User Management

Info

FEATURE AVAILABILITY: Available in v5.6.0 and above

In order to log into and use your pgAdmin, you need user credentials. Crunchy Postgres for Kubernetes (CPK) provides a way to manage internal pgAdmin users through the PGAdmin API.

Defining Users

Users are defined in the users field in the PGAdmin custom resource. Below is an example of a PGAdmin manifest with a single user in place:

apiVersion: postgres-operator.crunchydata.com/v1beta1
kind: PGAdmin
metadata:
  name: rhino
spec:
  dataVolumeClaimSpec:
    accessModes:
    - "ReadWriteOnce"
    resources:
      requests:
        storage: 1Gi
  serverGroups:
  - name: supply
    postgresClusterSelector: {}
  users:
  - username: user@example.com
    role: User
    passwordRef:
      name: user-password-secret
      key: password

Info

Note: If a user already exists in pgAdmin, presumably added via the pgAdmin GUI, the operator will not be able to “take control” of that user if it is added to the users field. We therefore recommend committing to one user management method or the other: managing users via the PGAdmin spec or via the pgAdmin GUI.

User Properties

When defining a user, there are three properties that you can set:

  • username (required) - The username for the user. The username for these internal users must be in email format.
  • role (optional) - The role that you want to give this user. The options are Administrator and User. If left unset, the role will default to User.
  • passwordRef (required) - A reference to a Kubernetes Secret and key that hold the password for this user.
    • name (required) - The name of the Secret.
    • key (required) - The key inside the Secret that holds the password.

Given the sensitive nature of passwords, we require that the passwords be stored in Secrets and then obtained by referencing those Secrets in the user spec. Given that the passwordRef references not only the name of the Secret, but also the key that holds a particular password, you can choose to have a separate Secret for each user or you can store multiple passwords in one Secret.

Warning

pgAdmin allows users to set a minimum password length with the PASSWORD_LENGTH_MIN setting. The default minimum password length is 6 characters. If you adjust this setting, ensure your passwords meet the updated minimum.

Example

Let's say you wanted to add two users, where one has admin privileges and the other does not, and you want to store both passwords in one Secret. You would start by creating the Secret:

kubectl create secret generic pgadmin-password-secret -n postgres-operator --from-literal=hippo-password=$HIPPO_USER_PASSWORD --from-literal=elephant-password=$ELEPHANT_USER_PASSWORD

This creates a Secret called pgadmin-password-secret in the postgres-operator namespace, with two keys: hippo-password and elephant-password.

You would then update the users field in your PGAdmin manifest to create these two users and reference the Secret you just created to set the users' passwords.

spec:
  users:
  - username: hippo@example.com
    role: Administrator
    passwordRef:
      name: pgadmin-password-secret
      key: hippo-password
  - username: elephant@example.com
    passwordRef:
      name: pgadmin-password-secret
      key: elephant-password

Notice that the role setting was omitted for the elephant@example.com user and will therefore default to a User role.

If you change the password stored in your Secret, the operator will automatically update the password in pgAdmin. You can also change the passwordRef to point to a different Secret or key. Likewise, you can change a user's role and it will be updated in pgAdmin.

Warning

While the passwordRef and role properties can be changed, a user's username cannot be modified. If you “change” the username for a given user in the spec, the operator will perceive this as the removal of the old user and the creation of a new user. The “old” user will be removed from the Postgres Operator's local database of users; however, the user will not be removed from pgAdmin. If you wish to fully delete any user, you will need to remove the user from your spec and then delete the user via the pgAdmin GUI while logged in as a user with an Administrator role.

Retrieving and editing passwords

If you've forgotten a password, you can either retrieve it from the Secret or change the password altogether. Let's start by retrieving a password.

Following the example in the previous section, let's say we want to retrieve the password for the hippo@example.com user. We can do this with the following command:

Bash:

kubectl get secret/pgadmin-password-secret -n postgres-operator -o 'go-template={{index .data "hippo-password" | base64decode }}'

Powershell:

kubectl get secret/pgadmin-password-secret -n postgres-operator -o 'go-template={{index .data \"hippo-password\" | base64decode }}'

If we instead wanted to change this password, we could do that with the following command:

Bash:

kubectl patch secret/pgadmin-password-secret -n postgres-operator -p='{"stringData":{ "hippo-password" : "$NEW_PASSWORD" }}'

Powershell:

kubectl patch secret/pgadmin-password-secret -n postgres-operator -p='{\"stringData\":{ \"hippo-password\" : \"$NEW_PASSWORD\" }}'

Where "$NEW_PASSWORD" is your new password.