Merge pull request #27 from Ontotext-AD/GDB-6295-Update-users-provisi…

…oning-to-work-with-the-new-users-file GDB-6295 update users provisioning to work with the new users file
Ontotext-AD · Feb 14, 2022 · b5ea69f · b5ea69f
2 parents 6db1f09 + 1010315
commit b5ea69f
Show file tree

Hide file tree

Showing 14 changed files with 332 additions and 119 deletions.
diff --git a/Chart.yaml b/Chart.yaml
@@ -5,8 +5,8 @@ apiVersion: v2
 name: graphdb
 description: Helm chart for GraphDB Free/SE/EE
 type: application
-version: 9.10.1
-appVersion: 9.10.1
+version: 10.0.0
+appVersion: 10.0.0
 home: https://graphdb.ontotext.com/
 icon: https://graphdb.ontotext.com/home/images/visual_Logo_GraphDB_02_12_2015.png
 maintainers:

diff --git a/README.md b/README.md
@@ -251,7 +251,7 @@ There are 3 important configuration sections:
 
 #### GraphDB cluster configuration
 
-By default the Helm chart supports the 3 topologies that we recommend in our documentation. This is configured by settings `graphdb.topology`
+By default the Helm chart supports the 3 topologies that we recommend in our documentation. This is configured by setting `graphdb.topology`
 Possible values: `standalone, 1m_3w, 2m3w_rw_ro, 2m3w_muted`. Masters and workers count in cluster modes are controlled by mastersCount and workersCount properties
 
 **standalone** - Launches single instance of GraphDB with a preconfigured worker repository.
@@ -310,25 +310,40 @@ A list of available JMX attributes can be found [here](https://graphdb.ontotext.
 
 GraphDB's Helm chart supports deploying GraphDB with or without security. This can be toggled through `graphdb.security.enabled`.
 If it is deployed with security enabled, a special provisioning user is used for repository provisioning, cluster linking, health checks and so on.
-Additional users can be added through the settings file: `files/config/settings.js`. The users are described with their roles, username and a bcrypt64 password.
+Additional users can be added through the users file: `files/config/users.js`. The users are described with their roles, username and a bcrypt64 password.
 
-The file is provisioned before GraphDB's startup with the configmap `graphdb.masters.settingsConfigmap`.
-It can be overridden with other configmap containing the `settings.js` file. The same configmap is used for the `graphdb.properties` file as well.
+The file can be provisioned before GraphDB's startup with the `usersConfigMap` configmap or left to default.
+It can be overridden with other configmap containing the `users.js` file.
 Note that the `provisioning` user is required when security is turned on!
 
-By default if the security is turned on, GraphDB's basic security method is used. More complicated security configurations
+By default, if the security is turned on, GraphDB's basic security method is used. More complicated security configurations
 can be configured using additional configurations in `graphdb.properties`.
 
 See https://graphdb.ontotext.com/documentation/enterprise/access-control.html
 
-#### Provisioning additional properties
+Prior to GraphDB 10.0.0 the users and their settings were saved in the `settings.js` file.
+
+#### Provisioning additional properties and settings
 
 Most of GraphDB's properties can be passed through `java_args`. Another option is to supply a `graphdb.properties` file.
-This file is provisioned on all GraphDB instances during GraphDB's startup using configmap `graphdb.masters.settingsConfigmap`.
-It can be overridden with other configmap containing the `graphdb.properties` file. The same configmap is used for the `settings.js` file as well.
+This file can be provisioned on during GraphDB's startup using `propertiesConfigMap`configmap or left to default.
+It can be overridden with other configmap containing the `graphdb.properties` file.
 
 The `graphdb.properties` file is also used for more complex security configurations such as LDAP, Oauth, Kerberos.
 
