shardman : Documentation: 17: 32.1. Cluster Initialization Settings Related to Access Management : Postgres Professional

32.1. Cluster Initialization Settings Related to Access Management
Prev	Up	Chapter 32. Cluster Configuration for Distributed System	Home	Next

32.1. Cluster Initialization Settings Related to Access Management #

When a Postgres Pro Shardman cluster is initialized, security-related settings are taken from the initialization file. You can change them later, but do this with care and remember that in most cases, the change will require a DBMS restart.

A Postgres Pro Shardman cluster has two special users: administrative and replication. Postgres Pro Shardman manages controlled DBMS instances with administrative users. BiHA needs replication users for replications between controlled DBMS instances.

Security-related settings from the initialization file specify:

Authentication methods for administrative and replication users — PgSuAuthMethod, PgReplAuthMethod
Usernames for administrative and replication users — PgSuUsername, PgReplUsername
Passwords for administrative and replication users — PgSuPassword, PgReplPassword
pg_hba.conf rules used by DBMS instances — ShardSpec.pgHBA

See Section 18.20.2 for detailed descriptions of these settings.

To change security-related user settings, perform these steps:

Check that the user that you want to specify in PgReplUsername /PgSuUsername exists with REPLICATION/ SUPERUSER privileges on all replication groups in the cluster and his password matches the new PgReplPassword/PgSuPassword setting.
If this is true, create dump of the shardman/cluster0/data/cluster etcd key (here and further the name of the Postgres Pro Shardman cluster is assumed to be cluster0). For example:
```
$ etcdctl --endpoints etcdserver:2379 get --print-value-only  shardman/cluster0/data/cluster |jq . > clusterdata.json 
```
This example creates the dump of the data/cluster key for the Postgres Pro Shardman cluster with the cluster0 name from the etcd server etcdserver listening on port 2379, formats the dump with jq and saves to the clusterdata.json file.

Edit the dump as necessary and store it back in etcd:

$ cat clusterdata.json | etcdctl --endpoints etcdserver:2379 put shardman/cluster0/data/cluster

Modifying these settings will lead to a DBMS restart.

Unlike the above settings, the ShardSpec.pgHBA setting can be changed online. To do this, perform these steps:

Extract the ShardSpec definition from shardman/cluster0/data/cluster, save to some file, modify as necessary and update cluster settings with the shardmanctl config update command:
```
$ etcdctl --endpoints etcdserver:2379 get --print-value-only  shardman/cluster0/data/cluster | jq .Spec.ShardSpec . > shardspec.json 
```

Edit shardspec.json and replace the ShardSpec.pgHBA definition with the appropriate one, for example:

"pgHBA": [
        "host all postgres 0.0.0.0/0 scram-sha-256",
        "host replication postgres 0.0.0.0/0 scram-sha-256",
        "host replication postgres ::0/0 scram-sha-256",
        "host all someuser 0.0.0.0/0 scram-sha-256"
      ],

Apply the edited shardspec.json file:

$ shardmanctl --store-endpoints etcdserver:2379 --cluster-name cluster0 config update -f shardspec.json

Prev	Up	Next
Chapter 32. Cluster Configuration for Distributed System	Home	32.2. Scaling the Cluster

epub pdf