Overview

This section describes the internals of a9s PostgreSQL.

Credentials

The a9s PostgreSQL service instance has a special user called cfuser. Every user (e.g., created with cf bind-service or cf create-service-key) inherits its privileges and capabilities from the cfuser, which means that every user in a credential has access to two roles: its own and the cfuser. The default role used when connecting is the cfuser.

All objects in the default database must belong to the cfuser. Otherwise, other users are not able to access them. When changing the user role using SET ROLE or ALTER ROLE, one must be careful about the ownership and accessibility of tables, sequences, views, and other objects. When deleting a credential, all objects belonging to the user being deleted have the ownership transferred to cfuser.

It is possible to configure the cfuser privileges via custom parameters during instance creation (cf create-service and cf update-service) and the user that inherits from cfuser during credentials creation (cf bind-service or cf create-service-key), check the documentation to know how.