Follow these steps to create an admin user for installing the metadata.
-- Group role for the account that installs the metadata.
-- NOLOGIN: nobody can connect as this role directly.
-- ADMIN postgres: the postgres role may grant membership in it to others.
CREATE ROLE redadmin_role
    WITH NOLOGIN
    ADMIN postgres;

-- CREATE on a database lets members create new schemas inside it.
-- redrepo_db must already exist when this statement runs.
GRANT CREATE ON DATABASE redrepo_db TO redadmin_role;
-- Login account used to install the metadata; its rights come only from
-- membership in redadmin_role.
-- 'redadmin_pass' is the example value from this page: substitute a unique,
-- strong password. A password written as a literal can remain in psql
-- history and, depending on logging settings, in the server log; psql's
-- \password command sets it without sending the clear text.
CREATE USER redadmin_user
    WITH PASSWORD 'redadmin_pass';

GRANT redadmin_role TO redadmin_user;
This section assumes you have already created the RED Metadata using the admin user.
-- Group role for RED developer accounts (NOLOGIN: membership only;
-- ADMIN postgres: the postgres role may hand out membership).
CREATE ROLE reduser_role
    WITH NOLOGIN
    ADMIN postgres;

-- Run the grants below while connected to the repository database.
-- "ALL ... IN SCHEMA" covers only objects that exist when the statement
-- runs, which is why the metadata has to be installed first; objects added
-- later need the grants repeated (or ALTER DEFAULT PRIVILEGES).
GRANT USAGE ON SCHEMA red TO reduser_role;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA red TO reduser_role;
GRANT EXECUTE ON ALL PROCEDURES IN SCHEMA red TO reduser_role;
GRANT SELECT, INSERT, UPDATE, DELETE
    ON ALL TABLES IN SCHEMA red
    TO reduser_role;
Create an individual PostgreSQL user for each developer who uses RED.
-- One login per developer: repeat with each person's own user name.
-- 'red_pass' is the example value from this page; give every account its
-- own strong password (psql's \password sets one without a literal in the
-- statement text).
CREATE USER red_user
    WITH PASSWORD 'red_pass';

-- All rights come from the group role, so removing membership removes access.
GRANT reduser_role TO red_user;
This section assumes you have already created the RED Metadata using the admin user.
-- Group role for the RED Scheduler account (NOLOGIN: membership only;
-- ADMIN postgres: the postgres role may hand out membership).
CREATE ROLE redscheduler_role
    WITH NOLOGIN
    ADMIN postgres;

-- Run while connected to the repository database. These grants reach only
-- the functions and procedures that exist at the time they are issued.
GRANT USAGE ON SCHEMA red TO redscheduler_role;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA red TO redscheduler_role;
GRANT EXECUTE ON ALL PROCEDURES IN SCHEMA red TO redscheduler_role;
-- Read/write on every table that currently exists in schema red.
-- The full script on this page notes that INSERT, UPDATE and DELETE could
-- potentially be limited to the ws_wrk tables, with SELECT kept on the rest.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON ALL TABLES IN SCHEMA red
    TO redscheduler_role;
-- Read-only access to schema redadmin for the scheduler role:
-- USAGE to resolve objects in the schema, SELECT on its existing tables.
GRANT USAGE ON SCHEMA redadmin TO redscheduler_role;
GRANT SELECT
    ON ALL TABLES IN SCHEMA redadmin
    TO redscheduler_role;
-- Login account for the RED Scheduler; rights come from redscheduler_role.
-- 'redscheduler_pass' is the example value from this page: use a unique,
-- strong password for this service account.
CREATE USER redscheduler_user
    WITH PASSWORD 'redscheduler_pass';

GRANT redscheduler_role TO redscheduler_user;
-- Group role for Scheduler Profile maintenance (NOLOGIN: membership only;
-- ADMIN postgres: the postgres role may hand out membership).
CREATE ROLE redschedulerprofile_role
    WITH NOLOGIN
    ADMIN postgres;
-- RED Scheduler role and user, plus the optional Scheduler Profile role and
-- user. All passwords below are the example values from this page: replace
-- each with its own strong password before running.

-- Group role for the scheduler (NOLOGIN: membership only; ADMIN postgres:
-- the postgres role may hand out membership).
CREATE ROLE redscheduler_role
    WITH NOLOGIN
    ADMIN postgres;

-- RED 'red' schema permissions.
-- Run these GRANTs after connecting to the repo database; in psql run
-- '\c redrepo_db' to connect to it.
-- "ALL ... IN SCHEMA" covers only objects that exist when the grant runs.
GRANT USAGE ON SCHEMA red TO redscheduler_role;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA red TO redscheduler_role;
GRANT EXECUTE ON ALL PROCEDURES IN SCHEMA red TO redscheduler_role;

-- INSERT, UPDATE and DELETE could potentially be granted on the ws_wrk
-- tables only, but SELECT is still needed on the rest.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON ALL TABLES IN SCHEMA red
    TO redscheduler_role;

