Configuration of PostgreSQL Operator RBAC
PostreSQL Operator RBAC
The conf/postgres-operator/pgorole file is read at start up time when the operator is deployed to the Kubernetes cluster. This file defines the PostgreSQL Operator roles whereby PostgreSQL Operator API users can be authorized.
The conf/postgres-operator/pgouser file is read at start up time also and contains username, password, role, and namespace information as follows:
username:password:pgoadmin:
pgouser1:password:pgoadmin:pgouser1
pgouser2:password:pgoadmin:pgouser2
pgouser3:password:pgoadmin:pgouser1,pgouser2
readonlyuser:password:pgoreader:
The format of the pgouser server file is:
<username>:<password>:<role>:<namespace,namespace>
The namespace is a comma separated list of namespaces that user has access to. If you do not specify a namespace, then all namespaces is assumed, meaning this user can access any namespace that the Operator is watching.
A user creates a .pgouser file in their $HOME directory to identify themselves to the Operator. An entry in .pgouser will need to match entries in the conf/postgres-operator/pgouser file. A sample .pgouser file contains the following:
username:password
The format of the .pgouser client file is:
<username>:<password>
The users pgouser file can also be located at:
/etc/pgo/pgouser
or it can be found at a path specified by the PGOUSER environment variable.
If the user tries to access a namespace that they are not configured for within the server side pgouser file then they will get an error message as follows:
Error: user [pgouser1] is not allowed access to namespace [pgouser2]
If you wish to add all available permissions to a pgorole, you can specify it by using a single *
in your configuration. Note that if you are editing your YAML file directly, you will need to ensure to write it as "*"
to ensure it is recognized as a string.
The following list shows the current complete list of possible pgo permissions that you can specify within the pgorole file when creating roles:
Permission | Description |
---|---|
ApplyPolicy | allow pgo apply |
Cat | allow pgo cat |
Clone | allow pgo clone |
CreateBackup | allow pgo backup |
CreateCluster | allow pgo create cluster |
CreateDump | allow pgo create pgdump |
CreateFailover | allow pgo failover |
CreatePgAdmin | allow pgo create pgadmin |
CreatePgbouncer | allow pgo create pgbouncer |
CreatePolicy | allow pgo create policy |
CreateSchedule | allow pgo create schedule |
CreateUpgrade | allow pgo upgrade |
CreateUser | allow pgo create user |
DeleteBackup | allow pgo delete backup |
DeleteCluster | allow pgo delete cluster |
DeletePgAdmin | allow pgo delete pgadmin |
DeletePgbouncer | allow pgo delete pgbouncer |
DeletePolicy | allow pgo delete policy |
DeleteSchedule | allow pgo delete schedule |
DeleteUpgrade | allow pgo delete upgrade |
DeleteUser | allow pgo delete user |
DfCluster | allow pgo df |
Label | allow pgo label |
Reload | allow pgo reload |
Restart | allow pgo restart |
Restore | allow pgo restore |
RestoreDump | allow pgo restore for pgdumps |
ShowBackup | allow pgo show backup |
ShowCluster | allow pgo show cluster |
ShowConfig | allow pgo show config |
ShowPgAdmin | allow pgo show pgadmin |
ShowPgBouncer | allow pgo show pgbouncer |
ShowPolicy | allow pgo show policy |
ShowPVC | allow pgo show pvc |
ShowSchedule | allow pgo show schedule |
ShowNamespace | allow pgo show namespace |
ShowSystemAccounts | allows commands with the --show-system-accounts flag to return system account information (e.g. the postgres superuser) |
ShowUpgrade | allow pgo show upgrade |
ShowWorkflow | allow pgo show workflow |
Status | allow pgo status |
TestCluster | allow pgo test |
UpdatePgBouncer | allow pgo update pgbouncer |
UpdateCluster | allow pgo update cluster |
User | allow pgo user |
Version | allow pgo version |
If the user is unauthorized for a pgo command, the user will get back this response:
Error: Authentication Failed: 403
Making Security Changes
Importantly, it is necesssary to redeploy the PostgreSQL Operator prior to giving effect to the user security changes in the pgouser and pgorole files:
make deployoperator
Performing this command will recreate the pgo-config ConfigMap that stores these files and is mounted by the Operator during its initialization.