From 9782d5e2b4d2782fd51ea7321a75a73c474f19e1 Mon Sep 17 00:00:00 2001
From: Tanmay Jain
Date: Fri, 29 Mar 2024 10:56:09 +0530
Subject: [PATCH 1/2] Fixing role quotas update in server

---
 controllers/access_control.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/controllers/access_control.go b/controllers/access_control.go
index 33378ed3c..926821880 100644
--- a/controllers/access_control.go
+++ b/controllers/access_control.go
@@ -576,6 +576,16 @@ func (roleCreate aerospikeRoleCreateUpdate) updateRole(
 }
 }
 
+ if role.ReadQuota != roleCreate.readQuota || role.WriteQuota != roleCreate.writeQuota {
+ if err := client.SetQuotas(
+ adminPolicy, roleCreate.name, roleCreate.readQuota, roleCreate.writeQuota,
+ ); err != nil {
+ return fmt.Errorf(
+ "error setting quotas for role %s: %v", roleCreate.name, err,
+ )
+ }
+ }
+
 logger.Info("Updated role", "role name", roleCreate.name)
 recorder.Eventf(
 aeroCluster, corev1.EventTypeNormal, "RoleUpdated",
From 18ca1014d5b656d9bf4deee9aa167f67fe5343bd Mon Sep 17 00:00:00 2001
From: Tanmay Jain
Date: Mon, 1 Apr 2024 18:21:31 +0530
Subject: [PATCH 2/2] Fixing testcase

---
 test/access_control_test.go | 84 +++++++++++++++++++++++++++++++++++--
 1 file changed, 80 insertions(+), 4 deletions(-)

diff --git a/test/access_control_test.go b/test/access_control_test.go
index 1b784f456..668b73aaf 100644
--- a/test/access_control_test.go
+++ b/test/access_control_test.go
@@ -1903,6 +1903,8 @@ var _ = Describe(
 "read-write.test",
 "read-write-udf.test.users",
 },
+ ReadQuota: 2,
+ WriteQuota: 2,
 },
 {
 Name: "roleToDrop",
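Review bot: The new quota branch in updateRole changes a server-side rate limit without recording what changed; the only trace is the generic `Updated role` log and `RoleUpdated` event that follow it. A role whose spec drops its quota fields presumably reaches this branch with zero values, which as far as I know Aerospike treats as "no limit", so I would log the transition before the call, e.g. `logger.Info("Updating role quotas", "role name", roleCreate.name, "read quota", roleCreate.readQuota, "write quota", roleCreate.writeQuota)`. The returned error should also wrap with `%w` instead of `%v` so callers can use errors.Is/errors.As; the same applies to `error validating roles: %v` in the validateAccessControl hunk of the second patch. updateRole starts and ends outside this hunk, so the ordering relative to the privilege and whitelist updates cannot be checked from here.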
@@ -1971,6 +1973,82 @@ var _ = Describe(
 )
 Expect(err).ToNot(HaveOccurred())
 
+ By("DisableQuota")
+
+ accessControl = asdbv1.AerospikeAccessControlSpec{
+ Roles: []asdbv1.AerospikeRoleSpec{
+ {
+ Name: "profiler",
+ Privileges: []string{
+ "read-write.test",
+ "read-write-udf.test.users",
+ },
+ },
+ {
+ Name: "roleToDrop",
+ Privileges: []string{
+ "read-write.test",
+ "read-write-udf.test.users",
+ },
+ Whitelist: []string{
+ "8.8.0.0/16",
+ },
+ },
+ },
+ Users: []asdbv1.AerospikeUserSpec{
+ {
+ Name: "admin",
+ SecretName: authSecretName,
+ Roles: []string{
+ "sys-admin",
+ "user-admin",
+ },
+ },
+
+ {
+ Name: "profileUser",
+ SecretName: authSecretName,
+ Roles: []string{
+ "profiler",
+ "sys-admin",
+ },
+ },
+
+ {
+ Name: "userToDrop",
+ SecretName: authSecretName,
+ Roles: []string{
+ "profiler",
+ },
+ },
+ },
+ }
+
+ aerospikeConfigSpec, err = NewAerospikeConfSpec(latestImage)
+ if err != nil {
+ Fail(
+ fmt.Sprintf(
+ "Invalid Aerospike Config Spec: %v",
+ err,
+ ),
+ )
+ }
+ if err = aerospikeConfigSpec.setEnableSecurity(true); err != nil {
+ Expect(err).ToNot(HaveOccurred())
+ }
+ if err = aerospikeConfigSpec.setEnableQuotas(false); err != nil {
+ Expect(err).ToNot(HaveOccurred())
+ }
+
+ aeroCluster = getAerospikeClusterSpecWithAccessControl(
+ clusterNamespacedName, &accessControl,
+ aerospikeConfigSpec,
+ )
+ err = testAccessControlReconcile(
+ aeroCluster, ctx,
+ )
+ Expect(err).ToNot(HaveOccurred())
+
 By("QuotaParamsSpecifiedButFlagIsOff")
 
 accessControl = asdbv1.AerospikeAccessControlSpec{
@@ -2154,12 +2232,10 @@ func validateAccessControl(
 
 err = validateRoles(clientP, &aeroCluster.Spec)
 if err != nil {
- return fmt.Errorf("error creating client: %v", err)
+ return fmt.Errorf("error validating roles: %v", err)
 }
 
- err = validateUsers(clientP, aeroCluster)
-
- return err
+ return validateUsers(clientP, aeroCluster)
 }
 
 func getRole(
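Review bot: The DisableQuota step only asserts that the reconcile returns no error, so it would still pass if the quotas added to the role spec in the previous hunk stayed in force on the server. Unless testAccessControlReconcile already compares server-side quotas (not visible in this hunk), add an assertion after the reconcile that reads the `profiler` role back and expects both quotas to be 0. The two guards of the form `if err = ...; err != nil { Expect(err).ToNot(HaveOccurred()) }` are redundant and can be written as `Expect(aerospikeConfigSpec.setEnableQuotas(false)).To(Succeed())`, likewise for setEnableSecurity. The enclosing Describe block starts and ends outside the hunk.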