-- Read-only access to the redadmin schema for the scheduler role.
GRANT USAGE ON SCHEMA redadmin TO redscheduler_role;
GRANT SELECT
    ON ALL TABLES IN SCHEMA redadmin
    TO redscheduler_role;

-- Scheduler login account; rights come from redscheduler_role.
CREATE USER redscheduler_user
    WITH PASSWORD 'redscheduler_pass';
GRANT redscheduler_role TO redscheduler_user;

-- [OPTIONAL] Scheduler Profile role and user. The alternative is to use
-- redadmin_user for Profile maintenance.
CREATE ROLE redschedulerprofile_role
    WITH NOLOGIN
    ADMIN postgres;

-- RED 'red' schema permissions (read-only for the profile role).
-- Run after connecting to the repo database ('\c redrepo_db' in psql).
GRANT USAGE ON SCHEMA red TO redschedulerprofile_role;
GRANT SELECT
    ON ALL TABLES IN SCHEMA red
    TO redschedulerprofile_role;

-- RED 'redadmin' schema permissions (read/write for the profile role).
GRANT USAGE ON SCHEMA redadmin TO redschedulerprofile_role;
GRANT SELECT, INSERT, UPDATE, DELETE
    ON ALL TABLES IN SCHEMA redadmin
    TO redschedulerprofile_role;

-- Profile admin login account.
-- NOTE(review): 'red_pass' is the same example password this page uses for
-- red_user; do not let the two accounts share a password.
CREATE USER redschedulerprofile_user
    WITH PASSWORD 'red_pass';
GRANT redschedulerprofile_role TO redschedulerprofile_user;
-- Prerequisite: the Azkaban Metadata has already been created using
-- redadmin_user. The grants below reach only objects that exist when they
-- are issued.

-- Group role for access to the Azkaban metadata objects in schema 'white'
-- (NOLOGIN: membership only; ADMIN postgres: the postgres role may hand out
-- membership).
CREATE ROLE azkabanmeta_role
    WITH NOLOGIN
    ADMIN postgres;

-- Azkaban 'white' schema permissions.
-- Run these GRANTs after connecting to the repo database; in psql run
-- '\c redrepo_db' to connect to it.
GRANT USAGE ON SCHEMA white TO azkabanmeta_role;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA white TO azkabanmeta_role;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA white TO azkabanmeta_role;
GRANT EXECUTE ON ALL PROCEDURES IN SCHEMA white TO azkabanmeta_role;
GRANT SELECT, INSERT, UPDATE, DELETE
    ON ALL TABLES IN SCHEMA white
    TO azkabanmeta_role;

-- Azkaban metadata login account; rights come from azkabanmeta_role.
-- 'azkabanmeta_pass' is the example value from this page: use a unique,
-- strong password for this service account.
CREATE USER azkabanmeta_user
    WITH PASSWORD 'azkabanmeta_pass';
GRANT azkabanmeta_role TO azkabanmeta_user;
-- Complete role and user setup for a RED repository with RED Scheduler and
-- Azkaban metadata.
-- Every password in this script is an example value: replace each one with
-- its own strong password. A password written as a literal can remain in
-- psql history and, depending on logging settings, in the server log;
-- psql's \password command sets it without sending the clear text.
-- Every "GRANT ... ON ALL ... IN SCHEMA" reaches only objects that exist
-- when it runs, so each external install step must finish before the grants
-- that follow it.

-- Admin group role, repository database, and the right to create schemas
-- in that database.
-- NOLOGIN: membership only. ADMIN postgres: the postgres role may grant
-- membership in the role to others.
CREATE ROLE redadmin_role
    WITH NOLOGIN
    ADMIN postgres;
CREATE DATABASE redrepo_db;
GRANT CREATE ON DATABASE redrepo_db TO redadmin_role;

-- Admin login account.
CREATE USER redadmin_user
    WITH PASSWORD 'redadmin_pass';
GRANT redadmin_role TO redadmin_user;

-- External Step
--******* External Step: Install Red metadata using the redadmin_user *********
--
-- The statements from here on assume the RED Metadata has already been
-- created using the admin user.

-- RED user role and its grants on the metadata objects.
CREATE ROLE reduser_role
    WITH NOLOGIN
    ADMIN postgres;

-- Run these GRANTs after connecting to the repo database; in psql run
-- '\c redrepo_db' to connect to it.
GRANT USAGE ON SCHEMA red TO reduser_role;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA red TO reduser_role;
GRANT EXECUTE ON ALL PROCEDURES IN SCHEMA red TO reduser_role;
GRANT SELECT, INSERT, UPDATE, DELETE
    ON ALL TABLES IN SCHEMA red
    TO reduser_role;

-- RED user login account (one per developer).
CREATE USER red_user
    WITH PASSWORD 'red_pass';
GRANT reduser_role TO red_user;

-- RED Scheduler role and its grants on the metadata objects.
CREATE ROLE redscheduler_role
    WITH NOLOGIN
    ADMIN postgres;

-- RED 'red' schema permissions.
-- Run after connecting to the repo database ('\c redrepo_db' in psql).
GRANT USAGE ON SCHEMA red TO redscheduler_role;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA red TO redscheduler_role;
GRANT EXECUTE ON ALL PROCEDURES IN SCHEMA red TO redscheduler_role;

