Roles and permissions required for Db2 or Db2 Warehouse
To install and use the Db2 or Db2 Warehouse service on Red Hat OpenShift and Kubernetes, you must have certain roles and permissions on the Red Hat OpenShift platform.
The following roles and permissions are needed:
- Install the Db2 operator: To install the Db2 operator, which is required to install Db2 or Db2 Warehouse, you need the Red Hat® OpenShift® cluster administrator role.
- Create a Db2 instance: To create a Db2 instance, you need the OpenShift Project Administrator role.
- Use Db2 or Db2 Warehouse databases: To use Db2 or Db2 Warehouse databases, you need different roles depending on the task. Table 1 shows the role descriptions and names and the permissions that they include. To learn more about the authorities for database users and database administrators, see the GRANT (database authorities) statement and the Authorities overview.
Table 1. Required roles for database operations

| Role | Name | Permission |
| --- | --- | --- |
| Database user | User | CONNECT, CREATETAB, LOAD, BINDADD, IMPLICIT_SCHEMA |
| Database administrator | Admin | SECADM, DBADM WITH DATAACCESS, CREATE_EXTERNAL_ROUTINE |
| Custom definition | UserDefined | None by default ¹ |

¹ The UserDefined role grants no authorities to the user by default. Database administrators can run Db2 or Db2 Warehouse GRANT statements to give users who have this role the required authorities.
Role-binding access control
The db2u ServiceAccount and associated db2u-role Role are necessary for pod-to-pod control and communication for a successful deployment. The resources and verbs are outlined in the following example:
```yaml
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "pods/exec"]
    verbs: ["get", "list", "patch", "watch", "update", "create"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list"]
  - apiGroups: ["batch", "extensions"]
    resources: ["jobs", "deployments"]
    verbs: ["get", "list", "watch", "patch"]
```
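As an added check that is not part of the Db2 documentation or the db2u operator: a small audit that flattens a Role's rules into (apiGroup, resource, verb) triples and compares them with the rule set above, reporting what is missing (the deployment would fail) and what is granted beyond it (worth a least-privilege review). The sample Role manifest is constructed inline as a Python dict rather than parsed from YAML, and the namespace name `db2` is an assumption.

```python
# Added example: audit a namespaced Role against the db2u-role rule set above.
# The manifest below is constructed inline (a dict, not parsed YAML) and
# deliberately has one verb missing and one surplus verb to exercise both
# branches of the check.
from itertools import product

# Minimum rule set for db2u-role, copied from the rules shown above.
REQUIRED_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "pods/exec"],
     "verbs": ["get", "list", "patch", "watch", "update", "create"]},
    {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list"]},
    {"apiGroups": ["batch", "extensions"], "resources": ["jobs", "deployments"],
     "verbs": ["get", "list", "watch", "patch"]},
]

# Constructed sample Role (namespace is assumed): 'create' on pods/exec was
# dropped and 'delete' on services was added.
SAMPLE_ROLE = {
    "kind": "Role", "metadata": {"name": "db2u-role", "namespace": "db2"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"],
         "verbs": ["get", "list", "patch", "watch", "update", "create"]},
        {"apiGroups": [""], "resources": ["pods/exec"],
         "verbs": ["get", "list", "patch", "watch", "update"]},
        {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list", "delete"]},
        {"apiGroups": ["batch", "extensions"], "resources": ["jobs", "deployments"],
         "verbs": ["get", "list", "watch", "patch"]},
    ],
}

def flatten(rules):
    """Expand RBAC rules into a set of (apiGroup, resource, verb) triples.
    A '*' wildcard is kept literally, so a wildcard rule shows up as surplus."""
    grants = set()
    for rule in rules:
        grants.update(product(rule.get("apiGroups", [""]), rule["resources"], rule["verbs"]))
    return grants

def audit_role(role, required=REQUIRED_RULES):
    """Return (missing, extra): triples db2u needs but lacks, and triples granted
    beyond the documented set. Note that 'create' on pods/exec lets the token
    holder open a shell in any pod of the namespace, so keep this Role namespaced
    and bound only to the db2u ServiceAccount."""
    have, need = flatten(role["rules"]), flatten(required)
    return sorted(need - have), sorted(have - need)

if __name__ == "__main__":
    missing, extra = audit_role(SAMPLE_ROLE)
    for group, resource, verb in missing:
        print(f"MISSING: {verb} {resource} (apiGroup {group!r})")
    for group, resource, verb in extra:
        print(f"EXTRA:   {verb} {resource} (apiGroup {group!r})")
```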
hostPath requirements
The /proc volume must be mounted into an init container to either set or validate the IPC kernel parameters that Db2 or Db2 Warehouse requires. hostPath volumes are also supported for single-node Db2 or Db2 Warehouse deployments.