[docs][cloud] Added info about superuser (#11435)
ddhodge authored Feb 14, 2022
1 parent 5a07972 commit 8e8a192
Showing 4 changed files with 40 additions and 17 deletions.
Expand Up @@ -54,12 +54,16 @@ Set the following options:

### Database Admin Credentials

The admin credentials are required to connect to the YugabyteDB database that is installed on the cluster. (You can [add more users](../../cloud-secure-clusters/add-users/) after the cluster is provisioned.)

![Add Cluster Wizard - Admin Settings](/images/yb-cloud/cloud-addcluster-admin.png)
The admin credentials are required to connect to the YugabyteDB database that is installed on the cluster.

You can use the default credentials generated by Yugabyte Cloud, or add your own.

For security reasons, the admin user does not have YSQL superuser privileges, but does have sufficient privileges for most tasks. For more information on database roles and privileges in Yugabyte Cloud, refer to [Database authorization in Yugabyte Cloud clusters](../../cloud-secure-clusters/cloud-users/).

After the cluster is provisioned, you can [add more users](../../cloud-secure-clusters/add-users/).

![Add Cluster Wizard - Admin Settings](/images/yb-cloud/cloud-addcluster-admin.png)

Download the credentials, and click **Create Cluster**.

{{< warning title="Important" >}}
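Review bot: The added paragraph says the admin user lacks "YSQL superuser privileges", while the authorization page changed in this same commit calls them "YugabyteDB superuser privileges"; pick one term so both pages describe the restriction the same way. "Sufficient privileges for most tasks" is also vague at this point in the wizard instructions; naming the `yb_superuser` role in that sentence, as the troubleshooting entry in this commit does, would tell readers what the admin user actually has before they follow the link.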
Expand Up @@ -85,12 +85,16 @@ Standard clusters support both horizontal and vertical scaling; you can change t

### Database Admin Credentials

The admin credentials are required to connect to the YugabyteDB database that is installed on the cluster. (You can [add more users](../../cloud-secure-clusters/add-users/) after the cluster is provisioned.)

![Add Cluster Wizard - Admin Settings](/images/yb-cloud/cloud-addcluster-admin.png)
The admin credentials are required to connect to the YugabyteDB database that is installed on the cluster.

You can use the default credentials generated by Yugabyte Cloud, or add your own.

For security reasons, the admin user does not have YSQL superuser privileges, but does have sufficient privileges for most tasks. For more information on database roles and privileges in Yugabyte Cloud, refer to [Database authorization in Yugabyte Cloud clusters](../../cloud-secure-clusters/cloud-users/).

After the cluster is provisioned, you can [add more users](../../cloud-secure-clusters/add-users/).

![Add Cluster Wizard - Admin Settings](/images/yb-cloud/cloud-addcluster-admin.png)

Download the credentials, and click **Create Cluster**.

{{< warning title="Important" >}}
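Review bot: The paragraphs added under "Database Admin Credentials" here are word-for-word the same as those added to the other cluster-creation page in this commit, so the two copies can drift the next time the privilege wording changes. Consider moving this text into a single shared include that both pages pull in, if the docs build supports one.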
Expand Up @@ -42,29 +42,31 @@ The following table describes the default YSQL roles and users in Yugabyte Cloud

| Role | Description |
| --- | --- |
| admin | The default user for your cluster. If you added your own credentials during cluster creation, the user name will be the one you entered. Although not a Superuser, this role is a member of yb_superuser, and you can use it to perform database operations, create other yb_superuser users, create extensions, and manage your cluster. |
| [admin](#admin-and-yb-superuser) | The default user for your cluster. If you added your own credentials during cluster creation, the user name will be the one you entered. Although not a superuser, this role is a member of yb_superuser, and you can use it to perform database operations, create other yb_superuser users, create extensions, and manage your cluster. |
| postgres | Superuser role created during database creation. Not available to cloud users. |
| yb_extension | Role that allows non-Superuser users to create PostgreSQL extensions. |
| yb_superuser | Yugabyte Cloud only role. This role is assigned to the default cluster user (that is, admin) to perform all the required operations on the database, including creating other yb_superuser users. For security reasons, yb_superuser does not have YugabyteDB Superuser privileges. |
| [yb_extension](#yb-extension) | Role that allows non-superuser users to create PostgreSQL extensions. |
| [yb_superuser](#admin-and-yb-superuser) | Yugabyte Cloud only role. This role is assigned to the default cluster user (that is, admin) to perform all the required operations on the database, including creating other yb_superuser users. For security reasons, yb_superuser doesn't have YugabyteDB superuser privileges. |
| yugabyte | Superuser role used during database creation, by Yugabyte support to perform maintenance operations, and for backups (ysql_dumps). Not available to cloud users. |

### Admin and yb_superuser

When creating a YugabyteDB cluster in Yugabyte Cloud, you set up the credentials for your admin user. For security reasons, this user does not have YugabyteDB Superuser privileges; it is instead a member of `yb_superuser`, a role specific to Yugabyte Cloud clusters. `yb_superuser` is the highest privileged user you have access to in Yugabyte Cloud. You can create other users with the `yb_superuser` role.
When creating a YugabyteDB cluster in Yugabyte Cloud, you set up the credentials for your admin user. For security reasons, this user does not have YugabyteDB superuser privileges; it is instead a member of `yb_superuser`, a role specific to Yugabyte Cloud clusters.

You can't delete, change the passwords, or login using the `postgres` or `yugabyte` Superuser roles.
Although not a superuser, `yb_superuser` includes sufficient privileges to perform all the required operations on a database, including creating other yb_superuser users, as follows:

The `yb_superuser` role is created with the following options: `INHERIT`, `CREATEROLE`, `CREATEDB`, and `BYPASSRLS`.
- Has the following role options: `INHERIT`, `CREATEROLE`, `CREATEDB`, and `BYPASSRLS`.

Additionally `yb_superuser` is also a member of the following roles: `pg_read_all_stats`, `pg_signal_backend`, and `yb_extension`.
- Member of the following roles: `pg_read_all_stats`, `pg_signal_backend`, and [yb_extension](#yb-extension).

`yb_superuser` is the highest privileged role you have access to in Yugabyte Cloud. You can't delete, change the passwords, or login using the `postgres` or `yugabyte` superuser roles.

### yb_extension

The `yb_extension` role allows non-Superuser roles to [create extensions](../../cloud-clusters/add-extensions/). A user granted this role can create all the extensions that are bundled in YugabyteDB. `yb_superuser` and, by extension, the default admin user, is a member of `yb_extension`.
The `yb_extension` role allows non-superuser roles to [create extensions](../../cloud-clusters/add-extensions/). A user granted this role can create all the extensions that are bundled in YugabyteDB. `yb_superuser` and, by extension, the default admin user, is a member of `yb_extension`.

## YCQL default roles and users

In YCQL, there is a single Superuser called `cassandra` used during database creation. The default user (by default, `admin`) added when you created the cluster has Superuser privileges in YCQL. As a Superuser, you can delete the cassandra user if you choose to.
In YCQL, there is a single superuser called `cassandra` used during database creation. The default user (by default, `admin`) added when you created the cluster has superuser privileges in YCQL. As a superuser, you can delete the cassandra user if you choose to.

## Learn more

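Review bot: The new bullet list under "Admin and yb_superuser" states that the role has `BYPASSRLS` and `CREATEROLE`, and the sentence above it says members can create other yb_superuser users, but nothing tells the reader that every such user is exempt from row-level security policies. Add a sentence after the list saying so and recommending that the role be granted only to accounts that need it. Smaller points in the same hunk: `yb_superuser` is unformatted in "creating other yb_superuser users" while the rest of the section uses code formatting, "login using" should be "log in using", and the new `#admin-and-yb-superuser` and `#yb-extension` links should be checked against the anchors the site generates for headings that contain an underscore.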
17 changes: 15 additions & 2 deletions docs/content/latest/yugabyte-cloud/cloud-troubleshoot.md
Expand Up @@ -69,15 +69,15 @@ The database admin credentials are separate from your Yugabyte Cloud credentials

If you are a database user who was added to the database by an administrator, ask them to either re-send your credentials or reset your database password.

If you are the database admin and are unable to locate your database admin credentials file, contact [Yugabyte Support](https://support.yugabyte.com/hc/en-us/requests/new?ticket_form_id=360003113431).
If you are the database admin and are unable to locate your database admin credentials file, contact {{<support-cloud>}}.

### VPC networking

If you have set up a VPC network and are unable to connect, verify the following.

#### VPC status is Failed

If you are unable to successfully create the VPC, contact [Yugabyte Support](https://support.yugabyte.com/hc/en-us/requests/new?ticket_form_id=360003113431).
If you are unable to successfully create the VPC, contact {{<support-cloud>}}.

#### Peering connection status is Pending

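Review bot: Both support links in this hunk are replaced with `{{<support-cloud>}}`, but the changes visible in this commit do not include a definition for that shortcode. Confirm it already exists in the docs layouts and still points to the ticket form the old link used (`ticket_form_id=360003113431`), otherwise these two sentences render without a contact link.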
Expand All @@ -95,6 +95,19 @@ Select the peering request to display the **Peering Details** sheet and check th

Add the application VPC CIDR address to the [cluster IP allow list](../cloud-secure-clusters/add-connections/). Even with connectivity established between VPCs, the cluster cannot accept connections until the application VPC IP addresses are added to the IP allow list.

## Database management

### Permission denied, must be superuser

If you execute a YSQL command and receive the following error:

```output
ERROR: permission denied to [...]
HINT: Must be superuser to [...].
```

For security reasons, the database admin user is not a superuser. The admin user is a member of yb_superuser, which does allow most operations. For more information on database roles and privileges in Yugabyte Cloud, refer to [Database authorization in Yugabyte Cloud clusters](../cloud-secure-clusters/cloud-users/). If you need to perform an operation that requires superuser privileges, contact {{<support-cloud>}}.

## Cluster management

### You are editing your cluster infrastructure and are unable to reduce disk size per node
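Review bot: The opening sentence of the new "Permission denied, must be superuser" entry, "If you execute a YSQL command and receive the following error:", is a conditional that never completes, because the text after the output block starts a new sentence. Reword it as a statement, for example "You may receive the following error when executing a YSQL command:", and put `yb_superuser` in code formatting in the explanation so it matches the authorization page.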

0 comments on commit 8e8a192
