tencent cloud

Feedback

User Permission Settings Reference for PostgreSQL Subscription by Connector

Last updated: 2024-09-09 21:42:25

    Background

    When using the CKafka connector to subscribe to a Postgresql database, you need to assign the appropriate permissions to the PostgreSQL users configured in the Connection Management. Only users with the corresponding permissions can synchronize messages when accessing the database from an authorized host.
    This document explains how to set up user permissions and host access permissions.

    User Permission Settings

    Permissions need to be granted based on the decode plugin being used, as different plugins require different permissions.

    User Permissions Settings When the decoderbufs Plugin Is Used

    Log in to the PostgreSQL as a superuser, create a role, and grant the role at least REPLICATION and LOGIN permissions.
    Grant permissions:
    CREATE ROLE userName REPLICATION LOGIN;
    Note
    Superusers have the necessary permissions by default, so if the user is a superuser, you generally don't need to grant the above permissions. However, for security reasons, it is not recommended to use the superuser.

    User Permission Settings When the pgoutput Plugin Is Used

    Caution
    The pgoutput plugin requires the user configured in Connection Management to have superuser permissions.
    Step 1: Verify if the user has superuser permissions.
    // Log in to the postgresql, execute the \\du command to check user permissions.
    postgres=# \\du
    Role name | List of roles Attributes
    admin | Superuser
    postgres | Superuser, Create role, Create DB, Replication, Bypass RLS
    slave | Replication
    
    // If the configured user does not have superuser permissions, grant the permissions with the following command:
    postgres=# ALTER USER userName WITH SUPERUSER;
    Step 2: After the user has superuser permissions, follow these steps to grant the necessary permissions. The connector pgoutput plugin obtains change events by subscribing to publications on the PostgreSQL node. You can either manually create the publication before starting the connector or grant the configured user the permissions to create publications. Grant the user the following permissions: Replication,CREATE, and SELECT.
    CREATE ROLE userName REPLICATION LOGIN;
    
    GRANT CREATE ON DATABASE databaseName TO userName;
    
    GRANT SELECT ON TABLE tableName TO userName;
    The user configured in Connection Management needs to have owner permissions of the subscribed tables. You can grant the user owner permissions as follows:
    1. Create a replication group.
    CREATE ROLE <replication_group>;
    2. Add the owner of the table to the replication group.
    GRANT REPLICATION_GROUP TO <original_owner>;
    3. Add the connector user to the replication group.
    GRANT REPLICATION_GROUP TO <replication_user>;
    4. Transfer the owner permissions of the table to the replication group.
    ALTER TABLE <table_name> OWNER TO REPLICATION_GROUP;

    Host Access Permission Settings (Required for Self-Built Clusters)

    You need to configure the database to allow the host access of the connector. This can be done by setting the corresponding policies in the pg_hba.conf file. For detailed information about pg_hba.conf, see pg_hba.conf. The configuration file format is as follows:
    host databaseName userName 11.163.0.0/16 md5
    host databaseName userName 11.163.0.0/16 trust
    
    
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support