Adding Admin User
Follow these steps to create an admin user for installing the metadata.
- Create an admin role and grant permissions
-- Create a group role for RED administration. NOLOGIN means nobody can connect as this role directly.
-- ADMIN postgres adds the postgres role as a member WITH ADMIN OPTION, so postgres can grant
-- membership in redadmin_role to other roles.
CREATE ROLE redadmin_role NOLOGIN ADMIN postgres;
-- CREATE on a database lets members create new schemas in it. redrepo_db must already exist
-- when this statement runs.
GRANT CREATE ON DATABASE redrepo_db to redadmin_role;
- Create a RED admin user
-- Create the login account used to install the metadata (CREATE USER is CREATE ROLE with LOGIN).
-- 'redadmin_pass' is a sample value: substitute a unique, strong password. A password written in the
-- statement text is sent to the server in cleartext and can be recorded in the psql history or the
-- server log; psql's \password meta-command sets it without exposing the cleartext.
CREATE USER redadmin_user WITH PASSWORD 'redadmin_pass';
-- Membership gives redadmin_user the privileges held by redadmin_role.
GRANT redadmin_role to redadmin_user;
This section assumes you have already created the RED Metadata using the admin user.
- Connect to the repo DB
- Create the RED user role and provide grants.
-- Group role for RED users. NOLOGIN keeps it from being used to connect directly; ADMIN postgres
-- lets the postgres role grant membership in it.
CREATE ROLE reduser_role NOLOGIN ADMIN postgres;
-- USAGE allows members to reference objects in schema red; object access still needs the grants below.
GRANT USAGE ON SCHEMA red TO reduser_role;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA red TO reduser_role;
-- ALL PROCEDURES requires PostgreSQL 11 or later.
GRANT EXECUTE ON ALL PROCEDURES IN SCHEMA red TO reduser_role;
-- "ALL ... IN SCHEMA" grants apply only to objects that exist when the statement runs. Objects
-- created later are not covered: re-run these grants or configure ALTER DEFAULT PRIVILEGES.
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA red TO reduser_role;
- Create a RED user and grant the user role.
-- Login account for a RED user. 'red_pass' is a sample value: give each account its own strong
-- password. psql's \password avoids leaving the cleartext in the command history or server log.
CREATE USER red_user WITH PASSWORD 'red_pass';
-- All object privileges come from role membership, so access can be changed in one place.
GRANT reduser_role to red_user;
Add a RED Scheduler Role and User
This section assumes you have already created the RED Metadata using the admin user.
- Create the RED Scheduler user role and provide grants.
-- Group role for the RED Scheduler service. NOLOGIN: used only to carry privileges, never to connect.
CREATE ROLE redscheduler_role NOLOGIN ADMIN postgres;
-- USAGE allows members to reference objects in schema red.
GRANT USAGE ON SCHEMA red TO redscheduler_role;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA red TO redscheduler_role;
-- ALL PROCEDURES requires PostgreSQL 11 or later.
GRANT EXECUTE ON ALL PROCEDURES IN SCHEMA red TO redscheduler_role;
We can potentially grant "INSERT, UPDATE, DELETE" to only the ws_wrk tables here, but we still need select on the rest.
-- Read and write access to every table that currently exists in schema red. If write access is
-- narrowed to the ws_wrk tables as the page suggests, SELECT on the remaining tables must be kept.
-- Tables created after this statement runs are not covered and need the grant repeated.
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA red TO redscheduler_role;
Grant redscheduler_role select access to the redadmin schema
-- Read-only access to schema redadmin: USAGE to reference its objects, SELECT on its existing tables.
GRANT USAGE ON SCHEMA redadmin TO redscheduler_role;
GRANT SELECT ON ALL TABLES IN SCHEMA redadmin TO redscheduler_role;
- Create the RED scheduler user and grant the RED Scheduler role
-- Login account for the scheduler service. 'redscheduler_pass' is a sample value: replace it with a
-- unique, strong password and use the same value wherever the scheduler's connection is configured.
CREATE USER redscheduler_user WITH PASSWORD 'redscheduler_pass';
-- The account gets its privileges only through membership in redscheduler_role.
