Security Configuration

enable_security_policy

Parameter description: Specifies whether the unified audit and dynamic data masking policies take effect.

Unified audit: The unified audit mechanism is a technology that implements efficient security audit management by customizing audit policies. After the administrator defines the audit object and audit behaviors, if the task executed by a user is associated with an audit policy, the corresponding audit behavior is generated and the audit log is recorded. For details, see "Database Security > Unified Audit" in Feature Description.

Dynamic data masking: The dynamic data masking mechanism is a technology that protects privacy data by customizing masking policies. It can effectively prevent unauthorized users from accessing sensitive information while retaining original data. For details, see "Database Security > Dynamic Data Masking" in Feature Description.

Parameter type: Boolean

Unit: none

Value range:

on: The security policy is enabled.

off: The security policy is disabled.

Default value: off

Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.

Setting suggestion: Retain the default value. Set this parameter to on when a security policy is required. However, this occupies system resources and affects system performance.

use_elastic_search

Parameter description: Specifies whether to send unified audit logs to Elasticsearch. If enable_security_policy and this parameter are enabled, unified audit logs are sent to Elasticsearch through HTTP or HTTPS (used by default). After this parameter is enabled, ensure that the Elasticsearch service corresponding to elastic_search_ip_addr can be properly connected. Otherwise, the process fails to be started.

This is a POSTMASTER parameter. Set it based on instructions provided in Table 1.

Value range: Boolean

on: Unified audit logs are sent to Elasticsearch.

off: Unified audit logs are not sent to Elasticsearch.

Default value: off

elastic_search_ip_addr

Parameter description: Specifies the IP address of the Elasticsearch system. If HTTPS is used, the format is https://ip:port:username. If HTTP is used, the format is http://ip:port. In the preceding command, ip indicates the IP address of the Elasticsearch server. port indicates the listening port for Elasticsearch HTTP communication, and the value ranges from 9200 to 9299. username indicates the username used for registering an Elasticsearch account. The initial user is elastic. If HTTPS is used, related certificates need to be configured. For details, see "Unified Auditing" in the Security Hardening Guide.

This is a POSTMASTER parameter. Set it based on instructions provided in Table 1.

Value range: a string.

Default value: ''

is_sysadmin

Parameter description: Specifies whether the current user is an initial user.

This is a fixed INTERNAL parameter. It can be viewed but cannot be modified.

Value range: Boolean

on indicates that the user is an initial user.

off indicates that the user is not an initial user.

Default value: off

enable_tde

Parameter description: Specifies whether to enable the TDE function. Before creating an encrypted table, set this parameter to on and set the tde_key_info parameter to configure the key information.

This is a POSTMASTER parameter. Set it based on instructions provided in Table 1.

Value range: Boolean.

on: The TDE function is enabled.

off: The TDE function is disabled.

Default value: off

• If this parameter is set to on, ensure that the key information in the tde_key_info parameter is correctly configured and the key service can be accessed properly. Otherwise, the database cannot be started properly.
• After this parameter is set to on and an encrypted table is created, if this parameter is set to off again, data in the existing encrypted table cannot be encrypted or decrypted. As a result, the database is abnormal.

tde_key_info

Parameter description: If TDE is enabled, transparent data needs to access the external key service to implement key management. This parameter is used to configure information about the key service, such as the service address, identity authentication information, and project information.

This is a SIGHUP parameter. Set it based on instructions provided in Table 1.

Value range: a string. For details, see "Security Management > Configuring TDE" in Administrator Guide.

Default value: ""

tde_index_default_encrypt

Parameter description: After this parameter is enabled, if you create an index whose base table is an encrypted table, the database automatically sets the index as an encrypted index, copies encryption parameters such as the encryption algorithms and keys of the base table for the index, and encrypts the data of the index before storing it.

Parameter type: Boolean

Unit: none

Value range:

on: Encryption parameters are automatically set for indexes of encrypted tables.

off: Encryption parameters are not automatically set for indexes in encrypted tables.

Default value: off

Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.

Setting suggestion: Retain the default value.

block_encryption_mode

Parameter description: Specifies the block encryption mode used by the aes_encrypt and aes_decrypt functions for encryption and decryption.

This is a USERSET parameter. Set it based on instructions provided in Table 1.

Value range: enumerated values. Valid values are aes-128-cbc, aes-192-cbc, aes-256-cbc, aes-128-cfb1, aes-192-cfb1, aes-256-cfb1, aes-128-cfb8, aes-192-cfb8, aes-256-cfb8, aes-128-cfb128, aes-192-cfb128, aes-256-cfb128, aes-128-ofb, aes-192-ofb, and aes-256-ofb. aes indicates the encryption or decryption algorithm. 128, 192, and 256 indicate the key length (unit: bit). cbc, cfb1, cfb8, cfb128, and ofb indicate the block encryption or decryption mode.

Default value: aes-128-cbc

enable_mac_check

Parameter description: Specifies whether label-based mandatory access control takes effect.

This is a SIGHUP parameter. Set it based on instructions provided in Table 1.

Value range: Boolean.

on indicates that label-based mandatory access control takes effect.

off indicates that label-based mandatory access control does not take effect.

Default value: off

enable_rls_match_index

Parameter description: Specifies whether indexes of a base table can be scanned based on target predicate conditions in row-level security scenarios. Target scenario: The row level security (RLS) policies are set and enabled in the base table, and the query predicate contains the unleakproof system function or like operator.

Value range: Boolean.

on: Base table indexes can be scanned in the target scenario.

off: Base table indexes cannot be scanned in the target scenario.

Default value: off

Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.

Setting suggestion: Retain the default value. If hotspot query statements belong to the target scenario and there are few row-level access policies in the base table, enabling this function significantly improves query performance.

• The modification of this parameter affects the generation of the execution plan in the target scenario. You can manually invalidate the cache plan by reconnecting to the system or creating operators.
• If this parameter is enabled, the generation of the bitmap scanning operator is affected, and the RLS policy predicate is inserted into the Recheck filter condition. Therefore, when the operator is switched to the lossy mode and there are many RLS policies, the performance is affected.