Authentication

Configuring Authentication

To configure authentication for self-managed Materialize, use the spec.authenticatorKind setting. This setting determines which authentication method is used:

  • None: Disables authentication. All users are trusted based on their claimed identity without any verification.
  • Password: Requires users to authenticate using a password.

If spec.authenticatorKind is not set, the default is None.

Password authentication

Public Preview: This feature may have minor stability issues.

Password authentication requires users to authenticate with a password. To use password authentication, set spec.authenticatorKind to Password and configure a password for the internal mz_system user.

Configure the password for mz_system

To configure the password for the internal mz_system user, add an external_login_password_mz_system key to the Kubernetes Secret referenced in spec.backendSecretName of the Materialize Kubernetes resource.

Logging in and creating users

Once password authentication is enabled, only the mz_system user will be initially available. This user is used by the Materialize Operator for upgrades and maintenance tasks and can also be used to create additional users.

See CREATE ROLE for details on creating additional users.

Enabling RBAC

By default, role-based access control (RBAC) checks are not enabled (i.e., enforced) when turning on password authentication. To enable RBAC, set the system parameter enable_rbac_checks to 'on' or True. You can enable the parameter in one of the following ways:

If more than one method is used, the ALTER SYSTEM command will take precedence over the Kubernetes configuration.

You may view the current value for enable_rbac_checks by running:

SHOW enable_rbac_checks;

If RBAC is not enabled, all users will behave as if they were superusers.

See Authorization for details on role-based authorization.
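
The following check is an added example, not part of the Materialize documentation. It takes the Materialize resource and its backend Secret as parsed `kubectl get ... -o json` output, plus the value returned by SHOW enable_rbac_checks, and reports the gaps described on this page. The function name, the sample objects, and the assumption that SHOW returns a string such as on or off are illustrative.

```python
import base64

PASSWORD_KEY = "external_login_password_mz_system"

def audit_auth(materialize, secret, rbac_value):
    """Return a list of findings for one Materialize resource.

    materialize / secret: dicts parsed from `kubectl get ... -o json`.
    rbac_value: string from `SHOW enable_rbac_checks;` (assumed "on"/"off").
    """
    findings = []
    spec = materialize.get("spec", {})

    # An unset authenticatorKind defaults to None (no verification at all).
    kind = spec.get("authenticatorKind", "None")
    if kind != "Password":
        findings.append(f"authenticatorKind is {kind}: claimed identities are trusted")

    # The password must live in the Secret named by spec.backendSecretName.
    wanted = spec.get("backendSecretName")
    actual = secret.get("metadata", {}).get("name")
    if wanted != actual:
        findings.append(f"secret {actual!r} is not the backendSecretName {wanted!r}")
    else:
        # Kubernetes stores Secret values base64-encoded under "data".
        encoded = secret.get("data", {}).get(PASSWORD_KEY)
        if encoded is None:
            findings.append(f"{PASSWORD_KEY} is missing from secret {actual!r}")
        elif not base64.b64decode(encoded).strip():
            findings.append(f"{PASSWORD_KEY} is empty")

    # Without RBAC checks, every user behaves as a superuser.
    if str(rbac_value).strip().lower() not in ("on", "true"):
        findings.append("enable_rbac_checks is off: all users act as superusers")
    return findings

# Constructed sample objects (not taken from a real cluster).
DEFAULT_MZ = {"spec": {"backendSecretName": "materialize-backend"}}
DEFAULT_SECRET = {"metadata": {"name": "materialize-backend"}, "data": {}}
HARDENED_MZ = {"spec": {"authenticatorKind": "Password",
                        "backendSecretName": "materialize-backend"}}
HARDENED_SECRET = {"metadata": {"name": "materialize-backend"},
                   "data": {PASSWORD_KEY: base64.b64encode(b"constructed-example").decode()}}

if __name__ == "__main__":
    for finding in audit_auth(DEFAULT_MZ, DEFAULT_SECRET, "off"):
        print("FINDING:", finding)
```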
