Roles and permissions required for Db2 Warehouse

To install and use the Db2 Warehouse service on IBM Software Hub, you must have certain roles and permissions on the IBM Software Hub platform.

The following roles and permissions are needed:

Install the Db2 Warehouse service
To install the Db2 Warehouse service, you need the OpenShift® instance administrator role. For more details, see Installation roles and personas.
Create a Db2 Warehouse instance
To create a Db2 Warehouse service instance, you need the Create service instances permission in IBM Software Hub. For more details, see Predefined roles and permissions.
Use Db2 Warehouse databases
To use Db2 Warehouse databases, you need different roles depending on the task. Table 1 shows the role descriptions and names and the permissions that they include. To learn more about the authorities for database user and database administrator, see GRANT (database authorities) statement and Authorities overview.
Table 1. Required roles for database operations

| Role | Name | Permission |
|---|---|---|
| Database user | User | CONNECT, CREATETAB, LOAD, BINDADD, IMPLICIT_SCHEMA |
| Database administrator | Admin | SECADM, DBADM WITH DATAACCESS, CREATE_EXTERNAL_ROUTINE |
| Custom definition | UserDefined | None by default (1) |

  1. The UserDefined role grants no authorities to the user by default. Database administrators can run Db2 GRANT statements to give users who have this role the required authorities.

Role-binding access control

The db2u ServiceAccount and associated db2u-role Role are necessary for pod-to-pod control and communication for a successful deployment. The resources and verbs are outlined in the following example:

rules:
- apiGroups: [""]
  resources: ["pods", "pods/log", "pods/exec"]
  verbs: ["get", "list", "patch", "watch", "update", "create"]

- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list"]

- apiGroups: ["batch", "extensions"]
  resources: ["jobs", "deployments"]
  verbs: ["get", "list", "watch", "patch"]
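
Because the documented rules include create on pods/exec, any subject bound to db2u-role can run commands in pods in that namespace, so it is worth checking that the deployed Role and its bindings match what is listed above. The following audit sketch is an added example, not IBM code: it assumes the JSON comes from `oc get role db2u-role -o json` and `oc get rolebindings -o json` in the instance namespace, and the function names and sample objects are constructed for illustration.

```python
import json

# Baseline: the db2u-role rules as documented on this page.
DOCUMENTED_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "pods/exec"],
     "verbs": ["get", "list", "patch", "watch", "update", "create"]},
    {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list"]},
    {"apiGroups": ["batch", "extensions"], "resources": ["jobs", "deployments"],
     "verbs": ["get", "list", "watch", "patch"]},
]

def expand(rules):
    """Flatten RBAC rules into a set of (apiGroup, resource, verb) tuples."""
    return {(g, r, v) for rule in rules
            for g in rule.get("apiGroups", [])
            for r in rule.get("resources", [])
            for v in rule.get("verbs", [])}

def excess_grants(role_json):
    """Grants in the deployed Role that go beyond the documented baseline."""
    deployed = expand(json.loads(role_json).get("rules", []))
    return sorted(deployed - expand(DOCUMENTED_RULES))  # wildcards land here too

def unexpected_subjects(bindings_json, role="db2u-role", sa="db2u"):
    """Subjects bound to the role other than the db2u ServiceAccount."""
    found = []
    for rb in json.loads(bindings_json).get("items", []):
        ref = rb.get("roleRef", {})
        if ref.get("kind") != "Role" or ref.get("name") != role:
            continue
        for s in rb.get("subjects") or []:  # subjects can be null in API output
            if (s.get("kind"), s.get("name")) != ("ServiceAccount", sa):
                found.append((s.get("kind"), s.get("name")))
    return sorted(found)

# Constructed sample input: a drifted Role and a binding with an extra subject.
SAMPLE_ROLE = json.dumps({"rules": DOCUMENTED_RULES + [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["delete"]},
]})
SAMPLE_BINDINGS = json.dumps({"items": [
    {"roleRef": {"kind": "Role", "name": "db2u-role"}, "subjects": [
        {"kind": "ServiceAccount", "name": "db2u"},
        {"kind": "User", "name": "constructed-dev-user"}]},
    {"roleRef": {"kind": "Role", "name": "other-role"}, "subjects": None},
]})

if __name__ == "__main__":
    print("excess grants:", excess_grants(SAMPLE_ROLE))
    print("unexpected subjects:", unexpected_subjects(SAMPLE_BINDINGS))
```

An empty result from both functions means the Role matches the documented rules and only the db2u ServiceAccount holds it.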

Hostpath requirements

Attention: Starting with IBM Software Hub 4.6.0, support for hostPath is deprecated and will be discontinued in a future release.

The /proc and /proc/sys volumes must be mounted into an init container to either set or validate the required IPC kernel parameters for Db2 Warehouse. Hostpath volumes are also supported for single-node Db2 Warehouse deployments.