GRANT redscheduler_role to redscheduler_user;
- [OPTIONALLY] create the RED Scheduler Profile Role and User, or just use the redadmin_user for Profile maintenance
-- Optional dedicated role for Profile maintenance, so that task does not require redadmin_user.
-- NOLOGIN: the role only carries privileges; ADMIN postgres lets postgres grant membership in it.
CREATE ROLE redschedulerprofile_role NOLOGIN ADMIN postgres;
- RED 'red' schema permissions
-- Run these GRANTs while connected to the repo database; in psql, '\c redrepo_db' connects to it.
-- Schema-level grants apply to the database of the current connection.
GRANT USAGE ON SCHEMA red TO redschedulerprofile_role;
-- Read-only on schema red.
GRANT SELECT ON ALL TABLES IN SCHEMA red TO redschedulerprofile_role;
-- RED 'redadmin' schema permissions: read and write on the tables that exist when this runs.
GRANT USAGE ON SCHEMA redadmin TO redschedulerprofile_role;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA redadmin TO redschedulerprofile_role;
-- Create a RED profile admin user and grant the user role.
-- 'red_pass' is a sample value and is also the sample password shown for red_user on this page;
-- give this account a different, strong password.
CREATE USER redschedulerprofile_user WITH PASSWORD 'red_pass';
GRANT redschedulerprofile_role to redschedulerprofile_user;
-- Create the RED Scheduler user role and grant it access to the metadata objects.
-- NOLOGIN: the role only carries privileges; ADMIN postgres lets postgres grant membership in it.
CREATE ROLE redscheduler_role NOLOGIN ADMIN postgres;
-- RED 'red' schema permissions
-- Run these GRANTs while connected to the repo database; in psql, '\c redrepo_db' connects to it.
GRANT USAGE ON SCHEMA red TO redscheduler_role;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA red TO redscheduler_role;
-- ALL PROCEDURES requires PostgreSQL 11 or later.
GRANT EXECUTE ON ALL PROCEDURES IN SCHEMA red TO redscheduler_role;
-- INSERT, UPDATE and DELETE could potentially be limited to the ws_wrk tables, but SELECT is still
-- needed on the rest. "ALL TABLES IN SCHEMA" covers only tables that exist when the statement runs.
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA red TO redscheduler_role;
-- Grant redscheduler_role read-only access to the redadmin schema
GRANT USAGE ON SCHEMA redadmin TO redscheduler_role;
GRANT SELECT ON ALL TABLES IN SCHEMA redadmin TO redscheduler_role;
-- Create the RED scheduler user and grant the RED Scheduler role.
-- 'redscheduler_pass' is a sample value: replace it with a unique, strong password.
CREATE USER redscheduler_user WITH PASSWORD 'redscheduler_pass';
GRANT redscheduler_role to redscheduler_user;
-- [OPTIONALLY] create the RED Scheduler Profile role and user, or just use redadmin_user for Profile maintenance.
-- A dedicated role keeps Profile maintenance from needing the admin account.
CREATE ROLE redschedulerprofile_role NOLOGIN ADMIN postgres;
-- RED 'red' schema permissions (read-only)
-- Run these GRANTs while connected to the repo database; in psql, '\c redrepo_db' connects to it.
GRANT USAGE ON SCHEMA red TO redschedulerprofile_role;
GRANT SELECT ON ALL TABLES IN SCHEMA red TO redschedulerprofile_role;
-- RED 'redadmin' schema permissions (read and write)
GRANT USAGE ON SCHEMA redadmin TO redschedulerprofile_role;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA redadmin TO redschedulerprofile_role;
-- Create a RED profile admin user and grant the user role.
-- 'red_pass' is a sample value and is also the sample password shown for red_user on this page;
-- give this account a different, strong password.
CREATE USER redschedulerprofile_user WITH PASSWORD 'red_pass';
GRANT redschedulerprofile_role to redschedulerprofile_user;
6. Create an Azkaban user role and user in PostgreSQL
-- Note: this set of statements assumes you have already created
-- the Azkaban Metadata using the redadmin_user.
-- Create the Azkaban metadata user role and grant it access to the Azkaban metadata objects in schema 'white'.
-- NOLOGIN: the role only carries privileges; ADMIN postgres lets postgres grant membership in it.
