Updated on 2023-10-23 GMT+08:00

Setting Account Security Policies

Background

For data security purposes, GaussDB provides a series of security measures, such as automatically locking and unlocking accounts, manually locking and unlocking abnormal accounts, and deleting accounts that are no longer used.

Automatically Locking and Unlocking Accounts

  • If the number of incorrect password attempts for an account reaches the upper limit (failed_login_attempts, 10 by default), the system automatically locks the account. A smaller value gives higher account security, but setting it too low may cause inconvenience.
  • If an account has been locked for longer than the preset time (password_lock_time, one day by default), the system automatically unlocks it. A larger value gives higher account security, but setting it too high may cause inconvenience.
    • The integer part of the password_lock_time parameter indicates the number of days, and the decimal part can be converted into hours, minutes, and seconds. For example, password_lock_time=1.5 indicates one day and 12 hours.
    • If the failed_login_attempts parameter is set to 0, an account is never locked due to incorrect password attempts. If the password_lock_time parameter is set to 0, an account is quickly unlocked after it is locked due to incorrect password attempts. Therefore, password failure checks, account locking, and account unlocking take effect only when both parameters are set to positive values.
    • The default values of the two parameters meet the security requirements. You can change the parameter values as needed for higher security. You are advised to retain the default values.
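
The following Python sketch is an added example, not part of the GaussDB documentation or product code. It converts a password_lock_time value into days, hours, minutes, and seconds and flags the zero settings described above that disable automatic locking. The function names are hypothetical and the sample values are constructed.

```python
from datetime import datetime, timedelta

def lock_duration(password_lock_time):
    """Convert password_lock_time (days, fractional part allowed) to a timedelta."""
    days = float(password_lock_time)
    if days < 0:
        raise ValueError("password_lock_time must not be negative")
    return timedelta(days=days)

def audit_lockout(failed_login_attempts, password_lock_time):
    """Return findings for the two settings; an empty list means lockout is in effect."""
    attempts = int(failed_login_attempts)
    if attempts < 0:
        raise ValueError("failed_login_attempts must not be negative")
    findings = []
    if attempts == 0:
        findings.append("failed_login_attempts=0: accounts are never locked "
                        "for incorrect passwords")
    if lock_duration(password_lock_time) == timedelta(0):
        findings.append("password_lock_time=0: a locked account is unlocked "
                        "again quickly")
    return findings

def auto_unlock_at(locked_at, failed_login_attempts, password_lock_time):
    """Time of the automatic unlock, or None when the settings disable lockout."""
    if audit_lockout(failed_login_attempts, password_lock_time):
        return None
    return locked_at + lock_duration(password_lock_time)

def describe(duration):
    """Render a timedelta as days, hours, minutes, and seconds."""
    hours, rem = divmod(duration.seconds, 3600)
    minutes, seconds = divmod(rem, 60)
    return f"{duration.days}d {hours}h {minutes}m {seconds}s"

if __name__ == "__main__":
    # Constructed sample values (assumption: read as text from the server settings).
    locked_at = datetime(2023, 10, 23, 8, 0, 0)  # constructed lock timestamp
    for attempts, lock_time in [("10", "1"), ("10", "1.5"), ("0", "1"), ("5", "0")]:
        print(f"failed_login_attempts={attempts} password_lock_time={lock_time}")
        print("  lock duration:", describe(lock_duration(lock_time)))
        for finding in audit_lockout(attempts, lock_time):
            print("  WARNING:", finding)
        print("  automatic unlock at:", auto_unlock_at(locked_at, attempts, lock_time))
```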

Manually Locking and Unlocking Accounts

If administrators detect that an account has been stolen or is being used to access the database without authorization, they can manually lock the account. They can manually unlock the account once it returns to normal.

For details about how to create a user, see Users. To manually lock and unlock user joe, run commands in the following format:

  • To manually lock the account, run the following command:
    openGauss=# ALTER USER joe ACCOUNT LOCK;
    ALTER ROLE
    
  • To manually unlock the account, run the following command:
    openGauss=# ALTER USER joe ACCOUNT UNLOCK;
    ALTER ROLE
    

Deleting Accounts That Are No Longer Used

Administrators can delete an account that is no longer used. This operation cannot be rolled back.

When an account to be deleted is in the active state, it is deleted after the session is disconnected.

For example, if you want to delete account joe, run the following command:

openGauss=# DROP USER joe CASCADE;
DROP ROLE