Skip to main content
Version: 123.3

PDS users and permissions

Following are the users / tokens created by PDS for each data service and the valid permissions for each user:

note

You can delete the pds user. However, deleting the other users will cause PDS functionality to stop working.

Cassandra

Username

Permissions

pds

CREATE ROLE '$user' WITH SUPERUSER = true AND LOGIN = true AND PASSWORD = '$password'

pds-cluster-admin

CREATE ROLE '$user' WITH SUPERUSER = true AND LOGIN = true AND PASSWORD = '$password'

pds-backup

CREATE ROLE '$user' WITH SUPERUSER = true AND LOGIN = true AND PASSWORD = '$password'

pds-probes

CREATE ROLE '$user' WITH SUPERUSER = false AND LOGIN = true AND PASSWORD = '$password'

Consul

Token

Permissions

initial management

global-management policy

pds-agent

custom policy with limited access

pds

global-management policy

pds-backup

global-management policy

pds-observability

custom policy with limited access

pds-probes

custom policy with limited access

Couchbase

Username

Permissions

pds

admin

pds-observability

read admin (ro_admin)

pds-backup

admin

pds-cluster-admin

all (cluster administrator)

pds-probes

read admin (ro_admin)

Elasticsearch

Username

Permissions

pds

manage_security

pds-observability

monitor

pds-backup

manage

pds-cluster-admin

all

Kafka

Username

Permissions

pds

Kafka client authentication user account

pds-cluster-admin

Kafka inter-broker communication user account

MongoDB

Username

Permissions

pds

userAdminAnyDatabase

pds-observability

clusterMonitor on admin db, read on local db

pds-cluster-admin

clusterAdmin, userAdminAnyDatabase

pds-probes

clusterMonitor on admin db, read on local db

pds-backup

restore, backup built-in roles and pds-find-system-preimages custom role

MySQL

Username

Permissions

pds

GRANT ALL PRIVILEGES ON . TO pds@% WITH GRANT OPTION

pds-observability

GRANT SELECT, PROCESS, REPLICATION CLIENT ON . TO pds-observability@localhost

pds-cluster-admin

  • GRANT SELECT, RELOAD, SHUTDOWN, PROCESS, FILE, EXECUTE, REPLICATION SLAVE,
    REPLICATION CLIENT, CREATE USER ON . TO pds-cluster-admin@% WITH GRANT OPTION

  • GRANT CLONE_ADMIN,CONNECTION_ADMIN,GROUP_REPLICATION_ADMIN,PERSIST_RO_VARIABLES_ADMIN,
    REPLICATION_APPLIER,REPLICATION_SLAVE_ADMIN,ROLE_ADMIN,SYSTEM_VARIABLES_ADMIN ON . TO pds-cluster-admin@% WITH GRANT OPTION

  • GRANT INSERT, UPDATE, DELETE ON mysql.* TO pds-cluster-admin@% WITH GRANT OPTION

  • GRANT INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER,
    CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON mysql_innodb_cluster_metadata.*
    TO pds-cluster-admin@% WITH GRANT OPTION

  • GRANT INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER,
    CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT,
    TRIGGER ON mysql_innodb_cluster_metadata_bkp.* TO pds-cluster-admin@% WITH GRANT OPTION

  • GRANT INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER,
    CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT,
    TRIGGER ON mysql_innodb_cluster_metadata_previous.* TO pds-cluster-admin@% WITH GRANT OPTION

pds-router

  • GRANT USAGE ON . TO pds-router@%

  • GRANT SELECT, EXECUTE ON mysql_innodb_cluster_metadata.* TO pds-router@%

  • GRANT INSERT, UPDATE, DELETE ON mysql_innodb_cluster_metadata.routers TO pds-router@%

  • GRANT INSERT, UPDATE, DELETE ON mysql_innodb_cluster_metadata.v2_routers TO pds-router@%

  • GRANT SELECT ON performance_schema.global_variables TO pds-router@%

  • GRANT SELECT ON performance_schema.replication_group_member_stats TO pds-router@%

  • GRANT SELECT ON performance_schema.replication_group_members TO pds-router@%

pds-probes

  • GRANT USAGE ON . TO pds-probes@%

  • GRANT SELECT, EXECUTE ON mysql_innodb_cluster_metadata.* TO pds-probes@%

  • GRANT INSERT, UPDATE, DELETE ON mysql_innodb_cluster_metadata.routers TO pds-probes@%