CREATE ROLE azkabanmeta_role NOLOGIN ADMIN postgres;
-- Azkaban 'white' schema permissions
-- Run these GRANTs while connected to the repo database; in psql, '\c redrepo_db' connects to it.
-- NOTE(review): the Examples section on this page connects to 'azkabanrepo_db' for these same
-- grants; confirm which database holds schema 'white' in your installation.
GRANT USAGE ON SCHEMA white TO azkabanmeta_role;
-- USAGE on a sequence permits currval and nextval.
GRANT USAGE ON ALL SEQUENCES IN SCHEMA white TO azkabanmeta_role;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA white TO azkabanmeta_role;
-- ALL PROCEDURES requires PostgreSQL 11 or later.
GRANT EXECUTE ON ALL PROCEDURES IN SCHEMA white TO azkabanmeta_role;
-- "ALL ... IN SCHEMA" grants cover only objects that exist when the statement runs; repeat them
-- (or configure ALTER DEFAULT PRIVILEGES) for objects created later.
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA white TO azkabanmeta_role;
-- Create an Azkaban meta user and grant the user role.
-- 'azkabanmeta_pass' is a sample value: replace it with a unique, strong password.
CREATE USER azkabanmeta_user WITH PASSWORD 'azkabanmeta_pass';
GRANT azkabanmeta_role to azkabanmeta_user;
Examples
-- Every password literal in this script is a sample value. Replace each with a unique, strong
-- password; a password written in the statement text is sent in cleartext and can be recorded in
-- the psql history or the server log (psql's \password sets it without exposing the cleartext).
-- Create an admin role and the repo database, then grant CREATE on the database.
-- NOLOGIN roles only carry privileges; ADMIN postgres lets the postgres role grant membership in them.
CREATE ROLE redadmin_role NOLOGIN ADMIN postgres;
CREATE DATABASE redrepo_db;
-- CREATE on a database lets members create new schemas in it.
GRANT CREATE ON DATABASE redrepo_db to redadmin_role;
-- Create the admin user
CREATE USER redadmin_user WITH PASSWORD 'redadmin_pass';
GRANT redadmin_role to redadmin_user;
-- External Step
--******* External Step: Install Red metadata using the redadmin_user *********
--
-- Note: this set of statements assumes you have already created
-- the RED Metadata using the admin user.
-- Create the RED user role and grant it access to the metadata objects
CREATE ROLE reduser_role NOLOGIN ADMIN postgres;
-- Run these GRANTs while connected to the repo database; in psql, '\c redrepo_db' connects to it.
-- "ALL ... IN SCHEMA" grants cover only objects that exist when the statement runs; repeat them
-- (or configure ALTER DEFAULT PRIVILEGES) for objects created later.
GRANT USAGE ON SCHEMA red TO reduser_role;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA red TO reduser_role;
-- ALL PROCEDURES requires PostgreSQL 11 or later.
GRANT EXECUTE ON ALL PROCEDURES IN SCHEMA red TO reduser_role;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA red TO reduser_role;
-- Create a RED user and grant the user role
CREATE USER red_user WITH PASSWORD 'red_pass';
GRANT reduser_role to red_user;
-- Create the RED Scheduler user role and grant it access to the metadata objects
CREATE ROLE redscheduler_role NOLOGIN ADMIN postgres;
-- RED 'red' schema permissions
-- Run these GRANTs while connected to the repo database; in psql, '\c redrepo_db' connects to it.
GRANT USAGE ON SCHEMA red TO redscheduler_role;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA red TO redscheduler_role;
GRANT EXECUTE ON ALL PROCEDURES IN SCHEMA red TO redscheduler_role;
-- INSERT, UPDATE and DELETE could potentially be limited to the ws_wrk tables, but SELECT is still needed on the rest
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA red TO redscheduler_role;
-- Grant redscheduler_role read-only access to the redadmin schema
GRANT USAGE ON SCHEMA redadmin TO redscheduler_role;
GRANT SELECT ON ALL TABLES IN SCHEMA redadmin TO redscheduler_role;
-- Create the RED scheduler user and grant the RED Scheduler role
CREATE USER redscheduler_user WITH PASSWORD 'redscheduler_pass';
GRANT redscheduler_role to redscheduler_user;
-- [OPTIONALLY] create the RED Scheduler Profile role and user, or just use redadmin_user for Profile maintenance.
