* Update roles.md
* Update database-level roles in SQL query results
* Add charmed_dba, charmed_admin and charmed_databases_owner to SQL query result
* Add CREATEDB to custom word list
Signed-off-by: Marcelo Henrique Neppel <[email protected]>
* Add note about roles that cannot be requested through relation
---------
Signed-off-by: Marcelo Henrique Neppel <[email protected]>
docs/explanation/roles.md
26 additions & 32 deletions
@@ -2,7 +2,7 @@
2
2
3
3
There are several definitions of roles in Charmed PostgreSQL:
4
4
* Predefined PostgreSQL roles
5
-
* Instancelevel DB/relation-specific roles
5
+
* Instance-level DB/relation-specific roles
6
6
* LDAP-specific roles
7
7
* Extra user roles relation flag
8
8
@@ -35,13 +35,17 @@ test123=> SELECT * FROM pg_roles;
35
35
36
36
## Charmed PostgreSQL 16 roles
37
37
38
-
Charmed PostgreSQL 16 introduces the following instancelevel predefined roles:
38
+
Charmed PostgreSQL 16 introduces the following instance-level predefined roles:
39
39
40
40
*`charmed_stats` (inherit from pg_monitor)
41
-
*`charmed_read` (inherit from pg_read_all_data)
42
-
*`charmed_dml` (inherit from pg_write_all_data)
43
-
*`charmed_backup` (inherit from pg_checkpoint)
41
+
*`charmed_read` (inherit from pg_read_all_data and `charmed_stats`)
42
+
*`charmed_dml` (inherit from pg_write_all_data and `charmed_read`)
43
+
*`charmed_backup` (inherit from pg_checkpoint and `charmed_stats`)
44
44
*`charmed_dba` (allowed to escalate to any other user, including the superuser `operator`)
45
+
*`charmed_admin` (inherit from `charmed_dml` and allowed to escalate to the database-specific `charmed_<database-name>_owner` role, which is explained later in this document)
46
+
*`charmed_databases_owner` (allowed to create databases; it can be requested through the CREATEDB extra user role)
47
+
48
+
Currently, `charmed_backup` and `charmed_dba` cannot be requested through the relation as extra user roles.
45
49
46
50
```text
47
51
test123=> SELECT * FROM pg_roles;
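Review bot: the `pg_roles` row added for `charmed_databases_owner` shows `rolcreaterole = t` as well as `rolcreatedb = t` (fourth and fifth columns), but the new bullet describes the role only as "allowed to create databases". Either the description should state that the role also carries CREATEROLE, which in PostgreSQL 16 lets it create new roles and grant membership in roles it holds with ADMIN OPTION, or the captured output should be re-checked against what the charm actually grants, since CREATEROLE is a much broader privilege than CREATEDB for a role that is requestable through the relation. The added sentence that only `charmed_backup` and `charmed_dba` cannot be requested would also be clearer if it named the extra-user-role values that map to `charmed_stats`, `charmed_read`, `charmed_dml` and `charmed_admin`, the way CREATEDB is named for `charmed_databases_owner`.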
@@ -52,25 +56,30 @@ test123=> SELECT * FROM pg_roles;
52
56
charmed_read | f | t | f | f | f | f | -1 | ******** | | f | | 16388
53
57
charmed_dml | f | t | f | f | f | f | -1 | ******** | | f | | 16390
54
58
charmed_backup | f | t | f | f | f | f | -1 | ******** | | f | | 16392
59
+
charmed_dba | f | t | f | f | f | f | -1 | ******** | | f | | 16393
60
+
charmed_admin | f | t | f | f | f | f | -1 | ******** | | f | | 16394
61
+
charmed_databases_owner | f | t | f | t | t | f | -1 | ******** | | f | | 16395
55
62
...
56
63
```
57
64
58
65
Charmed PostgreSQL 16 also introduces catalogue/database level roles, with permissions tied to each database that's created. Example for a database named `test`:
59
66
60
67
```text
61
-
test123=> SELECT * FROM pg_roles where rolname like 'test_%';;
charmed_test_owner | f | t | f | f | f | f | -1 | ******** | | f | | 16396
72
+
charmed_test_admin | f | f | f | f | f | f | -1 | ******** | | f | | 16397
73
+
charmed_test_dml | f | t | f | f | f | f | -1 | ******** | | f | | 16398
66
74
```
67
75
68
-
The `*_admin` role is assigned to each relation user (explained in the next section) with access to the specific database. When that user connects to the database, it's auto-escalated to the `*_owner` user, which will own every object inside the database, simplifying the permissions to perform operations on those objects when a new user requests access to that same database.
76
+
The `charmed_<database-name>_admin` role is assigned to each relation user (explained in the next section) with access to the specific database. When that user connects to the database, it's auto-escalated to the `charmed_<database-name>_owner` user, which will own every object inside the database, simplifying the permissions to perform operations on those objects when a new user requests access to that same database.
69
77
70
-
<!--TODO: are the next two sections also relevant for 16?-->
71
-
### Relation specific roles
78
+
There is also a `charmed_<database-name>_dml` role that is assigned to each relation user to still allow them to read and write to the database objects even if the mechanism to auto-escalate the relation user to the `charmed_<database-name>_owner` role doesn't work.
72
79
73
-
For each application/relation the dedicated user is been created (with matching role and all all resources ownership). The resources ownership is being updated on each re-relation for new users/roles regeneration. Example of simple application relation to PostgreSQL and creating table:
80
+
### Relation-specific roles
81
+
82
+
For each application/relation, the dedicated user has been created:
74
83
75
84
```text
76
85
postgres=# SELECT * FROM pg_roles;
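Review bot: the removed query `SELECT * FROM pg_roles where rolname like 'test_%';;` has a doubled semicolon and, since `LIKE 'test_%'` has no leading wildcard, could never have matched the `charmed_test_*` rows shown under it; the replacement query is not visible in this view, so please confirm it filters on `'charmed_test_%'` so the example output is reproducible. Two smaller points in the same hunk: the added `charmed_test_admin` row has `rolinherit = f` while `_owner` and `_dml` have `t`, which is why the relation user only reaches `_owner` privileges through the auto-escalation and why the new `charmed_<database-name>_dml` fallback paragraph matters, so a sentence saying so would help readers; and the removed paragraph's statement that resource ownership is regenerated on each re-relation was dropped together with the TODO comment without a replacement, so if that behaviour still holds in 16 it should be kept, and "the dedicated user has been created:" should read "a dedicated user is created:".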
@@ -85,17 +94,9 @@ postgres=# SELECT * FROM pg_user;