CLOUDP-79918: Support custom MongoDB roles (#286)

* CLOUDP-79918: Support custom MongoDB roles

* Fixed decoding in e2e test

* Address PR comments

* Refactor to reuse getAdminSetting code

* Address PR comments II

* Address PR comments

Author: alyacb

.evergreen.yml

@@ -180,6 +180,7 @@ task_groups:
     - e2e_test_statefulset_arbitrary_config_update
     - e2e_test_replica_set_mongod_config
     - e2e_test_replica_set_cross_namespace_deploy
+    - e2e_test_replica_set_custom_role
   teardown_task:
     - func: upload_e2e_logs
 
@@ -332,6 +333,12 @@ tasks:
           test: replica_set_cross_namespace_deploy
           clusterwide: true
 
+  - name: e2e_test_replica_set_custom_role
+    commands:
+      - func: run_e2e_test
+        vars:
+          test: replica_set_custom_role
+
   - name: release_blocker
     commands:
       - func: clone

deploy/crds/mongodb.com_mongodb_crd.yaml

@@ -50,14 +50,15 @@ spec:
               description: Members is the number of members in the replica set
               type: integer
             replicaSetHorizons:
-              description: Add this parameter and values if you need your database
-                to be accessed outside of Kubernetes. This setting allows you to
-                provide different DNS settings within the Kubernetes cluster and
-                to the Kubernetes cluster. The Kubernetes Operator uses split horizon
-                DNS for replica set members. This feature allows communication both
-                within the Kubernetes cluster and from outside Kubernetes.
+              description: ReplicaSetHorizons Add this parameter and values if you
+                need your database to be accessed outside of Kubernetes. This setting
+                allows you to provide different DNS settings within the Kubernetes
+                cluster and to the Kubernetes cluster. The Kubernetes Operator uses
+                split horizon DNS for replica set members. This feature allows communication
+                both within the Kubernetes cluster and from outside Kubernetes.
               items:
-                properties: {}
+                additionalProperties:
+                  type: string
                 type: object
               type: array
             security:
@@ -74,6 +75,93 @@ spec:
                         - SCRAM
                         type: string
                       type: array
+                    roles:
+                      description: User-specified custom MongoDB roles that should
+                        be configured in the deployment.
+                      items:
+                        description: CustomRole defines a custom MongoDB role.
+                        properties:
+                          authenticationRestrictions:
+                            description: The authentication restrictions the server
+                              enforces on the role.
+                            items:
+                              description: AuthenticationRestriction specifies a list
+                                of IP addresses and CIDR ranges users are allowed
+                                to connect to or from.
+                              properties:
+                                clientSource:
+                                  items:
+                                    type: string
+                                  type: array
+                                serverAddress:
+                                  items:
+                                    type: string
+                                  type: array
+                              required:
+                              - clientSource
+                              - serverAddress
+                              type: object
+                            type: array
+                          db:
+                            description: The database of the role.
+                            type: string
+                          privileges:
+                            description: The privileges to grant the role.
+                            items:
+                              description: Privilege defines the actions a role is
+                                allowed to perform on a given resource.
+                              properties:
+                                actions:
+                                  items:
+                                    type: string
+                                  type: array
+                                resource:
+                                  description: Resource specifies specifies the resources
+                                    upon which a privilege permits actions. See https://docs.mongodb.com/manual/reference/resource-document
+                                    for more.
+                                  properties:
+                                    anyResource:
+                                      type: boolean
+                                    cluster:
+                                      type: boolean
+                                    collection:
+                                      type: string
+                                    db:
+                                      type: string
+                                  type: object
+                              required:
+                              - actions
+                              - resource
+                              type: object
+                            type: array
+                          role:
+                            description: The name of the role.
+                            type: string
+                          roles:
+                            description: An array of roles from which this role inherits
+                              privileges.
+                            items:
+                              description: Role is the database role this user should
+                                have
+                              properties:
+                                db:
+                                  description: DB is the database the role can act
+                                    on
+                                  type: string
+                                name:
+                                  description: Name is the name of the role
+                                  type: string
+                              required:
+                              - db
+                              - name
+                              type: object
+                            type: array
+                        required:
+                        - db
+                        - privileges
+                        - role
+                        type: object
+                      type: array
                   required:
                   - modes
                   type: object
@@ -169,8 +257,9 @@ spec:
                       type: object
                     type: array
                   scramCredentialsSecretName:
-                    description: ScramCredentialsSecretName appended by string "scram-credentials" is the name of the secret object
-                      created by the mongoDB operator for storing SCRAM credentials
+                    description: ScramCredentialsSecretName appended by string "scram-credentials"
+                      is the name of the secret object created by the mongoDB operator
+                      for storing SCRAM credentials
                     type: string
                     pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                 required:
@@ -192,16 +281,21 @@ spec:
         status:
           description: MongoDBStatus defines the observed state of MongoDB
           properties:
-            currentStatefulSetReplicas:
-              type: integer
             currentMongoDBMembers:
               type: integer
+            currentStatefulSetReplicas:
+              type: integer
             message:
               type: string
             mongoUri:
               type: string
             phase:
               type: string
+          required:
+          - currentMongoDBMembers
+          - currentStatefulSetReplicas
+          - mongoUri
+          - phase
           type: object
       type: object
   version: v1