-- A dedicated role keeps Profile maintenance from needing the admin account.
CREATE ROLE redschedulerprofile_role NOLOGIN ADMIN postgres;
-- RED 'red' schema permissions (read-only)
-- Run these GRANTs while connected to the repo database; in psql, '\c redrepo_db' connects to it.
GRANT USAGE ON SCHEMA red TO redschedulerprofile_role;
GRANT SELECT ON ALL TABLES IN SCHEMA red TO redschedulerprofile_role;
-- RED 'redadmin' schema permissions (read and write)
GRANT USAGE ON SCHEMA redadmin TO redschedulerprofile_role;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA redadmin TO redschedulerprofile_role;
-- Create a RED profile admin user and grant the user role.
-- The sample password here is the same literal as red_user's above; use a different one.
CREATE USER redschedulerprofile_user WITH PASSWORD 'red_pass';
GRANT redschedulerprofile_role to redschedulerprofile_user;
-- External Step
--******* External Step: Install Azkaban Metadata using the redadmin_user *********
--******* -- This can be done via RedSchedulerInstaller.exe or azkaban-installer.jar
--******* -- The best way is to use the azkaban-installer.jar upgrade-schema option, which can install the metadata separately from the Web Server
--******* -- If RedSchedulerInstaller.exe is used then the Web Server (and Executor) azkaban.local.properties should be updated after install to use the scheduler_user rather than redadmin_user
--
-- Create the Azkaban metadata user role and grant it access to the Azkaban metadata objects in schema 'white'
CREATE ROLE azkabanmeta_role NOLOGIN ADMIN postgres;
-- Azkaban 'white' schema permissions
-- Run these GRANTs while connected to the Azkaban database; in psql, '\c azkabanrepo_db' connects to it.
-- NOTE(review): this script never creates azkabanrepo_db, and step 6 on this page connects to
-- 'redrepo_db' for the same grants; confirm which database holds schema 'white'.
GRANT USAGE ON SCHEMA white TO azkabanmeta_role;
-- USAGE on a sequence permits currval and nextval.
GRANT USAGE ON ALL SEQUENCES IN SCHEMA white TO azkabanmeta_role;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA white TO azkabanmeta_role;
GRANT EXECUTE ON ALL PROCEDURES IN SCHEMA white TO azkabanmeta_role;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA white TO azkabanmeta_role;
-- Create an Azkaban meta user and grant the user role
CREATE USER azkabanmeta_user WITH PASSWORD 'azkabanmeta_pass';
GRANT azkabanmeta_role to azkabanmeta_user;
Adding Azkaban Users
If you require additional users for the Azkaban dashboard or API, other than the default users, you can add them following this process:
Create Azkaban accounts by editing the azkaban-users.xml file in the Web Server install directory. Changes to the settings in this file do not take effect until the Azkaban Web Server is restarted.
<web_server_dir>\<server_name>\azkaban-users.xml
For example:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Sample accounts only: each password below equals its username and is stored in this file as
     plain text. Replace them with unique passwords before the Web Server is reachable by other
     users, and restrict read access to this file to the account that runs the Web Server. -->
<azkaban-users>
<!-- Each role binds a role name to a permission. -->
<role name="admin" permissions="ADMIN"/>
<role name="read" permissions="READ"/>
<role name="executor" permissions="EXECUTE"/>
<!-- Each user lists the roles it holds, comma-separated. The admin role carries ADMIN, which
     grants all access, so assign it to as few accounts as possible. -->
<user username="admin" password="admin" roles="admin"/>
<user username="readonly" password="readonly" roles="read"/>
<user username="executor" password="executor" roles="executor,read"/>
</azkaban-users>
The possible role permissions are the following:
Permissions | Values |
---|---|
ADMIN | Grants all access to everything in Azkaban. |
READ | Gives users read-only access to every project and their logs |
WRITE | Allows users to upload files, change job properties, or remove any project |
EXECUTE | Allows users to trigger the execution of any flow |
SCHEDULE | Users can add or remove schedules for any flows |
CREATEPROJECTS | Allows users to create new projects if project creation is locked down |