
Comments (6)

enisoc avatar enisoc commented on June 21, 2024

This is possible, although it isn't documented. You can follow the Vitess docs and inject the config in each tablet pool like this:

tabletPools:
- cell: cell1
  type: replica
  extraVolumes:
  - [k8s volume definition to mount ACL config file]
  extraVolumeMounts:
  - [k8s volume mount definition to add to each container]
  vttablet:
    extraFlags:
      [flags to configure ACLs]

from vitess-operator.

maZahaca avatar maZahaca commented on June 21, 2024

Thank you, I will try it in a meanwhile. Closing now.

from vitess-operator.

jmccoy555 avatar jmccoy555 commented on June 21, 2024

Hi, is this still valid? It does not appear to be working for me.

keyspaces:
  - name: commerce
    turndownPolicy: Immediate
    partitionings:
    - equal:
        parts: 1
        shardTemplate:
          databaseInitScriptSecret:
            name: example-cluster-config
            key: init_db.sql
          replication:
            enforceSemiSync: false
          tabletPools:
          - cell: zone1
            type: replica
            replicas: 2
            extraVolumes:
            - name: acl-commerce
              configMap:
                name: acl-commerce
            extraVolumeMounts:
            - name: acl-commerce
              mountPath: /mnt
            vttablet:
              extraFlags:
                db_charset: utf8mb4
                enforce-tableacl-config: "true"
                queryserver-config-strict-table-acl: "true"
                table-acl-config: /mnt/acl-commerce.json
                table-acl-config-reload-interval: 5m
              resources:
                requests:
                  cpu: 100m
                  memory: 256Mi
            mysqld:
              resources:
                requests:
                  cpu: 100m
                  memory: 256Mi
            dataVolumeClaimTemplate:
              accessModes: ["ReadWriteOnce"]
              resources:
                requests:
                  storage: 10Gi

File created within the tablet pod by the configmap. Output of cat /mnt/acl-commerce.json:

{
  "table_groups": [
    {
      "name": "commerce",
      "table_names_or_prefixes": ["%"],
      "readers": ["user", "commerce"],
      "writers": ["user", "commerce"],
      "admins": ["user", "commerce"]
    }
  ]
}

The commerce database is still visible to all users.

I've opened a terminal into the tablet pod and checked the contents of acl-commerce.json and it matches the above which is based upon the example.

Changing the value of table-acl-config: /mnt/acl-commerce.json to a non-existent file results in an error due to the enforce-tableacl-config: "true", so that is working correctly.

I've recreated the pods, but it is still not having an effect. I also set table-acl-config-reload-interval: 5m (not sure if the units are correct as it's not documented?) to make sure it reloads, but still no change.

Hopefully I'm missing something silly 🤦

Thanks.

from vitess-operator.

shilp-gupta avatar shilp-gupta commented on June 21, 2024

You seem to be duplicating the vttablet. Also, the config map needs to have a key "acl-commerce.json" with value equal to the actual string.

from vitess-operator.

jmccoy555 avatar jmccoy555 commented on June 21, 2024

Hi @shilp-gupta, thanks for the reply. I'm finding it a bit of a minefield trying to piece all this together. Good spot with the duplicate; that was just an error pasting in here though, no idea how I managed that. Updated now.

So the above is the contents of the file when I cat /mnt/acl-commerce.json from within the pod, which I was checking was created correctly and looks like the example to me. Probably could have explained that better above. Updated that too.

The actual configmap as viewed in the kubernetes web interface is

{
	"acl-commerce.json": "{\r
		  \"table_groups\": [\r
		    {\r
		      \"name\": \"commerce\",\r
		      \"table_names_or_prefixes\": [\r
		        \"%\"\r
		      ],\r
		      \"readers\": [\r
		        \"user\",\r
		        \"commerce\"\r
		      ],\r
		      \"writers\": [\r
		        \"user\",\r
		        \"commerce\"\r
		      ],\r
		      \"admins\": [\r
		        \"user\",\r
		        \"commerce\"\r
		      ]\r
		    }\r
		  ]\r
		}"
}

from vitess-operator.

chreniuc avatar chreniuc commented on June 21, 2024

Here's an example for those that are still struggling to make it work, because of the non-existent docs for this, just so you won't waste time as I did:

# Missing part
  cells:
  - name: decontabodusseldorf
    gateway:
      authentication:
        static:
          secret:
            name: vt-config-secret
            key: users.json
      replicas: 1
      resources:
        requests:
          cpu: 100m
          memory: 256Mi
        limits:
          memory: 256Mi
  vitessDashboard:
    cells:
    - decontabodusseldorf
    extraFlags:
      security_policy: read-only
    replicas: 1
    resources:
      limits:
        memory: 128Mi
      requests:
        cpu: 100m
        memory: 128Mi
  keyspaces:
  - name: ionescu
    turndownPolicy: Immediate
    partitionings:
    - equal:
        parts: 1
        shardTemplate:
          databaseInitScriptSecret:
            name: vt-config-secret
            key: init_db.sql
          replication:
            enforceSemiSync: false
            initializeBackup: true
          tabletPools:
          - cell: decontabodusseldorf
            type: replica
            replicas: 1
            extraVolumes:
            - name: acl-ionescu
              configMap:
                name: vt-config-configmap
            extraVolumeMounts:
            - name: acl-ionescu
              mountPath: /mnt
            vttablet:
              extraFlags:
                db_charset: utf8mb4
                enforce-tableacl-config: "true"
                queryserver-config-strict-table-acl: "true"
                table-acl-config: /mnt/acl_users_rights.json # key from the config file
                table-acl-config-reload-interval: 5m
              resources:
                limits:
                  memory: 1Gi
                requests:
                  cpu: 200m
                  memory: 1Gi
            mysqld:
              resources:
                requests:
                  cpu: 300m
                  memory: 1Gi
            dataVolumeClaimTemplate:
              accessModes: ["ReadWriteOnce"]
              resources:
                requests:
                  storage: 1Gi
  updateStrategy:
    type: Immediate
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: vt-config-configmap
data:
  acl_users_rights.json: |
    {
      "table_groups": [
          {
              "name": "ionescu",
              "table_names_or_prefixes": ["%"],
              "readers": ["ionescu_backend","ionescu_admin", "ionescu_read"],
              "writers": [ "ionescu_backend","ionescu_admin", "ionescu_write"],
              "admins": ["ionescu_admin"]
          }
      ]
    }
---
apiVersion: v1
kind: Secret
metadata:
  name: vt-config-secret
type: Opaque
stringData:
  users.json: |
    {
      "ionescu_backend": [{
        "UserData": "ionescu_backend",
        "Password": "ionescu"
      },
      {
        "UserData": "ionescu_backend",
        "Password": "ionescu2"
      }],
      "ionescu_admin": [{
        "UserData": "ionescu_admin",
        "Password": "ionescu"
      }],
      "ionescu_read": [{
        "UserData": "ionescu_read",
        "Password": "ionescu"
      }],
      "ionescu_write": [{
        "UserData": "ionescu_write",
        "Password": "ionescu"
      }]
    }

from vitess-operator.
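As an added example (not vitess-operator or Vitess code), the following Python cross-checks the three pieces this thread wires together: the ConfigMap key must equal the basename of table-acl-config under mountPath (the mismatch shilp-gupta pointed out), every name in the ACL role lists should correspond to a UserData value in the vtgate static-auth users.json, and a lookup shows which role list a user needs for a table. The sample data is constructed to mirror chreniuc's example; _table_matches and allowed are a simplified model of strict-mode table ACL matching, not Vitess's own implementation.

```python
import json
import posixpath
from typing import Dict, List

# Constructed sample data modelled on the ConfigMap and Secret in the thread;
# ionescu_write is granted in the ACL but deliberately has no vtgate login.
ACL_JSON = json.dumps({"table_groups": [{
    "name": "ionescu",
    "table_names_or_prefixes": ["%"],
    "readers": ["ionescu_backend", "ionescu_admin", "ionescu_read"],
    "writers": ["ionescu_backend", "ionescu_admin", "ionescu_write"],
    "admins": ["ionescu_admin"]}]})
USERS_JSON = json.dumps({
    "ionescu_backend": [{"UserData": "ionescu_backend", "Password": "constructed"}],
    "ionescu_admin": [{"UserData": "ionescu_admin", "Password": "constructed"}],
    "ionescu_read": [{"UserData": "ionescu_read", "Password": "constructed"}]})


def lint_acl(configmap_data: Dict[str, str], mount_path: str,
             acl_flag: str, users_text: str) -> List[str]:
    """Return problems found when wiring the ConfigMap, the vttablet flag and users.json."""
    problems = []
    # The file name inside the pod is the ConfigMap key, so the flag must be mountPath/<key>.
    if posixpath.dirname(acl_flag) != mount_path.rstrip("/"):
        return [f"table-acl-config {acl_flag!r} does not live under mountPath {mount_path!r}"]
    key = posixpath.basename(acl_flag)
    if key not in configmap_data:
        return [f"ConfigMap has no key {key!r}; keys present: {sorted(configmap_data)}"]
    acl = json.loads(configmap_data[key])
    # Table ACLs are matched against the UserData that vtgate static auth attaches to queries.
    identities = {e["UserData"] for entries in json.loads(users_text).values() for e in entries}
    for group in acl.get("table_groups", []):
        for role in ("readers", "writers", "admins"):
            for user in group.get(role, []):
                if user not in identities:
                    problems.append(f"{group['name']}: {role} entry {user!r} matches no UserData")
    return problems


def _table_matches(pattern: str, table: str) -> bool:
    """'%' alone matches every table; a trailing '%' is a prefix match; otherwise exact."""
    return table.startswith(pattern[:-1]) if pattern.endswith("%") else table == pattern


def allowed(acl_text: str, user: str, table: str, role: str) -> bool:
    """Simplified strict-mode lookup: an uncovered table is denied, only the named role grants."""
    for group in json.loads(acl_text)["table_groups"]:
        if any(_table_matches(p, table) for p in group["table_names_or_prefixes"]):
            return user in group.get(role, [])
    return False
```

With queryserver-config-strict-table-acl: "true" as in both configs above, a user absent from the relevant role list is denied, so running lint_acl before applying the VitessCluster catches the key mismatch and the orphaned ACL names without a pod restart.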
