This page covers the essential concepts related to access management (authorization) in CockroachDB Cloud. Procedures for managing access are covered in Managing Users, Roles, and Service Accounts in CockroachDB Cloud.
Overview of the CockroachDB Cloud authorization model
The CockroachDB Cloud console, found at https://cockroachlabs.cloud/
, is a 'single pane of glass' for managing users, billing, and all functions for administering clusters in CockroachDB Cloud. When accessing the console, users must sign in to a CockroachDB Cloud organization (or create a new one).
You can also execute many administrative commands using the ccloud
command-line utility and the CockroachDB Cloud API:
ccloud
allows human users to authenticate their terminal via a browser token from the CockroachDB Cloud console.- The CockroachDB Cloud API allows service accounts to authenticate via API keys, which are issued through the console.
- You can use Terraform to provision users and other aspects of your CockroachDB Cloud clusters. However, note that currently Terraform can only be used to provision admin SQL users, as this is a current limitation of the API, on which Terraform depends.
In CockroachDB Cloud, an organization corresponds to an authorization hierarchy linked to a billing account. Within each CockroachDB Cloud organization, the unit of database functionality is the CockroachDB cluster, which corresponds to a networked set of CockroachDB cluster nodes. SQL operations and data storage are distributed over a cluster. Every cluster belongs to an organization.
CockroachDB Cloud has a hierarchical authorization model, where roles can be assigned at different scopes:
- Organization: Each CockroachDB Cloud organization has a set of roles defined on it, which allow users to perform administrative tasks relating to the management of clusters, organization users, SQL users, and billing.
Folder: roles can be assigned on folders. Role inheritance is transitive; a role granted on the organization or a folder is inherited by descendent resources.
Tip:Organizing clusters using folders is available in Preview. To learn more, refer to Organize Clusters Using Folders.
Cluster: Each CockroachDB cluster defines its own set of SQL users and roles which manage permission to execute SQL statements on the cluster.
The levels within the hierarchy intersect, because administering SQL-level users on specific clusters within an organization is an organization-level function.
For the main pages covering users and roles at the SQL level within a specific database cluster, refer to:
- Overview of Cluster Users/Roles and Privilege Grants in CockroachDB
- Managing Cluster User Authorization
Organization user roles
When a user or service account is first added to an organization, they are granted the default role, Org Member, which grants no permission and only indicates membership in the organization. Org or Cluster Administrators may edit the roles assigned to organization users in the CockroachDB Cloud console's Access Management page, or using the CockroachDB Cloud API or Terraform Provider.
The user who creates a new organization is assigned the following roles at the organization scope:
Any of these roles may subsequently be removed by a user with both the Org Administrator role and the Cluster Admin role at the organization scope. This is to ensure that at least one user has both of these roles.
To learn more, refer to Manage organization users.
The following CockroachDB Cloud organization roles can be granted:
Organization Member
This default role is granted to all organization users when they are invited or provisioned. It grants no permissions to perform cluster or organization actions.
Org Administrator
Org Administrators can:
- Invite users to join that organization.
- Create service accounts.
- Grant and revoke roles for both users and service accounts.
Org Administrators automatically receive email alerts about planned cluster maintenance and when CockroachDB Cloud detects that a cluster is overloaded or experiencing issues. In addition, Org Administrators can subscribe other members to the email alerts, and can configure how alerts work for the organization.
This role can be granted only at the scope of the organization.
Billing Coordinator
Users with this role in an organization can manage billing for that organization through the CockroachDB Cloud console billing page at https://cockroachlabs.cloud/billing/overview
.
Cluster Operator
Cluster Operators can perform a variety of cluster functions:
Users with this role can perform the following console operations:
- View a cluster's Overview page, which displays its configuration, attributes and statistics, including cloud provider, region topography, and available and maximum storage and request units.
- Manage a cluster's databases from the Databases Page.
- Scale a cluster's nodes.
- View and configure a cluster's authorized networks from the Networking Page.
- Manage network authorization for a cluster.
- View backups in a cluster's Backup and Restore Page.
- Restore a cluster from a backup.
- View a cluster's Jobs from the Jobs page.
