default cluster to quickstart#136
Conversation
jubrad
left a comment
jubrad
left a comment
There was a problem hiding this comment.
We might want to think about this a bit more...
There are a couple of ways we could approach this, one way is to just automatically create a new role (not service account), if we're using password or sasl (or probably No auth).
The other way would be to take a list of objects that represent initial users that should be created... This would be a tuple of something like user, password, superuser, login
Yet another way would be to have a pod that reads from a secret and generates all roles in that secret.
I'm not convinced that always creating a role is the best option to choose here.
|
I am inclined towards having user provided input for generating credentials, yet I don't like the idea of exposing a lot of configuration knobs to the user. I went ahead with the service account role because it could be used by user applications via serivce account, while the user roles would only be useful for login. I want to know the reason why you suggested that we shouldn't be creating service account role. |
|
the idea behind this implementation was to provide a superuser role with credentials which can be used to further create other roles needed by the user. |
| Connect using psql with the default service account credentials: | ||
| ```bash | ||
| # Get the password (use jq -r to decode JSON-escaped characters) | ||
| terraform output -json mz_instance_service_account_credentials | jq -r '.password' |
There was a problem hiding this comment.
service_account isn't applicable in self-managed, I think this should be something like default_superuser_credentials
| locals { | ||
| secret_name = "${var.instance_name}-materialize-backend" | ||
| mz_resource_id = data.kubernetes_resource.materialize_instance.object.status.resourceId | ||
| service_account_name = "default" |
There was a problem hiding this comment.
yeah, lets not call this default...
I'd rather this just be a default_superuser variable..
variable "server_config" {
description = "Username and password for default super user"
type = tuple([string, string])
default = null
sensitive = true
}
jubrad
left a comment
jubrad
left a comment
There was a problem hiding this comment.
Definitely some changes required, here. I'd like to see this be optoinal in general rather than based being based on the type of authenticator. We can default in the examples.
Might be worth @bobbyiliev taking a look as well.
| # Create a job to create the default service account with superuser privileges | ||
| # https://materialize.com/docs/security/self-managed/access-control/manage-roles/#create-individual-userservice-account-roles | ||
| resource "kubernetes_job" "create_service_account" { | ||
| count = contains(["Password", "Sasl"], var.authenticator_kind) ? 1 : 0 |
There was a problem hiding this comment.
Thanks for working on this!
As Justin mentioned, rather than tying this to authenticator_kind, maybe we can make superuser creation explicitly optional?
Eg:
variable "superuser_credentials" {
description = "Username and password for superuser. If null, no superuser will be created."
type = object({
username = string
password = string
})
default = null
sensitive = true
}Then the job only runs when set:
resource "kubernetes_job" "create_superuser" {
count = var.superuser_credentials != null ? 1 : 0
# ...
}That way users explicitly opt-in and the username isn't hardcoded to "default".
There was a problem hiding this comment.
are these credentials useful when authenticator_kind is None? I tied it to authenticator_kind, because if auth_kind is None, then there would be no use of credentials isn't it?
Should we rather check for both conditions? i.e.
superuser_credentials != null&&authenticator_kind != None?
There was a problem hiding this comment.
Good point! As we discussed this during the call yesterday, if the authenticator kind is None the CREATE ROLE "<role>" WITH LOGIN PASSWORD '<password>'; statement will fail I believe.
| } | ||
| } | ||
|
|
||
| wait_for_completion = true |
There was a problem hiding this comment.
With wait_for_completion = true and 5m timeout, does this work reliably if balancerd isn't ready yet?
There was a problem hiding this comment.
I might as well add update = 5m so that this timeout is applied for updates as well.
|
|
||
| container { | ||
| name = "psql" | ||
| image = "postgres:16-alpine" |
There was a problem hiding this comment.
Shall we bump this to a newer Postgres version?
|
Results after addressing comments: PGwire: Console 
SuperUser is redirected to quickstart cluster |
jshiwamV
force-pushed
the
fix-default-cluster
branch
from
64c6bab to
88c9b50
Compare
|
Job Logs don't contain sensitive info: Update Secnario when ALTER ROLE command is run I have also created secret for superuser creds so that we can refer the secrets in the job and the secrets won't be visible in job spec as well. job spec |
bobbyiliev
left a comment
bobbyiliev
left a comment
There was a problem hiding this comment.
Overall looking good! The refactoring to use secrets for credentials is a nice improvement.
Would maybe still want @jubrad to take a quick look too.
Also, leaving a few extra suggestions.
| terraform output -json mz_instance_superuser_credentials | jq -r '.password' | ||
|
|
||
| psql -h <NLB_DNS> -p 6875 -U <username> |
There was a problem hiding this comment.
Should we show how to get the username too? Something like:
terraform output -json mz_instance_superuser_credentials | jq -r '.username'| # Get the password (use jq -r to decode JSON-escaped characters) | ||
| terraform output -json mz_instance_superuser_credentials | jq -r '.password' | ||
|
|
||
| psql -h <LoadBalancerIP> -p 6875 -U <username> |
There was a problem hiding this comment.
Should we show how to get the username too? Something like:
terraform output -json mz_instance_superuser_credentials | jq -r '.username'| # Get the password (use jq -r to decode JSON-escaped characters) | ||
| terraform output -json mz_instance_superuser_credentials | jq -r '.password' | ||
|
|
||
| psql -h <LoadBalancerIP> -p 6875 -U <username> |
There was a problem hiding this comment.
Should we show how to get the username too? Something like:
terraform output -json mz_instance_superuser_credentials | jq -r '.username'| -c "CREATE ROLE $SUPERUSER_USERNAME WITH SUPERUSER LOGIN PASSWORD '$SUPERUSER_PASSWORD';" | ||
| else | ||
| PGPASSWORD=$MZ_PASSWORD psql -h $MZ_HOST -p 6875 -U mz_system -d materialize \ | ||
| -c "ALTER ROLE $SUPERUSER_USERNAME PASSWORD '$SUPERUSER_PASSWORD';" | ||
| fi | ||
| EOT |
There was a problem hiding this comment.
Thanks for verifying the logs! The env vars from secrets are good. I just wonder if psql errors out, would it echo the query?
There was a problem hiding this comment.
nope psql won't echo the query, we need to pass the following flags for different scenarios in order to get querie/ output of command that's been run
Input and output options:
-a, --echo-all echo all input from script
-b, --echo-errors echo failed commands
-e, --echo-queries echo commands sent to server
-E, --echo-hidden display queries that internal commands generate
| locals { | ||
| secret_name = "${var.instance_name}-materialize-backend" | ||
| mz_resource_id = data.kubernetes_resource.materialize_instance.object.status.resourceId | ||
| create_superuser = contains(["Password", "Sasl"], var.authenticator_kind) && var.superuser_credentials != null |
There was a problem hiding this comment.
This addresses the earlier discussion nicely! Just one thing to confirm, if someone sets superuser_credentials but uses authenticator_kind = "None", should we add a validation to warn them it won't do anything?
Might be overkill though.
There was a problem hiding this comment.
that actually makes sense, here I made the change
|
I can close this PR if you don't see it as a good fit @jubrad |
3 participants
defaultservice account super user role which the user will use for their default login when password based auth is enabled.Screen.Recording.2026-01-06.at.8.53.23.PM.mov