Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
OneAccess
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive
On this page

Security Functions

Updated on 2024-05-07 GMT+08:00

Security Functions

  • gs_encrypt_aes128(encryptstr,keystr)

    Description: Encrypts encryptstr strings using keystr as the encryption password and returns encrypted strings. The value of keystr ranges from 8 to 16 bytes and contains at least three types of the following characters: uppercase letters, lowercase letters, digits, and special characters.

    Return type: text

    Length of the return value: At least 92 bytes and no more than (4*[Len/3]+68) bytes, where Len indicates the length of the data before encryption (unit: byte).

    Example:

    1
    2
    3
    4
    5
    6
    gaussdb=# SELECT gs_encrypt_aes128('MPPDB','Asdf1234');
    
                                   gs_encrypt_aes128
    -------------------------------------------------------------------------------------
    jRLOH2cqywwbAeiQQ9KuujGhJVGfp317wsdKbUC+AcWX7NLZAUPmITDJhuu/6164qOrLA8uvCRA60QNX6MF3yOPViWc=
    (1 row)
    
    NOTE:

    A decryption password is required during the execution of this function. For security purposes, the gsql tool does not record the SQL statements containing the function name in the execution history. That is, the execution history of this function cannot be found in gsql by paging up and down.

  • gs_encrypt(encryptstr,keystr, encrypttype)

    Description: Encrypts encryptstr strings using keystr as the encryption password and returns encrypted strings based on encrypttype. The value of keystr contains 8 to 16 bytes and at least three types of the following characters: uppercase letters, lowercase letters, digits, and special characters. The value of encrypttype can be aes128 or sm4.

    Return type: text

    Example:

    gaussdb=#  SELECT gs_encrypt('MPPDB','Asdf1234','sm4'); 
             gs_encrypt         
     ------------------------------
     ZBzOmaGA4Bb+coyucJ0B8AkIShqc
    (1 row)
    NOTE:

    A decryption password is required during the execution of this function. For security purposes, the gsql tool does not record the SQL statements containing the function name in the execution history. That is, the execution history of this function cannot be found in gsql by paging up and down.

  • gs_decrypt_aes128(decryptstr,keystr)

    Description: Decrypts decrypt strings using keystr as the decryption password and returns decrypted strings. The keystr used for decryption must be consistent with that used for encryption. keystr cannot be empty.

    NOTE:

    This parameter needs to be used with the gs_encrypt_aes128 encryption function.

    Return type: text

    Example:

    1
    2
    3
    4
    5
    gaussdb=# SELECT gs_decrypt_aes128('jRLOH2cqywwbAeiQQ9KuujGhJVGfp317wsdKbUC+AcWX7NLZAUPmITDJhuu/6164qOrLA8uvCRA60QNX6MF3yOPViWc=','Asdf1234');
     gs_decrypt_aes128 
    -------------------
     MPPDB
    (1 row)
    
    NOTE:

    A decryption password is required during the execution of this function. For security purposes, the gsql tool does not record the SQL statements containing the function name in the execution history. That is, the execution history of this function cannot be found in gsql by paging up and down.

  • gs_decrypt(decryptstr,keystr,decrypttype)

    Description: Decrypts decrypt strings using keystr as the decryption password and returns decrypted strings based on decrypttype. The decrypttype and keystr used for decryption must be consistent with encrypttype and keystr used for encryption. keystr cannot be empty. The value of decrypttype can be aes128 or sm4.

    This function needs to be used with the gs_encrypt encryption function.

    Return type: text

    Example:

    gaussdb=# SELECT gs_decrypt('ZBzOmaGA4Bb+coyucJ0B8AkIShqc','Asdf1234','sm4');
     gs_decrypt 
    ------------
     MPPDB
    (1 row)
    NOTE:

    A decryption password is required during the execution of this function. For security purposes, the gsql tool does not record the SQL statements containing the function name in the execution history. That is, the execution history of this function cannot be found in gsql by paging up and down.

  • aes_encrypt(str, key_str, init_vector)

    Description: Encrypts the string str using the key string key_str and initialization vector init_vector based on the AES algorithm.

