Merge pull request #2602 from EnterpriseDB/release/2022-05-04
Release: 2022-05-02
drothery-edb authored May 2, 2022
2 parents cbb2bd6 + 191ef14 commit d1f2954
Showing 52 changed files with 1,278 additions and 516 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -5,13 +5,17 @@ redirects:
- 01_user_access
---

BigAnimal uses Azure Active Directory (AD) to authenticate users and role-based access controls to grant users access to different parts of the application.
BigAnimal authenticates users using your organization's identity provider. If you purchased through Azure Marketplace, BigAnimal authenticates users using Azure Active Directory (AD).

BigAnimal uses role-based access controls to grant users access to different parts of the application.

## Organizations

Each subscribed customer has a unique *organization*. Each organization’s database clusters are deployed and managed in the customer's cloud account. This approach ensures complete segregation of customer data between organizations.

Each BigAnimal organization is associated with an Azure AD tenant. Azure AD establishes the identity of users that belong to an organization. After Azure AD is linked during subscription, users that belong to that AD can log in with minimum access privileges.
Each BigAnimal organization is associated with an identity provider, set up by the customer. Your identity provider establishes the identity of users that belong to an organization. After an organization's identity provider is set up, users added to the identity provider can log in with minimum access privileges.

For Azure Marketplace accounts, each BigAnimal organization is associated with an Azure AD tenant. Azure AD establishes the identity of users that belong to an organization. After Azure AD is linked during subscription, users that belong to that AD can log in with minimum access privileges.

BigAnimal supports role-based access control policies. A user with the owner role can assign roles to other users in the same organization.

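Review bot: the new paragraph "Each BigAnimal organization is associated with an identity provider, set up by the customer ... users added to the identity provider can log in with minimum access privileges." should say whether every account in the customer's directory can sign in to the BigAnimal organization, or only accounts assigned to the BigAnimal application in that identity provider; as written, a reader cannot tell whether adding a user to the corporate directory is enough to give them portal access. "Minimum access privileges" is also undefined here and later contradicted by the scenario that says new accounts get the reader role; pick one description and reuse it. The Azure Marketplace paragraph that follows repeats the same three sentences with "Azure AD" substituted; it could be folded into the first paragraph as a single qualifying sentence.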
Expand All @@ -21,9 +25,9 @@ Access to BigAnimal is controlled by roles. Roles are sets of permissions. You u

Each organization has three default roles available:

- owner
- reader
- account owner
- contributor
- reader


### Permissions
Expand All @@ -32,7 +36,7 @@ Permissions are generally represented in the format *action*:*object* where *act

- The available actions are: create, read, update, and delete.

- The available objects are: backups, billing, clusters, events, permissions, roles, users, and versions.
- The available objects are: cloud accounts, backups, billing, clusters, events, identity providers, permissions, roles, users, and versions.

!!! Note
Not every object supports all the actions. For example, versions objects are always read-only.
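Review bot: the object names in "The available objects are: cloud accounts, backups, billing, clusters, events, identity providers, permissions, roles, users, and versions." do not match the permission table below, which uses "cloud account" and "identity provider" (singular) while keeping the other objects plural. Since permissions are documented as *action*:*object* strings, use one canonical spelling for each object in both places (and keep the list alphabetical, as the rest of it is).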
Expand All @@ -41,26 +45,42 @@ Permissions are generally represented in the format *action*:*object* where *act

The following are the default permissions by role:

| Role | Action | backups | billing | clusters | events | roles | permissions | users | versions |
| ----------- | ------ | ------- | ------- | -------- | ------ | ----- | ----------- | ----- | -------- |
| owner | create | x | | x | | | | | |
| | read | x | x | x | x | x | x | x | x |
| | update | x | | x | | | | x | |
| | delete | x | | x | | | | | |
| contributor | create | x | | x | | | | | |
| | read | x | x | x | x | x | x | x | x |
| | update | x | | x | | | | | |
| | delete | x | | x | | | | | |
| reader | create | | | | | | | | |
| | read | x | x | x | x | x | x | x | x |
| | update | | | | | | | | |
| | delete | | | | | | | | |

| Role | Object | Permissions |
| ------------- | ----------------- | ----------- |
| account owner | backups | create, read, update, and delete |
| | billing | read, update |
| | cloud account | create, read, and update |
| | clusters | create, read, update, and delete |
| | events | read |
| | identity provider | read |
| | permissions | read |
| | roles | read |
| | users | read, update |
| | versions | read |
| contributor | backups | create, read, update, and delete |
| | cloud account | create, read, and update |
| | clusters | create, read, update, and delete |
| | events | read |
| | permissions | read |
| | roles | read |
| | users | read, update |
| | versions | read |
| reader | backups | read |
| | cloud account | read |
| | clusters | read |
| | events | read |
| | permissions | read |
| | roles | read |
| | users | read |
| | versions | read |
## Users

If you purchased BigAnimal through Azure Marketplace, when you configured your Azure subscription, you also enabled BigAnimal to authenticate users from your organization using Azure AD. Before users become visible in the BigAnimal Users screen, they need to sign in using Azure AD after receiving special emails from your organization.

## Users
If you are using your own account, you enabled BigAnimal to authenticate users from your organization using your identity provider. Before users become visible in the BigAnimal Users screen, they need to log in.

When you configured your Azure subscription, you also enabled BigAnimal to authenticate users from your organization using Azure AD. Before users become visible in the BigAnimal **Users** screen, they need to sign in using Azure AD after receiving special emails from your organization. New users signed in to BigAnimal have a minimum set of permissions until you assign them a role.
New users signed in to BigAnimal have a minimum set of permissions until you assign them a role.


### Assign roles to users

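Review bot: the table grants the account owner only "read" on the identity provider object ("| | identity provider | read |"), yet the example scenario in this same file says "Tom is the first user and sets up the identity provider." Either the table is missing create/update on identity providers for the account owner, or identity provider setup happens outside the role model before any role exists; say which, because a reader auditing who can change the organization's authentication source will rely on this table. Two smaller points: "## Users" follows the last table row with no blank line, so it should get one for readability, and "If you are using your own account" is ambiguous in a page that now distinguishes cloud accounts from BigAnimal accounts; "If you connected your own cloud account" would match the new Connecting your own cloud page.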
Expand All @@ -87,12 +107,26 @@ You can view all users from your organization who have logged in at least once.

## Example scenario

1. The BigAnimal organization is created, and Tom logs in and is granted the owner role.
1. Tom is the first user and sets up the identity provider. He is granted the account owner role.

2. Tom invites Jerry and Sally to log in through the organizations identity provider. Both of their accounts in BigAnimal are automatically created with the role of reader.

3. Tom connects the organization's cloud account to BigAnimal.

3. Tom grants Sally the contributor role. She can now create BigAnimal clusters.

4. Sally asks Jerry to log in and grants him the contributor role.

5. Jerry can now see the clusters that Sally created and can create clusters.

## Example scenario for Azure Marketplace

1. The BigAnimal organization is created, and Tom logs in and is granted the account owner role.

2. Tom asks Jerry to log in, using his Azure AD account. Jerry's account in BigAnimal is created.

3. Tom grants Sally the contributor role. Sally logs out and back in. She can now create BigAnimal clusters.
3. Tom grants Sally the contributor role. Sally can now create BigAnimal clusters.

4. Sally asks Jerry to log in and grants him the contributor role.

5. Jerry logs out and back in. He can now see the clusters that Sally created and can create clusters.
5. Jerry can now see the clusters that Sally created and can create clusters.
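Review bot: the new scenario has two steps numbered "3." ("3. Tom connects the organization's cloud account to BigAnimal." and "3. Tom grants Sally the contributor role."), and step 2 states that Jerry's and Sally's accounts "are automatically created with the role of reader", which contradicts the Users section above ("New users signed in to BigAnimal have a minimum set of permissions until you assign them a role") and the Azure Marketplace page in this same PR ("New users are not assigned any roles by default"). Decide whether a first login yields the reader role or no role and state it consistently; this matters because reader grants read on every object including billing and users. Also "organizations identity provider" needs an apostrophe, and step 4 has Sally ask Jerry to log in even though he already did so in step 2.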
Original file line number Diff line number Diff line change
Expand Up @@ -21,4 +21,4 @@ The Superset roles map to BigAnimal permissions. You can add the Superset BigAni
| Alpha | All Superset Gamma privileges, plus the ability to add or modify data sources | Contributor |
| Admin | All Superset Alpha privileges, plus access to SQL Lab and the ability to grant or revoke access to data to other users | Owner |

To assign Superset permissions to the BigAnimal user role, see [Changing role permissions](01_portal_access/#changing-role-permissions).
To assign Superset permissions to the BigAnimal user role, see [Changing role permissions](01_portal_access/#assign-roles-to-users).
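Review bot: the Superset role mapping still refers to the BigAnimal "Owner" role ("| Admin | ... | Owner |"), but this release renames that role to "account owner" in 01_portal_access; update the table so the mapping resolves to a role that exists. The link was correctly repointed to "#assign-roles-to-users", but its text still reads "Changing role permissions", which no longer describes the target section.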
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
---
title: "Customizing AWS Config rules"
description: "Customize default AWS configuration settings to match BigAnimal's resource configurations"
---

AWS Config rules represent desired configuration settings for AWS resources and help you monitor, identify, and remediate noncompliant ones. AWS Security Hub leverages AWS Config by introducing dedicated sets of AWS Config security rules associated with several security standards. It aggregates findings from rule violations and other AWS or third party services.

For more information, see:
- [What Is AWS Config?](https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html)
- [What is AWS Security Hub?](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html)

BigAnimal doesn’t customize your AWS Config rules to prevent conflicts with external workloads.



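Review bot: "BigAnimal doesn't customize your AWS Config rules to prevent conflicts with external workloads." reads as if not customizing is what prevents the conflicts; if the intent is that BigAnimal leaves the rules alone so that it does not interfere with other workloads in the account, reorder it ("To avoid conflicts with other workloads in your account, BigAnimal doesn't customize your AWS Config rules."). The page title and description promise guidance on customizing the rules to match BigAnimal's resource configuration, but the body contains none; either add the list of BigAnimal-managed resources that Security Hub findings are expected to flag, as the Azure policy page does, or change the description so the page is not promising content it lacks. The three trailing blank lines can go.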
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
---
title: "Customizing Azure policy definitions"
description: "Customize default Azure policies to match BigAnimal's resource configurations"
redirects:
- /biganimal/release/administering_cluster/04_customizing_policy_definitions
---


Expand Down Expand Up @@ -160,7 +162,7 @@ You might see recommendations from Microsoft Defender for Cloud even after custo

BigAnimal doesn't enable the Azure Firewall. Instead, BigAnimal uses Azure Network Security Group allowlists to specify allowed inbound and outbound traffic.

If your organization requires an Azure Firewall for compliance purposes, contact [Big Animal support](../overview/support).
If your organization requires an Azure Firewall for compliance purposes, contact [Big Animal support](/biganimal/release/overview/support).

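Review bot: the link text in "contact [Big Animal support](/biganimal/release/overview/support)" spells the product as "Big Animal" while the rest of the page and the other two hunks in this file use "BigAnimal"; fix it while the line is being touched. Moving these links from relative to absolute "/biganimal/release/..." paths also hard-codes the "release" version segment, so check that the same paths are updated when a new versioned copy of these docs is published.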
### Manage access and permissions

Expand Down Expand Up @@ -196,7 +198,7 @@ You might see recommendations from Microsoft Defender for Cloud even after custo

Microsoft recommends enabling diagnostic logs in Kubernetes services, Key Vault, and Virtual Machine Scale Sets.

BigAnimal doesn't enable diagnostic logs for Kubernetes services and Key Vault, but it does enable diagnostic logs for Virtual Machine Scale Sets. Resources managed by BigAnimal are logged in Virtual Machine Scale Sets logs. If you must enable other logs for compliance purposes, contact [BigAnimal support](../overview/support).
BigAnimal doesn't enable diagnostic logs for Kubernetes services and Key Vault, but it does enable diagnostic logs for Virtual Machine Scale Sets. Resources managed by BigAnimal are logged in Virtual Machine Scale Sets logs. If you must enable other logs for compliance purposes, contact [BigAnimal support](/biganimal/release/overview/support).

### Enable enhanced security features

Expand All @@ -212,5 +214,5 @@ BigAnimal doesn't enable any of the following capabilities:
- Microsoft Defender for Resources Manager
- Microsoft Defender for DNS

If you have questions about enabling any of those capabilities for BigAnimal, contact [BigAnimal support](../overview/support).
If you have questions about enabling any of those capabilities for BigAnimal, contact [BigAnimal support](/biganimal/release/overview/support).

Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
---
title: "Customizing compliance rules and policies"
indexCards: simple
description: "Customize your CSP's default policies and rules to match BigAnimal's resource configurations"
---

Your cloud provider has rules and policies to help you to monitor, identify, and remediate noncompliant resources. You can customize the default policies and rules to match BigAnimal's resource configurations.
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ indexCards: none

## Navigating to the Create Cluster page

1. Navigate to the [BigAnimal portal](https://portal.biganimal.com/). (Sign in with [your account](../create_account) if you need to).
1. Navigate to the [BigAnimal portal](https://portal.biganimal.com/). (Sign in with [your account](../create_an_account) if you need to).

2. Select the **Clusters** link on the left to navigate to the [Clusters](https://portal.biganimal.com/clusters) page.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ The BigAnimal free trial allows one active cluster. If you want to try another c

When you create a cluster, there are two flavors of PostgreSQL to choose from:

- All supported versions of [open-source PostgreSQL](supported-open-source/postgresql/), including [PostgreSQL 14](https://www.postgresql.org/about/news/postgresql-14-released-2318/).
- All supported versions of [open-source PostgreSQL](/supported-open-source/postgresql/), including [PostgreSQL 14](https://www.postgresql.org/about/news/postgresql-14-released-2318/).
- [EDB Postgres Advanced Server](/epas/latest/), which augments open-source PostgreSQL with [Oracle compatibility](/epas/latest/epas_compat_ora_dev_guide/), among other features.

We'll demonstrate two methods of creating a cluster:
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,99 @@
---
title: Connecting your own cloud account
navTitle: Connecting your own cloud
description: "Use BigAnimal with your own cloud account"
---

You can connect BigAnimal to your own Azure subscription or AWS account and enable BigAnimal to deploy and manage your clusters in the cloud.

To connect to your cloud account, EDB provides a command that:

1. Ensures your cloud account is prepared to meet your clusters' requirements and resource limits.

1. Sets up and connects to your cloud account.

## Setting up your cloud service provider

Set up your cloud account before connecting it to BigAnimal. The setup that you perform ensures that your AWS account or Azure subscription is prepared to meet your clusters' requirements and resource limits.

**Prerequisites**:

Before setting up your cloud account, ensure that:

- **If connecting to an AWS account:**

You are assigned the following AWS managed policies (or an equivalent custom policy granting full access to resources):

- arn:aws:iam::aws:policy/IAMFullAccess

- arn:aws:iam::aws:policy/ServiceQuotasFullAccess

- **If connecting to an Azure subscription:**

You are assigned either of the following roles in Azure AD:

- Global Administrator

- Privileged Role Administrator

- In [Azure Cloud Shell](https://shell.azure.com/) or [AWS Cloud Shell](https://console.aws.amazon.com/cloudshell), your environment is running:

- bash shell version 4.0 or above.

- [jq](https://stedolan.github.io/jq/) JSON parser.
- BigAnimal CLI version 1.4 or later. For detailed steps, see [Installing the CLI](../../reference/cli/#installing-the-cli).

- The BigAnimal login user running the CLI is assigned either the owner or the contributor role.

Perform the following steps:

1. Open the [Azure Cloud Shell](https://shell.azure.com/) or the [AWS Cloud Shell](https://console.aws.amazon.com/cloudshell) in your browser.

1. Log in to BigAnimal as a user with either the owner or the contributor role.

```
biganimal create-credential --name <UserLogin> --address portal.biganimal.com --port 443
```

1. Run the `setup-csp` command to set up your cloud provider. The synatx is:

```
setup-csp --provider
{--account-id | --subscription-id}
--region
[--instance-type --high-availability --networking | --skip-preflight]
[--run]
```

Here is an example of setting up an AWS account:

```
biganimal setup-csp --provider aws --account-id 123456789102 --region us-east-1 --instance-type aws:r5.large --high-availability --networking private --run
```

Here is an example if setting up an Azure account:
```
biganimal setup-csp --provider azure --subscription-id abc12345-1234-1234-abcd-12345678901 --region eastus --instance-type azure:Standard_E4s_v3 --high-availability --networking private --run
```

For more information on the command arguments, run the following command:

```
biganimal setup-csp --help
```

Alternatively, you can enable the CLI interactive mode to have the CLI guide you through the process:
```
biganimal config set interactive_mode on
biganimal setup-csp
```

1. The command checks for cloud account readiness and displays the results. If requirements are not met and you need more information about the requirements, see [Preparing your Azure subscription](../preparing_cloud_account/01_preparing_azure/#configure-your-azure-subscription) or [Preparing your AWS account](../preparing_cloud_account/02_preparing_aws/#configure-your-aws-account).


1. If the cloud readiness checks pass, your cloud account is successfully set up. Connect your cloud account to BigAnimal with following command.
```
biganimal connect-csp --provider <cloud-service-provider>
```

Once your cloud account is successfully connected to BigAnimal, you and other users can log in using your identity provider credentials.
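Review bot: the prerequisites and step 2 still use the old role name ("The BigAnimal login user running the CLI is assigned either the owner or the contributor role.", "Log in to BigAnimal as a user with either the owner or the contributor role."), but this PR renames owner to "account owner" in 01_portal_access; update both to the new name. On least privilege: the page asks for IAMFullAccess and ServiceQuotasFullAccess (AWS) or the Global Administrator / Privileged Role Administrator role (Azure AD) without saying what setup-csp does with them; state that these elevated rights are needed only for this one-time setup step, and preferably list the specific permissions the command requires so an organization can grant a scoped policy instead of "full access to resources". Smaller fixes in the same hunk: "synatx" and "Here is an example if setting up" are typos; the syntax block starts with "setup-csp --provider" while every example starts with "biganimal setup-csp", so add the prefix; and the Azure example's subscription ID "abc12345-1234-1234-abcd-12345678901" has an 11-character final group, whereas a GUID's last group is 12 hex digits, so readers copying the shape will get a rejected value.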
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
---
title: "Connecting your BigAnimal account"
title: "Connecting your Azure Marketplace account"
description: "Use your Azure Marketplace account to connect to BigAnimal"
---

Set up your BigAnimal account on Azure Marketplace. Your Azure subscription for BigAnimal is where you create and manage Postgres clusters.

## Before you connect your cloud account
Your Azure subscription for BigAnimal is where you create and manage Postgres clusters.
Set up your BigAnimal account on Azure Marketplace, as follows:

1. Ensure you have an active Microsoft Azure subscription. If you need to create one, see [Create an additional Azure subscription](https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/create-subscription).

Expand Down Expand Up @@ -166,7 +166,7 @@ If you filled in the parameters correctly, you can now log in to your BigAnimal

### Invite users

You can invite new users by sharing the link to the BigAnimal portal and having them log in with their Microsoft Azure Active Directory account. New users are not assigned any roles by default. After they log in the first time, you see them in the User list and can assign them a role with permissions to BigAnimal. See [Assign roles to users](../administering_cluster/01_portal_access/#assign-roles-to-users) for instructions.
You can invite new users by sharing the link to the BigAnimal portal and having them log in with their Microsoft Azure Active Directory account. New users are not assigned any roles by default. After they log in the first time, you see them in the User list and can assign them a role with permissions to BigAnimal. See [Assign roles to users](/biganimal/release/administering_cluster/01_portal_access/#assign-roles-to-users) for instructions.

!!! Note
Azure AD email domain is likely different from the email domain regularly used by your organization.
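Review bot: "New users are not assigned any roles by default." conflicts with the example scenario added to 01_portal_access in this same PR, where new accounts "are automatically created with the role of reader". Align the two pages on the actual first-login behaviour, since an organization deciding whether directory membership alone exposes cluster, user and billing information needs the answer to be the same on both pages.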