*: Support to configure grant option and SSL when creating users. (#575)

* feat(user): create user with grant

add options 'WithGrantOption'

fix: #557

* feat(user): create user with ssl options

add options `TLSOptions`
support REQUIRE NONE/SSL/X509
TODO: Issuer, Subject and Cipher.

fix: #573

* feat(user): add printcolumn for mysql users

Author: runkecheng

api/v1alpha1/mysqluser_types.go

@@ -51,6 +51,17 @@ type UserSpec struct {
 	// Permissions is the list of roles that user has in the specified database.
 	// +optional
 	Permissions []UserPermission `json:"permissions,omitempty"`
+
+	// WithGrantOption is the flag to indicate whether the user has grant option.
+	// +optional
+	// +kubebuilder:default:=false
+	WithGrantOption bool `json:"withGrantOption,omitempty"`
+
+	// TLSOptions contains the TLS parameter of the MySQL user.
+	// Enabling SSL/TLS will encrypt the data being sent to and from the database.
+	// https://dev.mysql.com/doc/refman/5.7/en/create-user.html
+	// +kubebuilder:default:={type: "NONE"}
+	TLSOptions TLSOptions `json:"tlsOptions,omitempty"`
 }
 
 type UserOwner struct {
@@ -85,6 +96,15 @@ type UserPermission struct {
 	Privileges []string `json:"privileges,omitempty"`
 }
 
+type TLSOptions struct {
+	// TLS options for the client certificates
+	// +kubebuilder:default:=NONE
+	// +kubebuilder:validation:Enum=NONE;SSL;X509;
+	Type string `json:"type,omitempty"`
+
+	// TODO: support Issuer, Subject and Cipher.
+}
+
 // UserStatus defines the observed state of MysqlUser.
 type UserStatus struct {
 	// Conditions represents the MysqlUser resource conditions list.
@@ -122,6 +142,15 @@ type MySQLUserCondition struct {
 //+kubebuilder:object:root=true
 //+kubebuilder:subresource:status
 //+kubebuilder:subresource:finalizers
+// +kubebuilder:printcolumn:name="UserName",type="string",JSONPath=".spec.user",description="The name of the MySQL user"
+// +kubebuilder:printcolumn:name="SuperUser",type="boolean",JSONPath=".spec.withGrantOption",description="Whether the user can grant other users"
+// +kubebuilder:printcolumn:name="Hosts",type="string",JSONPath=".spec.hosts",description="The hosts that the user is allowed to connect from"
+// +kubebuilder:printcolumn:name="TLSType",type="string",JSONPath=".spec.tlsOptions.type",description="TLS type of user"
+// +kubebuilder:printcolumn:name="Cluster",type="string",JSONPath=".spec.userOwner.clusterName",description="The cluster of the user"
+// +kubebuilder:printcolumn:name="NameSpace",type="string",JSONPath=".spec.userOwner.nameSpace",description="The namespace of the user"
+// +kubebuilder:printcolumn:name="Available",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description="The availability of the user"
+// +kubebuilder:printcolumn:name="SecretName",type="string",priority=1,JSONPath=".spec.secretSelector.secretName",description="The name of the secret object"
+// +kubebuilder:printcolumn:name="SecretKey",type="string",priority=1,JSONPath=".spec.secretSelector.secretKey",description="The key of the secret object"
 // MysqlUser is the Schema for the users API.
 type MysqlUser struct {
 	metav1.TypeMeta   `json:",inline"`

