- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Instance Management
- Creating Instance
- Naming with Consecutive Numeric Suffixes or Designated Pattern String
- Viewing Instance
- Upgrading Instance
- Downgrading Instance Configuration
- Terminating/Returning Instances
- Change from Pay-as-You-Go to Monthly Subscription
- Upgrading Instance Version
- Adding Routing Policy
- Public Network Bandwidth Management
- Connecting to Prometheus
- AZ Migration
- Setting Maintenance Time
- Setting Message Size
- Topic Management
- Consumer Group
- Monitoring and Alarms
- Smart Ops
- Permission Management
- Tag Management
- Querying Message
- Event Center
- Migration to Cloud
- Data Compression
- Instance Management
- CKafka Connector
- Practical Tutorial
- Practical Tutorial of CKafka Client
- Connector Practical Tutorial
- Connecting Flink to CKafka
- Connecting Schema Registry to CKafka
- Connecting Spark Streaming to CKafka
- Connecting Flume to CKafka
- Connecting Kafka Connect to CKafka
- Connecting Storm to CKafka
- Connecting Logstash to CKafka
- Connecting Filebeat to CKafka
- Multi-AZ Deployment
- Log Access
- Replacing Supportive Route (Old)
- Troubleshooting
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- DataHub APIs
- ACL APIs
- Topic APIs
- BatchModifyGroupOffsets
- BatchModifyTopicAttributes
- CreateConsumer
- CreateDatahubTopic
- CreatePartition
- CreateTopic
- CreateTopicIpWhiteList
- DeleteTopic
- DeleteTopicIpWhiteList
- DescribeDatahubTopic
- DescribeTopic
- DescribeTopicAttributes
- DescribeTopicDetail
- DescribeTopicProduceConnection
- DescribeTopicSubscribeGroup
- FetchMessageByOffset
- FetchMessageListByOffset
- ModifyDatahubTopic
- ModifyTopicAttributes
- DescribeTopicSyncReplica
- Instance APIs
- Route APIs
- Other APIs
- Data Types
- Error Codes
- SDK Documentation
- General References
- Conducting Production and Consumption Pressure Testing on CKafka
- Configuration Guide for Common Parameters in CKafka
- Connecting to Legacy Self-Built Kafka
- Suggestions for CKafka Version Selection
- CKafka Data Reliability Description
- Connector
- FAQs
- Service Level Agreement
- Contact Us
- Glossary
- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Instance Management
- Creating Instance
- Naming with Consecutive Numeric Suffixes or Designated Pattern String
- Viewing Instance
- Upgrading Instance
- Downgrading Instance Configuration
- Terminating/Returning Instances
- Change from Pay-as-You-Go to Monthly Subscription
- Upgrading Instance Version
- Adding Routing Policy
- Public Network Bandwidth Management
- Connecting to Prometheus
- AZ Migration
- Setting Maintenance Time
- Setting Message Size
- Topic Management
- Consumer Group
- Monitoring and Alarms
- Smart Ops
- Permission Management
- Tag Management
- Querying Message
- Event Center
- Migration to Cloud
- Data Compression
- Instance Management
- CKafka Connector
- Practical Tutorial
- Practical Tutorial of CKafka Client
- Connector Practical Tutorial
- Connecting Flink to CKafka
- Connecting Schema Registry to CKafka
- Connecting Spark Streaming to CKafka
- Connecting Flume to CKafka
- Connecting Kafka Connect to CKafka
- Connecting Storm to CKafka
- Connecting Logstash to CKafka
- Connecting Filebeat to CKafka
- Multi-AZ Deployment
- Log Access
- Replacing Supportive Route (Old)
- Troubleshooting
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- DataHub APIs
- ACL APIs
- Topic APIs
- BatchModifyGroupOffsets
- BatchModifyTopicAttributes
- CreateConsumer
- CreateDatahubTopic
- CreatePartition
- CreateTopic
- CreateTopicIpWhiteList
- DeleteTopic
- DeleteTopicIpWhiteList
- DescribeDatahubTopic
- DescribeTopic
- DescribeTopicAttributes
- DescribeTopicDetail
- DescribeTopicProduceConnection
- DescribeTopicSubscribeGroup
- FetchMessageByOffset
- FetchMessageListByOffset
- ModifyDatahubTopic
- ModifyTopicAttributes
- DescribeTopicSyncReplica
- Instance APIs
- Route APIs
- Other APIs
- Data Types
- Error Codes
- SDK Documentation
- General References
- Conducting Production and Consumption Pressure Testing on CKafka
- Configuration Guide for Common Parameters in CKafka
- Connecting to Legacy Self-Built Kafka
- Suggestions for CKafka Version Selection
- CKafka Data Reliability Description
- Connector
- FAQs
- Service Level Agreement
- Contact Us
- Glossary
User Permission Settings Reference for PostgreSQL Subscription by Connector
Last updated: 2024-09-09 21:42:25
Background
When using the CKafka connector to subscribe to a Postgresql database, you need to assign the appropriate permissions to the PostgreSQL users configured in the Connection Management. Only users with the corresponding permissions can synchronize messages when accessing the database from an authorized host.
This document explains how to set up user permissions and host access permissions.
User Permission Settings
Permissions need to be granted based on the decode plugin being used, as different plugins require different permissions.
User Permissions Settings When the decoderbufs Plugin Is Used
Log in to the PostgreSQL as a superuser, create a role, and grant the role at least
REPLICATION and LOGIN permissions.Grant permissions:
CREATE ROLE userName REPLICATION LOGIN;
Note
Superusers have the necessary permissions by default, so if the user is a superuser, you generally don't need to grant the above permissions. However, for security reasons, it is not recommended to use the superuser.
User Permission Settings When the pgoutput Plugin Is Used
Caution
The pgoutput plugin requires the user configured in Connection Management to have superuser permissions.
Step 1: Verify if the user has superuser permissions.
// Log in to the postgresql, execute the \\du command to check user permissions.postgres=# \\duRole name | List of roles Attributesadmin | Superuserpostgres | Superuser, Create role, Create DB, Replication, Bypass RLSslave | Replication// If the configured user does not have superuser permissions, grant the permissions with the following command:postgres=# ALTER USER userName WITH SUPERUSER;
Step 2: After the user has superuser permissions, follow these steps to grant the necessary permissions.
The connector pgoutput plugin obtains change events by subscribing to publications on the PostgreSQL node. You can either manually create the publication before starting the connector or grant the configured user the permissions to create publications.
Grant the user the following permissions:
Replication,CREATE, and SELECT.CREATE ROLE userName REPLICATION LOGIN;GRANT CREATE ON DATABASE databaseName TO userName;GRANT SELECT ON TABLE tableName TO userName;
The user configured in Connection Management needs to have owner permissions of the subscribed tables. You can grant the user owner permissions as follows:
1. Create a replication group.
CREATE ROLE <replication_group>;
2. Add the owner of the table to the replication group.
GRANT REPLICATION_GROUP TO <original_owner>;
3. Add the connector user to the replication group.
GRANT REPLICATION_GROUP TO <replication_user>;
4. Transfer the owner permissions of the table to the replication group.
ALTER TABLE <table_name> OWNER TO REPLICATION_GROUP;
Host Access Permission Settings (Required for Self-Built Clusters)
You need to configure the database to allow the host access of the connector. This can be done by setting the corresponding policies in the
pg_hba.conf file. For detailed information about pg_hba.conf, see pg_hba.conf. The configuration file format is as follows:host databaseName userName 11.163.0.0/16 md5host databaseName userName 11.163.0.0/16 trust
Yes
No
Was this page helpful?