User Management¶
Management of users is done with the KineticaUser CRD.
kubectl Usage
From the kubectl command line they are referenced by kineticausers or the short form is ku.
List Users¶
To list the users deployed to a Kinetica DB installation we can use the following from the command-line:
kubectl -n gpudb get kineticausers or kubectl -n gpudb get ku
where the namespace -n gpudb matches the namespace of the Kinetica DB installation.
This outputs
| Name | Action | Ring Name | UID | Last Name | Given Name | Display Name | LDAP | DB | Reveal |
|---|---|---|---|---|---|---|---|---|---|
| kadmin | upsert | kinetica-k8s-sample | kadmin | Account | Admin | Admin Account | OK | OK | OK |
Name¶
The name of the Kubernetes CR i.e. the metadata.name this is not necessarily the name of the user.
Action¶
There are two actions possible on a KineticaUser. The first is upsert which is for user creation or modification. The second is change-password which shows when a user password reset has been performed.
Ring Name¶
The name of the KineticaCluster the user is created in.
UID¶
The unique user id to use in LDAP & the DB to reference this user.
naming
Must contain only lowercase letters, digits, and underscores, and cannot begin with a digit. Must not match the name of another role or user.
Last Name¶
Last Name refers to last name or surname.
sn in LDAP terms.
Given Name¶
Given Name is the Firstname also called Christian name.
givenName in LDAP terms.
Display Name¶
The name shown on any UI representation.
User Principle Name¶
This is a Unique Identifier for the User account and should be formatted like an email address (user@domain.com). Required for LDAP and Reveal.
LDAP¶
Identifies if the user has been successfully created within LDAP.
- '' - if empty the user has not yet been created in LDAP
- 'OK' - shows the user has been successfully created within LDAP
- 'Failed' - shows there was a failure adding the user to LDAP
DB¶
Identifies if the user has been successfully created within the DB.
- '' - if empty the user has not yet been created in the DB
- 'OK' - shows the user has been successfully created within the DB
- 'Failed' - shows there was a failure adding the user to the DB
Reveal¶
Identifies if the user has been successfully created within Reveal.
- '' - if empty the user has not yet been created in Reveal
- 'OK' - shows the user has been successfully created within Reveal
- 'Failed' - shows there was a failure adding the user to Reveal
User Creation¶
User creation requires two Kubernetes CRs to be submitted to Kubernetes and processed by the Kinetica DB Operator.
- User Secret (Password)
- Kinetica User
Creation Sequence
It is preferable to create the User Secret prior to creating the KineticaUser.
Secret Deletion
The User Secret will be deleted once the KineticaUser is created by the operator. The users password will be stored in LDAP and not be present in Kubernetes.
User Secret¶
In this example a user Fred Smith will be created.
apiVersion: v1
kind: Secret
metadata:
name: fred-smith-secret
namespace: gpudb
stringData:
password: testpassword
KineticaUser¶
apiVersion: app.kinetica.com/v1
kind: KineticaUser
metadata:
name: user-fred-smith
namespace: gpudb
spec:
ringName: kineticacluster-sample
uid: fred
action: upsert
reveal: true
upsert:
userPrincipalName: fred.smith@example.com
givenName: Fred
displayName: FredSmith
lastName: Smith
passwordSecret: fred-smith-secret
User Deletion¶
To delete a user from the Kinetica Cluster simply delete the User CR from Kubernetes: -
Change Password¶
To change a users password we use the change-password action rather than the upsert action we used previously.
Creation Sequence
It is preferable to create the User Secret prior to creating the KineticaUser.
Secret Deletion
The User Secret will be deleted once the KineticaUser is created by the operator. The users password will be stored in LDAP and not be present in Kubernetes.
apiVersion: v1
kind: Secret
metadata:
name: fred-smith-change-pwd-secret
namespace: gpudb
stringData:
password: testpassword
apiVersion: app.kinetica.com/v1
kind: KineticaUser
metadata:
name: user-fred-smith-change-password
namespace: gpudb
spec:
ringName: kineticacluster-sample
uid: fred
action: change-password
changePassword:
passwordSecret: fred-smith-change-pwd-secret
Advanced Topics¶
Setting the Resource Group of a User¶
To limit the compute resources available to a user during execution, you should first create a Resource Group and when creating the user, specify the resource group to associate the user with by setting the option on the upsert request.
Note
The name of the resource group in the CR should be the name of the resource group in the database (not the name of the KineticaClusterResourceGroup CR)
Setting a Default Schema for the User¶
When creating the user, you can set the default schema for a user by providing it in the upsert request. The schema should already exist and can be created by creating a KineticaClusterSchema.
Note
The name of the schema in the CR should be the name of the schema in the database (not the name of the KineticaClusterSchema CR)
KiFS¶
Users can store blob data in a Kinetica managed FileSystem-like environment called KiFS.
Kifs Enablement
In order to use the Kifs user features below there is a requirement that Kifs is enabled on the Kinetica DB.
Home Directory¶
When creating a new user it is possible to create that user a 'home' directory within the Kifs filesystem by using the createHomeDirectory option.
Limit Directory Storage¶
It is possible to limit the amount of Kifs file storage the user has by adding kifsDataLimit to the user creation yaml and setting the value to a Kubernetes Quantity e.g. 2Gi