charts/mysql-operator/crds/mysql.radondb.com_mysqlusers.yaml

@@ -16,7 +16,46 @@ spec:
     singular: mysqluser
   scope: Namespaced
   versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - description: The name of the MySQL user
+      jsonPath: .spec.user
+      name: UserName
+      type: string
+    - description: Whether the user can grant other users
+      jsonPath: .spec.withGrantOption
+      name: SuperUser
+      type: boolean
+    - description: The hosts that the user is allowed to connect from
+      jsonPath: .spec.hosts
+      name: Hosts
+      type: string
+    - description: TLS type of user
+      jsonPath: .spec.tlsOptions.type
+      name: TLSType
+      type: string
+    - description: The cluster of the user
+      jsonPath: .spec.userOwner.clusterName
+      name: Cluster
+      type: string
+    - description: The namespace of the user
+      jsonPath: .spec.userOwner.nameSpace
+      name: NameSpace
+      type: string
+    - description: The availability of the user
+      jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Available
+      type: string
+    - description: The name of the secret object
+      jsonPath: .spec.secretSelector.secretName
+      name: SecretName
+      priority: 1
+      type: string
+    - description: The key of the secret object
+      jsonPath: .spec.secretSelector.secretKey
+      name: SecretKey
+      priority: 1
+      type: string
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         description: MysqlUser is the Schema for the users API.
@@ -79,6 +118,22 @@ spec:
                     description: SecretName is the name of secret object.
                     type: string
                 type: object
+              tlsOptions:
+                default:
+                  type: NONE
+                description: TLSOptions contains the TLS parameter of the MySQL user.
+                  Enabling SSL/TLS will encrypt the data being sent to and from the
+                  database. https://dev.mysql.com/doc/refman/5.7/en/create-user.html
+                properties:
+                  type:
+                    default: NONE
+                    description: TLS options for the client certificates
+                    enum:
+                    - NONE
+                    - SSL
+                    - X509
+                    type: string
+                type: object
               user:
                 description: Username is the name of user to be operated. This field
                   should be immutable.
@@ -95,6 +150,11 @@ spec:
                     description: NameSpace is the nameSpace of cluster.
                     type: string
                 type: object
+              withGrantOption:
+                default: false
+                description: WithGrantOption is the flag to indicate whether the user
+                  has grant option.
+                type: boolean
             type: object
           status:
             description: UserStatus defines the observed state of MysqlUser.

config/crd/bases/mysql.radondb.com_mysqlusers.yaml

@@ -16,7 +16,46 @@ spec:
     singular: mysqluser
   scope: Namespaced
   versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - description: The name of the MySQL user
+      jsonPath: .spec.user
+      name: UserName
+      type: string
+    - description: Whether the user can grant other users
+      jsonPath: .spec.withGrantOption
+      name: SuperUser
+      type: boolean
+    - description: The hosts that the user is allowed to connect from
+      jsonPath: .spec.hosts
+      name: Hosts
+      type: string
+    - description: TLS type of user
+      jsonPath: .spec.tlsOptions.type
+      name: TLSType
+      type: string
+    - description: The cluster of the user
+      jsonPath: .spec.userOwner.clusterName
+      name: Cluster
+      type: string
+    - description: The namespace of the user
+      jsonPath: .spec.userOwner.nameSpace
+      name: NameSpace
+      type: string
+    - description: The availability of the user
+      jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Available
+      type: string
+    - description: The name of the secret object
+      jsonPath: .spec.secretSelector.secretName
+      name: SecretName
+      priority: 1
+      type: string
+    - description: The key of the secret object
+      jsonPath: .spec.secretSelector.secretKey
+      name: SecretKey
+      priority: 1
+      type: string
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         description: MysqlUser is the Schema for the users API.
@@ -79,6 +118,22 @@ spec:
                     description: SecretName is the name of secret object.
                     type: string
                 type: object
+              tlsOptions:
+                default:
+                  type: NONE
+                description: TLSOptions contains the TLS parameter of the MySQL user.
+                  Enabling SSL/TLS will encrypt the data being sent to and from the
+                  database. https://dev.mysql.com/doc/refman/5.7/en/create-user.html
+                properties:
+                  type:
+                    default: NONE
+                    description: TLS options for the client certificates
+                    enum:
+                    - NONE
+                    - SSL
+                    - X509
+                    type: string
+                type: object
               user:
                 description: Username is the name of user to be operated. This field
                   should be immutable.
@@ -95,6 +150,11 @@ spec:
                     description: NameSpace is the nameSpace of cluster.
                     type: string
                 type: object
+              withGrantOption:
+                default: false
+                description: WithGrantOption is the flag to indicate whether the user
+                  has grant option.
+                type: boolean
             type: object
           status:
             description: UserStatus defines the observed state of MysqlUser.

