add optional ldap relation

canonical · Mar 5, 2024 · 80d131f · 80d131f
1 parent 3468c77
commit 80d131f
Show file tree

Hide file tree

Showing 8 changed files with 264 additions and 27 deletions.
diff --git a/config.yaml b/config.yaml
@@ -23,12 +23,10 @@ options:
       The url of the ldap to synchronize users from.
       In format `ldap://<host>:<port>`.
     type: string
-    default: ldap://comsys-openldap-k8s:389
   sync-ldap-bind-dn:
     description: |
       The bind domain name for ldap synchronization.
     type: string
-    default: cn=admin,dc=canonical,dc=dev,dc=com
   sync-ldap-bind-password:
     description: |
         The bind password for ldap synchronization.
@@ -38,7 +36,6 @@ options:
     description: |
       Search base for ldap users and groups.
     type: string
-    default: dc=canonical,dc=dev,dc=com
   sync-ldap-user-object-class:
     description: |
       The object class corresponding to users for ldapsearch.
@@ -53,7 +50,6 @@ options:
     description: |
       Search base for ldap users.
     type: string
-    default: dc=canonical,dc=dev,dc=com
   sync-group-user-map-sync-enabled:
     description: |
       Set to true to sync groups without users.
@@ -69,7 +65,6 @@ options:
       Search base for ldap groups.
       If not specified this takes the value of `sync-ldap-search-base`.
     type: string
-    default: dc=canonical,dc=dev,dc=com
   sync-ldap-user-search-scope:
     description: |
       Search scope for the users.
@@ -113,12 +108,6 @@ options:
       Enable to incrementally sync as opposed to full sync after initial run.
     type: boolean
     default: true
-  ranger-usersync-password:
-    description: |
-      The password for the Ranger usersync user.
-      Must be updated to match in Ranger admin.
-    type: string
-    default: rangerR0cks!
   policy-mgr-url:
     type: string
     default: http://ranger-k8s:6080

diff --git a/metadata.yaml b/metadata.yaml
@@ -27,6 +27,8 @@ requires:
     limit: 1
   nginx-route:
     interface: nginx-route
+  ldap:
+    interface: ldap
 
 provides:
   policy:

diff --git a/src/charm.py b/src/charm.py
@@ -22,8 +22,10 @@
     ADMIN_ENTRYPOINT,
     APP_NAME,
     APPLICATION_PORT,
+    RELATION_VALUES,
     USERSYNC_ENTRYPOINT,
 )
+from relations.ldap import LDAPRelationHandler
 from relations.postgres import PostgresRelationHandler
 from relations.provider import RangerProvider
 from state import State
@@ -78,6 +80,7 @@ def __init__(self, *args):
         )
         self.postgres_relation_handler = PostgresRelationHandler(self)
         self.provider = RangerProvider(self)
+        self.ldap = LDAPRelationHandler(self)
 
         # Handle Ingress
         self._require_nginx_route()
@@ -213,17 +216,20 @@ def _configure_ranger_usersync(self, container):
             context: Environment variables for pebble plan.
         """
         context = {}
+        ldap = self._state.ldap or {}
         for key, value in vars(self.config).items():
-            if key.startswith("sync"):
-                updated_key = key.upper().replace("-", "_")
-                context[updated_key] = value
+            if not key.startswith("sync"):
+                continue
+
+            if key in RELATION_VALUES:
+                value = ldap.get(key) or self.config[key]
+
+            updated_key = key.upper()
+            context[updated_key] = value
 
         context.update(
             {
                 "POLICY_MGR_URL": self.config["policy-mgr-url"],
-                "RANGER_USERSYNC_PASSWORD": self.config[
-                    "ranger-usersync-password"
-                ],
             }
         )
         config = render("ranger-usersync-config.jinja", context)
@@ -246,12 +252,18 @@ def validate(self):
         if self.config["charm-function"].value == "admin":
             self.postgres_relation_handler.validate()
 
+        if self.config["charm-function"].value == "usersync":
+            self.ldap.validate()
+
     def update(self, event):
         """Update the Ranger server configuration and re-plan its execution.
 
