tencent cloud

피드백

User Permission Settings Reference for PostgreSQL Subscription by Connector

마지막 업데이트 시간:2024-09-09 21:42:25

    Background

    When using the CKafka connector to subscribe to a Postgresql database, you need to assign the appropriate permissions to the PostgreSQL users configured in the Connection Management. Only users with the corresponding permissions can synchronize messages when accessing the database from an authorized host.
    This document explains how to set up user permissions and host access permissions.

    User Permission Settings

    Permissions need to be granted based on the decode plugin being used, as different plugins require different permissions.

    User Permissions Settings When the decoderbufs Plugin Is Used

    Log in to the PostgreSQL as a superuser, create a role, and grant the role at least REPLICATION and LOGIN permissions.
    Grant permissions:
    CREATE ROLE userName REPLICATION LOGIN;
    Note
    Superusers have the necessary permissions by default, so if the user is a superuser, you generally don't need to grant the above permissions. However, for security reasons, it is not recommended to use the superuser.

    User Permission Settings When the pgoutput Plugin Is Used

    Caution
    The pgoutput plugin requires the user configured in Connection Management to have superuser permissions.
    Step 1: Verify if the user has superuser permissions.
    // Log in to the postgresql, execute the \\du command to check user permissions.
    postgres=# \\du
    Role name | List of roles Attributes
    admin | Superuser
    postgres | Superuser, Create role, Create DB, Replication, Bypass RLS
    slave | Replication
    
    // If the configured user does not have superuser permissions, grant the permissions with the following command:
    postgres=# ALTER USER userName WITH SUPERUSER;
    Step 2: After the user has superuser permissions, follow these steps to grant the necessary permissions. The connector pgoutput plugin obtains change events by subscribing to publications on the PostgreSQL node. You can either manually create the publication before starting the connector or grant the configured user the permissions to create publications. Grant the user the following permissions: Replication,CREATE, and SELECT.
    CREATE ROLE userName REPLICATION LOGIN;
    
    GRANT CREATE ON DATABASE databaseName TO userName;
    
    GRANT SELECT ON TABLE tableName TO userName;
    The user configured in Connection Management needs to have owner permissions of the subscribed tables. You can grant the user owner permissions as follows:
    1. Create a replication group.
    CREATE ROLE <replication_group>;
    2. Add the owner of the table to the replication group.
    GRANT REPLICATION_GROUP TO <original_owner>;
    3. Add the connector user to the replication group.
    GRANT REPLICATION_GROUP TO <replication_user>;
    4. Transfer the owner permissions of the table to the replication group.
    ALTER TABLE <table_name> OWNER TO REPLICATION_GROUP;

    Host Access Permission Settings (Required for Self-Built Clusters)

    You need to configure the database to allow the host access of the connector. This can be done by setting the corresponding policies in the pg_hba.conf file. For detailed information about pg_hba.conf, see pg_hba.conf. The configuration file format is as follows:
    host databaseName userName 11.163.0.0/16 md5
    host databaseName userName 11.163.0.0/16 trust
    
    
    문의하기

    고객의 업무에 전용 서비스를 제공해드립니다.

    기술 지원

    더 많은 도움이 필요하시면, 티켓을 통해 연락 바랍니다. 티켓 서비스는 연중무휴 24시간 제공됩니다.

    연중무휴 24시간 전화 지원