CLOUDP-136889: Project Custom Roles (#745)

Add Custom Roles feature

Author: helderjs

.github/workflows/test-e2e.yml

@@ -91,6 +91,7 @@ jobs:
             "privatelink",
             "project-settings",
             "x509auth",
+            "custom-roles",
           ]
 
     steps:

config/crd/bases/atlas.mongodb.com_atlasprojects.yaml

@@ -277,6 +277,75 @@ spec:
                 required:
                 - name
                 type: object
+              customRoles:
+                description: The customRoles lets you create, and change custom roles
+                  in your cluster. Use custom roles to specify custom sets of actions
+                  that the Atlas built-in roles can't describe.
+                items:
+                  properties:
+                    actions:
+                      description: List of the individual privilege actions that the
+                        role grants.
+                      items:
+                        properties:
+                          name:
+                            description: Human-readable label that identifies the
+                              privilege action.
+                            type: string
+                          resources:
+                            description: List of resources on which you grant the
+                              action.
+                            items:
+                              properties:
+                                cluster:
+                                  description: Flag that indicates whether to grant
+                                    the action on the cluster resource. If true, MongoDB
+                                    Cloud ignores Database and Collection parameters.
+                                  type: boolean
+                                collection:
+                                  description: Human-readable label that identifies
+                                    the collection on which you grant the action to
+                                    one MongoDB user.
+                                  type: string
+                                database:
+                                  description: Human-readable label that identifies
+                                    the database on which you grant the action to
+                                    one MongoDB user.
+                                  type: string
+                              type: object
+                            type: array
+                        required:
+                        - name
+                        - resources
+                        type: object
+                      type: array
+                    inheritedRoles:
+                      description: List of the built-in roles that this custom role
+                        inherits.
+                      items:
+                        properties:
+                          database:
+                            description: Human-readable label that identifies the
+                              database on which someone grants the action to one MongoDB
+                              user.
+                            type: string
+                          name:
+                            description: Human-readable label that identifies the
+                              role inherited.
+                            type: string
+                        required:
+                        - database
+                        - name
+                        type: object
+                      type: array
+                    name:
+                      description: Human-readable label that identifies the role.
+                        This name must be unique for this custom role in this project.
+                      type: string
+                  required:
+                  - name
+                  type: object
+                type: array
               encryptionAtRest:
                 description: EncryptionAtRest allows to set encryption for AWS, Azure
                   and GCP providers
@@ -1077,6 +1146,25 @@ spec:
                   - type
                   type: object
                 type: array
+              customRoles:
+                description: CustomRoles contains a list of custom roles statuses
+                items:
+                  properties:
+                    error:
+                      description: The message when the custom role is in the FAILED
+                        status
+                      type: string
+                    name:
+                      description: Role name which is unique
+                      type: string
+                    status:
+                      description: The status of the given custom role (OK or FAILED)
+                      type: string
+                  required:
+                  - name
+                  - status
+                  type: object
+                type: array
               expiredIpAccessList:
                 description: The list of IP Access List entries that are expired due
                   to 'deleteAfterDate' being less than the current date. Note, that

pkg/api/v1/atlasproject_types.go

@@ -101,6 +101,10 @@ type AtlasProjectSpec struct {
 	// Settings allow to set Project Settings for the project
 	// +optional
 	Settings *ProjectSettings `json:"settings,omitempty"`
+
+	// The customRoles lets you create, and change custom roles in your cluster. Use custom roles to specify custom sets of actions that the Atlas built-in roles can't describe.
+	// +optional
+	CustomRoles []CustomRole `json:"customRoles,omitempty"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