+Some additional settings are kept in the `settings.js` file. Most of those settings are internal for GraphDB and better left managed by the client.
+The file can be provisioned before GraphDB's startup with the `settingsConfigMap` configmap or left to default.
+It can be overridden with other configmap containing the `settings.js` file.
+Note the `settings.js` must contain `security.enabled" : true` property when security is turned on!
+
+GraphDB uses logback to configure logging using the `logback.xml` file.
+The file can be provisioned before GraphDB's startup with the `logbackConfigMap` configmap or left to default.
+It can be overridden with other configmap containing the `logback.xml` file.
+
+Since GraphDB 9.10.1 the Jolokia access is managed using the `jolokia-access.xml` file.
+The file can be provisioned before GraphDB's startup with the `jolokiaAccessConfigmap` configmap or left to default.
+It can be overridden with other configmap containing the `jolokia-access.xml` file.
+
 See https://graphdb.ontotext.com/documentation/enterprise/configuring-graphdb.html?highlight=properties
 See https://graphdb.ontotext.com/documentation/enterprise/access-control.html
 
@@ -493,6 +508,11 @@ about defining resource limits.
 | graphdb.clusterConfig.readOnlyMasters | list | `["master-2"]` | Describes which masters will be set as read only. Required only for 2m3w_rw_ro topology. |
 | graphdb.clusterConfig.syncPeersMapping | list | `["master-1 <-> master-2"]` | Describes which masters will be linked as sync peer. Required for 2m3w_rw_ro and 2m3w_muted topology. |
 | graphdb.clusterConfig.workersCount | int | `2` |  |
+| graphdb.configs.jolokiaAccessConfigMap | string | `"graphdb-jolokia-access-configmap"` | Reference to a configmap used to overwrite the default GraphDB jolokia-access.xml, with an externally provided jolokia-access.xml. For reference see https://graphdb.ontotext.com/documentation/standard/configuring-graphdb.html
+| graphdb.configs.logbackConfigMap | string | `"graphdb-logback-configmap"` | Reference to a configmap used to overwrite the default GraphDB logback.xml, with an externally provided logback.xml. For reference see https://graphdb.ontotext.com/documentation/standard/configuring-graphdb.html
+| graphdb.configs.propertiesConfigMap | string | `"graphdb-properties-configmap"` | Reference to a configmap used to overwrite the default graphdb.properties, with an externally provided graphdb.properties. For reference see https://graphdb.ontotext.com/documentation/standard/configuring-graphdb.html
+| graphdb.configs.settingsConfigMap | string | `"graphdb-settings-configmap"` | Reference to a configmap used to overwrite the default GraphDB settings.js, with an externally provided settings.js. Even if left to default if security is enabled the configmap will be used to enable GraphDB's security. For reference see https://graphdb.ontotext.com/documentation/standard/configuring-graphdb.html
+| graphdb.configs.usersConfigMap | string | `"graphdb-users-configmap"` | Reference to a configmap used to overwrite the default GraphDB users.js, with an externally provided users.js. Even if left to default if security is enabled the configmap will be used to add a provisioning user. For reference see https://graphdb.ontotext.com/documentation/standard/configuring-graphdb.html
 | graphdb.masters.java_args | string | `"-XX:MaxRAMPercentage=70 -XX:+UseContainerSupport -Ddefault.min.distinct.threshold=100m -Dgraphdb.home.work=/mnt/graphdb"` | Java arguments with which master instances will be launched. GraphDB configuration properties can also be passed here in the format -Dprop=value |
 | graphdb.masters.license | string | `"graphdb-license"` | Reference to a secret containing 'graphdb.license' file to be used by master nodes. Can be set to "" (no license) if this GraphDB instance is used only with a "master" repository! Important: Must be created beforehand |
 | graphdb.masters.nodes[0].java_args | string | `"-XX:MaxRAMPercentage=70 -XX:+UseContainerSupport -Ddefault.min.distinct.threshold=100m"` |  |
@@ -503,7 +523,6 @@ about defining resource limits.
 | graphdb.masters.persistence.volumeNamePrefix | string | `"graphdb-default-master"` | Name reference of a persistent volume to which the claim will try to attach. If changed, the default PVs won't be used. Example result: graphdb-default-master-1-pv |
 | graphdb.masters.repositoryConfigmap | string | `"graphdb-repo-default-configmap"` | Reference to a configuration map containing one or more .ttl files used for repository initialization in the post install hook. For reference see https://graphdb.ontotext.com/documentation/standard/configuring-a-repository.html |
 | graphdb.masters.resources | object | `{"limits":{"memory":"1Gi"},"requests":{"memory":"1Gi"}}` | Below are minimum requirements for data sets of up to 50 million RDF triples For resizing, refer according to your GraphDB version documentation For EE see http://graphdb.ontotext.com/documentation/enterprise/requirements.html |
-| graphdb.masters.settingsConfigmap | string | `"graphdb-settings-default-configmap"` | Reference to a configuration map containing settings.js and graphdb.properties(optional) files used for security and properties provisioning in the post install hook. For reference see https://graphdb.ontotext.com/documentation/standard/configuring-graphdb.html |
 | graphdb.security.enabled | bool | `false` |  |
 | graphdb.security.provisioningPassword | string | `"iHaveSuperpowers"` |  |
 | graphdb.security.provisioningUsername | string | `"provisioner"` |  |