-- INSERT, UPDATE and DELETE could potentially be granted on the ws_wrk
-- tables only, but SELECT is still needed on the rest.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON ALL TABLES IN SCHEMA red
    TO redscheduler_role;

-- Read-only access to the redadmin schema for the scheduler role.
GRANT USAGE ON SCHEMA redadmin TO redscheduler_role;
GRANT SELECT
    ON ALL TABLES IN SCHEMA redadmin
    TO redscheduler_role;

-- RED Scheduler login account.
CREATE USER redscheduler_user
    WITH PASSWORD 'redscheduler_pass';
GRANT redscheduler_role TO redscheduler_user;

-- [OPTIONAL] Scheduler Profile role and user. The alternative is to use
-- redadmin_user for Profile maintenance.
CREATE ROLE redschedulerprofile_role
    WITH NOLOGIN
    ADMIN postgres;

-- RED 'red' schema permissions (read-only for the profile role).
-- Run after connecting to the repo database ('\c redrepo_db' in psql).
GRANT USAGE ON SCHEMA red TO redschedulerprofile_role;
GRANT SELECT
    ON ALL TABLES IN SCHEMA red
    TO redschedulerprofile_role;

-- RED 'redadmin' schema permissions (read/write for the profile role).
GRANT USAGE ON SCHEMA redadmin TO redschedulerprofile_role;
GRANT SELECT, INSERT, UPDATE, DELETE
    ON ALL TABLES IN SCHEMA redadmin
    TO redschedulerprofile_role;

-- Profile admin login account.
-- NOTE(review): 'red_pass' repeats the example password of red_user above;
-- do not let the two accounts share a password.
CREATE USER redschedulerprofile_user
    WITH PASSWORD 'red_pass';
GRANT redschedulerprofile_role TO redschedulerprofile_user;

-- External Step
--******* External Step: Install Azkaban Metadata using the redadmin_user *********
--******* This can be done via RedSchedulerInstaller.exe or azkaban-installer.jar
--******* Best way is to use the azkaban-installer.jar upgrade-schema option,
--******* which can install the metadata separately to the Web Server
--******* If RedSchedulerInstaller.exe is used then the Web Server (and Executor)
--******* azkaban.local.properties should be updated after install to use the
--******* scheduler_user rather than redadmin_user
--

-- Azkaban metadata role and its grants on the objects in schema 'white'.
CREATE ROLE azkabanmeta_role
    WITH NOLOGIN
    ADMIN postgres;

-- Azkaban 'white' schema permissions.
-- Run these GRANTs after connecting to the database; in psql run
-- '\c azkabanrepo_db' to connect to it.
-- NOTE(review): this script creates only redrepo_db, and the standalone
-- Azkaban snippet on this page connects to redrepo_db; connect to whichever
-- database the Azkaban metadata was installed into.
GRANT USAGE ON SCHEMA white TO azkabanmeta_role;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA white TO azkabanmeta_role;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA white TO azkabanmeta_role;
GRANT EXECUTE ON ALL PROCEDURES IN SCHEMA white TO azkabanmeta_role;
GRANT SELECT, INSERT, UPDATE, DELETE
    ON ALL TABLES IN SCHEMA white
    TO azkabanmeta_role;

-- Azkaban metadata login account.
CREATE USER azkabanmeta_user
    WITH PASSWORD 'azkabanmeta_pass';
GRANT azkabanmeta_role TO azkabanmeta_user;
If you require additional users for the Azkaban dashboard or API, other than the default users, you can add them following this process:
Create Azkaban accounts by editing the azkaban-users.xml file in the Web Server install directory. Changes to the settings in this file do not take effect until the Azkaban Web Server is restarted.
<web_server_dir>\<server_name>\azkaban-users.xml
For example:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!--
  Azkaban dashboard/API accounts.
  Passwords are stored in this file as plain attribute values, and each
  example user below has a password equal to its user name. Set your own
  passwords and limit read access to this file.
  A role is a named set of permissions; a user may list several roles,
  separated by commas.
  Changes take effect only after the Azkaban Web Server is restarted.
-->
<azkaban-users>
  <!-- Roles -->
  <role name="admin" permissions="ADMIN"/>
  <role name="read" permissions="READ"/>
  <role name="executor" permissions="EXECUTE"/>

  <!-- Users -->
  <user username="admin" password="admin" roles="admin"/>
  <user username="readonly" password="readonly" roles="read"/>
  <user username="executor" password="executor" roles="executor,read"/>
</azkaban-users>
The possible role permissions are the following:
Permissions | Values |
---|---|
ADMIN | Grants all access to everything in Azkaban. |
READ | Gives users read-only access to every project and their logs |
WRITE | Allows users to upload files, change job properties, or remove any project |
EXECUTE | Allows users to trigger the execution of any flow |
SCHEDULE | Users can add or remove schedules for any flows |
CREATEPROJECTS | Allows users to create new projects if project creation is locked down |