Merge pull request #1741 from EnterpriseDB/release/2021-08-12a
Release: 2021-08-12a
Former-commit-id: 8ef73f6b55648afde548d235593d821c6a7c1358
josh-heyer authored Aug 12, 2021
2 parents e60fe00 + ca2f477 commit c35e21d
Showing 44 changed files with 996 additions and 12 deletions.
3 changes: 2 additions & 1 deletion build-sources.json
Original file line number Diff line number Diff line change
Expand Up @@ -20,5 +20,6 @@
"pgpool": true,
"postgis": true,
"repmgr": true,
"slony": true
"slony": true,
"edbcloud": true
}
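Review bot: `"edbcloud": true` is appended after `"slony": true`, breaking the alphabetical order the rest of this object uses (`pgpool`, `postgis`, `repmgr`, `slony`); move it to its alphabetical position earlier in the list so future additions have one obvious place to go. The matching change in `dev-sources.sample` below keeps the two files in step, which is what a reader copying the sample into a local config needs.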
3 changes: 2 additions & 1 deletion dev-sources.sample
Original file line number Diff line number Diff line change
Expand Up @@ -17,5 +17,6 @@
"pgbouncer": true,
"pgpool": true,
"postgis": true,
"slony": true
"slony": true,
"edbcloud": true
}
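Review bot: same ordering point as in `build-sources.json`: `"edbcloud": true` belongs in alphabetical position, not after `"slony"`. While both files are being touched, note that the sample already diverges from `build-sources.json` (the visible tail here is `pgbouncer`, `pgpool`, `postgis`, `slony`, with no `repmgr`); either re-sync the two lists or state in a comment that the sample is intentionally a subset, otherwise the next source added will drift the same way.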
1 change: 1 addition & 0 deletions gatsby-config.js
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ const sourceToPluginConfig = {
bart: { name: "bart", path: "product_docs/docs/bart" },
bdr: { name: "bdr", path: "product_docs/docs/bdr" },
harp: { name: "harp", path: "product_docs/docs/harp" },
edbcloud: { name: "edbcloud", path: "product_docs/docs/edbcloud" },
efm: { name: "efm", path: "product_docs/docs/efm" },
epas: { name: "epas", path: "product_docs/docs/epas" },
eprs: { name: "eprs", path: "product_docs/docs/eprs" },
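Review bot: the `edbcloud` entry is inserted between `harp` and `efm`, so `sourceToPluginConfig` now reads `bart`, `bdr`, `harp`, `edbcloud`, `efm`, `epas`, `eprs`; `harp` was already out of alphabetical order and this change adds a second exception. Move both to their sorted positions. The key `edbcloud` must also match the name used in `build-sources.json`/`dev-sources.sample` exactly, which it does, so no further wiring is needed for the source to be picked up.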
Expand Down
2 changes: 2 additions & 0 deletions gatsby-node.js
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,8 @@ exports.createPages = async ({ actions, graphql, reporter }) => {
initializeCommand
codelanguages
}
hideVersion
displayBanner
directoryDefaults {
description
prevNext
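Review bot: the page query now selects `hideVersion` and `displayBanner` from frontmatter, but nothing in this hunk declares those fields in the schema customization or documents a default. Gatsby only infers a frontmatter field from nodes that actually set it, so if no MDX file in any enabled source carries these keys the build fails with "Cannot query field" on this query. Add them to the frontmatter type definition with explicit types (`Boolean` is the obvious one for both names) and say in the PR description what each does, because nothing visible in this hunk consumes them either.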
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,111 @@
---
title: "Managing Portal Access"
---

EDB Cloud uses Azure Active Directory to authenticate users and role based access controls to grant users access to different parts of the application.

## Organizations

Each subscribed customer has a unique *organization*. Each organization’s database clusters are deployed and managed in the customer's cloud account. This ensures complete segregation of customer data between organizations.

Each EDB Cloud organization is associated with an Azure Active Directory (AD) tenant. Azure AD establishes the identity of users that belong to an organization. After Azure AD is linked during subscription, users that belong to that AD can login with minimum access privileges.

EDB Cloud supports role based access control policies. A user with the owner role may assign roles to other users in the same organization.

## Roles
Access to EDB Cloud is controlled by roles. Roles are sets of permissions. You use roles to manage permissions assigned to users.

* Each organization will have three default roles available:
* owner
* reader
* contributor
* These roles can be edited by changing their name or description.

### Permissions

Permissions are generally represented in the format `action:object` where `action` represents an operation that can be performed and `object` represents a category of portal functionality.

The available `actions` are: create, read, update, delete

The available `objects` are: backups, billing, databases, events, permissions, roles, tickets, users, versions

### Permissions by Role

The following are the default permission by role:

| Role | Action |backups | billing | databases | events | roles | permissions | tickets | users | versions |
|-------------|--------|--------|---------|-----------|--------|-------|-------------|---------|-------|----------|
| owner | create | x | | x | | x | x | x | x | x |
| | read | x | x | x | x | x | x | x | x | x |
| | update | x | | x | | x | x | x | x | x |
| | delete | x | | x | | x | x | x | x | x |
| contributor | create | x | | x | | | | x | | |
| | read | x | x | x | x | x | x | x | x | x |
| | update | x | | x | | | | x | | |
| | delete | x | | x | | | | x | | |
| reader | create | | | | | | | | | |
| | read | x | x | x | x | x | x | x | x | x |
| | update | | | | | | | | | |
| | delete | | | | | | | | | |


### Editing Roles

To edit roles:
1. Navigate to Admin > Roles.

3. Select the edit icon for the role in the list.

#### Changing Role Name

To change the name or description of the role:
1. Select the **Settings** tab.

2. Edit **Name** or **Description**.
3. Press **Save**.

#### Changing Role Permissions

To change permissions associated with the role:
1. Select **Permissions** tab.

2. Select the **Change Permissions** button on the top right.
3. Select the list of permissions you want to be associated with the role.
4. Press **Submit**

!!! Note
Changing role permissions will affect every user who is assigned the same role.

## Users

When you configured your Azure subscription, you also enabled EDB Cloud to authenticate users from your organization using Azure Active Directory (AD). Before users become visible in the EDB Cloud **Users** screen they need to sign in using Azure AD after receiving special emails sent by your organization. New users signed in to EDB Cloud have a minimum set of permissions until you assign them a role.

### Assigning Roles to Users
To assign appropriate roles to users:
1. Navigate to Admin > Users.

2. Select the edit icon for the user.
3. Select **Assign Roles**.
4. Select or deselect roles for the user.
5. Select **Submit**.

!!! Note
For a user's role assignment to take effect, the user needs to log out from EDB Cloud and log in again.

### Viewing Users

To view all users from your organization that have logged in at least once:

1. Navigate to Admin > Users.

2. View the list of users sorted by most recent log in.

## Example Scenario

1. The EDB Cloud organization is created, and Tom logs in and is granted the owner role.

1. Tom asks Jerry to log in, using his Azure AD account; Jerry's account in EDB Cloud is created.
1. Tom grants Sally the contributor role. Sally logs out and back in, and she can now create EDB Cloud clusters.
1. Sally asks Jerry to log in, and grants him the reader role.
1. Jerry logs out and back in, and he can now see the clusters that Sally has created.

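Review bot: the "Editing Roles" steps jump from 1 to 3 (`1. Navigate to Admin > Roles.` then `3. Select the edit icon for the role in the list.`); either a step is missing or the second marker should be 2. On the security side, the note under "Assigning Roles to Users" ("the user needs to log out from EDB Cloud and log in again") should be stated explicitly as a caveat for revocation too: a role removed from a user, including `owner`, stays effective for that user's current session, and the page gives an administrator no way to terminate a session, so role removal is not immediate. The Organizations paragraph should also define what "minimum access privileges" means for a freshly signed-in Azure AD user; the table shows `reader` as the least privileged default role, but a user with no role assigned at all is never described, and since every member of the linked tenant can sign in, readers will want to know whether sign-in can be restricted to assigned users on the Azure AD side. The Example Scenario introduces Sally in step 3 without her signing in or being granted anything in steps 1 and 2. Minor: "role based" should be "role-based" (twice), "login" as a verb should be "log in", and the permissions table orders the `roles`/`permissions` columns opposite to the list under Permissions.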
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
---
title: "Managing Postgres Access"
---

The `edb_admin` database role and `edb_admin` database created during the _Create Cluster_ process should not be used by your application. Instead, create a new database role and a new database, which provides a high level of isolation in Postgres. If multiple applications are using the same cluster, each database can also contain multiple schemas, essentially a namespace in the database. If strict isolation is needed, use a dedicated cluster or dedicated database. If that strict isolation level is not required, a single database can be deployed with multiple schemas. Please refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/current/ddl-priv.html) on Privileges to further customize ownership and roles to your requirements.

To create a new role and database, first connect using `psql`:

```
psql -W "postgres://[email protected]:5432/edb_admin?sslmode=require"
```

## One Database with One Application

For one database hosting a single application:

1. Create a new database role. For example,
```
edb_admin=# create role app1 with password 'app1_pwd';
```

1. Create a new database to store application data. For example,
```
edb_admin=# create database app1 with owner app1;
```

Using this example, the username and database in your connection string would be `app1`.

## One Database with Multiple Schemas

If a single database is used to host multiple schemas, create a database owner and then roles and schemas for each application. The example in the following steps shows creating two database roles and two schemas. The default `search_path` for database roles in EDB Cloud is `"$user",public`. If the role name and schema match, then objects in that schema will match first, and no `search_path` changes or fully qualifying of objects are needed. The [PostgreSQL documentation](https://www.postgresql.org/docs/current/ddl-schemas.html#DDL-SCHEMAS-PATH) covers the schema search path in detail.

1. Create a database owner and new database. For example,
```
edb_admin=# create user prod_admin with password 'prod_pwd';
edb_admin=# create database prod1 with owner prod_admin;
```

1. Connect to the new database. For example,
```
edb_admin=# \c prod1
```
1. Create new application roles. For example,
```
prod1=# create role app1 with password 'app1_pwd';
prod1=# create role app2 with password 'app2_pwd';
```
1. Create a new schema for each application with the AUTHORIZATION clause for the application owner. For example,
```
prod1=# create schema app1 authorization app1;
prod1=# create schema app2 authorization app2;
```
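Review bot: `create role app1 with password 'app1_pwd'`, and the two `create role` statements under "One Database with Multiple Schemas", create roles without the `LOGIN` attribute, because `CREATE ROLE` defaults to `NOLOGIN`; the connection string the page then describes ("the username and database in your connection string would be `app1`") will be rejected at authentication. Use `create role app1 with login password '...'` or `create user app1 ...`, as the `prod_admin` example already does. Three further points. `sslmode=require` in the `psql` URL encrypts the session but does not verify the server certificate, so the page should recommend `sslmode=verify-full` with the service CA wherever the hostname is known. Passing passwords as literals in `psql` leaves them in `~/.psql_history` and, if the statement errors, in the server log under `STATEMENT:`; `\password app1` avoids both. And the host part of `[email protected]` looks like a mangled `user@host` placeholder rather than a usable example; spell the placeholder out. Finally, in the multi-schema layout both application roles share `prod1` and, with the default `"$user",public` search_path, can still create objects in `public` on PostgreSQL releases before 15, so if the goal is isolation between `app1` and `app2` the page should mention `REVOKE CREATE ON SCHEMA public FROM PUBLIC`.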
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
---
title: "Reviewing Account Activity"
---
The activity log collects EDB Cloud events based on user activity within the portal. It can be used to audit activities performed by users from your organizations or research activities that may have affected your account.

## Events

Events describe actions performed by users. The available actions are:
* create
* read
* update
* delete

Events are related to the following resource types:
* database
* user
* user roles
* role permissions
* organization

!!! Note
Database events are **not** logging activity on the Postgres server. They are logging the use of the portal to create or modify database clusters.

## Viewing and Searching the Activity Log Table

To view events, navigate to the Activity Log. To search events, use the filters at the top of the page.

The following fields are in the activity log:

| Field | Description |
| ---------------------| ---------------------------------------------------------------------------- |
| **Activity Name** | Name of an event in the format _Action Resource-Type, Resource-name_ |
| **User** | User responsible for the event |
| **Date** | Date when the action was performed |
| **Resource** | Resource Type of the resource |

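Review bot: the resource types listed here (database, user, user roles, role permissions, organization) do not match the `objects` the permissions model uses on the "Managing Portal Access" page (backups, billing, databases, events, permissions, roles, tickets, users, versions); either the activity log covers only a subset, which should be said, or the two lists should be aligned. For an audit log the page also needs to state how long events are retained, whether they can be exported, and who can see them; the permissions table grants `read` on `events` to every default role, which means every portal user, including `reader`, can see who did what, and that is worth saying explicitly. Minor: "from your organizations" should be "from your organization", "research activities" reads oddly next to "audit activities", and the Resource field description "Resource Type of the resource" is circular.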
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
@startuml

!pragma ratio 1
!pragma revision 1


!includeurl https://raw.githubusercontent.com/plantuml-stdlib/C4-PlantUML/master/C4_Container.puml

!define AzurePuml https://raw.githubusercontent.com/plantuml-stdlib/Azure-PlantUML/master/dist
!includeurl AzurePuml/AzureCommon.puml
!includeurl AzurePuml/AzureSimplified.puml
!includeurl AzurePuml/Databases/AzureDatabaseForPostgreSQL.puml
!includeurl AzurePuml/Identity/AzureActiveDirectoryB2C.puml
!includeurl AzurePuml/Identity/AzureActiveDirectoryDomainServices.puml
left to right direction


rectangle "EDB Cloud" as src {
rectangle "EDB Cloud Clusters" as edbclusters {
AzureDatabaseForPostgreSQL(edbcl1, "PG Cluster","DB cluster1" )
AzureDatabaseForPostgreSQL(edbcl2, "EPAS Cluster","DB cluster2" )

}

rectangle "EDB Cloud Users" {
Person(tom2, "Tom:{reader}")
Person(jerry2, "Jerry:{owner}")

}


AzureActiveDirectoryB2C(org, "EDB Cloud Organization ", "org acmebank-com")

}

rectangle Azure as tgt {

rectangle "Azure AD Members" {
Person(tom, "Tom")
Person(jerry, "Jerry")

}

rectangle "Regions" as regions {
rectangle "us-east" as k1 {
AzureDatabaseForPostgreSQL(azuredbcl1, "PG Cluster","DB cluster1" )

}
rectangle "japan-west" as k2 {
AzureDatabaseForPostgreSQL(azuredbcl2, "EPAS Cluster","DB cluster2" )
}
}

AzureActiveDirectoryDomainServices(AD, "Azure AD Tenant", "tenant acmebank.com")

}
jerry -> regions: owns
src -[hidden]d-> tgt
regions -[hidden]u-> edbclusters
org <-> AD: "1:1"
tom2<- tom
jerry2<- jerry



edbcl1 <- azuredbcl1
edbcl2 <- azuredbcl2
@enduml
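Review bot: the diagram contradicts the Example Scenario on the portal-access page: here `Person(tom2, "Tom:{reader}")` and `Person(jerry2, "Jerry:{owner}")`, there Tom is granted `owner` and Jerry `reader`, and the `jerry -> regions: owns` edge follows the diagram's version. Pick one assignment and use it in both places. Separately, every `!includeurl` here pulls `C4_Container.puml` and the Azure-PlantUML sprites from `raw.githubusercontent.com/.../master` at render time, so each docs build fetches unpinned third-party content over the network; pin the includes to a commit hash or vendor the `.puml` files into the repo so an upstream change cannot silently alter or break the rendered diagram.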
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
title: "Administering Your Account"
---

In this section, account owners can find information on administrative activities for the EDB Clouud account including portal and database user access management as well as account activity reviews.
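Review bot: typo "EDB Clouud" in the only body sentence; should be "EDB Cloud". The sentence also runs three topics together; listing the section's pages (portal access management, Postgres access management, account activity review) as the document's own bullet style elsewhere does would read better than "including ... as well as ...".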
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
---
title: Checking Azure Resource Limits
---

By default, Azure sets a very low limit on the number of virtual machines per region and on the number of Public IP Addresses per region that are available in a given subscription.

The default [Azure Virtual Machine limit per region](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#virtual-machines-limits---azure-resource-manager) is set to 20. You need to increase this limit to at least 50 virtual machines per region. EDB Cloud uses ESv3 Series virtual machines.

The default [Public IP address limits](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#publicip-address) to Public IP Addresses Basic and Public IP Addresses Standards is set to 10. You need to increase the limit of `Public IP Addresses - Basic` and `Public IP Addresses - Standard` to 100 for the regions where you plan to deploy your EDB clusters.

# Checking Current Utilization

To check if you have adequate Azure resources to provision new clusters:

1. In the Azure Portal, select **Subscription**.

1. Select your specific subscription.
2. Select Settings > **Usage + quotas**.
1. Search for "ESv3" to view virtual machines limits.
1. Search for Public IP to view networks limits.


# Increasing Network Quota

You can increase the number of public IP addresses for your account either by using Azure's portal if you have appropriate privileges or by submitting a support request. See:

- [Request Networking quota increase at subscription level using Help + support](https://docs.microsoft.com/en-us/azure/azure-portal/supportability/networking-quota-requests#request-networking-quota-increase-at-subscription-level-using-help--support)

- [Request networking quota increase at subscription level using usages + quotas](https://docs.microsoft.com/en-us/azure/azure-portal/supportability/networking-quota-requests#request-networking-quota-increase-at-subscription-level-using-usages--quotas)


# Increasing Virtual Machine Quota

You can increase the number of ESv3 Series virtual machines per region for your account either by using Azure's portal if you have appropriate privileges or by submitting a support request. See:

- [Request a quota increase by region from Help + support](https://docs.microsoft.com/en-us/azure/azure-portal/supportability/regional-quota-requests#request-a-quota-increase-by-region-from-help--support)

- [Request a quota increase by region from subscriptions](https://docs.microsoft.com/en-us/azure/azure-portal/supportability/regional-quota-requests#request-a-quota-increase-by-region-from-subscriptions)




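Review bot: the headings here use a single `#`, which makes every section an H1 beside the frontmatter title, while the other new pages in this release use `##`; match them. The step markers under "Checking Current Utilization" mix `1.`, `1.`, `2.`, `1.`, `1.`, so the rendered numbering will not match the intent. The limits are also given as bare targets (at least 50 virtual machines, 100 public IPs of each SKU) without saying how many VMs and public IP addresses one cluster consumes, so a reader cannot tell whether those numbers cover one cluster or ten; state the per-cluster footprint. Minor: "Public IP Addresses Standards" should be "Standard", "select **Subscription**" in the Azure portal is "Subscriptions", Azure writes the VM family as "Esv3-series", and the file ends with several trailing blank lines.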