PDS users and permissions
Following are the users / tokens created by PDS for each data service and the valid permissions for each user:
You can delete the pds
user. However, deleting the other users will cause PDS functionality to stop working.
Cassandra
Username | Permissions |
pds |
|
pds-cluster-admin |
|
pds-backup |
|
pds-probes |
|
Consul
Token | Permissions |
initial management | global-management policy |
pds-agent | custom policy with limited access |
pds | global-management policy |
pds-backup | global-management policy |
pds-observability | custom policy with limited access |
pds-probes | custom policy with limited access |
Couchbase
Username | Permissions |
pds | admin |
pds-observability | read admin ( |
pds-backup | admin |
pds-cluster-admin | all (cluster administrator) |
pds-probes | read admin ( |
Elasticsearch
Username | Permissions |
pds | manage_security |
pds-observability | monitor |
pds-backup | manage |
pds-cluster-admin | all |
Kafka
Username | Permissions |
pds | Kafka client authentication user account |
pds-cluster-admin | Kafka inter-broker communication user account |
MongoDB
Username | Permissions |
pds |
|
pds-observability |
|
pds-cluster-admin |
|
pds-probes |
|
pds-backup |
|
MySQL
Username | Permissions |
pds |
|
pds-observability |
|
pds-cluster-admin |
|
pds-router |
|
pds-probes |
|
pds-backup |
|
|
|
PostgreSQL
Username | Permissions |
pds |
|
postgres_exporter |
|
pds-backup |
|
pds-observability |
|
pds-cluster-admin |
|
The PDS 118 release introduces an automated migration to PDS system users for PostgreSQL. To finalize the migration process, it is necessary to manually restart the pods.
If you create a new deployment with system users support, then you can delete or change password. To accomplish this, you can access the primary PostgreSQL pod's shell and execute the following commands:
-
Change the
pds
user password:PGPASSWORD=$(cat ~/creds/cluster-admin-password) psql -h localhost -U pds-cluster-admin postgres -c "ALTER USER pds WITH PASSWORD '<NEW_PASSWORD>'"
-
Delete
pds
user and all dependent objects:PGPASSWORD=$(cat ~/creds/cluster-admin-password) psql -h localhost -U pds-cluster-admin postgres -c 'DROP OWNED BY pds; DROP USER pds;'
If you upgrade the existing deployment to include the image with system users support, you cannot delete the pds
user. However, you can block it from connecting. To block the pds
user, run the following command on the primary pod:
PGPASSWORD=$(cat ~/creds/cluster-admin-password) psql -h localhost -U pds-cluster-admin postgres -c 'ALTER USER pds NOLOGIN;'
RabbitMQ
Username | Permissions |
pds | root permissions, with admin tag |
Redis
Username | Permissions |
pds |
|
pds-cluster-admin |
|
pds-backup |
|
pds-probes |
|
pds-observability |
|
redis-exporter |
|
SQL Server
Username | Permissions |
pds |
|
pds-cluster-admin |
|
pds-backup |
|
pds-observability |
|
pds-probes |
|
Zookeeper
Username | Permissions |
pds | default user, root permissions |
PDS user descriptions
The following table provides a brief explanation of how each PDS user can be utilized to accomplish specific tasks:
Username | Description |
initial management | used to bootstrap the Access Control List (ACL) system |
pds | for initial client connection |
pds-agent | used for nodes to communicate between each other |
pds-backup | used for backup and restore |
pds-cluster-admin | used for cluster initialization and/or inter-node communication |
pds-observability | used for collecting metrics |
pds-probes | used for pod readiness and liveness probes |
pds-router | used for routing requests |
postgres_exporter | used for collecting metrics |