    Parameters in the command above are as follows:
    • str: character string to be encrypted. If str is set to NULL, the function returns NULL.
    • key_str: key character string. If key_str is set to NULL, the function returns NULL. For security purposes, you are advised to use a 128-bit, 192-bit, or 256-bit secure random number as the key character string if the key length is 128 bits, 192 bits, or 256 bits (determined by the value of block_encryption_mode).
    • init_vector: An initialization variable is provided for the required block encryption mode. The length is greater than or equal to 16 bytes. Bytes greater than 16 bytes are automatically ignored. If neither str nor key_str is NULL, this parameter cannot be NULL. Otherwise, an error is reported. For security purposes, you are advised to ensure that the IV value for each encryption is unique in OFB mode and that the IV value for each encryption is unpredictable in CBC or CFB mode.

    Return type: text

    Example:

    gaussdb=# SELECT aes_encrypt('huwei123','123456vfhex4dyu,vdaladhjsadad','1234567890123456');
     aes_encrypt
    -------------
     u*8\x05c?0
    (1 row)
    NOTE:
    • This function is valid only when GaussDB is compatible with the MY type (that is, sql_compatibility is set to 'B').
    • A decryption password is required during the execution of this function. For security purposes, the gsql tool does not record the SQL statements containing the function name in the execution history. That is, the execution history of this function cannot be found in gsql by paging up and down.
    • Do not call this function during operations related to stored procedures, preventing the risk of sensitive information disclosure. In addition, when using the stored procedure that contains the function, you are advised to filter the parameter information of the function before providing the information for external maintenance personnel to locate the fault. Delete the logs after using them.
    • Do not call the function when debug_print_plan is set to on, preventing the risk of sensitive information disclosure. You are advised to filter parameter information of the function in the log files generated when debug_print_plan is set to on before providing the log files to external maintenance engineers for fault locating. After you finish using the logs, delete them as soon as possible.
    • The SQL_ASCII setting performs quite differently from other settings. If the character set of the server is SQL_ASCII, the server interprets the byte values 0 to 127 according to the ASCII standard. The byte values 128 to 255 are regarded as the characters that cannot be parsed. If this parameter is set to SQL_ASCII, no code conversion occurs. When this function calls the third-party OpenSSL library, the returned data is non-ASCII data. Therefore, when the character set of the database server is set to SQL_ASCII, the encoding of the client must also be set to SQL_ASCII. Otherwise, an error is reported. The database does not convert or verify non-ASCII characters.
  • aes_decrypt(pass_str, key_str, init_vector)

    Description: Decrypts the string str using the key string key_str and initialization vector init_vector based on the AES algorithm.

    Parameters in the command above are as follows:
    • pass_str: character string to be decrypted. If pass_str is set to NULL, the function returns NULL.
    • key_str: key character string. If key_str is set to NULL, the function returns NULL. For security purposes, you are advised to use a 128-bit, 192-bit, or 256-bit secure random number as the key character string if the key length is 128 bits, 192 bits, or 256 bits (determined by the value of block_encryption_mode).
    • init_vector: An initialization variable is provided for the required block decryption mode. The length is greater than or equal to 16 bytes. Bytes greater than 16 bytes are automatically ignored. If neither pass_str nor key_str is NULL, this parameter cannot be NULL. Otherwise, an error is reported. For security purposes, you are advised to ensure that the IV value for each encryption is unique in OFB mode and that the IV value for each encryption is unpredictable in CBC or CFB mode.

