Postgres Pro
Downloads
2.5. Access Management
Prev UpChapter 2. ManageHome Next

2.5. Access Management #

2.5.1. Cluster Initialization Settings Related to Access Management
2.5.2. Managing Users and Roles
2.5.3. Managing Permissions on Sharded Tables

A Shardman cluster emulates a usual PostgreSQL security model, which, however, has features inherent to a distributed DBMS. This section describes these features and aims to give you an idea of access management in a Shardman cluster.

2.5.1. Cluster Initialization Settings Related to Access Management #

When a Shardman cluster is initialized, security-related settings are taken from the initialization file. You can change them later, but do this with care and remember that in most cases, the change will require a DBMS restart.

A Shardman cluster has two special users: administrative and replication. stolon and Shardman manage controlled DBMS instances with administrative users. stolon needs replication users for replications between controlled DBMS instances.

Security-related settings from the initialization file specify:

  • Authentication methods for administrative and replication users — PgSuAuthMethod, PgReplAuthMethod

  • Usernames for administrative and replication users — PgSuUsername, PgReplUsername

  • Passwords for administrative and replication users — PgSuPassword, PgReplPassword

  • pg_hba.conf rules used by DBMS instances — StolonSpec.pgHBA

See sdmspec.json for detailed descriptions of these settings.

To change security-related user settings, perform these steps:

  1. Check that the user that you want to specify in PgReplUsername /PgSuUsername exists with REPLICATION/ SUPERUSER privileges on all replication groups in the cluster and his password matches the new PgReplPassword/PgSuPassword setting.

  2. If this is true, create dump of the shardman/cluster0/data/cluster etcd key (here and further the name of the Shardman cluster is assumed to be cluster0). For example: 

    $ etcdctl --endpoints etcdserver:2379 get --print-value-only  shardman/cluster0/data/cluster |jq . > clusterdata.json

    This example creates the dump of the data/cluster key for the Shardman cluster with the cluster0 name from the etcd server etcdserver listening on port 2379, formats the dump with jq and saves to the clusterdata.json file.

  3. Edit the dump as necessary and store it back in etcd: 

    $ cat clusterdata.json | etcdctl --endpoints etcdserver:2379 put shardman/cluster0/data/cluster

Modifying these settings will lead to a DBMS restart.

Unlike the above settings, the StolonSpec.pgHBA setting can be changed online. To do this, perform these steps:

  1. Extract the StolonSpec definition from shardman/cluster0/data/cluster, save to some file, modify as necessary and update cluster settings with the shardmanctl config update command: 

    $ etcdctl --endpoints etcdserver:2379 get --print-value-only  shardman/cluster0/data/cluster | jq .Spec.StolonSpec . > stolonspec.json

  2. Edit stolonspec.json and replace the StolonSpec.pgHBA definition with the appropriate one, for example: 

    "pgHBA": [
        "host all postgres 0.0.0.0/0 scram-sha-256",
        "host replication postgres 0.0.0.0/0 scram-sha-256",
        "host replication postgres ::0/0 scram-sha-256",
        "host all someuser 0.0.0.0/0 scram-sha-256"
      ],

  3. Apply the edited stolonspec.json file: 

    $ shardmanctl --store-endpoints etcdserver:2379 --cluster-name cluster0 config update -f stolonspec.json

2.5.2. Managing Users and Roles #

Users and roles in a Shardman cluster are usual PostgreSQL users and roles. You can manage them separately on each server or globally, using broadcast DDL. Shardman also uses concepts of global users and global roles. And only the global users (or roles) can create and own other Shardman cluster-wide objects, such as sharded or global tables. Operations on such users are always performed on all replication groups simultaneously. For example, when you include a global role in some other role or drop it, this operation will be performed on all replication groups.

You can create a global user with a CREATE USER ... IN ROLE global statement, for example: 

CREATE USER someuser ENCRYPTED PASSWORD 'somepass' IN ROLE global;

When a global user is created, Shardman automatically creates user mappings on all replication groups and grants this user with access to all foreign servers corresponding to existing replication groups. Therefore, when you create a global user, you need to specify either a cleartext password, so that it can be saved in a user mapping, or no password at all. A passwordless global user or role is unable to access foreign servers, but you can use such a role to accumulate some permissions and grant it to different users. You can also set a password for a passwordless global user later.

Global users can be created only by user with CREATEROLE permission on all cluster nodes.

ALTER and DROP statements for global users are broadcasted to all replication groups. When a role is granted to a global user, this operation is also broadcasted. Renaming a global user is not supported since this invalidates md5/scram-sha-256 passwords stored in user mappings.

The list of global users is stored in the shardman.users table.

The role specified in PgSuUsername (usually, postgres) is also created as global user during cluster initialization. However, the role specified in PgReplUsername is created as local user on each replication group.

The role global is reserved and cannot be used directly in a Shardman cluster. Note that 'global' is not a really defined role but just a reserved word.

2.5.3. Managing Permissions on Sharded Tables #

In Shardman, a sharded table is basically a partitioned table where partitions are either local shards or foreign tables referencing shards in other replication groups.

Permissions granted on a sharded table are broadcasted to all replication groups and to all partitions of the table.

When a new replication group is added to a cluster, shardmanctl copies the schema from a random existing replication group to the new one. It also creates a foreign server for the new replication group on all existing replication groups and recreates foreign servers on new replication groups. Permissions for the created foreign servers and user mappings are copied from a random foreign server in an existing replication group. In the new replication group, for each partition of the sharded table shardmanctl creates a foreign table referencing the existing shard and replaces the partition with this foreign table. Later some of these foreign tables can be replaced by real tables. This happens during the shardmanctl nodes add rebalance stage when rebalance is enabled. Data for these partitions is transferred from existing nodes using logical replication. When shardmanctl creates tables (or foreign tables), it copies permissions from the parent table. The parent table must already have correct permissions since they were copied from an existing replication group.

2.5.3.1. Examples #

These examples assume administrator privileges.

If you want to create a sharded table and a global user, as well as grant him read-only access to the table, you can use the following statements: 

CREATE USER someuser ENCRYPTED PASSWORD 'somepass' IN ROLE global;
CREATE TABLE pgbench_branches (
       bid integer NOT NULL PRIMARY KEY,
       bbalance integer,
       filler character(88)
)
WITH (distributed_by = 'bid', num_parts = 8);
GRANT SELECT ON pgbench_branches TO someuser;

To allow someuser to access a Shardman cluster, you should also provide proper settings in pg_hba.conf (as this is done earlier).

Now assume that a new clover is added to the cluster with the shardmanctl nodes add command, like this: 

$ shardmanctl --store-endpoints http://etcdserver:2379 --cluster-name cluster0 nodes add -n newnode1,newnode2

In this example, some shards of the pgbench_branches table are transferred to new replication groups and someuser is granted the SELECT privilege on this table. Later you can drop someuser from all replication groups in the cluster in one command: 

DROP USER someuser;

Prev Up Next
2.4. Analyzing and Vacuuming Home 2.6. Backup and Recovery
pdf