33.1. Cluster Initialization Settings Related to Access Management
When a Postgres Pro Shardman cluster is initialized, security-related settings are taken from the initialization file. You can change them later, but do this with care and remember that in most cases, the change will require a DBMS restart.
A Postgres Pro Shardman cluster has two special users: the administrative user and the replication user. Postgres Pro Shardman manages controlled DBMS instances through the administrative user. BiHA uses the replication user for replication between controlled DBMS instances.
Security-related settings from the initialization file specify:

  - Authentication methods for administrative and replication users: PgSuAuthMethod, PgReplAuthMethod
  - Usernames for administrative and replication users: PgSuUsername, PgReplUsername
  - Passwords for administrative and replication users: PgSuPassword, PgReplPassword
  - pg_hba.conf rules used by DBMS instances: StolonSpec.pgHBA

See Section 19.21.2 for detailed descriptions of these settings.
To change security-related user settings, perform these steps:

1. Check that the user that you want to specify in PgReplUsername/PgSuUsername exists with the REPLICATION/SUPERUSER privilege on all replication groups in the cluster and that its password matches the new PgReplPassword/PgSuPassword setting.

2. If this is true, create a dump of the shardman/cluster0/data/cluster etcd key (here and further the name of the Postgres Pro Shardman cluster is assumed to be cluster0). For example:

   $ etcdctl --endpoints etcdserver:2379 get --print-value-only shardman/cluster0/data/cluster | jq . > clusterdata.json

   This example creates a dump of the data/cluster key for the Postgres Pro Shardman cluster named cluster0 from the etcd server etcdserver listening on port 2379, formats the dump with jq and saves it to the clusterdata.json file.

3. Edit the dump as necessary and store it back in etcd:

   $ cat clusterdata.json | etcdctl --endpoints etcdserver:2379 put shardman/cluster0/data/cluster

Modifying these settings will lead to a DBMS restart.
Unlike the above settings, the StolonSpec.pgHBA setting can be changed online. To do this, perform these steps:

1. Extract the StolonSpec definition from shardman/cluster0/data/cluster, save it to a file, modify it as necessary and update the cluster settings with the shardmanctl config update command:

   $ etcdctl --endpoints etcdserver:2379 get --print-value-only shardman/cluster0/data/cluster | jq .Spec.StolonSpec > shardspec.json

2. Edit shardspec.json and replace the StolonSpec.pgHBA definition with the appropriate one, for example:

   "pgHBA": [
     "host all postgres 0.0.0.0/0 scram-sha-256",
     "host replication postgres 0.0.0.0/0 scram-sha-256",
     "host replication postgres ::0/0 scram-sha-256",
     "host all someuser 0.0.0.0/0 scram-sha-256"
   ],

3. Apply the edited shardspec.json file:

   $ shardmanctl --store-endpoints etcdserver:2379 --cluster-name cluster0 config update -f shardspec.json
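A pre-flight check for the pgHBA edit in step 2, added here as an example that is not part of the Shardman manual or its tooling: it takes the StolonSpec JSON extracted in step 1, validates the replacement rules, and refuses a pgHBA that would lock out the administrative or replication user before you run config update. The sample shardspec.json is constructed and reduced to its pgHBA field, and the user names are passed in as parameters because the example does not assume where PgSuUsername/PgReplUsername are stored.

```python
import ipaddress
import json

# Constructed sample of shardspec.json (the StolonSpec extracted in step 1),
# cut down to the pgHBA field; a real extraction carries many more fields,
# which json.loads/json.dumps pass through unchanged.
SHARDSPEC_DUMP = json.dumps({"pgHBA": [
    "host all postgres 0.0.0.0/0 scram-sha-256",
    "host replication postgres 0.0.0.0/0 scram-sha-256"]})
ACCEPTED = {"scram-sha-256", "cert"}  # other methods (trust, md5, ...) are refused
HOST_TYPES = ("host", "hostssl", "hostnossl")

def check_rule(rule):
    """Return (errors, warnings) for one host-type pg_hba.conf line."""
    f = rule.split()
    if len(f) != 5 or f[0] not in HOST_TYPES:
        return [f"malformed rule: {rule!r}"], []
    try:
        net = ipaddress.ip_network(f[3], strict=False)
    except ValueError:
        return [f"bad address {f[3]!r} in {rule!r}"], []
    errors = [] if f[4] in ACCEPTED else [f"refused auth method {f[4]!r} in {rule!r}"]
    # A /0 mask (as in the manual's sample rules) admits every source address;
    # report it so the operator can narrow the CIDR to the cluster network.
    warnings = [f"{rule!r} matches every source address"] if net.prefixlen == 0 else []
    return errors, warnings

def grants(rule, database, user):
    """True if a well-formed rule can match connections of user to database."""
    _, db, usr, _, _ = rule.split()
    # pg_hba.conf semantics: 'all' in the database column never covers replication
    db_ok = db == database or (db == "all" and database != "replication")
    return db_ok and usr in (user, "all")

def set_pghba(spec_json, new_rules, su_user, repl_user):
    """Replace pgHBA in the extracted StolonSpec, refusing the change if a rule
    is bad or the administrative/replication user would lose access."""
    data = json.loads(spec_json)
    results = [check_rule(r) for r in new_rules]
    errors = [e for errs, _ in results for e in errs]
    warnings = [w for _, warns in results for w in warns]
    if not errors and not any(grants(r, "all", su_user) for r in new_rules):
        errors.append(f"no 'all' database rule for administrative user {su_user!r}")
    if not errors and not any(grants(r, "replication", repl_user) for r in new_rules):
        errors.append(f"no replication rule for replication user {repl_user!r}")
    if errors:
        raise ValueError("; ".join(errors))
    data["pgHBA"] = list(new_rules)
    return json.dumps(data, indent=2), warnings
```

Write the returned JSON to shardspec.json and review the warnings before running config update.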