Manage users in Percona Everest¶
Percona Everest provides user management capabilities, enabling you to securely log in through either the Percona Everest UI or the API.
Local user management involves administering Percona Everest users to ensure secure access to database resources. This encompasses tasks such as creating and deleting users, updating their passwords, etc.
When you install Percona Everest, an admin
user is automatically created, granting full access to the system.
Note
We strongly recommend using Single Sign-On (SSO) integration for the production environment.
Overview¶
All user accounts are stored in the YAML format within the everest-accounts
Secret in the everest-system
namespace:
User accounts: YAML format
apiVersion: v1
kind: Secret
metadata:
name: everest-accounts
namespace: everest-system
data:
users.yaml: YWRtaW46CiAgcGFzc3dvcmRIYXNoOiBhZG1pbgogIGVuYWJsZWQ6IHRydWUKICBjYXBhYmlsaXRpZXM6CiAgICAtIGxvZ2lu
Decoding the base64 encoded value will yield a YAML that appears as follows:
YAML after decoding
admin:
passwordHash: <password>
enabled: true
capabilities:
- login
User management commands¶
This section provides a list of CLI commands for managing users in Percona Everest.
Retrieve password¶
You can retrieve the password for the admin
user by running the following command:
everestctl accounts initial-admin-password
Note
The passwords in this Secret are stored as hashes. However, the initial admin user has the password stored as plain text for convenient retrieval later on. We strongly recommend that you update the admin password after installation.
Update the password¶
To update the password for an existing user:
everestctl accounts set-password -u <username>
You will be prompted to update the password.
Example
? Enter new password **********
? Re-enter new password **********
Create a new user¶
To create a new user:
everestctl accounts create -u <username>
Example
? Enter new password **********
P2024-06-27T08:11:34Z info cli/accounts.go:141 User 'rasika' has been created {"component": "accounts"}
Important
For Percona Everest versions 1.0.0 and later, new users have full access to the system. However, once RBAC support is in place, an admin user will be able to manage permissions for users, granting them fine-grained control over database resources.
For detailed information on granting permissions to new users, see assign permissions to a new user section.
List the users¶
To list all the users in Percona Everest:
everestctl accounts list
Delete a user¶
To delete an existing user:
everestctl accounts delete -u <username>
JSON Web Token (JWT) and keys¶
When you log in from the UI, Percona Everest issues a JSON Web Token to authenticate the requests. By default, this token is valid for 24 hours, after which you are expected to log in again.
Important
Since JWT authentication is stateless, it is currently impossible to explicitly revoke specific tokens. Therefore, even a deleted user may continue to request the API as long as they have a valid token.
The Everest API uses the RSA algorithm to sign and verify the JWT. The RSA key pair used for this is automatically generated upon installation and stored in the everest-jwt
Secret in the everest-system
namespace.
apiVersion: v1
data:
id_rsa: <PRIVATE KEY>
id_rsa.pub: <PUBLIC KEY>
kind: Secret
metadata:
name: everest-jwt
namespace: everest-system
type: Opaque
To reset the key pair:
everestctl accounts reset-jwt-keys
Get expert help¶
If you need assistance, visit the community forum for comprehensive and free database knowledge, or contact our Percona Database Experts for professional support and services.