diff --git a/files/config/jolokia-access.xml b/files/config/jolokia-access.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<restrict>
+    <!--Do not allow exec and write operations outside of allowed ones-->
+    <commands>
+        <command>read</command>
+        <command>list</command>
+        <command>version</command>
+        <command>search</command>
+    </commands>
+    <allow>
+        <mbean>
+            <name>java.lang:type=Memory</name>
+            <attribute mode="read">*</attribute>
+            <operation>gc</operation>
+        </mbean>
+        <mbean>
+            <name>ReplicationCluster:*</name>
+            <attribute>*</attribute>
+            <operation>*</operation>
+        </mbean>
+        <mbean>
+            <name>Tomcat:*</name>
+            <attribute>*</attribute>
+            <operation>*</operation>
+        </mbean>
+        <mbean>
+            <name>ch.qos.logback.classic:*</name>
+            <attribute>*</attribute>
+            <operation>*</operation>
+        </mbean>
+        <mbean>
+            <name>com.ontotext:*</name>
+            <attribute>*</attribute>
+            <operation>*</operation>
+        </mbean>
+        <mbean>
+            <name>java.util.logging:type=Logging</name>
+            <attribute>*</attribute>
+            <operation>*</operation>
+        </mbean>
+    </allow>
+
+    <deny>
+        <mbean>
+            <name>jolokia:*</name>
+            <operation>*</operation>
+            <attribute>*</attribute>
+        </mbean>
+    </deny>
+</restrict>
diff --git a/files/config/settings.js b/files/config/settings.js
@@ -1,32 +1,4 @@
 {
-  "users" : {
-    "admin" : {
-      "username" : "admin",
-      "password" : "{bcrypt}$2a$10$H7uekkF1ZFLIV5M1g9tDs.syZGtkMqrfj2Si2SHG1WgwhpNqpZwne",
-      "grantedAuthorities" : [ "ROLE_ADMIN" ],
-      "appSettings" : {
-        "DEFAULT_INFERENCE" : true,
-        "DEFAULT_VIS_GRAPH_SCHEMA" : true,
-        "DEFAULT_SAMEAS" : true,
-        "IGNORE_SHARED_QUERIES" : false,
-        "EXECUTE_COUNT" : true
-      },
-      "dateCreated" : 1618403171751
-    },
-    "provisioner" : {
-      "username" : "{{ .Values.graphdb.security.provisioningUsername }}",
-          "password" : "{bcrypt}{{ htpasswd .Values.graphdb.security.provisioningUsername .Values.graphdb.security.provisioningPassword | trimPrefix (printf "%s:" .Values.graphdb.security.provisioningUsername) }}",
-          "grantedAuthorities" : [ "ROLE_ADMIN" ],
-          "appSettings" : {
-        "DEFAULT_INFERENCE" : true,
-            "DEFAULT_VIS_GRAPH_SCHEMA" : true,
-            "DEFAULT_SAMEAS" : true,
-            "IGNORE_SHARED_QUERIES" : false,
-            "EXECUTE_COUNT" : true
-      },
-      "dateCreated" : 1618403171751
-    }
-  },
   "import.server" : { },
   "import.local" : { },
   "properties" : {
@@ -35,30 +7,6 @@
   {{- end }}
     "current.location" : ""
   },
-  "user_queries" : {
-    "admin" : {
-      "SPARQL Select template" : {
-        "name" : "SPARQL Select template",
-        "body" : "SELECT ?s ?p ?o\nWHERE {\n\t?s ?p ?o .\n} LIMIT 100",
-        "shared" : false
-      },
-      "Clear graph" : {
-        "name" : "Clear graph",
-        "body" : "CLEAR GRAPH <http://example>",
-        "shared" : false
-      },
-      "Add statements" : {
-        "name" : "Add statements",
-        "body" : "PREFIX dc: <http://purl.org/dc/elements/1.1/>\nINSERT DATA\n      {\n      GRAPH <http://example> {\n          <http://example/book1> dc:title \"A new book\" ;\n                                 dc:creator \"A.N.Other\" .\n          }\n      }",
-        "shared" : false
-      },
-      "Remove statements" : {
-        "name" : "Remove statements",
-        "body" : "PREFIX dc: <http://purl.org/dc/elements/1.1/>\nDELETE DATA\n{\nGRAPH <http://example> {\n    <http://example/book1> dc:title \"A new book\" ;\n                           dc:creator \"A.N.Other\" .\n    }\n}",
-        "shared" : false
-      }
-    }
-  },
   "locations" : {
     "" : {
       "location" : "",