deploy/crds/mongodb.com_v1_mongodb_custom_role.yaml

@@ -0,0 +1,46 @@
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: custom-role-mongodb
+spec:
+  members: 3
+  type: ReplicaSet
+  version: "4.2.6"
+  security:
+    authentication:
+      modes: ["SCRAM"]
+      roles: # custom roles are defined here
+        - role: testRole
+          db: admin
+          privileges:
+            - resource:
+                db: "test"
+                collection: "" # an empty string indicates any collection
+              actions:
+                - find
+          roles: []
+  users:
+    - name: my-user
+      db: admin
+      passwordSecretRef: # a reference to the secret that will be used to generate the user's password
+        name: my-user-password
+      roles:
+        - name: clusterAdmin
+          db: admin
+        - name: userAdminAnyDatabase
+          db: admin
+        - name: testRole # apply the custom role to the user
+          db: admin
+      scramCredentialsSecretName: my-scram
+
+# the user credentials will be generated from this secret
+# once the credentials are generated, this secret is no longer required
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-user-password
+type: Opaque
+stringData:
+  password: 58LObjiMpxcjP1sMDW

pkg/apis/mongodb/v1/mongodb_types.go

@@ -51,8 +51,12 @@ type MongoDBSpec struct {
 	// +optional
 	FeatureCompatibilityVersion string `json:"featureCompatibilityVersion,omitempty"`
 
-	// ReplicaSetHorizons allows providing different DNS settings within the
-	// Kubernetes cluster and to the Kubernetes cluster.
+	// ReplicaSetHorizons Add this parameter and values if you need your database
+	// to be accessed outside of Kubernetes. This setting allows you to
+	// provide different DNS settings within the Kubernetes cluster and
+	// to the Kubernetes cluster. The Kubernetes Operator uses split horizon
+	// DNS for replica set members. This feature allows communication both
+	// within the Kubernetes cluster and from outside Kubernetes.
 	// +optional
 	ReplicaSetHorizons ReplicaSetHorizonConfiguration `json:"replicaSetHorizons,omitempty"`
 
@@ -78,6 +82,96 @@ type MongoDBSpec struct {
 // replica set members.
 type ReplicaSetHorizonConfiguration []automationconfig.ReplicaSetHorizons
 
