Adding Admin User
Follow these steps to create an admin user for installing the metadata.
- Create an admin role and grant permissions
-- Create an admin role and grant create
CREATE ROLE redadmin_role NOLOGIN ADMIN postgres;
GRANT CREATE ON DATABASE redrepo_db to redadmin_role;
- Create a RED admin user
-- Create the admin user
CREATE USER redadmin_user WITH PASSWORD 'redadmin_pass';
GRANT redadmin_role to redadmin_user;
Adding Users After Metadata Creation
This section assumes you have already created the RED Metadata using the admin user.
- Connect to the repo DB
- Create the RED user role and provide grants.
CREATE ROLE reduser_role NOLOGIN ADMIN postgres;
GRANT USAGE ON SCHEMA red TO reduser_role;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA red TO reduser_role;
GRANT EXECUTE ON ALL PROCEDURES IN SCHEMA red TO reduser_role;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA red TO reduser_role;
Create an individual PostgreSQL user for each developer user of RED.
- Create a RED user and grant the user role.
CREATE USER red_user WITH PASSWORD 'red_pass';
GRANT reduser_role to red_user;
Add a RED Scheduler Role and User
This section assumes you have already created the RED Metadata using the admin user.
- Create the RED Scheduler user role and provide grants.
CREATE ROLE redscheduler_role NOLOGIN ADMIN postgres;
GRANT USAGE ON SCHEMA red TO redscheduler_role;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA red TO redscheduler_role;
GRANT EXECUTE ON ALL PROCEDURES IN SCHEMA red TO redscheduler_role;
We can potentially grant "INSERT, UPDATE, DELETE" to only the ws_wrk tables here, but we still need select on the rest.
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA red TO redscheduler_role;
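The narrower grant mentioned in the note above can be scripted as follows. This is an added example, not part of the RED documentation; it assumes the work tables are exactly the tables in schema red whose names start with ws_wrk and that the scheduler writes to no other table, which should be confirmed in a test repository first.

```sql
-- Added example: least-privilege variant of the scheduler table grant.
-- Assumptions (not confirmed by the RED documentation):
--   * work tables are the tables in schema red named ws_wrk...
--   * the scheduler needs INSERT/UPDATE/DELETE on those tables only
-- Run as the owner of the red schema objects (or a superuser).

-- Start from a known state: drop any blanket table privileges.
REVOKE ALL ON ALL TABLES IN SCHEMA red FROM redscheduler_role;

-- Read access on every table that exists in the schema right now.
-- GRANT ... ON ALL TABLES does not cover tables created later.
GRANT SELECT ON ALL TABLES IN SCHEMA red TO redscheduler_role;

-- Write access only on the ws_wrk tables.
DO $$
DECLARE
    t record;
BEGIN
    FOR t IN
        SELECT schemaname, tablename
        FROM pg_tables
        WHERE schemaname = 'red'
          AND tablename LIKE 'ws\_wrk%'   -- \_ matches a literal underscore
    LOOP
        EXECUTE format(
            'GRANT INSERT, UPDATE, DELETE ON TABLE %I.%I TO redscheduler_role',
            t.schemaname, t.tablename);
    END LOOP;
END
$$;

-- Verify: list every table in schema red the role can still write to.
-- has_table_privilege returns true if ANY of the listed privileges is held,
-- including privileges inherited through PUBLIC or other role memberships.
SELECT tablename
FROM pg_tables
WHERE schemaname = 'red'
  AND has_table_privilege('redscheduler_role',
                          format('%I.%I', schemaname, tablename),
                          'INSERT, UPDATE, DELETE')
ORDER BY tablename;
```

If the verification query returns any table that is not a ws_wrk table, the write privilege is reaching the role through PUBLIC or another role membership and has to be revoked there.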
Grant redscheduler_role select access to the redadmin schema
GRANT USAGE ON SCHEMA redadmin TO redscheduler_role;
GRANT SELECT ON ALL TABLES IN SCHEMA redadmin TO redscheduler_role;
- Create the RED scheduler user and grant the RED Scheduler role
CREATE USER redscheduler_user WITH PASSWORD 'redscheduler_pass';
GRANT redscheduler_role to redscheduler_user;
- Optionally, create the RED Scheduler Profile Role and User, or just use the redadmin_user for Profile maintenance
CREATE ROLE redschedulerprofile_role NOLOGIN ADMIN postgres;
Grant 'red' schema permissions.
GRANT USAGE ON SCHEMA red TO redschedulerprofile_role;
GRANT SELECT ON ALL TABLES IN SCHEMA red TO redschedulerprofile_role;
Grant 'redadmin' schema permissions
GRANT USAGE ON SCHEMA redadmin TO redschedulerprofile_role;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA redadmin TO redschedulerprofile_role;
Create a RED profile admin user and grant the user role
CREATE USER redschedulerprofile_user WITH PASSWORD 'red_pass';
GRANT redschedulerprofile_role to redschedulerprofile_user;
Create an Azkaban User role and user in PostgreSQL
This section assumes you have already created the Azkaban Metadata using the admin user.
- Create the Azkaban metadata user role and provide grants to the Azkaban metadata objects in schema 'white'
CREATE ROLE azkabanmeta_role NOLOGIN ADMIN postgres;
GRANT USAGE ON SCHEMA white TO azkabanmeta_role;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA white TO azkabanmeta_role;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA white TO azkabanmeta_role;
GRANT EXECUTE ON ALL PROCEDURES IN SCHEMA white TO azkabanmeta_role;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA white TO azkabanmeta_role;
- Create an Azkaban meta user and grant the user role
CREATE USER azkabanmeta_user WITH PASSWORD 'azkabanmeta_pass';
GRANT azkabanmeta_role to azkabanmeta_user;
Adding Azkaban Users
If you require additional users for the Azkaban dashboard or API, other than the default users, you can add them following this process:
Create Azkaban accounts by editing the azkaban-users.xml file in the Web Server install directory. Changes to the settings in this file do not take effect until the Azkaban Web Server is restarted.
<web_server_dir>\<server_name>\azkaban-users.xml
For example:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<azkaban-users>
<role name="admin" permissions="ADMIN"/>
<role name="read" permissions="READ"/>
<role name="executor" permissions="EXECUTE"/>
<user username="admin" password="admin" roles="admin"/>
<user username="readonly" password="readonly" roles="read"/>
<user username="executor" password="executor" roles="executor,read"/>
</azkaban-users>
Passwords entered in this file must follow the password encryption settings configured on Azkaban. For more information, refer to the Password Encryption in Azkaban section in RED Scheduler Configuration.
The possible role permissions are the following:
Permissions | Values
---|---
ADMIN | Grants all access to everything in Azkaban.
READ | Gives users read-only access to every project and their logs.
WRITE | Allows users to upload files, change job properties, or remove any project.
EXECUTE | Allows users to trigger the execution of any flow.
SCHEDULE | Users can add or remove schedules for any flows.
CREATEPROJECTS | Allows users to create new projects if project creation is locked down.