Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
OneAccess
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Situation Awareness
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive

Cyber Security

Updated on 2024-12-06 GMT+08:00

Configuring Database Account Security

Account description

When setting up a GaussDB(DWS) cluster, the system will create the following accounts to provide comprehensive background operations and maintenance services for databases:

  • dbadmin: system administrator account used for the initial login to the GaussDB(DWS) database. It is responsible for creating service databases, managing common users, and assigning permissions.
  • If separation of duties is enabled, additional accounts such as security administrator and audit administrator will be generated. The names of these accounts can be customized by the user. For details, see .
  • Ruby: default O&M account, which cannot be used by O&M personnel of non-cloud service providers.
  • om_user_First eight digits of the cluster ID: Other O&M accounts with preset permissions such as gs_role_analyze_any, gs_role_vacuum_any, gs_role_read_all_stats, and gs_role_signal_backend. These accounts are used for fault locating and cannot be used by O&M personnel of non-cloud service providers. For details, see Authorizing a GaussDB(DWS) Cluster O&M Account.

Password complexity requirements

  • Other common database users are also required to maintain a certain level of complexity in their passwords.
    • The password should contain 8 to 32 characters.
    • The password should contain at least three types of the following characters: uppercase letters, lowercase letters, digits, and special characters.
    • The password cannot be the same as the user name or the user name in reverse order, case insensitive.
    • The password cannot be the current password or the current password in reverse order.
    NOTICE:

    To prevent your database password from being cracked, set a strong password and periodically change it.

User-defined password policy

You can modify default password policies. For details, see Creating a Custom Password Policy for GaussDB(DWS).

Configuring policies for account locking and password expiration

  • Database user password validity: password_effect_time determines how long a database user password remains valid. When the password expires, the system prompts the user to change it.
  • Maximum incorrect password attempts: failed_login_attempts sets the limit for the maximum number of incorrect password attempts. If this limit is exceeded, the account is automatically locked and can only be unlocked by the system administrator.
  • Automatic account unlocking time: password_lock_time specifies the duration after which an account is automatically unlocked if it has been locked.

You can set these parameters on the GaussDB(DWS) console. For details, see Modifying GUC Parameters of the GaussDB(DWS) Cluster.

Resetting a password

  • If the password of system administrator dbadmin is locked or forgotten, you can reset it using the GaussDB(DWS) console.
  • The password of a common user can be reset by system administrator dbadmin by running SQL commands in the background. The following command is an example. For details, see Creating a Custom Password Policy for GaussDB(DWS).
    1
    ALTER USER joe IDENTIFIED BY 'password';
    

Configuring Security Groups

A security group is a collection of access control rules for instances, such as cloud servers, containers, and databases, that have the same security requirements and that are mutually trusted within a VPC. You can define different access control rules for a security group, and these rules are then applied to all the instances added to this security group.

Each security group can have inbound and outbound rules to control the traffic to and from instances. For inbound rules, you need to specify the source, port, and protocol. For outbound rules, you need to specify the destination, port, and protocol.

Enabling the EIP function for your database may expose your EIP DNS and database port to potential hacking risks. To protect information such as your EIP, DNS, database port, database account, and password, you are advised to set the range of source IP addresses in the GaussDB(DWS) security group to ensure that only trusted source IP addresses can access your DB instances.

When setting up a GaussDB(DWS) cluster, you can choose to configure a security group or use the default one. The default security group allows only port 8000 by default. After creating the cluster, you can modify the security group rules or switch to a different one.

Unbinding an EIP from an External Link

EIP offers public IP addresses and bandwidth for Internet access, making external access easier but also increasing the risk of network-wide attacks. EIPs are susceptible to external DoS/DDoS attacks.

If you do not require public network access, it is best to consider the database as an internal component and use an internal IP address for accessing it. In this case, it is advised to detach the EIP from the database.

Unbinding procedure

  1. Log in to the GaussDB(DWS) console and choose Dedicated Clusters > Clusters.
  2. In the cluster list, click the name of the target cluster. The cluster details page is displayed.
  3. Click Edit in the Connection area. On the displayed page, click Unbind.

    NOTE:

    To meet high availability requirements, if a cluster is bound to an ELB, you only need to unbind the EIP from the ELB. For details, see the ELB user guide.

SSL-encrypted Data Transmission

GaussDB(DWS) supports the standard SSL. As a highly secure protocol, SSL authenticates bidirectional identification between the server and client using digital signatures and digital certificates to ensure secure data transmission. To support SSL connection, GaussDB(DWS) has obtained the formal certificates and keys for the server and client from the CA certification center. It is assumed that the key and certificate for the server are server.key and server.crt respectively; the key and certificate for the client are client.key and client.crt respectively, and the name of the CA root certificate is cacert.pem.

The SSL mode delivers higher security than the common mode. By default, the SSL function is enabled in a cluster to allow SSL or non-SSL connections from the client. For security purposes, you are advised to enable SSL connection. The server certificate, private key, and root certificate have been configured in GaussDB(DWS) by default.

For details, see Establishing Secure TCP/IP Connections in SSL Mode.

Using DBSS (Recommended)

Database Security Service (DBSS) is an intelligent database security service. Based on the machine learning mechanism and big data analytics technologies, it can audit your databases, detect SQL injection attacks, and identify high-risk operations.

It is advised to use DBSS for enhanced data security capabilities. For details, see Database Security Service.

Advantages

  • DBSS can help you meet security compliance requirements.
    • DBSS can help you comply with DJCP (graded protection) standards for database audit.
    • DBSS can help you comply with security laws and regulations, and provide compliance reports that meet data security standards (such as Sarbanes-Oxley).
  • DBSS can back up and restore database audit logs and meet the audit data retention requirements.
  • DBSS can monitor risks, sessions, session distribution, and SQL distribution in real time.
  • DBSS can report alarms for risky behavior and attacks and respond to database attacks in real time.
  • DBSS can locate internal violations and improper operations and keep data assets secure.

Deployed in bypass pattern, database audit can perform flexible audits on the database without affecting user services.

  • Database audit monitors database logins, operation types (data definition, operation, and control), and operation objects based on risky operations to effectively audit the database.
  • Database audit analyzes risks and sessions, and detects SQL injection attempts so you can stay apprised of your database status.
  • Database audit provides a report template library to generate daily, weekly, or monthly audit reports according to your configurations. It sends real-time alarm notifications to help you obtain audit reports in a timely manner.

We use cookies to improve our site and your experience. By continuing to browse our site you accept our cookie policy. Find out more

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback