A Guide to Namespace Access to Managed Databases from OpenShift
October 3, 2022 | by
Tommy Hughes, Aron Gunn & Veda Shankar
tl;dr:Red Hat OpenShift Database Access (RHODA) improves on the self-service of managed databases by allowing developers to import Database-as-a-Service (DBaaS) Provider Accounts directly into their application namespace without any administrative intervention and share with fellow developers.
This blog explains the new multi-tenancy feature in RHODA, a cloud service that makes it easier to discover, provision, connect and control access to managed databases from Red Hat OpenShift. The tenancy feature is built around native OpenShift rule-based access control and namespaces with a single DBaaS policy per namespace.
After installing the OpenShift Database Access add-on, the RHODA operator creates a new DBaaS policy object in the operator’s installation namespace, typically this namespace isredhat-dbaas-operatororopenshift-dbaas-operator.
Policies are set at the namespace level through the use of aDBaaSPolicyobject, which then becomes the default policy for anyDBaaSInventorycreated in that namespace. This default policy can be overridden on a per-inventory basis.
Disables provisioning in the provider account inventory, defaults tofalse.
A list of other namespaces that are allowed a connection to a policy’s inventories. Instead of listing namespaces, you can use an asterisks (‘*’), which allows a connection from all namespaces available in the OpenShift cluster.
The RHODA operator only allows one policy per namespace, and watches for inventory object changes as defined in the policy. The RHODA operator then configures the appropriate access requirements.
Here is theDBaaSPolicyobject created in the Operator namespace during installation.
# by default, all authenticated cluster users can connect/provision against # inventory objects in the operator's install namespace. They can do so from # any namespace in which they have perms to create DBaaSConnections/Instances. apiVersion: dbaas.redhat.com/v1alpha1 kind: DBaaSPolicy metadata: name: cluster namespace: <operator install namespace> spec: connectionNamespaces: - '*'
The default policy in the installation namespace allows all authenticated users to haveViewaccess to anyDBaaSInventorydatabase instances.
RHODA allows non-admin users, such as developers, to import provider accounts for 3rd party managed database services into their application namespaces provided they have created a DBaaS policy in that namespace. By default, the DBaaS policy restricts access to the database inventories to only the given namespace. A policy’s default values can be overridden on a per-inventory basis. Below is an example of theDBaaSPolicyobject, with the optionalspecfields. In this policy example,User1shares the provider account inventories in their namespace,user1-project, with another namespace,user2-projectbelonging toUser2.
tl;dr: Red Hat OpenShift Database Access (RHODA) improves on the self-service of managed databases by allowing developers to import Database-as-a-Service (DBaaS) Provider Accounts directly into their ...