This topic describes how to use your Alibaba Cloud account to create a Resource Access Management (RAM) user and authorize the RAM user to connect to and use Hologres.

Background information

By default, the system sets the Alibaba Cloud account used to purchase a Hologres instance as a superuser. A superuser has all permissions on an instance.

Other users can access an instance only after the required permission is obtained from the superuser.

You can grant the following two types of permissions to a RAM user under your Alibaba Cloud account:
  • RAM permissions

    RAM permissions are optional when you use a RAM user. After you grant the relevant RAM permission to a RAM user, you can log on to the Hologres console as the RAM user and purchase or delete instances, upgrade or downgrade instance specifications, modify the network configuration of instances, or view the instance details.

  • Development permissions on instances

    Development permissions are required when you use a RAM user. You can use a RAM user to perform data analytics operations on a Hologres instance only after the required development permissions on the instance are granted to the RAM user by using your Alibaba Cloud account.

Hologres provides the following two permission models for you to authorize RAM users in a convenient way:
  • (Recommended) SPM

    Based on the PostgreSQL authorization model, Alibaba Cloud introduced a simple permission model (SPM) to Hologres to enhance user experience. The SPM is a coarse-grained model that authorizes users by user group. For more information, see SPM Overview.

  • Standard PostgreSQL authorization model

    Compatible with PostgreSQL, Hologres provides a permission model that is exactly the same as the standard PostgreSQL authorization model. Based on this model, you can authorize RAM users by using the standard PostgreSQL statements. For more information, see Grant permissions by using the standard PostgreSQL authorization model.

Create a RAM user

If you have created a RAM user, skip this step.

  1. Log on to the Alibaba Cloud international site (alibabacloud.com) by using your Alibaba Cloud account.
  2. Go to the RAM console.
  3. In the left-side navigation pane, choose Identities > Users.
  4. On the Users page, click Create User.
    On the Create User page, you can click Add User to create multiple RAM users at a time.
  5. In the User Account Information section, enter a logon name and display name in the Logon Name and Display Name fields respectively.
  6. In the Access Mode section, select Console Password Logon.
  7. Set the password for the RAM user.
  8. Click OK.

Create an AccessKey pair for the RAM user

An AccessKey pair is required for the nodes created in Hologres to run. You must create an AccessKey pair for each RAM user. To create an AccessKey pair for the RAM user, perform the following steps:

  1. In the left-side navigation pane, choose Identities > Users.
  2. On the Users page, click the username of the target RAM user in the User Logon Name/Display Name column.
  3. On the page that appears, click Create AccessKey in the User AccessKeys section.
  4. In the message that appears, view the AccessKey ID and AccessKey secret and click Close.
    Note
    • The AccessKey secret is displayed only when you create an AccessKey pair, and is unavailable for subsequent queries. We recommend that you save the AccessKey secret for subsequent use.
    • If the AccessKey pair is disclosed or lost, you must create a new one. You can create a maximum of two AccessKey pairs.

Grant permissions to the RAM user

  • Grant RAM permissions to the RAM user:

    After you grant the relevant RAM permission to a RAM user by using your Alibaba Cloud account, you can log on to the Hologres console as the RAM user and view, purchase, or delete instances. For more information, see Grant Hologres-related RAM permissions to a RAM user.

  • Grant development permissions to the RAM user:

    You can use a RAM user to perform data analytics operations on a Hologres instance only after the required development permissions on the instance are granted to the RAM user by using your Alibaba Cloud account. For more information, see Grant the development permissions on a Hologres instance to a RAM user.

Use Hologres as the RAM user

After a RAM user is granted the required permissions, you can connect to the target instance from the PostgreSQL client and perform operations on the instance as the RAM user. For more information, see Connect to Hologres from the PostgreSQL client.

For example, you can run the following command, where <AccessID> and <AccessKey> are the AccessKey ID and AccessKey secret of the RAM user:
PGUSER=<AccessID> PGPASSWORD=<AccessKey> psql -p <Port> -h <Endpoint> -d <Database>
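
The following is an added example, not part of the original page or of Hologres itself. It shows one way to keep the AccessKey secret out of the command line and shell history by storing it in a PostgreSQL password file, which the psql client reads through the standard PGPASSFILE variable. The function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: build a PostgreSQL password file (pgpass) entry for the
# RAM user's AccessKey pair. Format, one entry per line:
#   hostname:port:database:username:password

# Escape one pgpass field: a backslash or colon inside a field must be
# preceded by a backslash.
pgpass_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/:/\\:/g'
}

# Print one pgpass line.
# Arguments: endpoint, port, database, AccessKey ID, AccessKey secret.
pgpass_line() {
    printf '%s:%s:%s:%s:%s\n' \
        "$(pgpass_escape "$1")" "$(pgpass_escape "$2")" \
        "$(pgpass_escape "$3")" "$(pgpass_escape "$4")" \
        "$(pgpass_escape "$5")"
}

# Write (overwrite) a password file that only its owner can read. On Unix,
# psql ignores the file if group or others have any access to it.
# Arguments: file path, then the same five arguments as pgpass_line.
write_pgpass() {
    file=$1
    shift
    ( umask 077 && pgpass_line "$@" > "$file" ) && chmod 600 "$file"
}

# Demo with constructed values (not real credentials): prints the entry.
pgpass_line "hologres.example.invalid" 80 demo_db \
    "CONSTRUCTED_ACCESS_ID" 'constructed:secret'
```

After calling write_pgpass with the real endpoint, port, database and AccessKey pair, connect with `PGPASSFILE=<file> psql -h <Endpoint> -p <Port> -d <Database> -U <AccessID>`; psql looks up the password from the matching entry.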

View the permissions granted to the RAM user

You can view the permissions granted to the RAM user in the following ways:
  • View the permissions granted to the RAM user in the Hologres console.
    1. Log on to the Hologres console. On the Instances page, click the name of the target instance. The instance details page appears.
    2. In the left-side navigation pane of the instance details page, click Users.
    3. View the value in the Type column of the target RAM user, which indicates the role assigned to the RAM user.

    If you have enabled the SPM for your database, you can view the granted permissions in the following way: Click the Databases tab. On the Databases tab, find the target database and click Authorize User in the Actions column. In the right-side pane that appears, view the user group to which the target RAM user is added, which indicates the permissions that are granted to the RAM user.

  • View the permissions granted to the RAM user by executing SQL statements.
    Connect to the target Hologres instance from the PostgreSQL client and execute the following statements to view the granted permissions:
    SELECT * FROM pg_roles WHERE rolname = 'p4_user ID'; -- Query the role assigned to the specified user.
    SELECT rolname FROM pg_roles; -- List the names of all roles.
    SELECT user_display_name(rolname) FROM pg_roles; -- List the display name of each role.