aiven/aiven-operator

Allow managing Postgres serviceuser permissions

Closed this issue · 4 comments

This might be more of a feature request for the Aiven API, but you don't have an issue tracker for that. 😄

Using the aiven-operator, we can create a PostgreSQL service, a database in that service and a service user for that service.

However, we are not able to give the service user permissions for using that database.
In order to do that, we would need to connect with the avnadmin user using a postgres client and issuing the necessary queries to grant privileges.

It would be much simpler if there was a way to describe these access privileges when creating the service user in Kubernetes.

@mortenlj you can submit bugs or ideas regarding the whole Aiven platform through ideas.aiven.io.
You can also check our community forum at https://aiven.io/community/forum/

@mortenlj Just an FYI: in our management tooling we do not duplicate database internals, and in Aiven the "users" on Aiven are not "users" in the database or specific databases. This is done intentionally. It's pretty simple to add that functionality on your own. You can either wrap this into an operator, or you can use your own scripting to bootstrap the database. I don't see us blending the service control and control planes, as it would create a huge amount of complexity with over a dozen different services.
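As an added example (not code from this issue, from aiven-operator, or from Aiven), this is the kind of bootstrap script the reply above suggests: it emits the GRANT statements that the first post says must otherwise be run by hand as avnadmin, and pipes them to psql when an admin connection URI is provided. The database name, schema, service user name and the AIVEN_ADMIN_URI environment variable are placeholders I chose for the example; the URI is assumed to be the avnadmin connection string for the target database. Identifiers are quoted so an unusual user or database name cannot alter the statement, and the grants are kept to the minimum a read/write application role needs, including default privileges so tables created later by avnadmin are covered too.

```shell
#!/bin/sh
# Example bootstrap script (not part of the issue or of aiven-operator).
# Grants a service user least-privilege read/write access to one schema.
# Assumptions: AIVEN_ADMIN_URI is the avnadmin connection URI for the target
# database (postgres://avnadmin:...@host:port/dbname?sslmode=require), and
# DB / SCHEMA / SERVICE_USER are the placeholders you override.

# Quote a PostgreSQL identifier: wrap in double quotes and double any
# embedded double quote, so a hostile or odd name cannot break the statement.
quote_ident() {
  printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# Emit the SQL that gives role $3 CONNECT on database $1 and read/write
# access to schema $2. Must be executed while connected to database $1,
# because GRANT ON SCHEMA and ALTER DEFAULT PRIVILEGES are per-database.
grant_sql() {
  qdb=$(quote_ident "$1")
  qs=$(quote_ident "$2")
  qr=$(quote_ident "$3")
  cat <<EOF
-- Stop every other service user from connecting via the PUBLIC default.
REVOKE ALL ON DATABASE $qdb FROM PUBLIC;
GRANT CONNECT ON DATABASE $qdb TO $qr;
GRANT USAGE ON SCHEMA $qs TO $qr;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA $qs TO $qr;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA $qs TO $qr;
-- Default privileges apply to objects created later by the role running
-- this script (avnadmin here); add FOR ROLE <owner> if another role creates
-- the tables.
ALTER DEFAULT PRIVILEGES IN SCHEMA $qs GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO $qr;
ALTER DEFAULT PRIVILEGES IN SCHEMA $qs GRANT USAGE, SELECT ON SEQUENCES TO $qr;
EOF
}

DB=${DB:-defaultdb}
SCHEMA=${SCHEMA:-public}
SERVICE_USER=${SERVICE_USER:-app_rw}

if [ -n "${AIVEN_ADMIN_URI:-}" ]; then
  # Apply the grants; ON_ERROR_STOP makes a failed statement fail the script.
  grant_sql "$DB" "$SCHEMA" "$SERVICE_USER" | psql "$AIVEN_ADMIN_URI" -v ON_ERROR_STOP=1 -f -
else
  # No admin URI given: print the SQL for review instead of applying it.
  grant_sql "$DB" "$SCHEMA" "$SERVICE_USER"
fi
```

Run it as `DB=appdb SERVICE_USER=app_rw AIVEN_ADMIN_URI='postgres://avnadmin:...@host:port/appdb?sslmode=require' sh grant.sh`; without AIVEN_ADMIN_URI it only prints the statements, which is the safe way to check what an operator or CI job would apply.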

in Aiven the "users" on Aiven are not "users" in the database or specific databases.

When creating a Redis service and associated service user, the API allows specifying ACL rules for that user.
When creating an OpenSearch service and associated service user, the API allows specifying which indexes the user has access to, and what kind of access.
When creating a Kafka service and associated service user, the API allows specifying which topics the user has access to, and what kind of access.

I feel it's not too far of a stretch to assume that when creating a Postgres service and associated service user, the API allows specifying which database the user has access to, and what kind of access.
The service user does have access to connect to the postgres service, so the user exists, it just doesn't have any privileges once connected.

Note that I'm talking about service users, not "Aiven Console users".

However, I realise this is more of an API issue, because the operator can't do anything unless the API supports it, so I'll move the request to ideas.aiven.io.

Hey, @mortenlj! 👋

Thank you! Feel free to contact our support as well if you want to escalate this issue to the appropriate API team.