.Username(), instance.Spec.AADID)
 	if err != nil {
 		instance.Status.Message = "failed creating user, err: " + err.Error()
 		return false, err