Support Druid User and Roles creation for druid-basic-security extension

[SatyaKuppam]

Support User and Role Creation for druid-basic-security extension

druid-basic-security extension adds authentication (auth) and authorization (authz) logic, by supporting HTTP basic auth and role-based access control. Managing the users and roles via the HTTP API is cumbersome and non-auditable. Adding user and role creation via the druid-operator will provide a safe and auditable way to control the lifecycle of users and associated roles.

This change proposes the creation of a new CRD called DruidUser that contains all the necessary metadata and permissions for creating a new user. The operator will use the basic-security HTTP API to manage the lifecycle of the users including password creation. Passwords will be mounted as k8s Secrets in the same namespace as a cluster.

So a DruidUser can look like this:

apiVersion: druid.apache.org/v1alpha1
kind: DruidUser
metadata:
  labels: 
       namespace: druid-namespace
  name: druid-cluster-1-user-alpha          # creates a K8s secret of the same name
spec:
  type: basic-security             # type so other methods can be supported in the future
  druidCluster: druid-cluster-1
  spec:
      nativeSpec:
        permissions:
          - type: DATASOURCE
             name: .*
             action: READ
          - type: DATASOURCE
             name: .*
             action: WRITE

User, Role and permissions mapping

   +------+        Belongs to     +------+       Has many      +-----------+     Grants          +---------------------+
   | User |---------------------->| Role |-------------------->| Permission|-------------------->|Resource (datasource)|
   +------+                       +------+                     +-----------+                     +---------------------+
                                                               |
                                                               |
                                                               +-----------+     Grants          +---------------------+ 
                                                               | Permission|-------------------->|Resource (Configs).  | 
                                                               +-----------+                     +---------------------+                             

Figure: Users can have only one Role and the Role can have multiple permissions like the YAML example above

Creation Lifecycle:

Explaining how this feature works in brief:

• check for any changes to the DruidUserSecrets in the namespace
• determine the cluster name and endpoint
• if type is basic-security, check if the extension is enabled (there is a HTTP endpoint that we can hit) otherwise fail
• generate a password using UUID
• create the auth and authz user with the required permissions

Deletion Lifecycle

• finalizer should delete all associated kubernetes secrets and DruidUsers after the cluster is delete
• delete individual DruidUsers and associated kubernetes secrets during the reconcile loop

I want to implement this feature, but before I do, I want to align on the following:

• creating a new DruidUser CRD is fine
• creating passwords as UUIDs
• mounting the passwords as K8s secrets
• operator's Druid role should allow user creation
• the lifecycle makes sense?
• there is no good way to change passwords of existing users, suggestion is to create a brand new DruidUser from time to time if you want to roll passwords