+// CustomRole defines a custom MongoDB role.
+type CustomRole struct {
+	// The name of the role.
+	Role string `json:"role"`
+	// The database of the role.
+	DB string `json:"db"`
+	// The privileges to grant the role.
+	Privileges []Privilege `json:"privileges"`
+	// An array of roles from which this role inherits privileges.
+	// +optional
+	Roles []Role `json:"roles"`
+	// The authentication restrictions the server enforces on the role.
+	// +optional
+	AuthenticationRestrictions []AuthenticationRestriction `json:"authenticationRestrictions,omitempty"`
+}
+
+// ConvertToAutomationConfigCustomRole converts between a custom role defined by the crd and a custom role
+// that can be used in the automation config.
+func (c CustomRole) ConvertToAutomationConfigCustomRole() automationconfig.CustomRole {
+	ac := automationconfig.CustomRole{Role: c.Role, DB: c.DB, Roles: []automationconfig.Role{}}
+
+	// Add privileges.
+	for _, privilege := range c.Privileges {
+		ac.Privileges = append(ac.Privileges, automationconfig.Privilege{
+			Resource: automationconfig.Resource{
+				DB:          privilege.Resource.DB,
+				Collection:  privilege.Resource.Collection,
+				AnyResource: privilege.Resource.AnyResource,
+				Cluster:     privilege.Resource.Cluster,
+			},
+			Actions: privilege.Actions,
+		})
+	}
+
+	// Add roles.
+	for _, dbRole := range c.Roles {
+		ac.Roles = append(ac.Roles, automationconfig.Role{
+			Role:     dbRole.Name,
+			Database: dbRole.DB,
+		})
+	}
+
+	// Add authentication restrictions (if any).
+	for _, restriction := range c.AuthenticationRestrictions {
+		ac.AuthenticationRestrictions = append(ac.AuthenticationRestrictions,
+			automationconfig.AuthenticationRestriction{
+				ClientSource:  restriction.ClientSource,
+				ServerAddress: restriction.ServerAddress,
+			})
+	}
+
+	return ac
+}
+
+// ConvertCustomRolesToAutomationConfigCustomRole converts custom roles to custom roles
+// that can be used in the automation config.
+func ConvertCustomRolesToAutomationConfigCustomRole(roles []CustomRole) []automationconfig.CustomRole {
+	acRoles := []automationconfig.CustomRole{}
+	for _, role := range roles {
+		acRoles = append(acRoles, role.ConvertToAutomationConfigCustomRole())
+	}
+	return acRoles
+}
+
+// Privilege defines the actions a role is allowed to perform on a given resource.
+type Privilege struct {
+	Resource Resource `json:"resource"`
+	Actions  []string `json:"actions"`
+}
+
+// Resource specifies specifies the resources upon which a privilege permits actions.
+// See https://docs.mongodb.com/manual/reference/resource-document for more.
+type Resource struct {
+	// +optional
+	DB *string `json:"db,omitempty"`
+	// +optional
+	Collection *string `json:"collection,omitempty"`
+	// +optional
+	Cluster bool `json:"cluster,omitempty"`
+	// +optional
+	AnyResource bool `json:"anyResource,omitempty"`
+}
+
+// AuthenticationRestriction specifies a list of IP addresses and CIDR ranges users
+// are allowed to connect to or from.
+type AuthenticationRestriction struct {
+	ClientSource  []string `json:"clientSource"`
+	ServerAddress []string `json:"serverAddress"`
+}
+
 // StatefulSetConfiguration holds the optional custom StatefulSet
 // that should be merged into the operator created one.
 type StatefulSetConfiguration struct {
@@ -212,6 +306,10 @@ type LocalObjectReference struct {
 type Authentication struct {
 	// Modes is an array specifying which authentication methods should be enabled
 	Modes []AuthMode `json:"modes"`
+
+	// User-specified custom MongoDB roles that should be configured in the deployment.
+	// +optional
+	Roles []CustomRole `json:"roles,omitempty"`
 }
 
 // +kubebuilder:validation:Enum=SCRAM