diff --git a/files/config/users.js b/files/config/users.js
@@ -0,0 +1,54 @@
+{
+  "users" : {
+    "admin" : {
+      "username" : "admin",
+      "password" : "{bcrypt}$2a$10$H7uekkF1ZFLIV5M1g9tDs.syZGtkMqrfj2Si2SHG1WgwhpNqpZwne",
+      "grantedAuthorities" : [ "ROLE_ADMIN" ],
+      "appSettings" : {
+        "DEFAULT_INFERENCE" : true,
+        "DEFAULT_VIS_GRAPH_SCHEMA" : true,
+        "DEFAULT_SAMEAS" : true,
+        "IGNORE_SHARED_QUERIES" : false,
+        "EXECUTE_COUNT" : true
+      },
+      "dateCreated" : 1618403171751
+    },
+    "provisioner" : {
+      "username" : "{{ .Values.graphdb.security.provisioningUsername }}",
+      "password" : "{bcrypt}{{ htpasswd .Values.graphdb.security.provisioningUsername .Values.graphdb.security.provisioningPassword | trimPrefix (printf "%s:" .Values.graphdb.security.provisioningUsername) }}",
+      "grantedAuthorities" : [ "ROLE_ADMIN" ],
+      "appSettings" : {
+        "DEFAULT_INFERENCE" : true,
+        "DEFAULT_VIS_GRAPH_SCHEMA" : true,
+        "DEFAULT_SAMEAS" : true,
+        "IGNORE_SHARED_QUERIES" : false,
+        "EXECUTE_COUNT" : true
+      },
+      "dateCreated" : 1618403171751
+    }
+  },
+  "user_queries" : {
+    "admin" : {
+      "SPARQL Select template" : {
+        "name" : "SPARQL Select template",
+        "body" : "SELECT ?s ?p ?o\nWHERE {\n\t?s ?p ?o .\n} LIMIT 100",
+        "shared" : false
+      },
+      "Clear graph" : {
+        "name" : "Clear graph",
+        "body" : "CLEAR GRAPH <http://example>",
+        "shared" : false
+      },
+      "Add statements" : {
+        "name" : "Add statements",
+        "body" : "PREFIX dc: <http://purl.org/dc/elements/1.1/>\nINSERT DATA\n      {\n      GRAPH <http://example> {\n          <http://example/book1> dc:title \"A new book\" ;\n                                 dc:creator \"A.N.Other\" .\n          }\n      }",
+        "shared" : false
+      },
+      "Remove statements" : {
+        "name" : "Remove statements",
+        "body" : "PREFIX dc: <http://purl.org/dc/elements/1.1/>\nDELETE DATA\n{\nGRAPH <http://example> {\n    <http://example/book1> dc:title \"A new book\" ;\n                           dc:creator \"A.N.Other\" .\n    }\n}",
+        "shared" : false
+      }
+    }
+  }
+}
diff --git a/templates/configuration/graphdb-jolokia-access-configmap.yaml b/templates/configuration/graphdb-jolokia-access-configmap.yaml
@@ -0,0 +1,16 @@
+# Default configuration map for provisioning the GraphDB jolokia access settings.
+# To change it, prepare another configuration map and update "graphdb.configs.jolokiaAccessConfigMap"
+{{- $configs := (.Values.graphdb.configs | default dict) }}
+{{- if $configs.jolokiaAccessConfigMap }}
+{{- if eq $configs.jolokiaAccessConfigMap "graphdb-jolokia-access-configmap" }}
+apiVersion: {{ .Values.versions.configmap }}
+kind: ConfigMap
+metadata:
+  name: graphdb-jolokia-access-configmap
+  labels:
+    name: graphdb-jolokia-access-configmap
+data:
+  jolokia-access.xml: |-
+{{ tpl (.Files.Get "files/config/jolokia-access.xml" | indent 4) . }}
+{{- end }}
+{{- end }}
diff --git a/templates/configuration/graphdb-logback-configmap.yaml b/templates/configuration/graphdb-logback-configmap.yaml
@@ -1,6 +1,8 @@
-# Default configuration map for provisioning GraphDB repository.
