fixes for the role of user admin

gkech · gkech · commit 539e164811bf · 2026-01-05T13:41:49.000+02:00
diff --git a/pkg/controller/perconaservermongodb/mgo.go b/pkg/controller/perconaservermongodb/mgo.go
@@ -647,7 +647,7 @@ func (r *ReconcilePerconaServerMongoDB) handleRsAddToShard(ctx context.Context,
 }
 
 // handleReplsetInit initializes the replset within the first running pod's mongod container.
-// This must be ran from within the running container to utilize the MongoDB Localhost Exception.
+// This must be run from within the running container to utilize the MongoDB Localhost Exception.
 //
 // See: https://www.mongodb.com/docs/manual/core/localhost-exception/
 func (r *ReconcilePerconaServerMongoDB) handleReplsetInit(ctx context.Context, cr *api.PerconaServerMongoDB, replset *api.ReplsetSpec, pods []corev1.Pod) (*corev1.Pod, *api.ReplsetMemberStatus, error) {
@@ -1007,6 +1007,7 @@ func (r *ReconcilePerconaServerMongoDB) createOrUpdateSystemUsers(ctx context.Co
 	}
 
 	users := []api.SystemUserRole{api.RoleClusterAdmin, api.RoleClusterMonitor, api.RoleBackup, api.RoleDatabaseAdmin}
+	// When handleReplsetInit is not executed, e.g. when auth is disabled, the UserAdmin role should be created.
 	if cr.CompareVersion("1.22.0") >= 0 {
 		users = append(users, api.RoleUserAdmin)
 	}
@@ -1029,7 +1030,7 @@ func (r *ReconcilePerconaServerMongoDB) createOrUpdateSystemUsers(ctx context.Co
 			}
 			continue
 		}
-		if !compareRoles(user.Roles, getRoles(cr, role)) {
+		if !compareRoles(user.Roles, getRoles(cr, role)) && role != api.RoleUserAdmin {
 			log.Info("Updating user roles", "database", "admin", "user", creds.Username, "currentRoles", user.Roles, "newRoles", getRoles(cr, role))
 			err = cli.UpdateUserRoles(ctx, "admin", creds.Username, getRoles(cr, role))
 			if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -647,7 +647,7 @@ func (r *ReconcilePerconaServerMongoDB) handleRsAddToShard(ctx context.Context,`
`647`	`647`	`}`
`648`	`648`
`649`	`649`	`// handleReplsetInit initializes the replset within the first running pod's mongod container.`
`650`		`-// This must be ran from within the running container to utilize the MongoDB Localhost Exception.`
	`650`	`+// This must be run from within the running container to utilize the MongoDB Localhost Exception.`
`651`	`651`	`//`
`652`	`652`	`// See: https://www.mongodb.com/docs/manual/core/localhost-exception/`
`653`	`653`	`func (r ReconcilePerconaServerMongoDB) handleReplsetInit(ctx context.Context, cr api.PerconaServerMongoDB, replset api.ReplsetSpec, pods []corev1.Pod) (corev1.Pod, *api.ReplsetMemberStatus, error) {`
`@@ -1007,6 +1007,7 @@ func (r *ReconcilePerconaServerMongoDB) createOrUpdateSystemUsers(ctx context.Co`
`1007`	`1007`	`}`
`1008`	`1008`
`1009`	`1009`	`users := []api.SystemUserRole{api.RoleClusterAdmin, api.RoleClusterMonitor, api.RoleBackup, api.RoleDatabaseAdmin}`
	`1010`	`+ // When handleReplsetInit is not executed, e.g. when auth is disabled, the UserAdmin role should be created.`
`1010`	`1011`	`if cr.CompareVersion("1.22.0") >= 0 {`
`1011`	`1012`	`users = append(users, api.RoleUserAdmin)`
`1012`	`1013`	`}`
`@@ -1029,7 +1030,7 @@ func (r *ReconcilePerconaServerMongoDB) createOrUpdateSystemUsers(ctx context.Co`
`1029`	`1030`	`}`
`1030`	`1031`	`continue`
`1031`	`1032`	`}`
`1032`		`- if !compareRoles(user.Roles, getRoles(cr, role)) {`
	`1033`	`+ if !compareRoles(user.Roles, getRoles(cr, role)) && role != api.RoleUserAdmin {`
`1033`	`1034`	`log.Info("Updating user roles", "database", "admin", "user", creds.Username, "currentRoles", user.Roles, "newRoles", getRoles(cr, role))`
`1034`	`1035`	`err = cli.UpdateUserRoles(ctx, "admin", creds.Username, getRoles(cr, role))`
`1035`	`1036`	`if err != nil {`