- View a cluster's Metrics from the Metrics page.
- View a cluster's Insights from the Insights page.
- Upgrade a cluster's CockroachDB version.
- View a cluster's PCI-readiness status (Advanced clusters with Security add-on only).
- Send a test alert from the Alerts Page.
- Configure single sign-on (SSO) enforcement.
- Access the DB Console.
- Configure a cluster's maintenance window.
Service accounts with this role can perform the following API operations:
This role can be considered a more restricted alternative to Cluster Administrator, as it grants all of the permissions of that role, except that it does not allow users to:
- Manage cluster-scoped roles on organization users.
- Manage SQL users from the cloud console.
- Create or delete a cluster.
This role can be granted at the scope of the organization, on an individual cluster, or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendent folders, and their descendants.
Cluster Administrator
Cluster Administrators can perform all of the Cluster Operator actions, as well as:
- Provision SQL users for a cluster using the console.
- Create Service Accounts.
- Edit cluster-scope role assignments (specifically, the Cluster Administrator, Cluster Operator, and Cluster Developer roles) on users, and service accounts.
- Edit or delete a cluster.
- Cluster Administrators for the whole organization (rather than scoped to a single cluster) can create new clusters.
- Access the DB Console.
- Configure a cluster's maintenance window.
This role can be granted at the scope of the organization, on an individual cluster, or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendent folders, and their descendants.
Cluster Creator
Cluster Creators can create clusters in an organization. A cluster's creator is automatically granted the Cluster Administrator role for that cluster upon creation.
This role can be granted at the scope of the organization or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendent folders, and their descendants.
Cluster Developer
Users with this role can view cluster details and access the DB Console, allowing them to export a connection string from the cluster page UI, although they will still need a Cluster Administrator to provision their SQL credentials for the cluster.
This role can be granted at the scope of the organization, on an individual cluster, or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendent folders, and their descendants.
Folder Admin
A Folder Admin can create, rename, and move, or delete folders where they are granted the role, and they can also manage access to these folders. This role can be granted at the level of the organization or on a specific folder. If granted at the level of the organization, the role grants the ability to view all users and service accounts in the organization. If granted on a specific folder, the role is inherited by descendant folders.
A user with the Org Administrator role can grant themselves, another user, or a service account the Folder Admin role.
To create or manage clusters in a folder, a Folder Admin also needs the Cluster Administrator or Cluster Creator role on that folder directly or by inheritance. To delete a cluster, the Cluster Administrator role is required on the cluster directly or by inheritance.
Folder Mover
A Folder Mover can rename or move descendant folders, and can move clusters within the folder hierarchy where they have the role. However, a Folder Mover cannot create or delete folders or clusters, and cannot assign roles. A Folder Mover can move clusters within the folder hierarchy even if they do not have a role that allows them to connect to the cluster, such as Cluster Creator or Cluster Operator).
A user with the Org Administrator or Folder Admin role can grant another user or a service account the Folder Mover role. Because the Folder Admin role is a superset of Folder Mover, there is no need for a Folder Admin to grant themselves the Folder Mover role.
Service accounts
Service accounts authenticate with API keys to the CockroachDB Cloud API, rather than to the CockroachDB Cloud Console UI.
Service accounts operate under a unified authorization model with organization users, and can be assigned all of the same organization roles as users, but note that some actions are available in the console but not the API, or vice versa (For example, in the Cluster Operator Role).
Refer to Manage Service Accounts.
Cluster roles for organization users using Cluster SSO
Cluster Single Sign-On (SSO) for CockroachDB Cloud allows authorized organization users to directly access clusters within the organization via ccloud
, the CockroachDB Cloud command line interface.
However, because organization users and cluster SQL users are logically separate, a corresponding SQL user must be created for each SSO organization user, on each particular cluster.
This correspondence lies in the SQL user name, which must be in the format sso_{email_name}
. Replace (email_name}
with the portion of the user's email address before @
. For example, the SQL username of a user with the email address docs@cockroachlabs.com
is sso_docs
. If the role is not set up correctly, ccloud
prompts you to create or add it. Only an SQL admin can manage SQL users.