  • GRANT INSERT, UPDATE, DELETE ON mysql_innodb_cluster_metadata.v2_routers TO pds-probes@%

  • GRANT SELECT ON performance_schema.global_variables TO pds-probes@%

  • GRANT SELECT ON performance_schema.replication_group_member_stats TO pds-probes@%

  • GRANT SELECT ON performance_schema.replication_group_members TO pds-probes@%

pds-backup

GRANT SELECT, RELOAD, PROCESS, LOCK TABLES, REPLICATION CLIENT ON . TO pds-backup@localhost GRANT BACKUP_ADMIN ON . TO pds-backup@localhost

mysql_innodb_cluster_[n] (being automatically created in cluster mode for each node)

GRANT REPLICATION SLAVE ON . TO mysql_innodb_cluster_1@% GRANT BACKUP_ADMIN,CONNECTION_ADMIN,GROUP_REPLICATION_STREAM ON . TO mysql_innodb_cluster_1@%

PostgreSQL

Username

Permissions

pds

superuser

postgres_exporter

pg_monitor

pds-backup

pg_read_all_settings, pg_start_backup, pg_stop_backup, pg_create_restore_point

pds-observability

pg_monitor

pds-cluster-admin

superuser

The PDS 118 release introduces an automated migration to PDS system users for PostgreSQL. To finalize the migration process, it is necessary to manually restart the pods.

If you create a new deployment with system users support, then you can delete or change password. To accomplish this, you can access the primary PostgreSQL pod's shell and execute the following commands:

  1. Change the pds user password:

    PGPASSWORD=$(cat ~/creds/cluster-admin-password) psql -h localhost -U pds-cluster-admin postgres -c "ALTER USER pds WITH PASSWORD '<NEW_PASSWORD>'"

  2. Delete pds user and all dependent objects:

    PGPASSWORD=$(cat ~/creds/cluster-admin-password) psql -h localhost -U pds-cluster-admin postgres -c 'DROP OWNED BY pds; DROP USER pds;'

If you upgrade the existing deployment to include the image with system users support, you cannot delete the pds user. However, you can block it from connecting. To block the pds user, run the following command on the primary pod:

PGPASSWORD=$(cat ~/creds/cluster-admin-password) psql -h localhost -U pds-cluster-admin postgres -c 'ALTER USER pds NOLOGIN;'

RabbitMQ

Username

Permissions

pds

root permissions, with admin tag

Redis

Username

Permissions

pds

allcommands allchannels allkeys

pds-cluster-admin

allcommands allchannels allkeys

pds-backup

+info +cluster|nodes +lastsave +bgsave

pds-probes

+cluster|nodes +ping

pds-observability

+client +ping +info +config|get +cluster|info +slowlog +latency +memory +select +get +scan +xinfo +type +pfcount +strlen +llen +scard +zcard +hlen +xlen +eval allkeys

redis-exporter

+client +ping +info +config|get +cluster|info +slowlog +latency +memory +select +get +scan +xinfo +type +pfcount +strlen +llen +scard +zcard +hlen +xlen +eval allkeys

SQL Server

Username

Permissions

pds

ALTER SERVER ROLE SysAdmin ADD MEMBER [$user];

pds-cluster-admin

ALTER SERVER ROLE SysAdmin ADD MEMBER [$user];

pds-backup

ALTER SERVER ROLE SysAdmin ADD MEMBER [$user];

pds-observability

GRANT VIEW ANY DEFINITION TO [$user];
GRANT VIEW SERVER STATE TO [$user];

pds-probes

GRANT VIEW ANY DEFINITION TO [$user];
GRANT VIEW SERVER STATE TO [$user];

Zookeeper

Username

Permissions

pds

default user, root permissions

PDS user descriptions

The following table provides a brief explanation of how each PDS user can be utilized to accomplish specific tasks:

Username

Description

initial management

used to bootstrap the Access Control List (ACL) system

pds

for initial client connection

pds-agent

used for nodes to communicate between each other

pds-backup

used for backup and restore

pds-cluster-admin

used for cluster initialization and/or inter-node communication

pds-observability

used for collecting metrics

pds-probes

used for pod readiness and liveness probes

pds-router

used for routing requests

postgres_exporter

used for collecting metrics

Last updated on
Was this page helpful?