Administrator’s Manual

Installation

  1. Get the archive with the necessary files and unpack it:

    tar xf example_client.tar.gz
    cd example_client

    The archive contains:

    example_client/
    ├── client.crt
    ├── client.key
    ├── install.sh
    └── license.txt

    1 directory, 4 files
  2. Run the script to install the certificate, configuration file, and APT repository:

    sudo ./install.sh
  3. Install the packages:

    1. Only Tengri

      sudo apt install tengri
    2. Tengri with local S3 (MinIO)

      sudo apt install tengri tengri-minio
  • Once installed, Tengri will be ready to run on port 3000.
    The default login and password are admin / admin.

  • The tengri-minio package will install local MinIO with default settings. See MinIO documentation for further configuration details.

Configuration settings

  • Additional configuration settings for Tengri can be specified in the /etc/tengri/tengri/tengri.conf file (this file does not exist by default).

    Full list of possible settings in the tengri.conf file:
    # TNGRi configuration parameters
    
    # =========
    # Licencing
    # =========
    #
    TNGRI_LICENSE_FILE=/opt/tengri/license.txt
    
    # ===========================
    # S3 configuration parameters
    # ===========================
    #
    #
    # Access key id and secret key of user that will connect to S3
    # rename SECRET_ACCESS_KEY to SECRET_KEY
    TNGRI_S3_ACCESS_KEY_ID=minioadmin
    TNGRI_S3_SECRET_ACCESS_KEY=minioadmin
    #
    # Region to send to S3 server. Generally you don't need to change that, just make
    # sure that target S3 has this same region
    TNGRI_S3_REGION=eu-central-1
    TNGRI_S3_DEFAULT_REGION=eu-central-1
    #
    # API endpoint URL for target S3. Must be in FQDN form
    #     TNGRI_S3_ENDPOINT_URL=http://example.com
    TNGRI_S3_ENDPOINT_URL=http://127.0.0.1:9002
    #
    # Bucket name to use. Must exist before start, so make sure that it exists and
    # has full access rights for this bucket. Must be in full form, i.e.
    #     TNGRI_S3_BUCKET_NAME=s3://example:9000
    TNGRI_S3_BUCKET_NAME=prostore
    
    # =======================
    # TNGRi server parameters
    # =======================
    #
    #
    # Iceberg catalog path in S3 bucket
    TNGRI_WAREHOUSE_PATH=s3://prostore/iceberg/
    #
    # Name for the default schema in TNGRi.
    TNGRI_DEFAULT_SCHEMA=public
    #
    # URI for catalog endpoint. Must be either PostgreSQL or SQLite connection string, i.e.
    #     TNGRI_CATALOG_URI=postgresql://user:password@example.com/database
    TNGRI_CATALOG_URI=postgresql://prostore:prostore@127.0.0.1:5432/prostore
    #
    # Path to writable directory where cached files will be placed.
    #
    # WARNING: Should be placed on SSD storage. Tngri uses aggressive caching strategies
    # to reduce S3 load
    #
    TNGRI_CACHE_DIR=/var/lib/tengri/cache
    #
    # Path to writable directory where python kernels will be stored.
    TNGRI_KERNEL_DIR=/var/lib/tengri/kernels
    #
    # If set to false then no agent is required to process queries.
    # Must be true for production environments
    TNGRI_REMOTE_SESSIONS=true
    #
    # Set to true for more log output
    TNGRI_DEBUG=false
    #
    # Host to bind main server to
    TNGRI_HOST=0.0.0.0
    #
    # Port to bind PostgreSQL protocol implementation to
    TNGRI_PORT=5433
    #
    # Host to bind RPC server for communication between agent and server
    TNGRI_RPC_HOST=0.0.0.0
    #
    # Port to bind RPC server for communication between agent and server
    TNGRI_RPC_PORT=57776
    
    # =============================
    # Web application configuration
    # =============================
    #
    #
    # SSL configuration. If set then Web communication will be done over SSL, otherwise
    # it will be plaintext.
    #
    # Path to SSL key.
    # TNGRI_SSL_KEY=
    #
    # Path to SSL certificate file.
    # TNGRI_SSL_CERT=
    #
    # Enables TNGRi web app.
    TNGRI_ENABLE_WEBSOCKET=true
    #
    # Path to static files for web app.
    TNGRI_WEBAPP_DIR=/usr/share/tengri-web
    #
    # Host to bind HTTP server to
    TNGRI_WEBAPP_HOST=0.0.0.0
    #
    # Port to bind HTTP server to
    TNGRI_WEBAPP_PORT=3000
    #
    # Host to bind Websocket server to. It is used extensively by webapp and python clients
    TNGRI_WEBSOCKET_HOST=0.0.0.0
    #
    # Port to bind Websocket server to
    TNGRI_WEBSOCKET_PORT=3001
    #
    # Host to bind PyLSP server to. It is used by webapp to provide code completion
    TNGRI_PYLSP_HOST=0.0.0.0
    #
    # Port to bind PyLSP server to
    TNGRI_PYLSP_PORT=3003
    #
    # Host to bind CRUD. Used by webapp to send messages in chats, manage scheduled
    # notebooks and manage external catalogs
    TNGRI_CRUD_HOST=0.0.0.0
    #
    # Port to bind CRUD to
    TNGRI_CRUD_PORT=3004
    
    # ============================
    # TNGRi services configuration
    # ============================
    #
    # Enable TNGRi's Iceberg REST catalog API provider
    TNGRI_ENABLE_REST_CATALOG=true
    
    # Host to bind REST catalog server to
    TNGRI_REST_CATALOG_HOST=0.0.0.0
    
    # Port to bind REST catalog to
    TNGRI_REST_CATALOG_PORT=3005
    
    # Enable compaction daemon
    TNGRI_ENABLE_COMPACTION=true
    
    # Enable notebook CRON daemon
    TNGRI_ENABLE_CRON=true
    
    # ============================
    # TNGRi deployment information
    # ============================
    #
    # Needed for external clients to connect to TNGRi services. For example, python clients
    # connecting from user's local machines. Set these to the values that point to this
    # installation, for example, if using reverse proxy for HTTP or Postgres protocol.
    #
    # Change the name of site deployment
    # TNGRI_SITE_NAME=tngri
    #
    # Websocket address to connect to. Must be in FQDN form, i.e.
    #     TNGRI_SITE_WS_ADDR=ws://example.com:3001
    TNGRI_SITE_WS_ADDR=ws://0.0.0.0:3001
    #
    # Postgres protocol address to connect to, i.e.
    #     TNGRI_SITE_PSQL_ADDR=example.com:5433
    # TNGRI_SITE_PSQL_ADDR=
    #
    # S3 address to connect to. Must be in FQDN form, i.e.
    #     TNGRI_SITE_S3_ADDR=http://example.com:9000
    # TNGRI_SITE_S3_ADDR=
    #
    # S3 access key for public usage (Stage only)
    # TNGRI_SITE_PUBLIC_LOADER_ACCESS_KEY=public_loader
    #
    # S3 secret key for public usage (Stage only)
    # TNGRI_SITE_PUBLIC_LOADER_SECRET_KEY=public_loader
    #
  • Additional MinIO configuration settings can be specified in the /etc/default/tengri-minio file according to MinIO documentation.

    After updating the MinIO configuration file, run:

    sudo systemctl daemon-reload
    sudo systemctl restart minio
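
The settings listing above contains default credentials (minioadmin, prostore:prostore), services bound to 0.0.0.0, and SSL settings that are commented out. The following Python check is an added example, not part of Tengri or its documentation: it parses tengri.conf-style text and reports those values for review. The function names and the sample text are constructed for illustration, and it checks only what the listing itself documents.

```python
import re

# Constructed sample: a few of the values from the settings listing above.
SAMPLE_CONF = """\
TNGRI_S3_ACCESS_KEY_ID=minioadmin
TNGRI_S3_SECRET_ACCESS_KEY=minioadmin
TNGRI_CATALOG_URI=postgresql://prostore:prostore@127.0.0.1:5432/prostore
TNGRI_REMOTE_SESSIONS=true
TNGRI_RPC_HOST=0.0.0.0
TNGRI_WEBAPP_HOST=0.0.0.0
# TNGRI_SSL_KEY=
# TNGRI_SSL_CERT=
"""

def parse_conf(text):
    """Return the KEY=VALUE pairs, ignoring blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return (setting, finding) pairs for values that should be reviewed."""
    findings = []
    for key in ("TNGRI_S3_ACCESS_KEY_ID", "TNGRI_S3_SECRET_ACCESS_KEY"):
        if conf.get(key) == "minioadmin":
            findings.append((key, "default MinIO credential"))
    # Catalog connection string whose password is the same as the user name.
    creds = re.match(r"[a-z]+://([^:/@]+):([^@]*)@", conf.get("TNGRI_CATALOG_URI", ""))
    if creds and creds.group(1) == creds.group(2):
        findings.append(("TNGRI_CATALOG_URI", "password equals user name"))
    # Without both SSL settings the web application is served in plaintext.
    if not (conf.get("TNGRI_SSL_KEY") and conf.get("TNGRI_SSL_CERT")):
        findings.append(("TNGRI_SSL_KEY/TNGRI_SSL_CERT", "web traffic is plaintext"))
    if conf.get("TNGRI_REMOTE_SESSIONS", "").lower() == "false":
        findings.append(("TNGRI_REMOTE_SESSIONS", "must be true in production"))
    for key in sorted(conf):
        if key.endswith("_HOST") and conf[key] == "0.0.0.0":
            findings.append((key, "listens on all interfaces"))
    return findings

if __name__ == "__main__":
    for setting, finding in audit(parse_conf(SAMPLE_CONF)):
        print(f"{setting}: {finding}")
```

To check a real installation, pass the contents of the configuration file to parse_conf instead of SAMPLE_CONF.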

Resetting the administrator password

If you have lost the administrator password, you can reset it.

To do this, run the following command on the server where the package was installed:

sudo -u tengri bash -c 'export $(egrep -v "^#|^$|.*#" /var/lib/tengri/tengri.defaults | xargs); prostore reset-admin-password'

After that, the current administrator password is reset and the new, automatically generated password is shown in the output log.

Setting up roles for users

Creating roles for users

To create the analyst role, run the query:

CREATE ROLE analyst;

Assigning roles to users

To assign the tengri_user user the analyst role, run the query:

GRANT ROLE analyst TO tengri_user;

Granting privileges to roles

To grant the analyst role read and write privileges inside the analytical_sandbox schema, run the query:

GRANT
    USAGE,
    MODIFY,
    CREATE TABLE,
    CREATE VIEW
ON SCHEMA analytical_sandbox
TO ROLE analyst;

After that, all users with the analyst role will have read and modify privileges for tables and views within the analytical_sandbox schema.

If necessary, adjust the list of granted privileges for this role.

Revoking privileges from roles

To revoke the analyst role’s privilege to write inside the analytical_sandbox schema, run the query:

REVOKE
    MODIFY
ON SCHEMA analytical_sandbox
FROM ROLE analyst;

If necessary, adjust the list of revoked privileges for this role.

Revoking roles from users

To revoke the analyst role from the user tengri_user, run the query:

REVOKE ROLE analyst FROM tengri_user;