This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

AlloyDB Role/User Permission

Posted a month ago
Jerson_Arockiya
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi Experts,

I would like to know about assigning roles to other users in AlloyDB, please share your input.

I have created a new AlloyDB cluster and can see multiple users/roles in the instance by default. There is a role/user called alloydbadmin(Permission - Superuser, Create role, Create DB, Replication, Bypass RLS) which contains more permissions than postgres(Permission - Create role, Create DB) user. FYI below,

Jerson_Arockiya_1-1719561091177.png

Jerson_Arockiya_2-1719561595628.png

I was tried to assign the alloydbadmin role to postgres user from postgres user but it throws an error that ERROR: must be superuser to alter superuser.

Questions here,

1. Can we assign the alloydbadmin role to postgres user?

2. Does the postgres user contain all the permissions of alloydbadmin users? if not, how can I have all permission to the postgres user?

1 4 641
Topic Labels
4 REPLIES 4

Posted on --/--/---- --:-- AM
ms4446
Staff
Reply posted on --/--/---- --:-- AM

Update 21-7-2024: The alloydbadmin role cannot be assigned to other users in AlloyDB service in the cloud. In theory you should be able to do most of the tasks using the postgres role. 

AlloyDB offers several predefined roles, each tailored to specific capabilities essential for effective database management. Among these roles, the alloydbadmin role stands out as the most powerful. It encompasses superuser privileges within AlloyDB, allowing users to create roles and databases, manage replication processes such as setting up read replicas, and bypass row-level security (RLS). This role is inherently managed by the AlloyDB service itself and, consequently, cannot be directly assigned to other users within the database environment.

Another significant role is the alloydbsuperuser, which resembles the traditional PostgreSQL superuser role but with certain limitations unique to the AlloyDB context. While it possesses full privileges within the database, it does not extend to service-level configurations. This distinction ensures a level of control that balances comprehensive database management with specific restrictions on service configurations.

Additionally, AlloyDB includes specialized roles such as alloydbagent and alloydbimportexport, designed for tasks like managing backup and restore operations, monitoring database health and performance, and executing import/export operations. These roles provide focused capabilities that facilitate efficient and secure database operations.

The postgres role is a standard PostgreSQL role that allows users to create roles and databases within AlloyDB. Typically used as the default user for initial connection and basic administration, it serves as a foundational role for managing everyday database activities.

Assigning the alloydbadmin role to the postgres user directly within the AlloyDB environment is not feasible. This limitation arises because alloydbadmin is a service-level role rather than a database role. The error message "must be superuser to alter superuser" underscores this restriction, reflecting the inherent design of AlloyDB's role management system.

Comparing the permissions of the postgres user and the alloydbadmin role reveals key differences. The postgres user holds full privileges within the database, enabling activities such as creating tables and managing users. However, the alloydbadmin role extends beyond these capabilities, encompassing additional privileges related to the management and configuration of the AlloyDB service. This broader scope includes managing high-level settings and configurations essential for maintaining and optimizing the database environment.

To elevate the permissions of the postgres user, there are two primary approaches:

Option 1: Grant Specific Permissions (Recommended)

The first and recommended approach involves granting specific permissions directly to the postgres user. This method ensures that the user receives only the necessary privileges without overextending their access rights.

  1. Connect as a superuser: Utilize the alloydbadmin user or another superuser account.
  2. Grant permissions: Employ SQL GRANT statements to selectively assign the required privileges to the postgres user. For instance:
 
GRANT CREATE ON DATABASE my_database TO postgres;
GRANT USAGE ON SCHEMA my_schema TO postgres;

This approach aligns with the principle of least privilege, enhancing security by providing only the specific permissions needed for the user's tasks.

Option 2: Use IAM 

The second approach leverages Identity and IAM to grant the roles/alloydb.admin role to the postgres user. This method offers broader administrative control over the AlloyDB instance but may exceed the precise needs of the user.

  1. Go to IAM & Admin: Navigate to the IAM & Admin section in the Google Cloud Console.
  2. Find the AlloyDB instance: Locate the specific instance to be managed.
  3. Add the postgres user: Assign the roles/alloydb.admin role to the postgres user, granting extensive administrative capabilities, including managing backups, scaling resources, and modifying instance settings.

When granting broad administrative permissions like roles/alloydb.admin, it is crucial to proceed with caution. Adhering to the principle of least privilege by granting only the specific permissions necessary for a user's tasks is a fundamental security practice. This approach minimizes potential risks and ensures that users have access only to the functionalities required for their responsibilities.

Posted on --/--/---- --:-- AM
baetensmatthias
Google Developer Expert
Google Developer Expert
In response to ms4446
Reply posted on --/--/---- --:-- AM

Hi @ms4446 - are you able to point me to the documentation on what the password for `alloydbadmin` is or where to set this password?

Or, if you know about another way to disable `google_columnar_engine`, that would be helpful as well.

0 Likes

Posted on --/--/---- --:-- AM
baetensmatthias
Google Developer Expert
Google Developer Expert
In response to baetensmatthias
Reply posted on --/--/---- --:-- AM

@ms4446 I actually don't think it's possible, have you tried it on an instance? If I understand correctly from the docs, the highest permissions you have as an AlloyDB user is the `postgres` user role which is part of the `alloydbsuperuser` group role.

When I try to execute: `gcloud alloydb users set-password alloydbadmin --cluster=ticket-213687 --region=asia-southeast1 --password=alloydbadmin` it results in: `ERROR: (gcloud.alloydb.users.set-password) INVALID_ARGUMENT: the username "alloydbadmin" is restricted - '@type': type.googleapis.com/google.rpc.RequestInfo`

As per the docs:
"As a managed service, AlloyDB does not let you grant users the PostgreSQL `superuser` role." - if I understand correctly `alloydbadmin` is this `superuser` and as such we don't have access to it.

0 Likes

Posted on --/--/---- --:-- AM
GlebO
Staff
In response to baetensmatthias
Reply posted on --/--/---- --:-- AM

That's correct the alloydbadmin role cannot be assigned to other users in AlloyDB service in the cloud. In theory you should be able to do most of the tasks using the postgres role. 

Top Solution Authors
View all