    Return type: text

    Example:

    gaussdb=# SELECT aes_decrypt(aes_encrypt('huwei123','123456vfhex4dyu,vdaladhjsadad','1234567890123456'),'123456vfhex4dyu,vdaladhjsadad','1234567890123456');
     aes_decrypt
    -------------
     huwei123
    (1 row)
    NOTE:
    • This function is valid only when GaussDB is compatible with the MY type (that is, sql_compatibility is set to 'B').
    • A decryption password is required during the execution of this function. For security purposes, the gsql tool does not record the SQL statements containing the function name in the execution history. That is, the execution history of this function cannot be found in gsql by paging up and down.
    • Do not call this function during operations related to stored procedures, preventing the risk of sensitive information disclosure. In addition, when using the stored procedure that contains the function, you are advised to filter the parameter information of the function before providing the information for external maintenance personnel to locate the fault. Delete the logs after using them.
    • Do not call the function when debug_print_plan is set to on, preventing the risk of sensitive information disclosure. You are advised to filter parameter information of the function in the log files generated when debug_print_plan is set to on before providing the log files to external maintenance engineers for fault locating. After you finish using the logs, delete them as soon as possible.
    • To ensure successful decryption, ensure that the values of block_encryption_mode, key_str and IV are the same as those during encryption.
    • Due to encoding differences, encrypted data cannot be directly copied from the gsql client for decryption. In this scenario, the decryption result may not be the character string before encryption.
    • The SQL_ASCII setting performs quite differently from other settings. If the character set of the server is SQL_ASCII, the server interprets the byte values 0 to 127 according to the ASCII standard. The byte values 128 to 255 are regarded as the characters that cannot be parsed. If this parameter is set to SQL_ASCII, no code conversion occurs. When this function calls the third-party OpenSSL library, the returned data is non-ASCII data. Therefore, when the character set of the database server is set to SQL_ASCII, the encoding of the client must also be set to SQL_ASCII. Otherwise, an error is reported. The database does not convert or verify non-ASCII characters.
  • gs_digest(input_string, hash_algorithm)

    Description: Hashes the input string using the specified hash algorithm and returns a hexadecimal number.

    Parameters in the command above are as follows:
    • input_string: character string to be hashed. The value cannot be NULL.
    • hash_algorithm: specifies the hash algorithm. Currently, SHA-256, SHA-384, SHA-512, and SM3 are supported. Both uppercase and lowercase letters are supported. If an unsupported hash algorithm is used, an error is reported.

    Return type: text

    Example:

    1
    2
    3
    4
    5
    gaussdb=# SELECT pg_catalog.gs_digest('gaussdb', 'sha256');
                                gs_digest
    ------------------------------------------------------------------
     4dc50d746f4e04f9b446986b34a0050e358fbfb8bc1fba314c54b52a417b0b8e
    (1 row)
    
  • gs_password_deadline

    Description: Indicates the number of remaining days before the password of the current user expires.

    Return type: interval

    Example:

    1
    2
    3
    4
    5
    gaussdb=# SELECT gs_password_deadline();
      gs_password_deadline   
    -------------------------
     83 days 17:44:32.196094
    (1 row)
    
  • gs_password_notifytime()

    Description: Specifies the number of days prior to password expiration that a user will receive a reminder.

    Return type: int32

  • login_audit_messages(BOOLEAN)

    Description: Queries login information about a login user.

    Return type: tuple

    Example:

    • Check the date, time, and IP address of the last successful login.
      1
      2
      3
      4
      5
      gaussdb=> SELECT * FROM login_audit_messages(true);
       username | database |       logintime        |    mytype     | result | client_conninfo
      ----------+----------+------------------------+---------------+--------+-----------------
       omm      | testdb | 2020-06-29 21:56:40+08 | login_success | ok     | gsql@[local]
      (1 row)
      
    • Check the number, date, and time of failed attempts since the previous successful login.
      1
      2
      3
      4
      5
      6
      gaussdb=>  SELECT * FROM login_audit_messages(false);
       username | database |       logintime        |    mytype    | result |  client_conninfo
      ----------+----------+------------------------+--------------+--------+-------------------
       omm      | testdb | 2020-06-29 21:57:55+08 | login_failed | failed | [unknown]@[local]
       omm      | testdb | 2020-06-29 21:57:53+08 | login_failed | failed | [unknown]@[local]
      (2 rows)
      
  • login_audit_messages_pid

    Description: Queries login information about a login user. Different from login_audit_messages, this function queries login information based on backendid. Information about subsequent logins of the same user does not alter the query result of previous logins and cannot be found using this function.