         Args:
             event: The event triggered when the relation changed.
         """
+        if not self.unit.is_leader():
+            return
+
         try:
             self.validate()
         except ValueError as err:

diff --git a/src/literals.py b/src/literals.py
@@ -25,3 +25,11 @@
 APP_NAME = "ranger-k8s"
 ADMIN_ENTRYPOINT = "/home/ranger/scripts/ranger-admin-entrypoint.sh"
 USERSYNC_ENTRYPOINT = "/home/ranger/scripts/ranger-usersync-entrypoint.sh"
+RELATION_VALUES = [
+    "sync_ldap_bind_dn",
+    "sync_ldap_bind_password",
+    "sync_ldap_search_base",
+    "sync_ldap_user_search_base",
+    "sync_group_search_base",
+    "sync_ldap_url",
+]
diff --git a/src/relations/ldap.py b/src/relations/ldap.py
@@ -0,0 +1,115 @@
+# Copyright 2023 Canonical Ltd.
+# See LICENSE file for licensing details.
+
+"""Defines ldap relation event handling methods."""
+
+import logging
+
+from ops import framework
+
+from literals import RELATION_VALUES
+from utils import log_event_handler
+
+logger = logging.getLogger(__name__)
+
+
+class LDAPRelationHandler(framework.Object):
+    """Client for ldap relations."""
+
+    def __init__(self, charm, relation_name="ldap"):
+        """Construct.
+
+        Args:
+            charm: The charm to attach the hooks to.
+            relation_name: The name of the relation defaults to ldap.
+        """
+        super().__init__(charm, "ldap")
+        self.charm = charm
+        self.relation_name = relation_name
+
+        # Handle database relation.
+        self.framework.observe(
+            charm.on[self.relation_name].relation_created,
+            self._on_relation_created,
+        )
+        self.framework.observe(
+            charm.on[self.relation_name].relation_changed,
+            self._on_relation_changed,
+        )
+        self.framework.observe(
+            charm.on[self.relation_name].relation_broken,
+            self._on_relation_broken,
+        )
+
+    @log_event_handler(logger)
+    def _on_relation_created(self, event):
+        """Handle ldap relation created.
+
+        Args:
+            event: The relation created event.
+        """
+        if self.charm.config["charm-function"] != "usersync":
+            return
+
+        if event.relation:
+            event.relation.data[self.charm.app].update({"user": "admin"})
+
+    @log_event_handler(logger)
+    def _on_relation_changed(self, event):
+        """Handle ldap relation changed.
+
+        Args:
+            event: Relation changed event.
+        """
+        if self.charm.config["charm-function"] != "usersync":
+            return
+
+        container = self.charm.model.unit.get_container(self.charm.name)
+        if not container.can_connect():
+            event.defer()
+            return
+
+        event_data = event.relation.data[event.app]
+        base_dn = event_data.get("base_dn")
+        self.charm._state.ldap = {
+            "sync_ldap_bind_password": event_data.get("admin_password"),
+            "sync_ldap_bind_dn": f"cn=admin,{base_dn}",
+            "sync_ldap_search_base": base_dn,
+            "sync_ldap_user_search_base": base_dn,
+            "sync_group_search_base": base_dn,
+            "sync_ldap_url": event_data.get("ldap_url"),
+        }
+
+        self.charm.update(event)
+
+    @log_event_handler(logger)
+    def _on_relation_broken(self, event):
+        """Handle ldap relation broken.
+
+        Args:
+            event: Relation broken event.
+        """
+        if self.charm.config["charm-function"] != "usersync":
+            return
+
+        container = self.charm.model.unit.get_container(self.charm.name)
+        if not container.can_connect():
+            event.defer()
+            return
+
+        self.charm._state.ldap = {}
+        self.charm.update(event)
+
+    def validate(self):
+        """Check if the required ldap parameters are available.
+
+        Raises:
+            ValueError: if ldap parameters are not available.
+        """
+        config = vars(self.charm.config)
+        if not self.charm._state.ldap:
+            for value in RELATION_VALUES:
+                if not config.get(value):
+                    raise ValueError(
+                        "Add an LDAP relation or update config values."
+                    )
diff --git a/templates/ranger-usersync-config.jinja b/templates/ranger-usersync-config.jinja
@@ -27,7 +27,7 @@ unix_group=ranger
 
 # This password should be changed from the default. 
 # Please note that this password should be as per rangerusersync user in ranger admin.
-rangerUsersync_password= {{ RANGER_USERSYNC_PASSWORD}}
+rangerUsersync_password= rangerR0cks!
 
 hadoop_conf=/etc/hadoop/conf
 

diff --git a/tests/integration/test_usersync.py b/tests/integration/test_usersync.py
@@ -53,6 +53,7 @@ async def test_user_sync(self, ops_test: OpsTest):
             config=ranger_config,
         )
 
+        await ops_test.model.integrate(USERSYNC_NAME, LDAP_NAME)
         await ops_test.model.set_config({"update-status-hook-interval": "5m"})
         await ops_test.model.wait_for_idle(
             apps=[USERSYNC_NAME, LDAP_NAME],