When a Postgres Pro Shardman cluster is initialized, security-related settings are taken from the initialization file. You can change them later, but do this with care and remember that in most cases, the change will require a DBMS restart.
A Postgres Pro Shardman cluster has two special users: administrative and replication. Postgres Pro Shardman manages controlled DBMS instances with the administrative user. BiHA needs the replication user for replication between controlled DBMS instances.
Security-related settings from the initialization file specify:
Authentication methods for administrative and replication users — PgSuAuthMethod, PgReplAuthMethod
Usernames for administrative and replication users — PgSuUsername, PgReplUsername
Passwords for administrative and replication users — PgSuPassword, PgReplPassword
pg_hba.conf rules used by DBMS instances — ShardSpec.pgHBA
See Section 18.20.2 for detailed descriptions of these settings.
To change security-related user settings, perform these steps:
Check that the user that you want to specify in PgReplUsername/PgSuUsername exists with REPLICATION/SUPERUSER privileges on all replication groups in the cluster and that its password matches the new PgReplPassword/PgSuPassword setting.
If this is true, create a dump of the shardman/cluster0/data/cluster etcd key (here and further, the name of the Postgres Pro Shardman cluster is assumed to be cluster0). For example:
$ etcdctl --endpoints etcdserver:2379 get --print-value-only shardman/cluster0/data/cluster | jq . > clusterdata.json
This example creates the dump of the data/cluster key for the Postgres Pro Shardman cluster named cluster0 from the etcd server etcdserver listening on port 2379, formats the dump with jq and saves it to the clusterdata.json file.
Edit the dump as necessary and store it back in etcd:
$ cat clusterdata.json | etcdctl --endpoints etcdserver:2379 put shardman/cluster0/data/cluster
Modifying these settings will lead to a DBMS restart.
Unlike the above settings, the ShardSpec.pgHBA setting can be changed online. To do this, perform these steps:
Extract the ShardSpec definition from shardman/cluster0/data/cluster, save it to a file, modify it as necessary and update the cluster settings with the shardmanctl config update command:
$ etcdctl --endpoints etcdserver:2379 get --print-value-only shardman/cluster0/data/cluster | jq .Spec.ShardSpec > shardspec.json
Edit shardspec.json and replace the
ShardSpec.pgHBA definition with the appropriate one, for example:
"pgHBA": [
"host all postgres 0.0.0.0/0 scram-sha-256",
"host replication postgres 0.0.0.0/0 scram-sha-256",
"host replication postgres ::0/0 scram-sha-256",
"host all someuser 0.0.0.0/0 scram-sha-256"
],
Apply the edited shardspec.json file:
$ shardmanctl --store-endpoints etcdserver:2379 --cluster-name cluster0 config update -f shardspec.json
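A pre-flight check for the edited shardspec.json before running config update, added here as an example that is not part of the Postgres Pro Shardman documentation or tooling: it parses each pgHBA rule, flags trust/password/md5 methods, confirms that a scram-sha-256 replication rule exists for the replication user (assumed here to be postgres, as in the example above), and rewrites weak rules. The sample shardspec.json contents are constructed.

```python
import json
# Constructed sample of a shardspec.json file as produced by
# `etcdctl ... | jq .Spec.ShardSpec > shardspec.json`; the rules are invented.
SHARDSPEC_JSON = """{
  "pgHBA": [
    "host all postgres 0.0.0.0/0 trust",
    "host replication postgres 0.0.0.0/0 md5",
    "local all all peer"
  ]
}"""
WEAK_METHODS = {"trust", "password", "md5"}  # no salted challenge-response; the page's example uses scram-sha-256

def parse_rule(rule: str) -> dict[str, str]:
    """Split a pg_hba.conf line into its positional fields; trailing auth options are ignored."""
    f = rule.split()
    if f and f[0] == "local" and len(f) >= 4:  # local lines carry no address field
        return {"type": f[0], "database": f[1], "user": f[2], "address": "", "method": f[3]}
    if len(f) >= 5:
        return {"type": f[0], "database": f[1], "user": f[2], "address": f[3], "method": f[4]}
    raise ValueError(f"malformed pg_hba rule: {rule!r}")

def lint_pg_hba(rules: list[str], repl_user: str) -> list[str]:
    """Return findings that should block applying this pgHBA list to the cluster."""
    findings, repl_ok = [], False
    for rule in rules:
        r = parse_rule(rule)
        if r["method"] in WEAK_METHODS:
            findings.append(f"{rule!r}: method {r['method']} is weak, use scram-sha-256")
        if r["database"] == "replication" and r["user"] == repl_user and r["method"] == "scram-sha-256":
            repl_ok = True
    if not repl_ok:  # without this rule the replication user cannot authenticate with its SCRAM password
        findings.append(f"no scram-sha-256 replication rule for user {repl_user!r}")
    return findings

def harden_pg_hba(rules: list[str]) -> list[str]:
    """Rewrite rules that use a weak method to scram-sha-256 (auth options on those rules are dropped)."""
    out = []
    for rule in rules:
        r = parse_rule(rule)
        if r["method"] in WEAK_METHODS:
            rule = " ".join(x for x in (r["type"], r["database"], r["user"], r["address"], "scram-sha-256") if x)
        out.append(rule)
    return out

def harden_spec(spec_json: str, repl_user: str) -> tuple[str, list[str]]:
    """Harden pgHBA in a shardspec.json document; pass the text to shardmanctl only if findings is empty."""
    spec = json.loads(spec_json)
    spec["pgHBA"] = harden_pg_hba(spec["pgHBA"])
    return json.dumps(spec, indent=2), lint_pg_hba(spec["pgHBA"], repl_user)
```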