Best Practices of Privileged Account
<p>This article describes the functions of a privileged account of RDS PostgreSQL and its best practice in different scenarios.</p>
<p><span style="font-size:18px"><strong>Overview</strong></span></p>
<p>RDS PostgreSQL supports a privileged account. When you create an RDS PostgreSQL instance, the account that is automatically created by the system is the privileged account. You can create and manage multiple business accounts and database with the privileged account to realize privilege separation and data separation in an instance.</p>
<p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20200707110229-1d6b45f19ba5.png" style="height:23px; margin:0px; width:90px" />: Default database of the privileged account created by the system is postgres and also the system database. It is not applicable for creating business database. Therefore, we recommend that you create a business account and use it to create business database.</p>
<p>1. Permission separation of multiple accounts</p>
<p>In many scenarios, you may hope that different functional staff have different operation permissions of database. For example, some accounts can create database and tables, while some accounts can add, delete, modify, and view data, and some accounts can only read data. You can create multiple business accounts and authorize these accounts with different operation permissions by using the privileged account to realize permission separation.</p>
<p>2. Multiple applications that are separated by database share instance resource</p>
<p>To save costs, you can deploy multiple applications in a database instance and separate these applications with different business databases. Different applications can share RDS PostgreSQL resources such as CPU, memory, and storage resource. For multiple applications, you only need to maintain a database instance.</p>
<p><span style="font-size:18px"><strong>Prerequisites</strong></span></p>
<p>You have successfully created an RDS PostgreSQL instance.For more information, see <a href="http://yun.pingan.com/ssr/help/database/RDS/User_Guide_RDS_PostgreSQL.Instance_Management.Create_Instance.Create_Common_Instance" target="_blank">Create a General Instance</a>.</p>
<p><span style="font-size:18px"><strong>Permission Separation: Create Business Database and Account</strong></span></p>
<p><strong>Solution 1: The business account is the owner of the business database and has all permissions of the business database.</strong></p>
<p>1. The privileged account creates a business account that has login permission by executing the following command.</p>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="background-color:#f7f8fa">
<p><span style="font-family:Consolas">CREATE USER <em>Newuser-Name</em> LOGIN PASSWORD '<em>Password</em>';</span></p>
</td>
</tr>
</tbody>
</table>
<p> <img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20200707110735-16349b2b9ab4.png" style="height:23px; margin:0px; width:90px" />:</p>
<p> • <em>Newuser-Name</em>: Name of a business account.</p>
<p> • <em>Password</em>: Password of a business account.</p>
<p>2. Create business database for a business account by executing the following command.</p>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="background-color:#f7f8fa">
<p><span style="font-family:Consolas">GRANT <em>Newuser-Name </em>to <em>Rootuser-Name</em>;</span></p>
<p><span style="font-family:Consolas">CREATE DATABASE<em> Newdb-Name</em> OWNER<em> Newuser-Name</em>;</span></p>
<p><span style="font-family:Consolas">REVOKE <em>Newuser-Name </em>from <em>Rootuser-Name</em>;</span></p>
</td>
</tr>
</tbody>
</table>
<p> <img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20200707110735-16349b2b9ab4.png" style="height:23px; margin:0px; width:90px" />:</p>
<p> • <em>Rootuser-Name</em>: Name of the privileged account that is created when you create an RDS PostgreSQL instance.</p>
<p> • <em>Newdb-Name</em>: Name of the business database.</p>
<p>3. A business account can access the business database and create a table by executing the following command.</p>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="background-color:#f7f8fa">
<p><span style="font-family:Consolas">psql -U <em>Newuser-Name r</em> -h <em>Domain-Name</em> -p <em>Port</em> <em>Newdb-Name</em>;</span></p>
</td>
</tr>
</tbody>
</table>
<p> <img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20200707110735-16349b2b9ab4.png" style="height:23px; margin:0px; width:90px" />:</p>
<p> • <em>Domain-Name</em>: Access domain name of an RDS PostgreSQL instance. For more information, see <a href="http://yun.pingan.com/ssr/help/database/RDS/User_Guide_RDS_PostgreSQL.Instance_Management.View_Instance.View_Common_Instance" target="_blank">the basic information of the instance</a>.</p>
<p> • <em>Port</em>: Connecting port of an RDS PostgreSQL instance. For more information, see <a href="http://yun.pingan.com/ssr/help/database/RDS/User_Guide_RDS_PostgreSQL.Instance_Management.View_Instance.View_Common_Instance" target="_blank">the basic information of the instance</a>.</p>
<p><strong>Solution 2: The privileged account is the owner of the business database and authorizes database permission to the business accounts.</strong></p>
<p>1. The privileged account creates a business account that has login permission by executing the following command.</p>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="background-color:#f7f8fa; vertical-align:top">
<p><span style="font-family:Consolas">CREATE USER <em>Newuser-Name</em> LOGIN PASSWORD <em>'Password'</em>;</span></p>
