Find out how to secure, manage and automate access to Datasentinel platform

post-thumb
Datasentinel employs a multi-layered approach to secure user access to its platform and control who can access monitored PostgreSQL instances.
Firstly, authentication is enforced through a secure login process that requires users to provide valid credentials before accessing the platform.

Additionally, the platform supports integration with LDAP and Active Directory, allowing for centralized user management and authentication.

In this article, we delve into the ways in which Datasentinel enables organizations to customize user access based on their unique needs through the use of its Role-Based Access (RBAC) feature.

With the association of tags with each monitored instance (Refer to How to use TAGs efficiently), administrators can easily identify and manage user access according to specific criteria such as access to activity statistics of clusters attached to an application or access to non-production instances (the selection criteria for user access is limitless).


The users

Datasentinel has a default account called “datasentinel” that is granted administrator access when the platform is installed.

This account can be used by administrators to configure roles and users, simplifying the platform administration process.

1. There are two user profiles available in Datasentinel, which enables administrators to restrict access to specific dashboards

Profile Description
developer Limited access to Top queries, Session History, Top tables / indexes dashboards
as well as the corresponding reporting in PDF format
data admin Access to all dashboards as well as reporting in PDF format

Default profile: data admin

2. There are 3 privileges:

Privilege Description
read Read only access to the platform
read write read privilege + possibility of kill sessions / backends from the GUI
admin read write privilege + platform administration

Default privilege: admin

3. Accessibility to the Live360 feature (Direct access to instances) can also be configured. (Enabled by default).


User dashboard:

Users

The roles

Roles in Datasentinel are created by associating tags with a collection of values, which can be customized by the administrator.
The roles enable the administrator to restrict user access to specific PostgreSQL clusters in Datasentinel by associating them with users.

Role management can be performed both through the platform’s interface and its available API

You can associate multiple tags to the same role and combine AND/OR conditions. See Documentation

Role Based Access Multi

When creating one or more roles in Datasentinel through the graphical user interface or API, the tags must already be associated with the monitored instances


API management example

To create a user with access only to PostgreSQL instances associated with the sales application in Datasentinel, an administrator account must first generate an access token.

An example is provided as follows.

curl -sk -u datasentinel:$PASSWORD -X POST https://$DATASENTINEL_HOST/ds-api/user-token
# Answer
{
  "user-token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2MjY3OTg1MjIsImlhdCI6MTYyNjcxMjExNywiZGF0YWJhc2UiOiJkcy1kYXRhIiwiZW1haWwiOiJjb250YWN0QGRhdGFzZW50aW5lbC5pbyIsInVzZXIiOiJkYXRhc2VudGluZWwifQ.YhKtqrx0O3_gw63dIFCW30ScI8yS-_QY1dss3rRNZNI"
}

The access token is valid for 24 hours.


Declaration of a Postgres instance to monitor.

The sales value is associated with the application tag in the tags property.

TMP_JSON_FILE=/tmp/connection.json
CONNECTION_NAME=pg-sales-production

cat > $TMP_JSON_FILE <<EOF
{
  "host": "51.158.70.115",
  "port": 9342,
  "user": "datasentinel",
  "password": "sentinel",
  "tags": "application=sales"
}
EOF

curl -sk --header "user-token: $ACCESS_TOKEN" --header 'Content-Type: application/json' -X POST https://$DATASENTINEL_HOST/ds-api/pool/pg-instances/$CONNECTION_NAME -d @$TMP_JSON_FILE
# Answer
{
  "status": "Connection created and connected!"
}

The example above involves managing the instance in Agentless mode .

When using local agents, the instance declaration is performed at the agent level.
More information on this can be found in the Documentation.

Creating a role

The role “sales-role” is created with a tag named “application” and a value of “sales” as its filters.

For more complex role management, such as associating multiple tags with a role, the administrator can refer to the Documentation

TMP_JSON_FILE=/tmp/role.json
ROLE_NAME="sales-role"

cat > $TMP_JSON_FILE <<EOF
{
    "access": [
        {
            "filters": [
                {
                    "tag": "application",
                    "value": "sales"
                }
            ]
        }
    ]
}
EOF

curl -sk --header "user-token: $ACCESS_TOKEN" --header 'Content-Type: application/json' -X POST https://$DATASENTINEL_HOST/ds-api/roles/$ROLE_NAME -d @$TMP_JSON_FILE
# Answer
{
  "status": "Role sales-role created successfully"
}

Creating a user with access restriction

A user is created using its email address, and the role previously created is associated with the user to restrict the access to instances with the tag “application” equal to “sales”.

For complete management, refer to the Documentation

TMP_JSON_FILE=/tmp/user.json
ROLE_NAME="sales-role"
USER_EMAIL="jean.lapioffe@company.com"

cat > $TMP_JSON_FILE <<EOF
    {
        "password": "myPassword",
        "role": "$ROLE_NAME"
    }
EOF

curl -sk --header "user-token: $ACCESS_TOKEN" --header 'Content-Type: application/json' -X POST https://$DATASENTINEL_HOST/ds-api/users/$USER_EMAIL -d @$TMP_JSON_FILE
# Answer
{
  "status": "User with login jean.lapioffe created successfully"
}

The newly created user can access the platform using its email address. The user’s access is restricted to instances with the tag “application” equal to “sales”. **

Datasentinel home page:

Role Based Access User


Find the complete API usage documentation. (See Documentation)

Full examples of API usage are also available. (Cf Datasentinel Toolkit)

Conclusion

Datasentinel provides a platform for managing user access with restrictions, which can be done through an API for automation.

Its user-friendly GUI and unique features make it easy for users to quickly and precisely analyze the workload of all their PostgreSQL instances, whether high availability or not.

Stay connected!

If you’re an AWS customer, get started quickly with Datasentinel’s presence on the AWS marketplace.

About Datasentinel


Datasentinel is a powerful platform designed for monitoring and analyzing the performance of your PostgreSQL clusters.

With its user-friendly interface and advanced features, Datasentinel enables you to quickly and accurately analyze the activity of your clusters, identify resource-intensive processes, set up automatic alerts, generate customized reports, and more.

Experience the benefits of efficient cluster performance management with Datasentinel.

Request trial