CREATE SECURITY LABEL
Description
CREATE SECURITY LABEL creates a security label for the specified security policy in the current database.
Precautions
An initial user, a user with the SYSADMIN permission, or a user who inherits permissions of the built-in role gs_role_seclabel can create security labels.
Syntax
CREATE SECURITY LABEL label_name 'label_content';
Parameters
- label_name
Security label name, which must be unique in the database.
Value range: a string. It must comply with Identifier Naming Conventions and contain a maximum of 63 characters. If the value contains more than 63 characters, the database truncates it and retains the first 63 characters as the security label name. If a security label name contains uppercase letters, the database automatically converts them into lowercase letters. To create a security label name that contains uppercase letters, enclose the name in double quotation marks ("").
The identifier may contain only lowercase letters, uppercase letters, underscores (_), digits (0–9), and dollar signs ($), and must start with a letter or underscore (_).
- label_content
Security label content. The requirements are as follows:
A security label consists of only one level and at least one range, which are separated by a colon (:). The format is "level:range", for example, "L1:G2,G41,G6-G27".
- There are 1024 levels named Li, where 1 ≤ i ≤ 1024. The levels meet a partial order relationship (if i ≤ j, then Li ≤ Lj). For example, L1 is lower than L3.
- There are 1024 ranges named Gi, where 1 ≤ i ≤ 1024. You cannot compare sizes between ranges, but you can perform set operations. Multiple ranges are separated by commas (,), and a hyphen (-) is used to specify the interval. For example, {G2-G5} indicates {G2,G3,G4,G5}. {G1} is a subset of {G1, G6}.
- The letters L and G must be capitalized and followed by at least one non-zero digit. Other characters are not allowed. In the {Gxxx-Gyyy} format, yyy must be greater than or equal to xxx.
- If the input levels and ranges do not meet the requirements, the system reports an error.
Example:
-- The label must contain at least one content range category.
gaussdb=# CREATE SECURITY LABEL sec_label3 'L3:';
ERROR: in label text "L3:", there at least have one level and one group
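The label_content rules above can be checked before a statement is sent to the database. The following is an added example, not GaussDB code: parse_label and covers are hypothetical helper names, rejecting a leading zero such as L01 is an assumption (the page only requires at least one non-zero digit), and covers simply combines the level order and range subset relation described above.

```python
import re

MAX_INDEX = 1024  # the page defines L1..L1024 and G1..G1024
_DIGITS = re.compile(r"[1-9][0-9]*")  # assumption: leading zeros (L01) are rejected


def _index(token, letter):
    """Return i for a token 'Li' or 'Gi', or raise ValueError."""
    if not token.startswith(letter) or not _DIGITS.fullmatch(token[1:]):
        raise ValueError(f"bad {letter} token: {token!r}")
    value = int(token[1:])
    if value > MAX_INDEX:
        raise ValueError(f"{token!r} exceeds {letter}{MAX_INDEX}")
    return value


def parse_label(content):
    """Parse 'level:range' into (level, frozenset of range indexes)."""
    level_part, sep, range_part = content.partition(":")
    if not sep or not level_part or not range_part:
        raise ValueError("label needs exactly one level and at least one range")
    level = _index(level_part, "L")
    ranges = set()
    for item in range_part.split(","):
        low_tok, dash, high_tok = item.partition("-")
        low = _index(low_tok, "G")
        high = _index(high_tok, "G") if dash else low
        if high < low:
            raise ValueError(f"interval {item!r} is descending")
        ranges.update(range(low, high + 1))  # G2-G5 expands to G2,G3,G4,G5
    return level, frozenset(ranges)


def covers(a, b):
    """True if a's level >= b's level and b's ranges are a subset of a's."""
    (level_a, ranges_a), (level_b, ranges_b) = parse_label(a), parse_label(b)
    return level_a >= level_b and ranges_b <= ranges_a


if __name__ == "__main__":
    # Constructed sample inputs, taken from the label formats shown on this page.
    for text in ("L1:G2,G41,G6-G27", "L3:G1-G5", "L3:", "L1:G5-G2"):
        try:
            level, ranges = parse_label(text)
            print(f"{text!r}: level {level}, {len(ranges)} ranges")
        except ValueError as exc:
            print(f"{text!r}: rejected ({exc})")
```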
Examples
-- Create a security label sec_label.
gaussdb=# CREATE SECURITY LABEL sec_label 'L1:G4';

-- Create security label sec_label with the content of 'L1:G2,G4'.
gaussdb=# CREATE SECURITY LABEL sec_label 'L1:G2,G4';
ERROR: security label "sec_label" already exists

-- Create security label sec_label1 with the content of 'L1:G2,G4'.
gaussdb=# CREATE SECURITY LABEL sec_label1 'L1:G2,G4';

-- Create security label sec_label2 with the content of 'L3:G1-G5'.
gaussdb=# CREATE SECURITY LABEL sec_label2 'L3:G1-G5';

-- View the security labels created in the system.
gaussdb=# SELECT * FROM gs_security_label;
 label_name | label_content
------------+---------------
 sec_label  | L1:G4
 sec_label1 | L1:G2,G4
 sec_label2 | L3:G1-G5
(3 rows)

-- Delete the existing security labels sec_label, sec_label1, and sec_label2.
gaussdb=# DROP SECURITY LABEL sec_label;
gaussdb=# DROP SECURITY LABEL sec_label1;
gaussdb=# DROP SECURITY LABEL sec_label2;

-- View the security labels created in the system again.
gaussdb=# SELECT * FROM gs_security_label;
 label_name | label_content
------------+---------------
(0 rows)