    Return type: tuple

    NOTE:

    When the thread pool is enabled, the backendid obtained in the same session may change due to thread switchover. As a result, the return values are different when the function is called for multiple times. You are advised not to call this function when the thread pool is enabled.

    Example:

    • Check the date, time, and IP address of the last successful login.
      1
      2
      3
      4
      5
      gaussdb=> SELECT * FROM login_audit_messages_pid(true);
       username | database |       logintime        |    mytype     | result | client_conninfo |    backendid
      ----------+----------+------------------------+---------------+--------+-----------------+-----------------
       omm      | testdb | 2020-06-29 21:56:40+08 | login_success | ok     | gsql@[local]    | 139823109633792
      (1 row)
      
    • Check the number, date, and time of failed attempts since the previous successful login.
      1
      2
      3
      4
      5
      6
      gaussdb=> SELECT * FROM login_audit_messages_pid(false);
       username | database |       logintime        |    mytype    | result |  client_conninfo  |    backendid
      ----------+----------+------------------------+--------------+--------+-------------------+-----------------
       omm      | testdb | 2020-06-29 21:57:55+08 | login_failed | failed | [unknown]@[local] | 139823109633792
       omm      | testdb | 2020-06-29 21:57:53+08 | login_failed | failed | [unknown]@[local] | 139823109633792
      (2 rows)
      
  • inet_server_addr

    Description: Displays the server IP address.

    Return type: inet

    Example:

    1
    2
    3
    4
    5
    gaussdb=# SELECT inet_server_addr();
     inet_server_addr
    ------------------
     10.10.0.13
    (1 row)
    
    NOTE:
    • The client IP address 10.10.0.50 and server IP address 10.10.0.13 are used as an example.
    • If the database is connected to the local PC, the value is empty.
  • inet_client_addr

    Description: Displays the client IP address.

    Return type: inet

    Example:

    1
    2
    3
    4
    5
    gaussdb=# SELECT inet_client_addr();
     inet_client_addr
    ------------------
     10.10.0.50
    (1 row)
    
    NOTE:
    • The client IP address 10.10.0.50 and server IP address 10.10.0.13 are used as an example.
    • If the database is connected to the local PC, the value is empty.
  • pg_query_audit

    Description: Views audit logs of the primary database node.

    Return type: record

    The following table describes return fields.

    Name

    Type

    Description

    time

    timestamp with time zone

    Operation time

    type

    text

    Operation

    result

    text

    Operation result

    userid

    oid

    User ID

    username

    text

    Name of the user who performs the operation

    database

    text

    Database name

    client_conninfo

    text

    Client connection information

    object_name

    text

    Object name

    detail_info

    text

    Operation details

    node_name

    text

    Node name

    thread_id

    text

    Thread ID

    local_port

    text

    Local port

    remote_port

    text

    Remote port

  • pg_delete_audit

    Description: Deletes audit logs in a specified period.

    Return type: void

  • alldigitsmasking

    Description: Specifies the internal function of the masking policy, which is used to anonymize all characters.

    Parameter: col text, letter character default '0'

    Return type: text

  • creditcardmasking

    Description: Specifies the internal function of the masking policy, which is used to anonymize all credit card information.

    Parameter: col text, letter character default 'x'

    Return type: text

  • randommasking

    Description: Specifies the internal function of the masking policy. The random policy is used.

    Parameter: col text

    Return type: text

  • fullemailmasking

    Description: Specifies the internal function of the masking policy, which is used to anonymize the text (except @) before the last period (.).

    Parameter: col text, letter character default 'x'

    Return type: text

  • basicemailmasking

    Description: Specifies the internal function of the masking policy, which is used to anonymize the text before the first at sign (@).

    Parameter: col text, letter character default 'x'

    Return type: text

  • shufflemasking

    Description: Specifies the internal function of the masking policy, which is used to sort characters out of order.

    Parameter: col text

    Return type: text

We use cookies to improve our site and your experience. By continuing to browse our site you accept our cookie policy. Find out more

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback