Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
OneAccess
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive

Security Configuration

Updated on 2024-06-03 GMT+08:00

enable_security_policy

Parameter description: Specifies whether the unified audit and dynamic data masking policies take effect.
NOTE:

Unified audit: The unified audit mechanism is a technology that implements efficient security audit management by customizing audit policies. After the administrator defines the audit object and audit behaviors, if the task executed by a user is associated with an audit policy, the corresponding audit behavior is generated and the audit log is recorded. For details, see "Database Security > Unified Audit" in Feature Description.

Dynamic data masking: The dynamic data masking mechanism is a technology that protects privacy data by customizing masking policies. It can effectively prevent unauthorized users from accessing sensitive information while retaining original data. For details, see "Database Security > Dynamic Data Masking" in Feature Description.

Parameter type: Boolean.

Unit: none

Value range:

on: The security policy is enabled.

off: The security policy is disabled.

Default value: off

Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.

Setting suggestion: Retain the default value. Set this parameter to on when a security policy is required. However, this occupies system resources and affects system performance.

use_elastic_search

Parameter description: Specifies whether to send unified audit logs to Elasticsearch. If enable_security_policy and this parameter are enabled, unified audit logs are sent to Elasticsearch through HTTP or HTTPS (used by default). After this parameter is enabled, ensure that the Elasticsearch service corresponding to elastic_search_ip_addr can be properly connected. Otherwise, the process fails to be started.

This is a POSTMASTER parameter. Set it based on instructions provided in Table 1.

Value range: Boolean.

on: Unified audit logs are sent to Elasticsearch.

off: Unified audit logs are not sent to Elasticsearch.

Default value: off

elastic_search_ip_addr

Parameter description: Specifies the IP address of the Elasticsearch system. If HTTPS is used, the format is https://ip:port:username. If HTTP is used, the format is http://ip:port. In the preceding command, ip indicates the IP address of the Elasticsearch server. port indicates the listening port for Elasticsearch HTTP communication, and the value ranges from 9200 to 9299. username indicates the username used for registering an Elasticsearch account. The initial user is elastic. If HTTPS is used, related certificates need to be configured. For details, see "Unified Auditing" in the Security Hardening Guide.

This is a POSTMASTER parameter. Set it based on instructions provided in Table 1.

Value range: a string.

Default value: ''

is_sysadmin

Parameter description: Specifies whether the current user is an initial user.

This is a fixed INTERNAL parameter. It can be viewed but cannot be modified.

Value range: Boolean.

on indicates that the user is an initial user.

off indicates that the user is not an initial user.

Default value: off

enable_tde

Parameter description: Specifies whether to enable the TDE function. Before creating an encrypted table, set this parameter to on and set the tde_key_info parameter to configure the key information.

This is a POSTMASTER parameter. Set it based on instructions provided in Table 1.

Value range: Boolean.

on: The TDE function is enabled.

off: The TDE function is disabled.

Default value: off

NOTICE:
  • If this parameter is set to on, ensure that the key information in the tde_key_info parameter is correctly configured and the key service can be accessed properly. Otherwise, the database cannot be started properly.
  • After this parameter is set to on and an encrypted table is created, if this parameter is set to off again, data in the existing encrypted table cannot be encrypted or decrypted. As a result, the database is abnormal.

tde_key_info

Parameter description: If TDE is enabled, transparent data needs to access the external key service to implement key management. This parameter is used to configure information about the key service, such as the service address, identity authentication information, and project information.

This is a SIGHUP parameter. Set it based on instructions provided in Table 1.

Value range: a string. For details, see "Security Management > Configuring TDE" in Administrator Guide.

Default value: ""

tde_index_default_encrypt

Parameter description: After this parameter is enabled, if you create an index whose base table is an encrypted table, the database automatically sets the index as an encrypted index, copies encryption parameters such as the encryption algorithms and keys of the base table for the index, and encrypts the data of the index before storing it.

Parameter type: Boolean.

Unit: none

Value range:

on: Encryption parameters are automatically set for indexes of encrypted tables.

off: Encryption parameters are not automatically set for indexes in encrypted tables.

Default value: off

Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.

Setting suggestion: Retain the default value.

block_encryption_mode

Parameter description: Specifies the block encryption mode used by the aes_encrypt and aes_decrypt functions for encryption and decryption.

This is a USERSET parameter. Set it based on instructions provided in Table 1.

Value range: enumerated values. Valid values are aes-128-cbc, aes-192-cbc, aes-256-cbc, aes-128-cfb1, aes-192-cfb1, aes-256-cfb1, aes-128-cfb8, aes-192-cfb8, aes-256-cfb8, aes-128-cfb128, aes-192-cfb128, aes-256-cfb128, aes-128-ofb, aes-192-ofb, and aes-256-ofb. aes indicates the encryption or decryption algorithm. 128, 192, and 256 indicate the key length (unit: bit). cbc, cfb1, cfb8, cfb128, and ofb indicate the block encryption or decryption mode.

Default value: aes-128-cbc

enable_mac_check

Parameter description: Specifies whether label-based mandatory access control takes effect.

This is a SIGHUP parameter. Set it based on instructions provided in Table 1.

Value range: Boolean.

on indicates that label-based mandatory access control takes effect.

off indicates that label-based mandatory access control does not take effect.

Default value: off

enable_rls_match_index

Parameter description: Specifies whether indexes of a base table can be scanned based on target predicate conditions in row-level security scenarios. Target scenario: The row level security (RLS) policies are set and enabled in the base table, and the query predicate contains the unleakproof system function or like operator.

Value range: Boolean.

on: Base table indexes can be scanned in the target scenario.

off: Base table indexes cannot be scanned in the target scenario.

Default value: off

Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.

Setting suggestion: Retain the default value. If hotspot query statements belong to the target scenario and there are few row-level access policies in the base table, enabling this function significantly improves query performance.

NOTE:
  • The modification of this parameter affects the generation of the execution plan in the target scenario. You can manually invalidate the cache plan by reconnecting to the system or creating operators.
  • If this parameter is enabled, the generation of the bitmap scanning operator is affected, and the RLS policy predicate is inserted into the Recheck filter condition. Therefore, when the operator is switched to the lossy mode and there are many RLS policies, the performance is affected.

We use cookies to improve our site and your experience. By continuing to browse our site you accept our cookie policy. Find out more

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback