Security Configuration
enable_security_policy

- Unified audit: The unified audit mechanism is a technology that implements efficient security audit management by customizing audit policies. After the administrator defines the audit object and audit behaviors, if the task executed by a user is associated with an audit policy, the corresponding audit behavior is generated and the audit log is recorded. For details, see "Database Security > Unified Audit" in Feature Description.
- Dynamic data masking: The dynamic data masking mechanism is a technology that protects privacy data by customizing masking policies. It can effectively prevent unauthorized users from accessing sensitive information while retaining original data. For details, see "Database Security > Dynamic Data Masking" in Feature Description.
Parameter type: Boolean.
Unit: none
Value range:
- on: The security policy is enabled.
- off: The security policy is disabled.
Default value: off
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value.
Risks and impacts of improper settings: If this parameter is set to on, system resources will be occupied and system performance will be affected.
use_elastic_search
Parameter description: Specifies whether to send unified audit logs to Elasticsearch. If both enable_security_policy and this parameter are enabled, unified audit logs are sent to Elasticsearch through HTTP or HTTPS (HTTPS is used by default).
Parameter type: Boolean.
Unit: none
Value range:
- on: Unified audit logs are sent to Elasticsearch.
- off: Unified audit logs are not sent to Elasticsearch.
Default value: off
Setting method: This is a POSTMASTER parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value. This parameter is enabled when unified audit logs need to be sent to the Elasticsearch system.
Risks and impacts of improper settings: If this parameter is enabled, you need to ensure that the Elasticsearch system specified by elastic_search_ip_addr can be properly connected. Otherwise, the process fails to start.
elastic_search_ip_addr
Parameter description: Specifies the IP address of the Elasticsearch system. If HTTPS is used, the format is https://ip:port:username. If HTTP is used, the format is http://ip:port. In these formats, ip indicates the IP address of the Elasticsearch server, port indicates the listening port for Elasticsearch HTTP communication (the value ranges from 9200 to 9299), and username indicates the username used for registering an Elasticsearch account. The initial user is elastic. If HTTPS is used, related certificates need to be configured. For details, see "Unified Auditing" in the Security Hardening Guide.
Parameter type: string.
Unit: none
Value range: valid IP address string or empty string.
Default value: ""
Setting method: This is a POSTMASTER parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value. This parameter is set when unified audit logs need to be sent to the Elasticsearch system and use_elastic_search is set to on.
Risks and impacts of improper settings: You need to ensure that the specified Elasticsearch can be properly connected. Otherwise, the process fails to be started.
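A pre-restart check for the three audit-forwarding parameters described above, as an added example that is not GaussDB code. The function name, the dict input and the sample addresses (taken from the 192.0.2.0/24 documentation range) are assumptions, and only IPv4 addresses are handled.

```python
import ipaddress
import re

# Formats stated on this page: https://ip:port:username or http://ip:port
_ADDR_RE = re.compile(r"^(https?)://([^:/\s]+):(\d{1,5})(?::([^:/\s]+))?$")


def check_audit_forwarding(conf):
    """Return findings for a dict of parameter name -> value (hypothetical helper)."""
    findings = []
    if conf.get("use_elastic_search", "off") != "on":
        return findings  # forwarding is disabled, nothing to validate
    if conf.get("enable_security_policy", "off") != "on":
        findings.append("enable_security_policy is off: forwarding needs both parameters on")
    match = _ADDR_RE.match(conf.get("elastic_search_ip_addr", ""))
    if not match:
        findings.append("elastic_search_ip_addr must be http://ip:port or https://ip:port:username")
        return findings
    scheme, host, port, user = match.groups()
    try:
        ipaddress.ip_address(host)
    except ValueError:
        findings.append(f"{host!r} is not a valid IP address")
    if not 9200 <= int(port) <= 9299:
        findings.append(f"port {port} is outside 9200-9299")
    if scheme == "https" and user is None:
        findings.append("the https form requires a username: https://ip:port:username")
    if scheme == "http":
        if user is not None:
            findings.append("the http form takes no username: http://ip:port")
        findings.append("audit logs are sent over plain HTTP; prefer https with certificates")
    return findings


if __name__ == "__main__":
    # Constructed sample settings, not taken from a real deployment.
    sample = {
        "enable_security_policy": "on",
        "use_elastic_search": "on",
        "elastic_search_ip_addr": "http://192.0.2.10:9300",
    }
    for finding in check_audit_forwarding(sample):
        print("FINDING:", finding)
```

Because use_elastic_search and elastic_search_ip_addr are POSTMASTER parameters and a bad value stops the process from starting, run a check like this against the intended values before the restart.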
is_sysadmin
Parameter description: Specifies whether the current user is an initial user.
Parameter type: Boolean.
Unit: none
Value range:
- on: The user is an initial user.
- off: The user is not an initial user.
Default value: off
Setting method: This is a fixed INTERNAL parameter. It can be viewed but cannot be modified.
Setting suggestion: This parameter can only be viewed.
Risks and impacts of improper settings: none
tde_index_default_encrypt
Parameter description: After this parameter is enabled, if you create an index whose base table is an encrypted table, the database automatically sets the index as an encrypted index, copies encryption parameters such as the encryption algorithms and keys of the base table for the index, and encrypts the data of the index before storing it.
Parameter type: Boolean.
Unit: none
Value range:
- on: Encryption parameters are automatically set for indexes of encrypted tables.
- off: Encryption parameters are not automatically set for indexes in encrypted tables.
Default value: off
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: If indexes of all encrypted tables need to be encrypted, enable this parameter. You do not need to manually set indexes to encrypted indexes.
Risks and impacts of improper settings: If this parameter is set to on, indexes created in encrypted tables are automatically encrypted, affecting index query performance.
block_encryption_mode
Parameter description: Specifies the block encryption mode used by the aes_encrypt and aes_decrypt functions for encryption and decryption.
Value type: enumerated type
Unit: none
Value range: aes-128-cbc, aes-192-cbc, aes-256-cbc, aes-128-cfb1, aes-192-cfb1, aes-256-cfb1, aes-128-cfb8, aes-192-cfb8, aes-256-cfb8, aes-128-cfb128, aes-192-cfb128, aes-256-cfb128, aes-128-ofb, aes-192-ofb, and aes-256-ofb. aes indicates the encryption or decryption algorithm. 128, 192, and 256 indicate the key length (unit: bit). cbc, cfb1, cfb8, cfb128, and ofb indicate the block encryption or decryption mode.
Default value: aes-128-cbc
Setting method: This is a USERSET parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value or adjust the value based on service requirements.
Risks and impacts of improper settings: The use of the aes_encrypt and aes_decrypt functions is affected.
enable_mac_check
Parameter description: Specifies whether label-based mandatory access control takes effect.
Parameter type: Boolean.
Unit: none
Value range:
- on: Label-based mandatory access control takes effect.
- off: Label-based mandatory access control does not take effect.
Default value: off
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value or adjust the value based on service requirements.
Risks and impacts of improper settings: Change the parameter value after fully understanding the parameter meaning and verifying it through testing.
enable_rls_match_index
Parameter description: Specifies whether indexes of a base table can be scanned based on target predicate conditions in row-level security scenarios. Target scenario: Row-level security (RLS) policies are set and enabled on the base table, and the query predicate contains an unleakproof system function or the LIKE operator.
Parameter type: Boolean.
Unit: none
Value range:
- on: Base table indexes can be scanned in the target scenario.
- off: Base table indexes cannot be scanned in the target scenario.
Default value: off
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value. If hotspot query statements belong to the target scenario and there are few row-level access policies in the base table, enabling this function significantly improves query performance.
Risks and impacts of improper settings: If this parameter is set to on, and the bitmap scanning operator is switched to the lossy mode while there are a large number of RLS policies, filtering predicates are executed repeatedly, affecting performance.

- The modification of this parameter affects the generation of the execution plan in the target scenario. You can manually invalidate the cache plan by reconnecting to the system or creating operators.
- If this parameter is enabled, the generation of the bitmap scanning operator is affected, and the RLS policy predicate is inserted into the Recheck filter condition. Therefore, when the operator is switched to the lossy mode and there are many RLS policies, the performance is affected.
restrict_nonsystem_relation_kind
Parameter description: Specifies the types of user-created relation objects to which access is disabled.
Parameter type: string.
Unit: none
Value range:
- "": There is no restriction.
- "view": The access to views created by the user is disabled.
- "foreign-table": The access to foreign tables created by the user is disabled.
Default value: ""
Setting method: This is a USERSET parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value.
Risks and impacts of improper settings: Change the parameter value after fully understanding the parameter meaning and verifying it through testing.

When gs_dump is used to export data, access to views and foreign tables created by users must be disabled to prevent malicious attacks. The tool sets this parameter to 'view, foreign-table' at the session level. You do not need to manually configure this parameter.
tde_dkcache_remain_time
Parameter description: Specifies the validity period of the TDE key cache.
Parameter type: integer.
Unit: hour
Value range: 0 to 1440
Default value: 1
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value.
Risks and impacts of improper settings: If this parameter is set to 0 or a large value, the TDE key cache that is not used may remain in the database memory for a long time.

- If this parameter is set to 0, the TDE key cache takes effect permanently and is not cleared from the memory.
- If this parameter is set to a non-zero value, the TDE key cache is cleared from the memory only when it is not used for more than tde_dkcache_remain_time hours. (The cache is cleared every hour.)