</td>
</tr>
</tbody>
</table>
<p> <img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20200707110735-16349b2b9ab4.png" style="height:23px; margin:0px; width:90px" />:</p>
<p> • <em>Newuser-Name</em>: Name of a business account.</p>
<p> • <em>Password</em>: Password of a business account.</p>
<p>2. Create business database by executing the following command.</p>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="background-color:#f7f8fa; vertical-align:top">
<p><span style="font-family:Consolas">CREATE DATABASE <em>Newdb-Name</em>;</span></p>
</td>
</tr>
</tbody>
</table>
<p> <img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20200707110735-16349b2b9ab4.png" style="height:23px; margin:0px; width:90px" />: <em>Newdb-Name</em>: Name of the business database.</p>
<p>3. The business account authorizes the business database with relevant permission by executing the following command.</p>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="background-color:#f7f8fa; vertical-align:top">
<p><span style="font-family:Consolas">GRANT ALL ON DATABASE <em>Newdb-Name</em> TO <em>Newuser-Name</em>;</span></p>
</td>
</tr>
</tbody>
</table>
<p>4. The business account accesses the business database and creates a table by executing the following command.</p>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="background-color:#f7f8fa; vertical-align:top">
<p><span style="font-family:Consolas">psql -U <em>Newuser-Name</em> -h <em>Domain-Name</em> -p <em>Port Newdb-Name</em>;</span></p>
</td>
</tr>
</tbody>
</table>
<p> <img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20200707110735-16349b2b9ab4.png" style="height:23px; margin:0px; width:90px" />:</p>
<p> • <em>Domain-Name</em>: Access domain name of an RDS PostgreSQL instance. For more information, see the basic information of the instance.</p>
<p> • <em>Port</em>: Connecting port of an RDS PostgreSQL instance. For more information, see the basic information of the instance.</p>
<p><strong>Data Separation: Permission Separation of Business Database</strong></p>
<p>1. Create business database by executing the following command.</p>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="background-color:#f7f8fa; vertical-align:top">
<p><span style="font-family:Consolas">CREATE DATABASE <em>Newdb-Name</em>;</span></p>
</td>
</tr>
</tbody>
</table>
<p> <img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20200707110735-16349b2b9ab4.png" style="height:23px; margin:0px; width:90px" />: <em>Newdb-Name</em>: Name of the database being created.</p>
<p>2. Create a DDL account and authorize the DDL account with all permissions of the business database by executing the following command.</p>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="background-color:#f7f8fa; vertical-align:top">
<p><span style="font-family:Consolas">CREATE USER <em>Deployuser-Name</em> LOGIN PASSWORD '<em>Password-ddl</em>';</span></p>
<p><span style="font-family:Consolas">GRANT ALL ON DATABASE <em>Newdb-Name</em> TO <em>Deployuser-Name</em>;</span></p>
</td>
</tr>
</tbody>
</table>
<p> <img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20200707110735-16349b2b9ab4.png" style="height:23px; margin:0px; width:90px" />:</p>
<p> • <em>Deployuser-Name</em>: Name of the DDL account.</p>
<p> • <em>Password-ddl</em>: Password of the DDL account.</p>
<p> • <em>Newdb-Name</em>: Name of the business database.</p>
<p>3. Create a DML account and authorize the DML account with permissions of adding, deleting, modifying, and viewing all tables in the designated business database.</p>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="background-color:#f7f8fa; vertical-align:top">
<p><span style="font-family:Consolas">CREATE USER <em>Dmluser-Name</em> LOGIN PASSWORD '<em>Password-dml</em>';</span></p>
<p><span style="font-family:Consolas">GRANT CONNECT ON DATABASE <em>Newdb-Name</em> TO <em>Dmluser-Name</em>;</span></p>
<p><span style="font-family:Consolas">\c <em>Newdb-Name</em>;</span></p>
<p><span style="font-family:Consolas">GRANT INSERT,UPDATE,DELETE,SELECT ON ALL TABLES IN SCHEMA public TO <em>Dmluser-Name</em>;</span></p>
</td>
</tr>
</tbody>
</table>
<p> <img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20200707110735-16349b2b9ab4.png" style="height:23px; margin:0px; width:90px" />:</p>
<p> • <em>Dmluser-Name</em>: Name of the DML account.</p>
<p> • <em>Password-dml</em>: Password of the DML account.</p>
<p>4. Create a read-only account and authorize the read-only account with query permission of all tables in the business database by executing the following command.</p>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="background-color:#f7f8fa; vertical-align:top">
<p><span style="font-family:Consolas">CREATE USER <em>Readonlyuser-Name</em> LOGIN PASSWORD '<em>Password-readonly</em>';</span></p>
<p><span style="font-family:Consolas">GRANT CONNECT ON DATABASE <em>newdb</em> TO <em>readonlyuser</em>;</span></p>
<p><span style="font-family:Consolas">\c <em>Newdb-Name</em>;</span></p>
<p><span style="font-family:Consolas">GRANT SELECT ON ALL TABLES IN SCHEMA public TO <em>Readonlyuser-Name</em>;</span></p>
</td>
</tr>
</tbody>
</table>
<p> <img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20200707110735-16349b2b9ab4.png" style="height:23px; margin:0px; width:90px" />:</p>
<p> • <em>Readonlyuser-Name</em>: Name of the read-only account.</p>
<p> • <em>Password-readonly</em>: Password of the read-only account.</p>
Did the above content solve your problem?
Yes
No
Submitted successfully! Thank you for your feedback, we will try our best to do better and better!