From c5adf7e613f3ba0e3eac7b0f345938ff8ddc0c0b Mon Sep 17 00:00:00 2001 From: Thomas Achatz Date: Wed, 2 Oct 2024 10:13:49 +0200 Subject: [PATCH] Fix JWT auth handlers for clusters without users --- CHANGES.rst | 2 ++ crate/operator/cratedb.py | 4 ++-- crate/operator/operations.py | 11 ++++++----- crate/operator/update_user_password.py | 5 ++--- 4 files changed, 12 insertions(+), 10 deletions(-) diff --git a/CHANGES.rst b/CHANGES.rst index 3f135acb..82622fde 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -9,6 +9,8 @@ Unreleased * Add ``minDomains`` to ``TopologySpreadConstraint`` to ensure that pods are spread across zones. +* Fixed JWT auth handlers for clusters without users. + 2.41.1 (2024-08-30) ------------------- diff --git a/crate/operator/cratedb.py b/crate/operator/cratedb.py index eef7b0ad..e7703397 100644 --- a/crate/operator/cratedb.py +++ b/crate/operator/cratedb.py @@ -104,8 +104,8 @@ async def create_user( if not user_exists: query = f"CREATE USER {username_ident} WITH (password = %s" params = [password] - if crate_version_supports_jwt(crate_version): - iss = cratedb["spec"].get("grandCentral", {}).get("jwkUrl") + iss = cratedb["spec"].get("grandCentral", {}).get("jwkUrl") + if crate_version_supports_jwt(crate_version) and iss: query += ', jwt = {"iss" = %s, "username" = %s, "aud" = %s}' params.extend([iss, username, name]) diff --git a/crate/operator/operations.py b/crate/operator/operations.py index bed2ea55..b148a555 100644 --- a/crate/operator/operations.py +++ b/crate/operator/operations.py @@ -1200,9 +1200,8 @@ async def set_user_jwt( user_exists = bool(row[0]) username_ident = quote_ident(username, cursor._impl) - if user_exists: - iss = cratedb["spec"].get("grandCentral", {}).get("jwkUrl") - + iss = cratedb["spec"].get("grandCentral", {}).get("jwkUrl") + if user_exists and iss: query = ( f"ALTER USER {username_ident} SET " f"""(jwt = {{"iss" = '{iss}', "username" = '{username}', """ @@ -1339,7 +1338,9 @@ async def handle( # type: ignore """ cratedb = await get_cratedb_resource(namespace, name) crate_version = cratedb["spec"]["cluster"]["version"] - if crate_version_supports_jwt(crate_version): + users = cratedb["spec"].get("users") + gc_config = cratedb["spec"].get("grandCentral", {}) + if crate_version_supports_jwt(crate_version) and users and gc_config: async with GlobalApiClient() as api_client: core = CoreV1Api(api_client) host = await get_host(core, namespace, name) @@ -1348,7 +1349,7 @@ async def handle( # type: ignore host, password, timeout=CONNECT_TIMEOUT ) as conn: async with conn.cursor() as cursor: - for user_spec in cratedb["spec"].get("users"): + for user_spec in users: username = user_spec["name"] await set_user_jwt( diff --git a/crate/operator/update_user_password.py b/crate/operator/update_user_password.py index 12190dcc..33bc69d8 100644 --- a/crate/operator/update_user_password.py +++ b/crate/operator/update_user_password.py @@ -104,11 +104,10 @@ async def pod_exec(cmd): async with WsApiClient() as ws_api_client: core_ws = CoreV1Api(ws_api_client) - if crate_version_supports_jwt(crate_version): + iss = cratedb["spec"].get("grandCentral", {}).get("jwkUrl") + if crate_version_supports_jwt(crate_version) and iss: # For users with `jwt` and `password` set, we need to reset # `jwt` config first to be able to update the password. - iss = cratedb["spec"].get("grandCentral", {}).get("jwkUrl") - command_reset_user_jwt = get_curl_command( { "stmt": 'ALTER USER "{}" SET (jwt = NULL)'.format(username),