pkg/api/v1/custom_roles.go

@@ -0,0 +1,73 @@
+package v1
+
+import "go.mongodb.org/atlas/mongodbatlas"
+
+type CustomRole struct {
+	// Human-readable label that identifies the role. This name must be unique for this custom role in this project.
+	Name string `json:"name"`
+	// List of the built-in roles that this custom role inherits.
+	// +optional
+	InheritedRoles []Role `json:"inheritedRoles,omitempty"`
+	// List of the individual privilege actions that the role grants.
+	// +optional
+	Actions []Action `json:"actions,omitempty"`
+}
+
+type Role struct {
+	// Human-readable label that identifies the role inherited.
+	Name string `json:"name"`
+	// Human-readable label that identifies the database on which someone grants the action to one MongoDB user.
+	Database string `json:"database"`
+}
+
+type Action struct {
+	// Human-readable label that identifies the privilege action.
+	Name string `json:"name"`
+	// List of resources on which you grant the action.
+	Resources []Resource `json:"resources"`
+}
+
+type Resource struct {
+	// Flag that indicates whether to grant the action on the cluster resource. If true, MongoDB Cloud ignores Database and Collection parameters.
+	Cluster *bool `json:"cluster,omitempty"`
+	// Human-readable label that identifies the database on which you grant the action to one MongoDB user.
+	Database *string `json:"database,omitempty"`
+	// Human-readable label that identifies the collection on which you grant the action to one MongoDB user.
+	Collection *string `json:"collection,omitempty"`
+}
+
+func (in *CustomRole) ToAtlas() *mongodbatlas.CustomDBRole {
+	actions := make([]mongodbatlas.Action, 0, len(in.Actions))
+
+	for _, action := range in.Actions {
+		resources := make([]mongodbatlas.Resource, 0, len(action.Resources))
+
+		for _, resource := range action.Resources {
+			resources = append(resources, mongodbatlas.Resource{
+				Collection: resource.Collection,
+				DB:         resource.Database,
+				Cluster:    resource.Cluster,
+			})
+		}
+
+		actions = append(actions, mongodbatlas.Action{
+			Action:    action.Name,
+			Resources: resources,
+		})
+	}
+
+	inheritedRoles := make([]mongodbatlas.InheritedRole, 0, len(in.InheritedRoles))
+
+	for _, inheritedRole := range in.InheritedRoles {
+		inheritedRoles = append(inheritedRoles, mongodbatlas.InheritedRole{
+			Db:   inheritedRole.Database,
+			Role: inheritedRole.Name,
+		})
+	}
+
+	return &mongodbatlas.CustomDBRole{
+		Actions:        actions,
+		InheritedRoles: inheritedRoles,
+		RoleName:       in.Name,
+	}
+}

pkg/api/v1/status/atlasproject.go

@@ -58,6 +58,12 @@ func AtlasProjectCloudAccessRolesOption(cloudAccessRoles []CloudProviderAccessRo
 	}
 }
 
+func AtlasProjectSetCustomRolesOption(customRoles *[]CustomRole) AtlasProjectStatusOption {
+	return func(s *AtlasProjectStatus) {
+		s.CustomRoles = *customRoles
+	}
+}
+
 func AtlasProjectPrometheusOption(prometheus *Prometheus) AtlasProjectStatusOption {
 	return func(s *AtlasProjectStatus) {
 		s.Prometheus = prometheus
@@ -93,6 +99,9 @@ type AtlasProjectStatus struct {
 	// CloudProviderAccessRoles contains a list of configured cloud provider access roles. AWS support only
 	CloudProviderAccessRoles []CloudProviderAccessRole `json:"cloudProviderAccessRoles,omitempty"`
 
+	// CustomRoles contains a list of custom roles statuses
+	CustomRoles []CustomRole `json:"customRoles,omitempty"`
+
 	// Prometheus contains the status for Prometheus integration
 	// including the prometheusDiscoveryURL
 	// +optional

pkg/api/v1/status/condition.go

@@ -46,6 +46,7 @@ const (
 	EncryptionAtRestReadyType       ConditionType = "EncryptionAtRestReady"
 	AuditingReadyType               ConditionType = "AuditingReady"
 	ProjectSettingsReadyType        ConditionType = "ProjectSettingsReady"
+	ProjectCustomRolesReadyType     ConditionType = "ProjectCustomRolesReady"
 )
 
 // AtlasDeployment condition types

pkg/api/v1/status/custom_roles.go

@@ -0,0 +1,17 @@
+package status
+
+type CustomRoleStatus string
+
+const (
+	CustomRoleStatusOK     CustomRoleStatus = "OK"
+	CustomRoleStatusFailed CustomRoleStatus = "FAILED"
+)
+
+type CustomRole struct {
+	// Role name which is unique
+	Name string `json:"name"`
+	// The status of the given custom role (OK or FAILED)
+	Status CustomRoleStatus `json:"status"`
+	// The message when the custom role is in the FAILED status
+	Error string `json:"error,omitempty"`
+}