Operation Audit
audit_operation_exec
Parameter description: Specifies whether to audit successful operations in GaussDB(DWS). Set this parameter as required.
Type: SIGHUP
Value range: a string
- none: indicates that no audit item is configured. If any audit item is configured, none becomes invalid.
- all: indicates that all successful operations are audited. This value overwrites the concurrent configuration of any other audit items. Note that even if this parameter is set to all, not all DDL operations are audited. You need to control the object level of DDL operations by referring to audit_system_object.
- login: indicates that successful logins are audited.
- logout: indicates that user logouts are audited.
- database_process: indicates that database startup, stop, switchover, and recovery operations are audited.
- user_lock: indicates that successful locking and unlocking operations are audited.
- grant_revoke: indicates that successful granting and reclaiming of a user's permission are audited.
- ddl: indicates that successful DDL operations are audited. DDL operations are controlled at a fine granularity based on operation objects. Therefore, audit_system_object is used to control the objects whose DDL operations are to be audited. (The audit function takes effect as long as audit_system_object is configured, no matter whether ddl is set.)
- select: indicates that successful SELECT operations are audited.
- copy: indicates that successful COPY operations are audited.
- userfunc: indicates that successful operations for user-defined functions, stored procedures, and anonymous blocks are audited.
- set: indicates that successful SET operations are audited.
- transaction: indicates that successful transaction operations are audited.
- vacuum: indicates that successful VACUUM operations are audited.
- analyze: indicates that successful ANALYZE operations are audited.
- explain: indicates that successful EXPLAIN operations are audited.
- specialfunc: indicates that successful calls to special functions are audited. Special functions include pg_terminate_backend and pg_cancel_backend.
- insert: indicates that successful INSERT operations are audited.
- update: indicates that successful UPDATE operations are audited.
- delete: indicates that successful DELETE operations are audited.
- merge: indicates that successful MERGE operations are audited.
- show: indicates that successful SHOW operations are audited.
- checkpoint: indicates that successful CHECKPOINT operations are audited.
- barrier: indicates that successful BARRIER operations are audited.
- cluster: indicates that successful CLUSTER operations are audited.
- comment: indicates that successful COMMENT operations are audited.
- cleanconn: indicates that successful CLEANCONNECTION operations are audited.
- prepare: indicates that successful PREPARE, EXECUTE, and DEALLOCATE operations are audited.
- constraints: indicates that successful CONSTRAINTS operations are audited.
- cursor: indicates that successful cursor operations are audited.
- discard: indicates that successful operations related to global temporary tables in the current session are audited.
Default value: login, logout, database_process, user_lock, grant_revoke, set, transaction, cursor
- You are advised to reserve transaction. Otherwise, statements in a transaction will not be audited.
- You are advised to reserve cursor. Otherwise, the SELECT statements in a cursor will not be audited.
- The Data Studio client automatically encapsulates SELECT statements using CURSOR.
- If a user-defined function or stored procedure contains a FETCH statement, the common_text field records the corresponding CURSOR content when the FETCH statement is audited.
audit_operation_error
Parameter description: Specifies whether to audit failed operations in GaussDB(DWS). Set this parameter as required.
Type: SIGHUP
Value range: a string
- none: indicates that no audit item is configured. If any audit item is configured, none becomes invalid.
- syn_success: synchronizes the audit_operation_exec configuration. To be specific, if the audit of a successful operation is configured, the corresponding failed operation is also audited. Note that even after syn_success is configured, you can continue to configure the audit of other failed operations. If audit_operation_exec is set to all, all failed operations are audited. If audit_operation_exec is set to none, syn_success is equivalent to none, that is, no audit item is configured.
- parse: indicates that failed command parsing is audited, including timeouts while waiting for a command to execute.
- login: indicates that failed logins are audited.
- user_lock: indicates that failed locking and unlocking operations are audited.
- violation: indicates that a user's access violation operations are audited.
- grant_revoke: indicates that failed granting and reclaiming of a user's permission are audited.
- ddl: indicates that failed DDL operations are audited. DDL operations are controlled at a fine granularity based on operation objects and configuration of audit_system_object. Therefore, failed DDL operations of the type specified in audit_system_object will be audited after ddl is configured.
- select: indicates that failed SELECT operations are audited.
- copy: indicates that failed COPY operations are audited.
- userfunc: indicates that failed operations for user-defined functions, stored procedures, and anonymous blocks are audited.
- set: indicates that failed SET operations are audited.
- transaction: indicates that failed transaction operations are audited.
- vacuum: indicates that failed VACUUM operations are audited.
- analyze: indicates that failed ANALYZE operations are audited.
- explain: indicates that failed EXPLAIN operations are audited.
- specialfunc: indicates that failed calls to special functions are audited. Special functions include pg_terminate_backend and pg_cancel_backend.
- insert: indicates that failed INSERT operations are audited.
- update: indicates that failed UPDATE operations are audited.
- delete: indicates that failed DELETE operations are audited.
- merge: indicates that failed MERGE operations are audited.
- show: indicates that failed SHOW operations are audited.
- checkpoint: indicates that failed CHECKPOINT operations are audited.
- barrier: indicates that failed BARRIER operations are audited.
- cluster: indicates that failed CLUSTER operations are audited.
- comment: indicates that failed COMMENT operations are audited.
- cleanconn: indicates that failed CLEANCONNECTION operations are audited.
- prepare: indicates that failed PREPARE, EXECUTE, and DEALLOCATE operations are audited.
- constraints: indicates that failed CONSTRAINTS operations are audited.
- cursor: indicates that failed cursor operations are audited.
- blacklist: indicates that blacklist execution failures are audited.
- discard: indicates that failed operations related to global temporary tables in the current session are audited.
Default value: login
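The following is an added example, not part of the GaussDB(DWS) documentation, that resolves which operations end up audited from a given audit_operation_exec and audit_operation_error pair under the "none", "all" and "syn_success" rules described above. The item names are the page's; the resolution logic is this example's reading of those rules, and the ddl/audit_system_object interaction is not modeled.

```python
# Added example, not from the GaussDB(DWS) documentation: resolve which
# operations are actually audited from audit_operation_exec and
# audit_operation_error under the "none", "all" and "syn_success" rules
# stated on this page. Item names are the page's; the resolution logic
# is this example's reading of those rules.
EXEC_ITEMS = {
    "login", "logout", "database_process", "user_lock", "grant_revoke", "ddl",
    "select", "copy", "userfunc", "set", "transaction", "vacuum", "analyze",
    "explain", "specialfunc", "insert", "update", "delete", "merge", "show",
    "checkpoint", "barrier", "cluster", "comment", "cleanconn", "prepare",
    "constraints", "cursor", "discard",
}
# Failure-side items with no successful-operation counterpart; logout and
# database_process exist only on the success side.
ERROR_ITEMS = (EXEC_ITEMS - {"logout", "database_process"}) | {"parse", "violation", "blacklist"}


def _parse(value: str, known: set[str], keywords: set[str]) -> set[str]:
    """Split a comma-separated GUC string and reject items the parameter does not accept."""
    items = {item.strip() for item in value.split(",") if item.strip()}
    unknown = items - known - keywords
    if unknown:
        raise ValueError(f"unknown audit item(s): {sorted(unknown)}")
    return items


def audited_successful(exec_value: str) -> set[str]:
    """Successful operations audited under audit_operation_exec."""
    items = _parse(exec_value, EXEC_ITEMS, {"none", "all"})
    if "all" in items:           # all overrides every other configured item
        return set(EXEC_ITEMS)
    return items - {"none"}      # none is ignored once any other item is configured


def audited_failed(exec_value: str, error_value: str) -> set[str]:
    """Failed operations audited under audit_operation_error."""
    items = _parse(error_value, ERROR_ITEMS, {"none", "syn_success"})
    result = items - {"none", "syn_success"}
    if "syn_success" in items:
        exec_items = _parse(exec_value, EXEC_ITEMS, {"none", "all"})
        if "all" in exec_items:  # exec=all: every failed operation is audited
            return set(ERROR_ITEMS)
        # exec=none contributes nothing; otherwise mirror the matching failure items
        result |= exec_items & ERROR_ITEMS
    return result


if __name__ == "__main__":
    default_exec = "login, logout, database_process, user_lock, grant_revoke, set, transaction, cursor"
    print(sorted(audited_failed(default_exec, "syn_success, parse")))
```

With the documented default for audit_operation_exec and syn_success, logout and database_process failures are not audited because no failure-side item exists for them.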
audit_inner_tool
Parameter description: Specifies whether to audit the operations of the internal maintenance tool in GaussDB(DWS).
Type: SIGHUP
Value range: Boolean
- on: indicates that all operations of the internal maintenance tool are audited.
- off: indicates that no operations of the internal maintenance tool are audited.
Default value: off
audit_system_object
Parameter description: Specifies whether to audit the CREATE, DROP, and ALTER operations on the GaussDB(DWS) database object. The GaussDB(DWS) database objects include databases, users, schemas, and tables. The operations on the database object can be audited by changing the value of this parameter.
Type: SIGHUP
Value range: an integer ranging from 0 to 134217727
- 0: indicates that auditing of the CREATE, DROP, and ALTER operations on GaussDB(DWS) database objects is disabled.
- Other values: indicate that the CREATE, DROP, and ALTER operations on one or more types of GaussDB(DWS) database objects are audited, as selected by the bits that are set.
Value description:
The value of this parameter is interpreted as a bitmask of 25 binary bits, each representing one type of GaussDB(DWS) database object. If a bit is set to 0, the CREATE, DROP, and ALTER operations on the corresponding database objects are not audited; if it is set to 1, they are audited. For the audit content represented by each bit, see Table 1.
Default value: 12303
Table 1 Meaning of each binary bit of audit_system_object

Binary Bit | Meaning
---|---
Bit 0 | Whether to audit the CREATE, DROP, and ALTER operations on databases.
Bit 1 | Whether to audit the CREATE, DROP, and ALTER operations on schemas.
Bit 2 | Whether to audit the CREATE, DROP, and ALTER operations on users.
Bit 3 | Whether to audit the CREATE, DROP, ALTER, and TRUNCATE operations on tables.
Bit 4 | Whether to audit the CREATE, DROP, and ALTER operations on indexes.
Bit 5 | Whether to audit the CREATE, DROP, and ALTER operations on views.
Bit 6 | Whether to audit the CREATE, DROP, and ALTER operations on triggers.
Bit 7 | Whether to audit the CREATE, DROP, and ALTER operations on procedures/functions.
Bit 8 | Whether to audit the CREATE, DROP, and ALTER operations on tablespaces.
Bit 9 | Whether to audit the CREATE, DROP, and ALTER operations on resource pools.
Bit 10 | Whether to audit the CREATE, DROP, and ALTER operations on workloads.
Bit 11 | Whether to audit the CREATE, DROP, and ALTER operations on SERVER FOR HADOOP objects.
Bit 12 | Whether to audit the CREATE, DROP, and ALTER operations on data sources.
Bit 13 | Whether to audit the CREATE, DROP, and ALTER operations on Node Groups.
Bit 14 | Whether to audit the CREATE, DROP, and ALTER operations on ROW LEVEL SECURITY objects.
Bit 15 | Whether to audit the CREATE, DROP, and ALTER operations on types.
Bit 16 | Whether to audit the CREATE, DROP, and ALTER operations on text search objects (configurations and dictionaries).
Bit 17 | Whether to audit the CREATE, DROP, and ALTER operations on directories.
Bit 18 | Whether to audit the CREATE, DROP, and ALTER operations on workloads.
Bit 19 | Whether to audit the CREATE, DROP, and ALTER operations on redaction policies.
Bit 20 | Whether to audit the CREATE, DROP, and ALTER operations on sequences.
Bit 21 | Whether to audit the CREATE, DROP, and ALTER operations on nodes.
Bit 21 | Whether to audit the CREATE, DROP, and ALTER operations on MATVIEW objects.
Bit 22 | Whether to audit the CREATE, DROP, and ALTER operations on STATISTIC objects.
Bit 23 | Whether to audit the CREATE, DROP, and ALTER operations on PUBLICATION objects.
Bit 24 | Whether to audit the CREATE, DROP, and ALTER operations on SUBSCRIPTION objects.
Bit 25 | Whether to audit the CREATE, DROP, and ALTER operations on BLOCK RULE objects.
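The following is an added example, not part of the GaussDB(DWS) documentation, that decodes an audit_system_object value into the object types of Table 1 and composes a value from a list of object types; it also rejects values outside the documented range. Only bits 0 to 13 are mapped, which is enough to decode the default value 12303; higher bits are reported by number.

```python
# Added example, not from the GaussDB(DWS) documentation: decode and compose
# audit_system_object bitmask values. Bit meanings are taken from Table 1 on
# this page; only bits 0-13 are mapped here, the rest are reported by number.
AUDIT_SYSTEM_OBJECT_BITS = {
    0: "databases",
    1: "schemas",
    2: "users",
    3: "tables",
    4: "indexes",
    5: "views",
    6: "triggers",
    7: "procedures/functions",
    8: "tablespaces",
    9: "resource pools",
    10: "workloads",
    11: "SERVER FOR HADOOP objects",
    12: "data sources",
    13: "Node Groups",
}
MAX_VALUE = 134217727  # upper bound of the documented value range (2**27 - 1)


def decode_audit_system_object(value: int) -> list[str]:
    """Return the object types whose CREATE/DROP/ALTER operations a value audits."""
    if not 0 <= value <= MAX_VALUE:
        raise ValueError(f"audit_system_object must be in 0..{MAX_VALUE}, got {value}")
    audited = []
    for bit in range(value.bit_length()):
        if value >> bit & 1:
            # Unmapped bits are named by number so nothing is silently dropped.
            audited.append(AUDIT_SYSTEM_OBJECT_BITS.get(bit, f"bit {bit}"))
    return audited


def encode_audit_system_object(object_types: list[str]) -> int:
    """Compose a parameter value that audits exactly the named object types."""
    by_name = {name: bit for bit, name in AUDIT_SYSTEM_OBJECT_BITS.items()}
    value = 0
    for name in object_types:
        if name not in by_name:
            raise KeyError(f"unknown or unmapped object type: {name}")
        value |= 1 << by_name[name]
    return value


if __name__ == "__main__":
    # The documented default 12303 is 0b11000000001111: bits 0-3, 12 and 13.
    print(decode_audit_system_object(12303))
```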
enableSeparationOfDuty
Parameter description: Specifies whether the separation of permissions is enabled.
Type: POSTMASTER
Value range: Boolean
- on: indicates that the separation of permissions is enabled.
- off: indicates that the separation of permissions is disabled.
Default value: off
security_enable_options
Parameter description: Specifies whether grant_to_public, grant_with_grant_option, and foreign_table_options can be used in security mode. (This parameter is supported only by clusters of version 8.2.0 or later.)
Type: SIGHUP
Value range: a string
- grant_to_public: indicates that GRANT ... TO PUBLIC can be used in security mode.
- grant_with_grant_option: indicates that GRANT ... WITH GRANT OPTION can be used in security mode.
- foreign_table_options: allows users to perform operations on foreign tables in security mode without being explicitly granted the useft permission.
Default value: empty
- In a newly installed cluster, this parameter is left blank by default, indicating that none of grant_to_public, grant_with_grant_option, and foreign_table_options can be used in security mode.
- In upgrade scenarios, the default value of this parameter is forward compatible. If the default values of enable_grant_public and enable_grant_option are ON before the upgrade, the default value of security_enable_options is grant_to_public, grant_with_grant_option after the upgrade.