CLOUDP-350197: allow to create a custom role with cluster: true #553
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lsierant
force-pushed
the
lsierant/custom-roles-regression-tests
branch
from
43c0502 to
2d7b9a0
Compare
lsierant
force-pushed
the
lsierant/custom-roles
branch
2 times, most recently
from
cce9040 to
91233d8
Compare
lsierant
force-pushed
the
lsierant/custom-roles-regression-tests
branch
from
2d7b9a0 to
3040210
Compare
lsierant
force-pushed
the
lsierant/custom-roles
branch
from
91233d8 to
d9c39b3
Compare
lsierant
force-pushed
the
lsierant/custom-roles-regression-tests
branch
2 times, most recently
from
70c14e8 to
c150032
Compare
lsierant
force-pushed
the
lsierant/custom-roles
branch
from
d9c39b3 to
0492502
Compare
lsierant
requested review from
anandsyncs,
mircea-cosbuc and
nammn
and removed request for
a team
lsierant
force-pushed
the
lsierant/custom-roles-regression-tests
branch
from
c150032 to
545dc80
Compare
lsierant
force-pushed
the
lsierant/custom-roles
branch
from
d3381a7 to
8fa7a1a
Compare
vinilage
requested changes
Oct 29, 2025
| date: 2025-10-27 | ||
| --- | ||
|
|
||
| * Fixed a problem that prevented specifying cluster-wide privileges in database custom roles. |
There was a problem hiding this comment.
I propose to change to: "Fixed inability to specify cluster-wide privileges in custom roles."
anandsyncs
approved these changes
Oct 30, 2025
lsierant
force-pushed
the
lsierant/custom-roles-regression-tests
branch
from
545dc80 to
71cd46b
Compare
lsierant
force-pushed
the
lsierant/custom-roles
branch
from
4c3939d to
f515880
Compare
vinilage
approved these changes
Oct 31, 2025
Comment on lines
+1
to
+6
| --- | ||
| kind: fix | ||
| date: 2025-10-27 | ||
| --- | ||
|
|
||
| * Fixed inability to specify cluster-wide privileges in custom roles. |
lsierant
force-pushed
the
lsierant/custom-roles-regression-tests
branch
from
71cd46b to
724fa83
Compare
lsierant
force-pushed
the
lsierant/custom-roles
branch
from
f515880 to
3392469
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR fixes a problem which was preventing creating cluster-wide mongodb custom roles.
Context
As described in MongoDB docs the resource object is either:
or
So that means we cannot provide empty strings for
dbandcollectionfields as empty string means "any db/collection".At the same time our previous serialization rules were always sending empty strings even if not set. This was the source of the problem - it wasn't possible to specify
cluster: truebecause the operator was also sending empty db and collections.Backwards compatibility
Making
dbandcollectionfields just as omitempty*stringis not sufficient, because that would change the semantics of the resource and would be potentially a breaking change. In order to preserve backwards compatibility we need additional logic (see normalizePrivilegeResource that will maintain the same behavior for non-cluster-wide resources (sending empty strings even if the field is not set in yaml).Proof of Work
Tests passing.
Based on PR #551
Chain of upstream PRs as of 2025-10-25
PR CLOUDP-349078: custom roles regression tests #551:
master←lsierant/custom-roles-regression-testslsierant/custom-roles-regression-tests←lsierant/custom-roles