config/samples/mysql_v1alpha1_mysqluser.yaml

@@ -5,6 +5,10 @@ metadata:
 spec:
   ## User to operate.
   user: sample_user
+  withGrantOption: false
+  tlsOptions:
+    ## NONE/SSL/X509
+    type: NONE
   hosts: 
     - "%"
   permissions:

controllers/mysqluser_controller.go

@@ -183,8 +183,7 @@ func (r *MysqlUserReconciler) reconcileUserInDB(ctx context.Context, mysqlUser *
 
 	// Create/Update user in database.
 	userLog.Info("creating mysql user", "key", mysqlUser.GetKey(), "username", mysqlUser.Spec.User, "cluster", mysqlUser.GetClusterKey())
-	if err := internal.CreateUserIfNotExists(sqlRunner, mysqlUser.Spec.User, password, mysqlUser.Spec.Hosts,
-		mysqlUser.Spec.Permissions); err != nil {
+	if err := internal.CreateUserIfNotExists(sqlRunner, mysqlUser.Unwrap(), password); err != nil {
 		return err
 	}
 

internal/sql_runner.go

@@ -334,22 +334,23 @@ func columnValue(scanArgs []interface{}, slaveCols []string, colName string) str
 }
 
 // CreateUserIfNotExists creates a user if it doesn't already exist and it gives it the specified permissions.
-func CreateUserIfNotExists(
-	sqlRunner SQLRunner, user, pass string, hosts []string, permissions []apiv1alpha1.UserPermission,
-) error {
+func CreateUserIfNotExists(sqlRunner SQLRunner, user *apiv1alpha1.MysqlUser, pass string) error {
+	userName := user.Spec.User
+	hosts := user.Spec.Hosts
+	permissions := user.Spec.Permissions
 
 	// Throw error if there are no allowed hosts.
 	if len(hosts) == 0 {
 		return errors.New("no allowedHosts specified")
 	}
 
 	queries := []Query{
-		getCreateUserQuery(user, pass, hosts),
+		getCreateUserQuery(userName, pass, hosts, user.Spec.TLSOptions),
 		// todo: getAlterUserQuery.
 	}
 
 	if len(permissions) > 0 {
-		queries = append(queries, permissionsToQuery(permissions, user, hosts))
+		queries = append(queries, permissionsToQuery(permissions, userName, hosts, user.Spec.WithGrantOption))
 	}
 
 	query := BuildAtomicQuery(queries...)
@@ -361,12 +362,17 @@ func CreateUserIfNotExists(
 	return nil
 }
 
-func getCreateUserQuery(user, pwd string, allowedHosts []string) Query {
+func getCreateUserQuery(user, pwd string, allowedHosts []string, tlsOption apiv1alpha1.TLSOptions) Query {
 	idsTmpl, idsArgs := getUsersIdentification(user, &pwd, allowedHosts)
+	idsTmpl += getUserTLSRequire(tlsOption)
 
 	return NewQuery(fmt.Sprintf("CREATE USER IF NOT EXISTS%s", idsTmpl), idsArgs...)
 }
 
+func getUserTLSRequire(tlsOption apiv1alpha1.TLSOptions) string {
+	return fmt.Sprintf(" REQUIRE %s", tlsOption.Type)
+}
+
 func getUsersIdentification(user string, pwd *string, allowedHosts []string) (ids string, args []interface{}) {
 	for i, host := range allowedHosts {
 		// Add comma if more than one allowed hosts are used.
@@ -397,7 +403,7 @@ func DropUser(sqlRunner SQLRunner, user, host string) error {
 	return nil
 }
 
-func permissionsToQuery(permissions []apiv1alpha1.UserPermission, user string, allowedHosts []string) Query {
+func permissionsToQuery(permissions []apiv1alpha1.UserPermission, user string, allowedHosts []string, withGrant bool) Query {
 	permQueries := []Query{}
 
 	for _, perm := range permissions {
@@ -416,6 +422,9 @@ func permissionsToQuery(permissions []apiv1alpha1.UserPermission, user string, a
 			idsTmpl, idsArgs := getUsersIdentification(user, nil, allowedHosts)
 
 			query := "GRANT " + strings.Join(escPerms, ", ") + " ON " + schemaTable + " TO" + idsTmpl
+			if withGrant {
+				query += " WITH GRANT OPTION"
+			}
 			args = append(args, idsArgs...)
 
 			permQueries = append(permQueries, NewQuery(query, args...))