Support disable user creating for OAuth

api/v1/ytsaurus_types.go

@@ -227,6 +227,8 @@ type OauthServiceSpec struct {
 	//+kubebuilder:default:=false
 	Secure   bool                     `json:"secure,omitempty"`
 	UserInfo OauthUserInfoHandlerSpec `json:"userInfoHandler,omitempty"`
+	// If DisableUserCreation is set, proxies will NOT create non-existing users with OAuth authentication.
+	DisableUserCreation *bool `json:"disableUserCreation,omitempty"`
 }
 
 type HealthcheckProbeParams struct {

config/crd/bases/cluster.ytsaurus.tech_ytsaurus.yaml

@@ -14893,6 +14893,10 @@ spec:
                 type: object
               oauthService:
                 properties:
+                  disableUserCreation:
+                    description: If DisableUserCreation is set, proxies will NOT create
+                      non-existing users with O
+                    type: boolean
                   host:
                     minLength: 1
                     type: string

docs/api.md

@@ -1047,6 +1047,7 @@ _Appears in:_
 | `port` _integer_ |  | 80 |  |
 | `secure` _boolean_ |  | false |  |
 | `userInfoHandler` _[OauthUserInfoHandlerSpec](#oauthuserinfohandlerspec)_ |  |  |  |
+| `disableUserCreation` _boolean_ | If DisableUserCreation is set, proxies will NOT create non-existing users with OAuth authentication. |  |  |
 
 
 #### OauthUserInfoHandlerSpec

pkg/ytconfig/canondata/TestGetHTTPProxyConfig/test.canondata

@@ -109,8 +109,10 @@
             ];
         };
         "oauth_cookie_authenticator"={
+            "create_user_if_not_exists"=%false;
         };
         "oauth_token_authenticator"={
+            "create_user_if_not_exists"=%false;
         };
         "require_authentication"=%true;
     };

pkg/ytconfig/canondata/TestGetRPCProxyConfig/test.canondata

@@ -106,6 +106,7 @@
         ];
     };
     "oauth_token_authenticator"={
+        "create_user_if_not_exists"=%false;
     };
     "require_authentication"=%true;
 }

pkg/ytconfig/canondata/TestGetStrawberryControllerConfig/test.canondata

@@ -27,4 +27,4 @@
     "http_controller_mappings"={
         "*"=chyt;
     };
-}
+}

pkg/ytconfig/canondata/TestGetStrawberryControllerConfigWithCustomFamilies/test.canondata

@@ -26,4 +26,4 @@
         "superservice1.some.domain"=superservice1;
         "superservice3.some.domain"=superservice3;
     };
-}
+}

pkg/ytconfig/canondata/TestGetStrawberryControllerConfigWithExtendedHTTPMapping/test.canondata

@@ -28,4 +28,4 @@
         "*"=chyt;
         "jupyt.some.domain"=jupyt;
     };
-}
+}

pkg/ytconfig/generator.go

@@ -495,10 +495,17 @@ func (g *Generator) getRPCProxyConfigImpl(spec *ytv1.RPCProxiesSpec) (RPCProxySe
 
 	g.fillCommonService(&c.CommonServer, &spec.InstanceSpec)
 
-	if g.ytsaurus.Spec.OauthService != nil {
-		c.OauthService = ptr.To(getOauthService(*g.ytsaurus.Spec.OauthService))
+	oauthService := g.ytsaurus.Spec.OauthService
+	if oauthService != nil {
+		c.OauthService = ptr.To(getOauthService(*oauthService))
 		c.CypressUserManager = CypressUserManager{}
-		c.OauthTokenAuthenticator = &OauthTokenAuthenticator{}
+		var createUserIfNotExist *bool
+		if oauthService.DisableUserCreation != nil {
+			createUserIfNotExist = ptr.To(!*oauthService.DisableUserCreation)
+		}
+		c.OauthTokenAuthenticator = &OauthTokenAuthenticator{
+			CreateUserIfNotExists: createUserIfNotExist,
+		}
 		c.RequireAuthentication = ptr.To(true)
 	}
 
@@ -670,10 +677,19 @@ func (g *Generator) getHTTPProxyConfigImpl(spec *ytv1.HTTPProxiesSpec) (HTTPProx
 	g.fillCommonService(&c.CommonServer, &spec.InstanceSpec)
 	g.fillBusServer(&c.CommonServer, spec.NativeTransport)
 
-	if g.ytsaurus.Spec.OauthService != nil {
-		c.Auth.OauthService = ptr.To(getOauthService(*g.ytsaurus.Spec.OauthService))
-		c.Auth.OauthCookieAuthenticator = &OauthCookieAuthenticator{}
-		c.Auth.OauthTokenAuthenticator = &OauthTokenAuthenticator{}
+	oauthService := g.ytsaurus.Spec.OauthService
+	if oauthService != nil {
+		c.Auth.OauthService = ptr.To(getOauthService(*oauthService))
+		var createUserIfNotExist *bool
+		if oauthService.DisableUserCreation != nil {
+			createUserIfNotExist = ptr.To(!*oauthService.DisableUserCreation)
+		}
+		c.Auth.OauthCookieAuthenticator = &OauthCookieAuthenticator{
+			CreateUserIfNotExists: createUserIfNotExist,
+		}
+		c.Auth.OauthTokenAuthenticator = &OauthTokenAuthenticator{
+			CreateUserIfNotExists: createUserIfNotExist,
+		}
 	}
 
 	return c, nil

pkg/ytconfig/generator_test.go

@@ -4,6 +4,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
+
 	"github.com/ytsaurus/ytsaurus-k8s-operator/pkg/consts"
 
 	"k8s.io/utils/ptr"
@@ -597,6 +598,7 @@ func withOauthSpec(ytsaurus *ytv1.Ytsaurus) *ytv1.Ytsaurus {
 				},
 			},
 		},
+		DisableUserCreation: ptr.To(true),
 	}
 	return ytsaurus
 }

pkg/ytconfig/proxy.go

@@ -32,8 +32,12 @@ type LoginTransformation struct {
 	Replacement  string `yson:"replacement,omitempty"`
 }
 
-type OauthCookieAuthenticator struct{}
-type OauthTokenAuthenticator struct{}
+type OauthCookieAuthenticator struct {
+	CreateUserIfNotExists *bool `yson:"create_user_if_not_exists,omitempty"`
+}
+type OauthTokenAuthenticator struct {
+	CreateUserIfNotExists *bool `yson:"create_user_if_not_exists,omitempty"`
+}
 
 type Coordinator struct {
 	Enable            bool   `yson:"enable"`

ytop-chart/templates/crds/ytsaurus.cluster.ytsaurus.tech.yaml

@@ -14904,6 +14904,10 @@ spec:
                 type: object
               oauthService:
                 properties:
+                  disableUserCreation:
+                    description: If DisableUserCreation is set, proxies will NOT create
+                      non-existing users with O
+                    type: boolean
                   host:
                     minLength: 1
                     type: string