33.1. Cluster Initialization Settings Related to Access Management

When a Postgres Pro Shardman cluster is initialized, security-related settings are taken from the initialization file. You can change them later, but do this with care and remember that in most cases, the change will require a DBMS restart.

A Postgres Pro Shardman cluster has two special users: an administrative user and a replication user. Postgres Pro Shardman uses the administrative user to manage the controlled DBMS instances, and BiHA uses the replication user for replication between controlled DBMS instances.

Security-related settings from the initialization file specify:

  • Authentication methods for administrative and replication users — PgSuAuthMethod, PgReplAuthMethod

  • Usernames for administrative and replication users — PgSuUsername, PgReplUsername

  • Passwords for administrative and replication users — PgSuPassword, PgReplPassword

  • pg_hba.conf rules used by DBMS instances — StolonSpec.pgHBA

See Section 19.21.2 for detailed descriptions of these settings.

To change security-related user settings, perform these steps:

  1. Check that the user you want to specify in PgReplUsername/PgSuUsername exists with the REPLICATION/SUPERUSER privilege on all replication groups in the cluster and that its password matches the new PgReplPassword/PgSuPassword setting.

  2. If this is true, create a dump of the shardman/cluster0/data/cluster etcd key (here and below the Postgres Pro Shardman cluster is assumed to be named cluster0). For example:

    $ etcdctl --endpoints etcdserver:2379 get --print-value-only shardman/cluster0/data/cluster | jq . > clusterdata.json
    

    This example creates a dump of the data/cluster key of the Postgres Pro Shardman cluster named cluster0 from the etcd server etcdserver listening on port 2379, formats it with jq and saves it to the clusterdata.json file.

  3. Edit the dump as necessary and store it back in etcd. The dump contains the PgSuPassword and PgReplPassword values, so keep the file readable only by the user performing the change and remove it once the update is done:

    $ cat clusterdata.json | etcdctl --endpoints etcdserver:2379 put shardman/cluster0/data/cluster
    

Modifying these settings will lead to a DBMS restart.

Unlike the above settings, the StolonSpec.pgHBA setting can be changed online. To do this, perform these steps:

  1. Extract the StolonSpec definition from shardman/cluster0/data/cluster and save it to a file:

    $ etcdctl --endpoints etcdserver:2379 get --print-value-only shardman/cluster0/data/cluster | jq .Spec.StolonSpec > shardspec.json
    

  2. Edit shardspec.json and replace the StolonSpec.pgHBA definition with the appropriate one. The new rule set must still let the administrative and replication users reach every instance, otherwise Postgres Pro Shardman and BiHA lose access to the cluster; the 0.0.0.0/0 and ::0/0 masks in the example below accept connections from any address, so in production narrow them to the networks of the cluster nodes and clients. For example:

    "pgHBA": [
            "host all postgres 0.0.0.0/0 scram-sha-256",
            "host replication postgres 0.0.0.0/0 scram-sha-256",
            "host replication postgres ::0/0 scram-sha-256",
            "host all someuser 0.0.0.0/0 scram-sha-256"
          ],
    

  3. Apply the edited shardspec.json file:

    $ shardmanctl --store-endpoints etcdserver:2379 --cluster-name cluster0 config update -f shardspec.json
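The two procedures above both come down to editing one JSON document pulled from etcd. The following script is an added example, not part of the Postgres Pro Shardman documentation or tooling: it takes a dump like clusterdata.json, audits a replacement pgHBA list before it is applied (unparseable rules and trust/password/md5 methods are rejected, rules open to any address are flagged), updates the user settings, and emits the Spec.StolonSpec subtree as the shardspec.json content for shardmanctl config update -f. The sample dump is constructed; only Spec.StolonSpec.pgHBA is documented on this page, and the placement of the Pg*Username/Pg*Password/Pg*AuthMethod keys directly under Spec is an assumption to verify against a real dump before use.

```python
import ipaddress
import json

# Constructed sample of a shardman/cluster0/data/cluster value, cut down to the
# fields used here. ASSUMPTION: the Pg* keys live directly under "Spec"; only
# Spec.StolonSpec.pgHBA is known from the documentation.
SAMPLE_CLUSTER_JSON = json.dumps({
    "Spec": {
        "PgSuAuthMethod": "scram-sha-256",
        "PgReplAuthMethod": "scram-sha-256",
        "PgSuUsername": "postgres",
        "PgReplUsername": "repluser",
        "PgSuPassword": "old-su-secret",
        "PgReplPassword": "old-repl-secret",
        "StolonSpec": {
            "pgHBA": [
                "host all postgres 0.0.0.0/0 scram-sha-256",
                "host replication postgres 0.0.0.0/0 scram-sha-256",
            ],
        },
    },
})

WEAK_METHODS = {"trust", "password", "md5"}
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
USER_SETTINGS = {"PgSuUsername", "PgSuPassword", "PgSuAuthMethod",
                 "PgReplUsername", "PgReplPassword", "PgReplAuthMethod"}


def parse_hba_rule(rule):
    """Split one pg_hba.conf line into its fields; options after the method are ignored."""
    f = rule.split()
    if len(f) < 4 or f[0] not in HOST_TYPES | {"local"}:
        raise ValueError(f"unparseable pg_hba rule: {rule!r}")
    if f[0] == "local":
        return {"type": f[0], "db": f[1], "user": f[2], "addr": None, "method": f[3]}
    if len(f) < 5:
        raise ValueError(f"missing address or method: {rule!r}")
    addr, rest = f[3], f[4:]
    # Accept the separate-netmask form: "host all all 10.0.0.0 255.0.0.0 scram-sha-256"
    try:
        ipaddress.ip_address(rest[0])
        addr, rest = f"{addr}/{rest[0]}", rest[1:]
    except ValueError:
        pass
    if not rest:
        raise ValueError(f"missing auth method: {rule!r}")
    return {"type": f[0], "db": f[1], "user": f[2], "addr": addr, "method": rest[0]}


def _is_any_address(addr):
    """True for 'all', 0.0.0.0/0 and ::/0 in any spelling; False for hostnames, samehost, etc."""
    if addr == "all":
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).prefixlen == 0
    except ValueError:
        return False


def audit_hba(rules):
    """Return (errors, warnings) for a pgHBA list; errors should block config update."""
    errors, warnings = [], []
    for rule in rules:
        try:
            r = parse_hba_rule(rule)
        except ValueError as e:
            errors.append(str(e))
            continue
        if r["method"] in WEAK_METHODS:
            errors.append(f"weak auth method {r['method']!r}: {rule}")
        if r["addr"] is not None and _is_any_address(r["addr"]):
            if r["type"] != "hostssl":
                warnings.append(f"open to any address without requiring TLS: {rule}")
            if r["user"] == "all" or r["db"] == "replication":
                warnings.append(f"replication or all users reachable from any address: {rule}")
    return errors, warnings


def update_cluster_spec(cluster_json, pg_hba=None, **user_settings):
    """Return the edited cluster document (to be stored with etcdctl put)."""
    cluster = json.loads(cluster_json)
    unknown = set(user_settings) - USER_SETTINGS
    if unknown:
        raise ValueError(f"unknown settings: {sorted(unknown)}")
    cluster["Spec"].update(user_settings)  # assumed location of the Pg* keys
    if pg_hba is not None:
        errors, _ = audit_hba(pg_hba)
        if errors:
            raise ValueError("refusing to apply pgHBA: " + "; ".join(errors))
        cluster["Spec"]["StolonSpec"]["pgHBA"] = list(pg_hba)
    return cluster


def stolon_spec_json(cluster):
    """Spec.StolonSpec as text, i.e. the shardspec.json for shardmanctl config update -f."""
    return json.dumps(cluster["Spec"]["StolonSpec"], indent=2)


if __name__ == "__main__":
    new_hba = [
        "hostssl all postgres 10.0.1.0/24 scram-sha-256",
        "hostssl replication repluser 10.0.1.0/24 scram-sha-256",
        "host all someuser 0.0.0.0/0 scram-sha-256",
    ]
    for w in audit_hba(new_hba)[1]:
        print("WARNING:", w)
    cluster = update_cluster_spec(SAMPLE_CLUSTER_JSON, pg_hba=new_hba,
                                  PgReplUsername="repluser", PgReplPassword="new-repl-secret")
    print(stolon_spec_json(cluster))
```

Run it against a real dump by replacing SAMPLE_CLUSTER_JSON with the contents of clusterdata.json; store the returned document with etcdctl put for the user settings (restart required) and feed the printed StolonSpec to shardmanctl config update -f for the online pgHBA change. Warnings are deliberately not fatal, because a rule such as the page's "host all someuser 0.0.0.0/0 scram-sha-256" may be what you want; errors are.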