This topic describes how to use your Alibaba Cloud account to create a Resource Access Management (RAM) user and authorize the RAM user to connect to and use Hologres.
Background information
By default, the system sets the Alibaba Cloud account used to purchase a Hologres instance as a superuser. A superuser has all permissions on an instance.
Other users can access an instance only after the required permission is obtained from the superuser.
- RAM permissions
RAM permissions are optional when you use a RAM user. After you grant the relevant RAM permission to a RAM user, you can log on to the Hologres console as the RAM user and purchase or delete instances, upgrade or downgrade instance specifications, modify the network configuration of instances, or view the instance details.
- Development permissions on instances
Development permissions are required when you use a RAM user. You can use a RAM user to perform data analytics operations on a Hologres instance only after the required development permissions on the instance are granted to the RAM user by using your Alibaba Cloud account.
  - (Recommended) SPM
  Based on the PostgreSQL authorization model, Alibaba Cloud introduced a simple permission model (SPM) to Hologres to enhance user experience. The SPM is a coarse-grained model that authorizes users by user group. For more information, see SPM Overview.
  - Standard PostgreSQL authorization model
  Compatible with PostgreSQL, Hologres provides a permission model that is exactly the same as the standard PostgreSQL authorization model. Based on this model, you can authorize RAM users by using the standard PostgreSQL statements. For more information, see Grant permissions by using the standard PostgreSQL authorization model.
Create a RAM user
If you have created a RAM user, skip this step.
Create an AccessKey pair for the RAM user
An AccessKey pair guarantees that the nodes created in Hologres can be run. You must create an AccessKey pair for each RAM user. To create an AccessKey pair for the RAM user, perform the following steps:
Grant permissions to the RAM user
- Grant RAM permissions to the RAM user:
After you grant the relevant RAM permission to a RAM user by using your Alibaba Cloud account, you can log on to the Hologres console as the RAM user and view, purchase, or delete instances. For more information, see Grant Hologres-related RAM permissions to a RAM user.
- Grant development permissions to the RAM user:
You can use a RAM user to perform data analytics operations on a Hologres instance only after the required development permissions on the instance are granted to the RAM user by using your Alibaba Cloud account. For more information, see Grant the development permissions on a Hologres instance to a RAM user.
Use Hologres as the RAM user
After a RAM user is granted the required permissions, you can connect to the target instance from the PostgreSQL client and perform operations on the instance as the RAM user. For more information, see Connect to Hologres from the PostgreSQL client.
PGUSER=<AccessID> PGPASSWORD=<AccessKey> psql -p <Port> -h <Endpoint> -d <Database>
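The command above puts the AccessKey secret on the command line and in the psql process environment; the PostgreSQL documentation advises against PGPASSWORD for that reason and recommends a password file. The following added example (not part of the original Hologres documentation) writes the AccessKey pair to a libpq password file selected through PGPASSFILE; the function names and the file path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the Hologres documentation): keep the RAM user's
# AccessKey secret in a libpq password file instead of on the command line.

# Escape '\' and ':' the way the pgpass format requires.
pgpass_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/:/\\:/g'
}

# write_pgpass FILE ENDPOINT PORT DATABASE ACCESS_ID ACCESS_KEY
# Adds or replaces the entry for that endpoint/port/database/user.
write_pgpass() {
    file=$1
    prefix="$(pgpass_escape "$2"):$(pgpass_escape "$3"):$(pgpass_escape "$4"):$(pgpass_escape "$5"):"
    old_umask=$(umask)
    umask 077                       # temp file is created without group/other access
    tmp="${file}.tmp.$$"
    if [ -f "$file" ]; then
        # Keep every line that does not start with this entry's prefix.
        P="$prefix" awk 'index($0, ENVIRON["P"]) != 1' "$file" > "$tmp"
    else
        : > "$tmp"
    fi
    printf '%s%s\n' "$prefix" "$(pgpass_escape "$6")" >> "$tmp"
    chmod 600 "$tmp"
    mv "$tmp" "$file"
    umask "$old_umask"
}

# libpq ignores a password file that group or others can access.
pgpass_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage, with the same placeholders as the command above
# ($ACCESS_KEY is assumed to come from a prompt or a secret store):
#   export PGPASSFILE="$HOME/.pgpass-hologres"
#   write_pgpass "$PGPASSFILE" <Endpoint> <Port> <Database> <AccessID> "$ACCESS_KEY"
#   pgpass_private "$PGPASSFILE" && psql -w -h <Endpoint> -p <Port> -d <Database> -U <AccessID>
```

With `-w`, psql never prompts, so a missing or ignored password file fails the connection immediately instead of falling back to interactive input.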
View the permissions granted to the RAM user
- View the permissions granted to the RAM user in the Hologres console.
  - Log on to the Hologres console. On the Instances page, click the name of the target instance. The instance details page appears.
  - In the left-side navigation pane of the instance details page, click Users.
  - View the value in the Type column of the target RAM user, which indicates the role assigned to the RAM user.
  If you have enabled the SPM for your database, you can view the granted permissions in the following way: Click the Databases tab. On the Databases tab, find the target database and click Authorize User in the Actions column. In the right-side pane that appears, view the user group to which the target RAM user is added, which indicates the permissions that are granted to the RAM user.
- View the permissions granted to the RAM user by executing SQL statements.
Connect to the target Hologres instance from the PostgreSQL client and execute the following statements to view the granted permissions:
SELECT * FROM pg_roles WHERE rolname = 'p4_user ID'; -- Query the role assigned to the specified user.
SELECT rolname FROM pg_roles; -- List the names of all roles.
SELECT user_display_name(rolname) FROM pg_roles; -- List all roles by display name.