Authentication
Configuring Authentication
To configure authentication for self-managed Materialize, use the spec.authenticatorKind setting. This setting determines which authentication method is used:
None: Disables authentication. All users are trusted based on their claimed identity without any verification.
Password: Requires users to authenticate using a password.
If spec.authenticatorKind is not set, the default is None.
Password authentication
Public Preview: This feature may have minor stability issues.
Password authentication requires users to authenticate with a password. To use password authentication, set spec.authenticatorKind to Password and configure a password for the internal mz_system user.
Configure the password for mz_system
To configure the password for the internal mz_system user, add an external_login_password_mz_system key to the Kubernetes Secret referenced in spec.backendSecretName of the Materialize Kubernetes resource.
Logging in and creating users
Once password authentication is enabled, only the mz_system user will be initially available. This user is used by the Materialize Operator for upgrades and maintenance tasks and can also be used to create additional users.
See CREATE ROLE for details on creating additional users.
Enabling RBAC
By default, role-based access control (RBAC) checks are not enabled (i.e., enforced) when turning on password authentication. To enable RBAC, set the system parameter enable_rbac_checks to 'on' or True. You can enable the parameter in one of the following ways:
- For local installations using Kind/Minikube, set the spec.enableRbac: true option when instantiating the Materialize object.
- For Cloud deployments using Materialize’s Terraforms, set enable_rbac_checks in the environment CR via the environmentdExtraArgs flag option.
- After the Materialize instance is running, run the following command as the mz_system user:
  ALTER SYSTEM SET enable_rbac_checks = 'on';
If more than one method is used, the ALTER SYSTEM command will take precedence over the Kubernetes configuration.
You may view the current value for enable_rbac_checks by running:
SHOW enable_rbac_checks;
If RBAC is not enabled, all users will behave as if they were superuser.
See Authorization for details on role-based authorization.
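A static check for the settings described on this page, as an added example (not Materialize's own code): it takes the Materialize resource as a dict, for instance parsed from the cluster's JSON output, plus the key names in its backend Secret, and reports disabled authentication, a missing mz_system password, and RBAC left off. The function names, finding codes, sample resources, the Secret name materialize-backend, the spec.environmentdExtraArgs field path and the enable_rbac_checks=<value> argument form are assumptions.

```python
PASSWORD_KEY = "external_login_password_mz_system"
TRUE_VALUES = {"on", "true"}


def rbac_enabled_in_spec(spec):
    """True if the Kubernetes configuration turns on enable_rbac_checks."""
    if spec.get("enableRbac") is True:
        return True
    # Assumption: extra args carry the parameter as "...enable_rbac_checks=<value>".
    for arg in spec.get("environmentdExtraArgs") or []:
        _, sep, value = arg.rpartition("enable_rbac_checks=")
        if sep and value.strip("'\" ").lower() in TRUE_VALUES:
            return True
    return False


def audit(resource, secret_keys):
    """Return (code, message) findings for one Materialize resource.

    resource: the Materialize object as a dict; secret_keys: key names
    present in the Secret named by spec.backendSecretName.
    """
    spec = resource.get("spec") or {}
    findings = []
    kind = spec.get("authenticatorKind", "None")  # unset defaults to None
    if kind == "None":
        findings.append(("AUTH_DISABLED", "claimed identities are trusted without verification"))
    elif kind == "Password":
        if not spec.get("backendSecretName"):
            findings.append(("NO_SECRET_REF", "spec.backendSecretName is not set"))
        elif PASSWORD_KEY not in secret_keys:
            findings.append(("NO_MZ_SYSTEM_PASSWORD", f"Secret lacks {PASSWORD_KEY}"))
    if not rbac_enabled_in_spec(spec):
        findings.append(("RBAC_NOT_SET", "not enabled in the Kubernetes configuration; "
                         "without it all users behave as superuser"))
    return findings


# Constructed sample inputs (not taken from a real cluster).
WEAK = {"spec": {"backendSecretName": "materialize-backend"}}
HARDENED = {"spec": {"authenticatorKind": "Password",
                     "backendSecretName": "materialize-backend",
                     "enableRbac": True}}

if __name__ == "__main__":
    for name, res, keys in (("weak", WEAK, set()), ("hardened", HARDENED, {PASSWORD_KEY})):
        print(name, audit(res, keys) or "no findings")
```

Because ALTER SYSTEM takes precedence over the Kubernetes configuration, an RBAC_NOT_SET result (or its absence) is only a statement about the manifest; confirm the effective value on the running instance with SHOW enable_rbac_checks;.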