-# To change it, prepare another configuration map and update "graphdb.repositoryConfigmap"
-{{- if .Values.deployment.logbackConfigMap }}
+# Default configuration map for provisioning GraphDB logback settings.
+# To change it, prepare another configuration map and update "graphdb.configs.logbackConfigMap"
+{{- $configs := (.Values.graphdb.configs | default dict) }}
+{{- if $configs.logbackConfigMap }}
+{{- if eq $configs.logbackConfigMap "graphdb-logback-configmap" }}
 apiVersion: {{ .Values.versions.configmap }}
 kind: ConfigMap
 metadata:
@@ -11,3 +13,4 @@ data:
   logback.xml: |-
 {{ tpl (.Files.Get "files/config/logback.xml" | indent 4) . }}
 {{- end }}
+{{- end }}
diff --git a/templates/configuration/graphdb-properties-configmap.yaml b/templates/configuration/graphdb-properties-configmap.yaml
@@ -0,0 +1,16 @@
+# Default configuration map for provisioning GraphDB properties.
+# To change it, prepare another configuration map and update "graphdb.configs.propertiesConfigMap"
+{{- $configs := (.Values.graphdb.configs | default dict) }}
+{{- if $configs.propertiesConfigMap}}
+{{- if eq $configs.propertiesConfigMap "graphdb-properties-configmap" }}
+apiVersion: {{ .Values.versions.configmap }}
+kind: ConfigMap
+metadata:
+  name: graphdb-properties-configmap
+  labels:
+    name: graphdb-properties-configmap
+data:
+  graphdb.properties: |-
+{{ tpl (.Files.Get "files/config/graphdb.properties" | indent 4) . }}
+{{- end }}
+{{- end }}
diff --git a/templates/configuration/graphdb-settings-configmap.yaml b/templates/configuration/graphdb-settings-configmap.yaml
@@ -0,0 +1,15 @@
+# Default configuration map for provisioning GraphDB settings.js file.
+# To change it, prepare another configuration map and update "graphdb.configs.settingsConfigMap"
+{{- $configs := (.Values.graphdb.configs | default dict) }}
+{{- $settingsConfigMap := $configs.settingsConfigMap | default "" }}
+{{- if or (eq $settingsConfigMap "graphdb-settings-configmap") (and (not $settingsConfigMap ) (.Values.graphdb.security.enabled)) }}
+apiVersion: {{ .Values.versions.configmap }}
+kind: ConfigMap
+metadata:
+  name: graphdb-settings-configmap
+  labels:
+    name: graphdb-settings-configmap
+data:
+  settings.js: |-
+{{ tpl (.Files.Get "files/config/settings.js" | indent 4) . }}
+{{- end }}
diff --git a/templates/configuration/graphdb-settings-default-configmap.yaml b/templates/configuration/graphdb-settings-default-configmap.yaml
diff --git a/templates/configuration/graphdb-users-configmap.yaml b/templates/configuration/graphdb-users-configmap.yaml
@@ -0,0 +1,15 @@
+# Default configuration map for provisioning GraphDB users.js file.
+# To change it, prepare another configuration map and update "graphdb.configs.usersConfigMap"
+{{- $configs := (.Values.graphdb.configs | default dict) }}
+{{- $usersConfigMap := $configs.usersConfigMap | default ""}}
+{{- if or (eq $usersConfigMap "graphdb-users-configmap") (and (not $usersConfigMap) (.Values.graphdb.security.enabled)) }}
+apiVersion: {{ .Values.versions.configmap }}
+kind: ConfigMap
+metadata:
+  name: graphdb-users-configmap
+  labels:
+    name: graphdb-users-configmap
+data:
+  users.js: |-
+{{ tpl (.Files.Get "files/config/users.js" | indent 4) . }}
+{{- end }}