Merge pull request #2551 from EnterpriseDB/release/2022-04-13
Release: 2022-04-13
drothery-edb authored Apr 13, 2022
2 parents 3d9382c + 29cda70 commit 31d2b93
Showing 22 changed files with 761 additions and 635 deletions.
12 changes: 6 additions & 6 deletions package-lock.json


Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ tools on a generic level:
| Custom WAL sizes | Yes | Yes ( v11+) |
| Backup compression | Coming soon | Yes |
| Partial restore (only selected databases) | - | Yes |
| PEM integration | Coming soon | - |
| PEM integration | Yes | - |
| License | [GPLv3](https://github.com/EnterpriseDB/barman/blob/master/LICENSE) | [MIT](https://github.com/pgbackrest/pgbackrest/blob/master/LICENSE) |


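Review bot: the Barman cell for PEM integration on the changed line now reads `Yes` with no version qualifier, while the only other qualified cell in the visible table is `Yes ( v11+)` for custom WAL sizes; if PEM integration landed in a specific Barman release, state it the same way so readers on older Barman versions are not misled. The stray space in `( v11+)` on the context line could be fixed in the same pass.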
2 changes: 1 addition & 1 deletion product_docs/docs/bdr/4.0/conflicts.mdx
Expand Up @@ -790,7 +790,7 @@ is not the case, conflict resolution will tend to favour the node that
is further ahead. Clock skew between nodes can be managed using the
parameters `bdr.maximum_clock_skew` and `bdr.maximum_clock_skew_action`.

Row origins are only available if track_commit_timestamps = on.
Row origins are only available if track_commit_timestamp = on.

Conflicts are initially detected based upon whether the replication
origin has changed or not, so conflict triggers will be called in
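Review bot: good fix; `track_commit_timestamp` (singular) is the actual PostgreSQL parameter name, and this is exactly the kind of setting a reader copies into postgresql.conf, so also wrap `track_commit_timestamp = on` in backticks to match `bdr.maximum_clock_skew` and `bdr.maximum_clock_skew_action` two lines above.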
@@ -1,6 +1,7 @@
---
title: "Managing portal access"
redirects:
description: "Authenticate users and grant users access to different parts of the application"
redirects:
- 01_user_access
---

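Review bot: the rendered hunk shows `redirects:` both immediately after `title:` and again after `description:`; if the first one was not removed, the frontmatter ends up with a duplicate YAML mapping key, which parsers either reject or silently resolve to the last value. Confirm the final file contains a single `redirects:` key immediately followed by `- 01_user_access`.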
@@ -1,5 +1,6 @@
---
title: Managing Superset access
description: "Control access to Superset data sources using Superset roles and permissions"
---

You control access to Superset data sources by using Superset roles and permissions.
@@ -1,5 +1,6 @@
---
title: "Reviewing account activity"
description: "Use the activity log to audit user activities or research account activities"
---

The activity log collects BigAnimal events based on user activity in the portal. You can use the log to audit activities performed by users from your organizations or research activities that might have affected your account.
@@ -0,0 +1,207 @@
---
title: "Customizing Azure policy definitions"
description: "Customize default Azure policies to match BigAnimal's resource configurations"
---

Azure Policies help you monitor, identify, and remediate non-compliant resources. Azure automatically assigns a default set of policies to each subscription. If required by your organization, you can further customize these default Azure policies to match BigAnimal's resource configurations.

!!! Note
BigAnimal does not customize your Azure policies to prevent conflicts with external workloads.

### Customize default policy definitions in Azure

In each of your BigAnimal-enabled Azure subscriptions, manually perform the following steps:

!!! Note
You require Microsoft.Authorizations/PolicyAssignments/write permissions to be able to update policy initiatives (sets of policies) in Azure.


1. In the Azure portal, enter **Policy** in the search box at the top and open the Policy service.

1. Select **Compliance** on the left side of the Policy page.

1. On the Compliance page, set the Scope by selecting the ellipsis and then selecting all subscriptions. Click the **Select** button at the bottom of the Scope page to add your selection.

1. You can see a list of all the policy initiatives (sets of policies) automatically assigned by Azure's onboarding process. The policy initiative for each subscription is labeled as *ASC Default (subscription: <Subscription_ID>)*

1. Select a policy initiative in the list and click **Edit assignment**.

1. On the Edit Initiative Assignment page, click the **Parameters** tab.

1. Clear the **Only show parameters that need input or review** check box.

1. Configure your default ASC policy parameters to only allow BigAnimal's specific configurations. Use the parameter values specified in [Customizable policy definition parameters](#customizable-policy-definition-parameters) to update the parameters.

1. Select the **Review + create** tab at the top of the wizard.

1. Review your selections, then select **Create** at the bottom of the page.

You're now ready to monitor, identify, and remediate non-compliant resources to improve the compliance state of the resources in your subscription.

#### Customizable policy definition parameters

While customizing Azure policies, refer to the following list of recommended parameters and values that are based on BigAnimal's resource configurations.

Use the values below each parameter while configuring the default ASC policy of a subscription.

!!! Note

JSON values are provided wherever applicable.


- **Allowed service ports list in Kubernetes cluster**:

BigAnimal runs services on several ports in Kubernetes clusters in your cloud account in order to provide the BigAnimal services. The following ports must be allowed:

```js
["5432", "9402", "443", "8080",
"9090", "3000", "8443", "9443", "9100", "9201", "8088"]
```


- **Allowed AppArmor profiles**:

BigAnimal requires the `runtime/default` AppArmor security profile to properly function:

```js
["runtime/default"]
```


- **Allowed capabilities**:

Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster.
BigAnimal generally runs containers with very limited capability to limit the attack surface of Kubernetes clusters, but requires some capabilities to function:

```js
["FOWNER"]
```

- **Allowed host paths for pod in Kubernetes cluster**:

BigAnimal requires the following `HostPath` mounts to function properly:

```js
{
"paths": [
{
"pathPrefix": "/var/log",
"readOnly": false
},
{
"pathPrefix": "/var/lib/docker/containers",
"readOnly": true
},
{
"pathPrefix": "/",
"readOnly": true
},
{
"pathPrefix": "/sys",
"readOnly": true
},
{
"pathPrefix": "/proc",
"readOnly": true
},
{
"pathPrefix": "/var/run/docker.sock",
"readOnly": false
},
{
"pathPrefix": "/run/containerd/containerd.sock",
"readOnly": false
},
{
"pathPrefix": "/dev",
"readOnly": false
},
{
"pathPrefix": "/boot",
"readOnly": true
},
{
"pathPrefix": "/lib/modules",
"readOnly": false
},
{
"pathPrefix": "/usr",
"readOnly": true
},
{
"pathPrefix": "/etc",
"readOnly": true
}
]
}

```

### Other recommendations from Microsoft Defender for Cloud

Microsoft Defender for Cloud (which now includes Azure Secure Center and Azure Defender) analyzes the configurations of your Azure resources to identify potential vulnerabilities.

You might still see recommendations from Microsoft Defender for Cloud even after customizing your policies and remediating non-compliant resources. See the following sections to understand why Microsoft raises the following recommendations.

#### Restrict unauthorized network access

- **Usage of host networking and ports should be restricted**

BigAnimal runs containers that use the node network namespace to monitor network traffic statistics of Kubernetes cluster worker nodes. To prevent traffic sniffing and configuration changes to the worker node system, BigAnimal has removed all security capabilities for those containers.

- **Virtual networks should be protected by Azure Firewall**

BigAnimal does not enable the Azure Firewall. Instead, BigAnimal uses Azure Network Security Group allowlists to specify permissible inbound and outbound traffic.

If your organization requires an Azure Firewall for compliance purposes, contact [[email protected]](mailto:[email protected]).

#### Manage access and permissions

- **Privileged containers should be avoided**

Running containers as root user should be avoided, but to achieve some management functionality like securing and monitoring the application, it is necessary for BigAnimal to run some containers in privileged mode.

- **Immutable (read-only) root filesystem should be enforced for containers**

Running containers with a read-only root filesystem should be avoided, but for BigAnimal to achieve some control plane functionality, it is necessary. For example, for BigAnimal to use system calls to secure and monitor the BigAnimal application it is necessary to run containers with a read-only root filesystem.

- **Running containers as root user should be avoided**

BigAnimal must run some containers as the root user to provide some aspects of control plane functionality, such as logging. BigAnimal tightly restricts the use of the root user, and no containers running as root expose network connectivity.

- **Containers sharing sensitive host namespaces should be avoided**

BigAnimal must run some containers that can share the host process ID namespace to monitor network traffic statistics for cluster worker nodes. To prevent traffic sniffing and configuration changes to the worker node system, BigAnimal has removed *all* security capabilities for those containers.

- **Container with privilege escalation should be avoided**

To enable some monitoring capabilities for Kubernetes, BigAnimal must run some containers that may allow privilege escalation.

#### Implement security best practices

- **Kubernetes clusters should disable automounting API credentials**

Microsoft recommends disabling automounting API credentials to prevent a potentially compromised pod from running API commands against a Kubernetes cluster.

BigAnimal creates service accounts and roles with the least privileges for Kubernetes operators and operands to prevent this scenario.

#### Enable auditing and logging

Microsoft recommends enabling diagnostic logs in Kubernetes services, Key Vault, and Virtual Machine Scale Sets.

BigAnimal does not enable diagnostic logs for Kubernetes services and Key Vault, but it does enable diagnostic logs for Virtual Machine Scale Sets. Resources managed by BigAnimal are logged in Virtual Machine Scale Sets logs. If you must enable other logs for compliance purposes, contact [[email protected]](mailto:[email protected]).

#### Enable enhanced security features

Microsoft Defender for Cloud now includes the capabilities of Microsoft Defender for open-source relational databases.

BigAnimal does not enable any of the following capabilities:
- Microsoft Defender for servers
- Microsoft Defender for Storage
- Microsoft Defender for Key Vault
- Microsoft Defender for Containers
- Microsoft Defender for Kubernetes Service clusters
- Microsoft Defender for Resources Manager
- Microsoft Defender for DNS

If you have questions about enabling any of those capabilities for BigAnimal, contact [[email protected]](mailto:[email protected]).
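Review bot: the explanation under **Immutable (read-only) root filesystem should be enforced for containers** is inverted. It says running containers *with* a read-only root filesystem should be avoided and that BigAnimal needs to run containers *with* a read-only root filesystem, whereas the recommendation's point is that some BigAnimal control plane containers run with a writable root filesystem; reword along the lines of "Running containers with a writable root filesystem should be avoided, but it is necessary for some BigAnimal control plane containers, for example those that use system calls to secure and monitor the application." Similarly, the first sentence under **Privileged containers should be avoided** talks about the root user, which belongs to the separate **Running containers as root user should be avoided** item two bullets down; it should say "Running privileged containers should be avoided, but ...". Other points: the permission named in the note, `Microsoft.Authorizations/PolicyAssignments/write`, should be checked against the Azure resource provider name, which is `Microsoft.Authorization/policyAssignments/write` (no trailing "s" on Authorization); the three policy-value fences are tagged ```js but contain JSON, so tag them ```json and indent them under their list items so they render inside the bullet rather than breaking the list; there is a stray blank line inside the host-paths fence before the closing backticks; "Azure Secure Center" should read "Azure Security Center"; and the allowed host-path list grants writable mounts of `/var/run/docker.sock`, `/run/containerd/containerd.sock` and `/dev`, which deserve a sentence of rationale next to the list (which component needs each, and how that component is constrained), given that the page elsewhere states BigAnimal strips all capabilities from its host-namespace containers.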
@@ -1,7 +1,8 @@
---
title: "Administering your account"
indexCards: simple
---

Administrative activities for the BigAnimal account include portal and database user access management as well as account activity reviews.
Administrative activities for the BigAnimal account include portal and database user access management as well as account activity reviews and customizing Azure policy definitions.

If you coordinated with [BigAnimal Support](../overview/support) to enable the Apache Superset feature, see [Managing Superset access](01a_superset_access) for information on setting up roles and permission for access to the Superset data sources.
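Review bot: the new sentence adds "customizing Azure policy definitions" to the list of administrative activities but, unlike the Superset sentence that follows it, gives no link to the page that describes it; add a link to the new Azure policy page so readers can reach it from this index. Minor: "roles and permission" in the context line should be "roles and permissions".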
Expand Up @@ -108,6 +108,9 @@ If you receive the following error message, you need to request admin consent fo
Error: Please request Azure AD Global Administrator or Privileged Role Administrator to grant admin consent permissions for Service Principal hello-s(77bbxxxx-xxxx-xxxx-xxxx-xxxxxxxx7c54)
```

To grant admin consent you, or another user with the Azure AD Global Administrator or Privileged Role Administrator role, go to [App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) in the Azure portal and select **API permissions**.


## Connect your cloud account

Connect your cloud account with your Azure subscription.
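Review bot: the added sentence has a grammar problem: "To grant admin consent you, or another user with ... role, go to" should read "To grant admin consent, you or another user with the Azure AD Global Administrator or Privileged Role Administrator role must go to ...". It also stops at "select **API permissions**" without saying what to do on that page; state the final action so the reader is not left guessing at the step that actually grants consent. The two blank lines before the `## Connect your cloud account` heading can be reduced to one.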
Expand Up @@ -15,4 +15,4 @@ BigAnimal runs in your own cloud account, isolates your data from other users, a
- **Database logging and auditing:** Functionality to track and analyze database activities is enabled automatically. For PostgreSQL, the PostgreSQL Audit Extension (pgAudit) is enabled for you when deploying a Postgres cluster. For EDB Postgres Advanced Server, the EDB Audit extension (edbAudit) is enabled for you.
- **pgAudit:** The classes of statements being logged for pgAudit are set globally on a cluster with `pgaudit.log = 'write,ddl'`. The following statements made on tables are logged by default when the cluster type is PostgreSQL: `INSERT`, `UPDATE`, `DELETE`, `TRUNCATE`, AND `COPY`. All `DDL` is logged.

- **Database cluster permissions** The edb_admin account created during the *create cluster* process includes the `CREATEDB` and `CREATEROLE` database roles. EDB recommends using the edb_admin account to create a new application user and new application database for further isolation. See [Managing Postgres access](../using_cluster/01_postgres_access) for more information.
- **Database cluster permissions** The edb_admin account created during the *create cluster* process includes the `CREATEDB` and `CREATEROLE` database roles. EDB recommends using the edb_admin account to create a new application user and new application database for further isolation. See [Managing Postgres access](../using_cluster/01_postgres_access) for more information.
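Review bot: the before and after lines render identically, so this hunk is whitespace-only (most likely the trailing newline at end of file). While touching the file: the bullet label **Database cluster permissions** lacks the colon the other bullets use (**pgAudit:**, **Database logging and auditing:**), and `AND` in "`TRUNCATE`, AND `COPY`" on the context line should be lowercase.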
Expand Up @@ -12,7 +12,7 @@ BigAnimal retains backups for 30 days by default.

### Restores

If a restore is necessary—for example, in case of an accidental `DROP TABLE` statement—you can restore clusters to any point in time as long as backups are retained in Azure Blob Storage. Currently BigAnimal does not age out backups, so you can restore clusters to any time since cluster creation.
If a restore is necessary—for example, in case of an accidental `DROP TABLE` statement—you can restore clusters to any point within the backup retention period.

Cluster restores aren't performed "in-place" on an existing cluster. Instead, a new cluster is created and initialized with data from the backup archive. Restores must replay the transaction logs between the most recent full database backup and the target restore point. Thus restore times (that is, RTO) are dependent on the write activity in the source cluster.

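Review bot: the replacement resolves a contradiction: the removed text said BigAnimal does not age out backups, while the context line above says backups are retained for 30 days by default. The new phrase "the backup retention period" would be clearer if it restated or linked to the retention setting (30 days by default, per that line), since a reader planning a point-in-time restore needs the concrete window.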
Expand Up @@ -7,7 +7,7 @@ EDB ODBC Connector 13.01.0000.01 includes the following upstream merge:

| Type | Description |
| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Upstream Merge | Merged with the upstream community driver version 13.01.0000. See the community [Release notes](https://odbc.postgresql.org/docs/release.html) for details. |
| Upstream merge | Merged with the upstream community driver version 13.01.0000. See the community [Release notes](https://odbc.postgresql.org/docs/release.html) for details. |



Expand Up @@ -6,4 +6,4 @@ EDB ODBC Connector 13.00.0000.01 includes the following upstream merge:

| Type | Description |
| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Upstream Merge | Merged with the upstream community driver version 13.00.0000. See the community [Release notes](https://odbc.postgresql.org/docs/release.html) for details. |
| Upstream merge | Merged with the upstream community driver version 13.00.0000. See the community [Release notes](https://odbc.postgresql.org/docs/release.html) for details. |
@@ -1,12 +1,12 @@
---
title: "Release Notes"
title: "Release notes"
---

The ODBC JDBC connector documentation describes version 13 of the ODBC JDBC connector.

Release notes describe what is new in a release. When a minor or patch release introduces new functionality, indicators in the content identify which version introduced the new feature.
Release notes describe what's new in a release. When a minor or patch release introduces new functionality, indicators in the content identify the version that introduced the new feature.

| Version | Release Date |
| Version | Release date |
| ----------------------------------------- | ------------ |
| [13.01.0000.02](01_odbc_13.1.0.02_rel_notes) | 2021 Dec 12 |
| [13.01.0000.01](03_odbc_13.1.0.01_rel_notes) | 2021 Sep 14 |
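Review bot: the context line "The ODBC JDBC connector documentation describes version 13 of the ODBC JDBC connector." is a copy-paste error; this is the ODBC connector, and the requirements hunk in this same commit fixes the same `JDBC Connector` to `ODBC Connector` in its table header. Fix it here too while the file is being edited. The title-case and "what's" changes are fine.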
@@ -1,11 +1,11 @@
---
title: "Requirements Overview"
title: "Requirements overview"

---

This table lists the latest ODBC Connector versions and their supported corresponding EDB Postgres Advanced Server (EPAS) versions. See [Product Compatibility](https://www.enterprisedb.com/platform-compatibility#epas) for details.

| JDBC Connector | EPAS 14 | EPAS 13 | EPAS 12 | EPAS 11 | EPAS 10 |
| ODBC Connector | EPAS 14 | EPAS 13 | EPAS 12 | EPAS 11 | EPAS 10 |
| ----------------------------------------- | ------- | ------- | ------- | ------- | ------- |
| [13.01.0.02](01_odbc_13.1.0.02_rel_notes) | Y | Y | Y | Y | Y |
| [13.01.0.01](03_odbc_13.1.0.01_rel_notes) | N | Y | Y | Y | Y |
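Review bot: the version labels in this table (`13.01.0.02`, `13.01.0.01`) differ from the release-notes table in this same commit (`13.01.0000.02`, `13.01.0000.01`) and from the release-note headings ("EDB ODBC Connector 13.01.0000.01"); pick one form so the two tables agree. Also the blank line between `title:` and the closing `---` inside the frontmatter can be dropped.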
0 comments on commit 31d2b93