When a Postgres Pro Shardman cluster is initialized, security-related settings are taken from the initialization file. You can change them later, but do this with care and remember that in most cases, the change will require a DBMS restart.
A Postgres Pro Shardman cluster has two special users: administrative and replication. Postgres Pro Shardman manages controlled DBMS instances with administrative users. BiHA needs replication users for replication between controlled DBMS instances.
Security-related settings from the initialization file specify:
Authentication methods for administrative and replication users: PgSuAuthMethod, PgReplAuthMethod
Usernames for administrative and replication users: PgSuUsername, PgReplUsername
Passwords for administrative and replication users: PgSuPassword, PgReplPassword
pg_hba.conf rules used by DBMS instances: ShardSpec.pgHBA
See Section 18.20.2 for detailed descriptions of these settings.
To change security-related user settings, perform these steps:
Change the password for the postgres user in the cluster0 cluster:
$ shardmanctl --cluster-name cluster0 config update credentials --user postgres --password newpassword --yes
Update SSL certificates:
$ shardmanctl --cluster-name cluster0 config update credentials --user postgres --ssl-cert /path/to/cert.pem --ssl-key /path/to/key.pem --yes
Modifying these settings will lead to a DBMS restart.
Unlike the above settings, the ShardSpec.pgHBA setting can be changed online. To do this, perform these steps:
Extract the current ShardSpec definition, save it to a file, and modify it as necessary:
$ shardmanctl --cluster-name cluster0 store get -a shardspec -f shardspec.json
Edit shardspec.json and replace the ShardSpec.pgHBA definition with the appropriate one, for example:
"pgHBA": [
  "host all postgres 0.0.0.0/0 scram-sha-256",
  "host replication postgres 0.0.0.0/0 scram-sha-256",
  "host replication postgres ::0/0 scram-sha-256",
  "host all someuser 0.0.0.0/0 scram-sha-256"
],
Apply the edited shardspec.json file:
$ shardmanctl --cluster-name cluster0 config update -f shardspec.json
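A check that can be run over the edited shardspec.json before it is applied, flagging pgHBA rules that use a weak authentication method or match any client address. This is an added example, not part of the Shardman documentation or tooling; it assumes pgHBA is a top-level array in the file, and the function names and the last two sample rules are constructed here.

```python
import ipaddress
import json

# Methods that give no or weak protection to the credential.
WEAK_METHODS = {"trust": "no authentication",
                "password": "password sent in cleartext",
                "md5": "weaker MD5 challenge-response"}
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
OPEN = "matches any client address"

def audit_rule(rule):
    """Return findings for one pg_hba.conf rule; an empty list means none."""
    f = rule.split()
    if len(f) >= 4 and f[0] == "local":
        address, method = None, f[3]
    elif len(f) >= 5 and f[0] in HOST_TYPES:
        address, method = f[3], f[4]
    else:
        return ["unparsed rule, review by hand"]
    net = None
    if address and address != "all":
        try:
            net = ipaddress.ip_network(address, strict=False)
        except ValueError:
            pass  # hostname, samehost or samenet: not evaluated here
        if net is not None and "/" not in address:
            return ["separate netmask form, review by hand"]
    findings = []
    if method in WEAK_METHODS:
        findings.append(f"method {method}: {WEAK_METHODS[method]}")
    if address == "all" or (net is not None and net.prefixlen == 0):
        findings.append(OPEN)
    return findings

def audit_shardspec(text):
    """Map each pgHBA rule to its findings. Assumes a top-level "pgHBA" array."""
    return {rule: audit_rule(rule) for rule in json.loads(text)["pgHBA"]}

# Constructed sample: two rules from the page's example, two made up here.
SAMPLE = json.dumps({"pgHBA": [
    "host all postgres 0.0.0.0/0 scram-sha-256",
    "host replication postgres ::0/0 scram-sha-256",
    "host all someuser 10.0.0.0/8 md5",
    "hostssl all someuser 192.168.10.0/24 scram-sha-256",
]})

if __name__ == "__main__":
    for rule, findings in audit_shardspec(SAMPLE).items():
        print("WARN" if findings else "OK  ", rule, findings)
```

To check a real file, pass the contents of shardspec.json to audit_shardspec() in place of SAMPLE.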