Security and Authentication
This section describes the parameters that control client-to-server authentication.
authentication_timeout
Parameter description: Specifies the longest duration to wait before the client authentication times out. If a client is not authenticated by the server within the period, the server automatically disconnects from the client so that the client does not occupy connection resources.
Parameter type: integer.
Unit: second
Value range: 1–600
Default value: 60
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1. For example, if the value is 600 without a unit, authentication_timeout is 600 seconds. If the value is 10min, authentication_timeout is 10 minutes. If a unit is specified, it must be s, min, h, or d.
Setting suggestion: Retain the default value.
Risks and impacts of improper settings: If the value is too small, connection failures may occur frequently, affecting user experience. If the value is too large, security risks increase and resources are wasted.
auth_iteration_count
Parameter description: Specifies the number of iterations during the generation of encryption information for authentication.
Parameter type: integer.
Unit: none
Value range: 2048–134217728
Default value: 10000
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Set the number of iterations based on actual hardware conditions. You are advised to retain the default value.
Risks and impacts of improper settings: If the number of iterations is too small, the password storage security is reduced. If the number of iterations is too large, the performance deteriorates in scenarios involving password encryption, such as authentication and user creation.
session_authorization
Parameter description: Specifies the user ID of the current session. The value of this parameter can be queried only by running the SHOW statement.
Parameter type: string.
Unit: none
Value range: a valid user ID.
Default value: ""
Setting method: This parameter is a USERSET parameter. Set it based on the syntax described in "SQL Reference" > "SQL Syntax" > "S" > "SET SESSION AUTHORIZATION" in Developer Guide. If you directly set the value, it can only be set to DEFAULT.
Setting suggestion: Retain the default value.
Risks and impacts of improper settings: Change the parameter value after fully understanding the parameter meaning and verifying it through testing.
session_timeout
Parameter description: Specifies the longest duration allowed when no operations are performed on a client after it is connected to the server. If this parameter is not set to 0 and a user does not perform any operation for a period longer than the value of this parameter, the server closes the connection.
Parameter type: integer
Unit: second
Value range: 0–86400 (1 day)
- The value 0 indicates that the timeout setting is disabled.
- A positive number indicates the maximum duration in which no operation is performed after the connection to the server is set up. When the value of this parameter is exceeded, the client is disconnected from the server.
Default value: 1800
Setting method: This is a USERSET parameter. Set it based on instructions provided in Table 1. For example, if the value is 600 without a unit, session_timeout is 600 seconds. If the value is 10min, session_timeout is 10 minutes. If a unit is specified, it must be s, min, h, or d.
Setting suggestion: Set this parameter based on service security requirements. A smaller value indicates higher security but more inconvenient use.
Risks and impacts of improper settings: If the value is too small, persistent connections in the service connection pool may become invalid, causing service failures.

The gsql client of GaussDB has an automatic reconnection mechanism. For local connection of initialized users, the client reconnects to the server if the connection breaks after the timeout.
idle_in_transaction_timeout
Parameter description: Specifies the maximum idle duration of a transaction after the connection to the server is established and the transaction is started. If this parameter is not set to 0 and a transaction stays idle, with no operation performed, for a period longer than the value of this parameter, the server closes the connection.
Parameter type: integer
Unit: second
Value range: 0–86400 (1 day)
- The value 0 indicates that the timeout setting is disabled.
- A positive number indicates the maximum idle duration of a transaction after the connection to the server is established and the transaction is started. When the value of this parameter is exceeded, the client is disconnected from the server.
Default value: 300 (5 minutes)
Setting method: This is a USERSET parameter. Set it based on instructions provided in Table 1. For example, if the value is 600 without a unit, idle_in_transaction_timeout is 600 seconds. If the value is 10min, idle_in_transaction_timeout is 10 minutes. If a unit is specified, it must be s, min, h, or d.
Setting suggestion: Set this parameter based on service security requirements. A smaller value indicates higher security but more inconvenient use.
Risks and impacts of improper settings: If the value is too small, the client application may not send new requests in a timely manner after a transaction is started. As a result, the session times out and exits, affecting user experience.

- The gsql client of GaussDB has an automatic reconnection mechanism. For local connection of initialized users, the client reconnects to the server if the connection breaks after the timeout.
- If both idle_in_transaction_timeout and session_timeout are enabled, the timeout interval takes effect regardless of whether the transaction is idle. The smaller timeout interval prevails.
- For a newly delivered instance, the value of this parameter is 300. For an upgraded instance, the value of this parameter is 0 by default.
- After an idle transaction times out, the transaction start time, thread ID, application name, and query information are recorded in logs. These log entries are used to locate cases in which an idle transaction exited because of the timeout. The log entries do not use the prefix format defined by log_line_prefix.
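The following Python check is an added example, not GaussDB code. It normalizes the three timeout parameters above with the unit rules this page gives (a bare number is seconds; otherwise s, min, h, or d), enforces the documented ranges, and reports the limit that applies to a session sitting idle inside a transaction when session_timeout and idle_in_transaction_timeout interact. Function names and sample values are constructed for illustration.

```python
import re

# Seconds per unit, for the units this page allows on timeout parameters.
UNIT_SECONDS = {"s": 1, "min": 60, "h": 3600, "d": 86400}

# Documented value ranges in seconds (taken from this page).
RANGES = {
    "authentication_timeout": (1, 600),
    "session_timeout": (0, 86400),
    "idle_in_transaction_timeout": (0, 86400),
}
IDLE_PARAMS = ("session_timeout", "idle_in_transaction_timeout")


def to_seconds(raw):
    """Convert '600', '10min', '1h' ... to seconds; a bare number is seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]*)\s*", str(raw))
    if not m:
        raise ValueError(f"not a duration: {raw!r}")
    number, unit = int(m.group(1)), m.group(2)
    if unit == "":
        return number
    if unit not in UNIT_SECONDS:
        raise ValueError(f"unit must be s, min, h, or d: {raw!r}")
    return number * UNIT_SECONDS[unit]


def check_timeouts(settings):
    """Return (seconds per valid parameter, list of findings)."""
    seconds, findings = {}, []
    for name, (low, high) in RANGES.items():
        if name not in settings:
            continue
        try:
            value = to_seconds(settings[name])
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
            continue
        if not low <= value <= high:
            findings.append(f"{name}: {value}s is outside {low}-{high}")
            continue
        seconds[name] = value
    for name in IDLE_PARAMS:
        if seconds.get(name) == 0:
            findings.append(f"{name}: 0 disables this timeout")
    return seconds, findings


def effective_idle_limit(seconds):
    """Limit for a session idle inside a transaction: the smaller enabled
    timeout prevails; None means both timeouts are disabled."""
    enabled = [seconds[n] for n in IDLE_PARAMS if seconds.get(n, 0) > 0]
    return min(enabled) if enabled else None


# Constructed sample: an upgraded instance (idle_in_transaction_timeout = 0)
# with an authentication_timeout above the documented maximum.
UPGRADED_SAMPLE = {
    "authentication_timeout": "11min",
    "session_timeout": "30min",
    "idle_in_transaction_timeout": "0",
}

if __name__ == "__main__":
    secs, problems = check_timeouts(UPGRADED_SAMPLE)
    for problem in problems:
        print(problem)
    print("idle-in-transaction limit:", effective_idle_limit(secs))
```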
ssl
Parameter description: Specifies whether to enable the SSL connection on the server. Before using this option, read "Database Quick Start" > "Connecting to a Database" > "Using gsql to Connect to a Database" in Developer Guide.
Parameter type: Boolean
Unit: none
Value range:
- on: The SSL connection is enabled on the server. Whether SSL encrypted transmission is used during actual communication depends on the client configuration.
- off: The SSL connection is disabled on the server.
Default value: on (for CNs) or off (for DNs)
Setting method: This is a POSTMASTER parameter. Set it based on instructions provided in Table 1.
Setting suggestion: If high security is required, you are advised to enable this function. If high performance is required, you are advised to disable this function. GaussDB supports SSL when a client connects to a CN. You are advised to enable SSL connections only on CNs. The default value is off on DNs.
Risks and impacts of improper settings: Before enabling this parameter, ensure that the parameters ssl_cert_file, ssl_key_file, and ssl_ca_file are correctly set. If SM cryptographic algorithms are used, ensure that the parameters ssl_enc_cert_file and ssl_enc_key_file are correctly set. Incorrect settings may cause cluster startup failures.
comm_ssl
Parameter description: Specifies whether to enable the SSL connection between primary DNs. Before using this option, read "Database Quick Start" > "Connecting to a Database" > "Using gsql to Connect to a Database" in Developer Guide.
Parameter type: Boolean
Unit: none
Value range:
- on: The SSL connection is enabled between primary DNs.
- off: The SSL connection is disabled between primary DNs.
Default value: off
Setting method: This is a POSTMASTER parameter. Set it based on instructions provided in Table 1.
Setting suggestion: You are advised to enable this parameter only on DNs. The default value is off on CNs.
Risks and impacts of improper settings: To enable SSL connections, you also need to ensure that parameters such as ssl_cert_file, ssl_key_file, and ssl_ca_file are configured correctly. Incorrect configurations may cause startup failure of the cluster.
require_ssl
Parameter description: Specifies whether the server requires SSL connections. This parameter is valid only when ssl is set to on. Before using this option, read "Database Quick Start" > "Connecting to a Database" > "Using gsql to Connect to a Database" in Developer Guide.
Parameter type: Boolean
Unit: none
Value range:
- on: The server requires SSL connections.
- off: The server does not require SSL connections.
Default value: off
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: GaussDB supports SSL when a client connects to a CN. It is recommended that the SSL connection be enabled only on CNs.
Risks and impacts of improper settings: If SSL-related parameters are incorrectly configured, enabling this parameter may cause communication connection setup failures or even cluster startup failures.
ssl_ciphers
Parameter description: Specifies the list of encryption algorithms supported by SSL. Only the SYSADMIN user can access the list.
Parameter type: string.
Unit: none
Value range: a string. Separate multiple encryption algorithms by semicolons (;).
Default value: "ALL", indicating that all supported encryption algorithms (excluding ADH, LOW, EXP, and MD5) can be used for the peer end.
Setting method: This is a POSTMASTER parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Set this parameter according to the specifications. You are advised not to specify the insecure algorithms DHE-RSA-AES128-GCM-SHA256 and DHE-RSA-AES256-GCM-SHA384.
Risks and impacts of improper settings: If ssl_ciphers is incorrectly set, the database cannot be started.
ssl_renegotiation_limit
Parameter description: Specifies the allowed traffic volume over an SSL-encrypted channel before the session key is renegotiated. The renegotiation mechanism reduces the probability that attackers can crack the key by cryptanalysis of a huge amount of data, but it causes a large performance loss. The traffic volume is the sum of transmitted and received traffic.
Parameter type: integer.
Unit: KB
Value range: 0 to 2147483647. 0 indicates that the renegotiation mechanism is disabled.
Default value: 0
Setting method: This is a USERSET parameter. Set it based on instructions provided in Table 1. For example, if the value is 1024 without a unit, ssl_renegotiation_limit is 1024 KB. If the value is 1MB, ssl_renegotiation_limit is 1 MB. If a unit is specified, it must be KB, MB, or GB.
Setting suggestion: Retain the default value. The SSL renegotiation mechanism has been disabled because of potential risks. This parameter is reserved for version compatibility and does not take effect.
Risks and impacts of improper settings: Changing the value of this parameter may cause unexpected results in the cluster. Retain the default value.
ssl_cert_file
Parameter description: Specifies the name of the file that contains the SSL server certificate. The path is relative to the data directory.
Parameter type: string.
Unit: none
Value range: valid file name, which must end with .crt.
Default value: "server.crt"
Setting method: This is a POSTMASTER parameter. Set it based on instructions provided in Table 1.
Setting suggestion: When configuring the file path, ensure that the file path matches other SSL-related certificate and private key configuration files.
Risks and impacts of improper settings: If the file path is incorrect, the SSL connection cannot be established between the client and the database node, and the database cluster nodes cannot communicate with each other in SSL mode. As a result, data leakage may occur.
ssl_key_file
Parameter description: Specifies the name of the file that contains the SSL private key. The path is relative to the data directory.
Parameter type: string.
Unit: none
Value range: valid file name, which must end with .key.
Default value: "server.key"
Setting method: This is a POSTMASTER parameter. Set it based on instructions provided in Table 1.
Setting suggestion: When configuring the file path, ensure that the file path matches other SSL-related certificate and private key configuration files.
Risks and impacts of improper settings: If the file path is incorrect, the SSL connection cannot be established between the client and the database node, and the database cluster nodes cannot communicate with each other in SSL mode. As a result, data leakage may occur.
ssl_enc_cert_file
Parameter description: Specifies the name of the SSL server certificate file that is encrypted using SM cryptographic algorithms. The path is relative to the data directory.
Parameter type: string.
Unit: none
Value range: valid file name, which must end with .crt.
Default value: ""
Setting method: This is a POSTMASTER parameter. Set it based on instructions provided in Table 1.
Setting suggestion: When configuring the file path, ensure that the file path matches other certificates and private key configuration files related to SSL that uses SM cryptographic algorithms.
Risks and impacts of improper settings: If the file path is incorrect, the SSL connection that uses SM cryptographic algorithms cannot be established between the client and the database node, and the cluster nodes of the database instance cannot communicate with each other in SSL that uses SM cryptographic algorithms. As a result, data leakage may occur.
ssl_enc_key_file
Parameter description: Specifies the name of the SSL server certificate file (with the private key) that is encrypted using SM cryptographic algorithms. The path is relative to the data directory.
Parameter type: string.
Unit: none
Value range: valid file name, which must end with .key.
Default value: ""
Setting method: This is a POSTMASTER parameter. Set it based on instructions provided in Table 1.
Setting suggestion: When configuring the file path, ensure that the file path matches other certificates and private key configuration files related to SSL that uses SM cryptographic algorithms.
Risks and impacts of improper settings: If the file path is incorrect, the SSL connection that uses SM cryptographic algorithms cannot be established between the client and the database node, and the cluster nodes of the database instance cannot communicate with each other in SSL that uses SM cryptographic algorithms. As a result, data leakage may occur.
ssl_ca_file
Parameter description: Specifies the name of the root certificate that contains CA information. Its path is relative to the data directory.
Parameter type: string.
Unit: none
Value range: valid file name, which must end with .pem. An empty character string indicates that no CA file is loaded and client certificate verification is not performed.
Default value: "cacert.pem"
Setting method: This is a POSTMASTER parameter. Set it based on instructions provided in Table 1.
Setting suggestion: If client certificate verification is required, configure the file path correctly.
Risks and impacts of improper settings: If the file path is incorrect, the database cannot verify the client certificate, reducing communication security.
ssl_crl_file
Parameter description: Specifies the name of the file that contains the certificate revocation list (CRL). If a client certificate is in the list, the certificate is invalid. The path is relative to the data directory.
Parameter type: string.
Unit: none
Value range: valid file name. An empty string indicates that there is no CRL.
Default value: ""
Setting method: This is a POSTMASTER parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value.
Risks and impacts of improper settings: If the CRL file name is incorrectly configured, invalid client certificates may be used to establish SSL connections, causing data leakage risks, or valid client certificates may be considered revoked so that SSL connections cannot be established.
enable_shared_sslctx
Parameter description: Specifies whether to enable global SSL certificate loading and SSL context sharing. This parameter is valid only when ssl is set to on.
Parameter type: Boolean
Unit: none
Value range:
- on: Global SSL certificate loading is enabled and the SSL context is initialized only once when the database is started.
- off: Global SSL certificate loading is disabled and the SSL context is initialized each time a session is established.
Default value: off
Setting method: This is a POSTMASTER parameter. Set it based on instructions provided in Table 1.
Setting suggestion: You are advised to disable this function. Enable it only when high performance is required in scenarios that use one-way (not two-way) SSL authentication.
Risks and impacts of improper settings: After the global SSL certificate loading function takes effect, the new certificate cannot take effect in real time. You need to restart the database.

If the SSL global context fails to be initialized during database startup, this parameter is automatically set to off, and the session-level SSL certificate is loaded.
ssl_cert_notify_time
Parameter description: Specifies the number of days prior to SSL server certificate expiration that a user will receive a reminder. When the SSL certificate is initialized during connection establishment, if the duration from the current time to the certificate expiration time is shorter than the specified value, an expiration notification is recorded in the log.
Parameter type: integer.
Unit: day
Value range: 7–180
Default value: 90
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1. If a unit is specified, it must be d.
Setting suggestion: Retain the default value.
Risks and impacts of improper settings: If the value is too small, the server certificate expiration may not be detected in advance. As a result, the certificate cannot be replaced in a timely manner. If the value is too large, alarms may be frequently generated.
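The following Python audit is an added example, not GaussDB code. It applies the rules stated for the SSL parameters above (ssl and require_ssl interplay, the two DHE suites advised against, required file-name suffixes, an empty ssl_ca_file, the ssl_cert_notify_time range) to a settings file. The "name = value" file format, the severity labels, the pairing check on the SM files and the sample values are assumptions made for the example; the defaults are the ones documented here, with ssl using the CN default.

```python
# Defaults as documented on this page (ssl shown with the CN default).
DEFAULTS = {
    "ssl": "on", "require_ssl": "off", "ssl_ciphers": "ALL",
    "ssl_cert_file": "server.crt", "ssl_key_file": "server.key",
    "ssl_enc_cert_file": "", "ssl_enc_key_file": "",
    "ssl_ca_file": "cacert.pem", "ssl_crl_file": "",
    "enable_shared_sslctx": "off", "ssl_cert_notify_time": "90",
}
# Suffix each file name must end with, per the value ranges above.
SUFFIX = {
    "ssl_cert_file": ".crt", "ssl_key_file": ".key",
    "ssl_enc_cert_file": ".crt", "ssl_enc_key_file": ".key",
    "ssl_ca_file": ".pem",
}
# Suites this page advises against specifying in ssl_ciphers.
DISCOURAGED = {"DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384"}


def parse_settings(text):
    """Parse 'name = value' lines (assumed format); '#' starts a comment."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name.strip()] = value.strip().strip("'\"")
    return settings


def audit_ssl(settings):
    """Return (severity, parameter, message) findings; severities are
    labels chosen for this example, not GaussDB terminology."""
    out = []
    ssl_on = settings["ssl"] == "on"
    required = settings["require_ssl"] == "on"
    if not ssl_on:
        out.append(("high", "ssl", "SSL is disabled on the server"))
        if required:
            out.append(("medium", "require_ssl", "has no effect while ssl is off"))
    elif not required:
        out.append(("medium", "require_ssl",
                    "server does not require SSL; use depends on the client"))
    for suite in settings["ssl_ciphers"].split(";"):
        if suite.strip() in DISCOURAGED:
            out.append(("medium", "ssl_ciphers", f"discouraged suite {suite.strip()}"))
    for name, suffix in SUFFIX.items():
        value = settings[name]
        if value and not value.endswith(suffix):
            out.append(("high", name, f"file name must end with {suffix}"))
    if ssl_on and not settings["ssl_ca_file"]:
        out.append(("medium", "ssl_ca_file",
                    "empty: client certificates are not verified"))
    # Assumption: the SM certificate and key are only useful as a pair.
    if bool(settings["ssl_enc_cert_file"]) != bool(settings["ssl_enc_key_file"]):
        out.append(("high", "ssl_enc_cert_file",
                    "SM certificate and key must be configured together"))
    if settings["enable_shared_sslctx"] == "on":
        out.append(("info", "enable_shared_sslctx",
                    "a replaced certificate takes effect only after restart"))
    days = settings["ssl_cert_notify_time"]
    days = days[:-1] if days.endswith("d") else days  # optional unit d
    if not (days.isdigit() and 7 <= int(days) <= 180):
        out.append(("high", "ssl_cert_notify_time", "must be 7-180 days"))
    return out


# Constructed sample configuration, not taken from a real cluster.
SAMPLE = """
ssl = on                         # CN
require_ssl = off
ssl_ciphers = 'ECDHE-RSA-AES256-GCM-SHA384;DHE-RSA-AES128-GCM-SHA256'
ssl_cert_file = 'server.pem'
ssl_ca_file = ''
enable_shared_sslctx = on
ssl_cert_notify_time = 3
"""

if __name__ == "__main__":
    for severity, name, message in audit_ssl(parse_settings(SAMPLE)):
        print(f"[{severity}] {name}: {message}")
```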
krb_server_keyfile
Parameter description: Specifies the location of the main configuration file of the Kerberos service. Only the SYSADMIN user can access the file.
Parameter type: string
Unit: none
Value range: valid file path.
Default value: ""
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: For details, see "Database Configuration > Security Authentication > Configuring Internal Kerberos Authentication on the Server" in Security Hardening Guide.
Risks and impacts of improper settings: If this parameter is incorrectly set, nodes in the cluster cannot use the Kerberos authentication function.
krb_srvname
Parameter description: Specifies the Kerberos service name.
Parameter type: string
Unit: none
Value range: a string.
Default value: "postgres"
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value.
Risks and impacts of improper settings: Change the parameter value after fully understanding the parameter meaning and verifying it through testing.
krb_caseins_users
Parameter description: Specifies whether the Kerberos username is case-sensitive.
Parameter type: Boolean
Unit: none
Value range:
- on: It is case-insensitive.
- off: It is case-sensitive.
Default value: off
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value.
Risks and impacts of improper settings: Change the parameter value after fully understanding the parameter meaning and verifying it through testing.
modify_initial_password
Parameter description: After GaussDB is installed, there is only one initial user account (whose UID is 10) in the database. When a user logs in to the database using this initial account for the first time, this parameter specifies whether the password of the initial account needs to be modified.

If the initial user password is not specified during the installation, the initial user password is empty by default after the installation. Before performing other operations, you need to set the initial user password using the gsql client. This parameter no longer takes effect and is reserved only for compatibility with upgrade scenarios.
Parameter type: Boolean
Unit: none
Value range:
- on: The password of the initial account needs to be modified upon the first login after the cluster is installed.
- off: The password of the initial account does not need to be modified after the cluster is installed.
Default value: off
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value.
Risks and impacts of improper settings: Change the parameter value after fully understanding the parameter meaning and verifying it through testing.
password_policy
Parameter description: Specifies whether to check the password complexity when you run the CREATE ROLE/USER or ALTER ROLE/USER command to create or modify the GaussDB account.
Parameter type: integer
Unit: none
Value range: 0 or 1
- 0: No password complexity policy is enabled.
- 1: The default password complexity policy is enabled.
Default value: 1
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: For security purposes, do not disable the password complexity policy.
Risks and impacts of improper settings: Change the parameter value after fully understanding the parameter meaning and verifying it through testing.
password_reuse_time
Parameter description: Specifies whether to check the reuse interval of the new password when you run the ALTER USER or ALTER ROLE command to change a user password.

When you change the password, the system checks the values of password_reuse_time and password_reuse_max.
- If the values of password_reuse_time and password_reuse_max are both positive numbers, an old password can be reused when it meets either of the reuse restrictions.
- If the value of password_reuse_time is 0, password reuse is restricted based on the number of reuse times, and not on the reuse interval.
- If the value of password_reuse_max is 0, password reuse is restricted based on the reuse interval, and not on the number of reuse times.
- If the values of both password_reuse_time and password_reuse_max are 0, password reuse is not restricted.
Parameter type: floating-point.
Unit: day
Value range: 0 to 3650
- 0 indicates that the password reuse interval is not checked.
- A positive number indicates that a new password cannot be chosen from passwords in history that are newer than the specified number of days.
Default value: 0
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Set this parameter based on service security requirements. A larger value indicates higher security but more inconvenient use.
Risks and impacts of improper settings: Change the parameter value after fully understanding the parameter meaning and verifying it through testing.
password_reuse_max
Parameter description: Specifies whether to check the reuse times of the new password when you run the ALTER USER or ALTER ROLE command to change a user password. Only the SYSADMIN user can access this parameter.

When you change the password, the system checks the values of password_reuse_time and password_reuse_max.
- If the values of password_reuse_time and password_reuse_max are both positive numbers, an old password can be reused when it meets either of the reuse restrictions.
- If the value of password_reuse_time is 0, password reuse is restricted based on the number of reuse times, and not on the reuse interval.
- If the value of password_reuse_max is 0, password reuse is restricted based on the reuse interval, and not on the number of reuse times.
- If the values of both password_reuse_time and password_reuse_max are 0, password reuse is not restricted.
Parameter type: integer.
Unit: none
Value range: 0 to 1000
- 0 indicates that the password reuse times are not checked.
- A positive number indicates that the new password cannot be the one whose reuse times exceed the specified number.
Default value: 0
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Set this parameter based on service security requirements. A larger value indicates higher security but more inconvenient use.
Risks and impacts of improper settings: Change the parameter value after fully understanding the parameter meaning and verifying it through testing.
password_lock_time
Parameter description: Specifies the duration before a locked account is automatically unlocked.

The account locking and unlocking functions take effect only when the values of password_lock_time and failed_login_attempts are positive numbers.
Parameter type: floating-point.
Unit: day
Value range: 0 to 365. The integer part of the value indicates the number of days, and the decimal part can be converted into hours, minutes, and seconds. For example, password_lock_time=1.5 indicates one day and 12 hours.
- 0 indicates that an account is not automatically locked if the password verification fails.
- A positive number indicates the duration after which a locked account is automatically unlocked.
Default value: 1
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1. If a unit is specified, it must be d.
Setting suggestion: Retain the default value. The automatic unlock time should not be too long. This parameter and failed_login_attempts should be set within a proper range.
Risks and impacts of improper settings: If the value of failed_login_attempts is too small and the automatic unlock time is too long, the account cannot be used for a long time due to incorrect input, affecting user experience.
failed_login_attempts
Parameter description: If the number of incorrect password attempts reaches the value of failed_login_attempts, the current account is locked. The account is automatically unlocked after the time specified by password_lock_time. During this period, only the SYSADMIN user can access the account. If you fail to enter the password during login or fail to change the password when running the ALTER USER command, the system considers that the entered password is incorrect.

The account locking and unlocking functions take effect only when the values of failed_login_attempts and password_lock_time are positive numbers.
Parameter type: integer.
Unit: none
Value range: 0 to 1000.
- 0 indicates that the automatic locking function does not take effect.
- A positive number indicates that an account is locked when the number of incorrect password attempts reaches the specified number.
Default value: 10
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: You are advised to set it to a value ranging from 5 to 10.
Risks and impacts of improper settings: If this parameter is set to a large value that allows too many incorrect password attempts (less than the maximum value of 1000), but no security measure is taken, a security risk arises. If this parameter is set to a small value (greater than 0 and less than 10), the account may be locked due to failed password attempts, affecting normal use.
enable_lock_account
Parameter description: If failed_login_attempts is set to 0, the automatic lock function is disabled. In this setting, the system cannot record the number of login failures of an account. If enable_lock_account is set to disable the automatic lock function, the account will not be automatically locked after the number of consecutive login failures using incorrect passwords reaches the value of failed_login_attempts. In this case, the system reports an alarm to ensure account security. For details, see "ALM_AI_SecurityAccountFailedAttempt" in Alarm Reference. Manual locking by administrators is not controlled by parameters.
Parameter type: Boolean
Unit: none
Value range:
- on: An account is automatically locked when the number of consecutive login failures using incorrect passwords reaches the value of failed_login_attempts.
- off: An account is not automatically locked when the number of consecutive login failures using incorrect passwords reaches the value of failed_login_attempts.
Default value: on
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: For security purposes, do not disable the automatic account locking function if the alarm function is not enabled.
Risks and impacts of improper settings: If it is set to off, account security deteriorates.
password_encryption_type
Parameter description: Specifies the encryption type of a user password. Changing the value of this parameter does not automatically trigger the change of the password encryption type of an existing user. Only the password of a new user or the password changed by an existing user is encrypted using the new encryption type.
Parameter type: integer.
Unit: none
Value range: 0, 1, 2, or 3
- 0 indicates that passwords are encrypted with MD5.
- 1 indicates that passwords are encrypted with SHA-256 and MD5.
- 2 indicates that passwords are encrypted with SHA-256.
- 3 indicates that the passwords are encrypted with SM3.
Default value: 2
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value.
Risks and impact of improper settings: The MD5 encryption algorithm is not recommended and has low security. If this parameter is set to 0 or 1, security risks exist.
password_min_length
Parameter description: Specifies the minimum length of an account password. Only the SYSADMIN user can access this parameter.
Parameter type: integer.
Unit: none
Value range: 6 to 999
Default value: 8
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Set this parameter based on your actual situation. You are advised to use the default value.
Risks and impact of improper settings: If this parameter is set to a value greater than password_max_length, accounts cannot be created.
password_max_length
Parameter description: Specifies the maximum length of an account password. Only the SYSADMIN user can access this parameter.
Parameter type: integer.
Unit: none
Value range: 6 to 999
Default value: 32
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Set this parameter based on your actual situation. You are advised to use the default value.
Risks and impact of improper settings: If this parameter is set to a value smaller than password_min_length, accounts cannot be created.
password_min_uppercase
Parameter description: Specifies the minimum number of uppercase letters that an account password must contain. Only the SYSADMIN user can access this parameter.
Parameter type: integer.
Unit: none
Value range: 0 to 999.
- 0: no limit.
- 1 to 999: minimum number of uppercase letters required in a password when you create an account.
Default value: 0
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Set this parameter based on your actual situation. You are advised to use the default value.
Risks and impact of improper settings: If this parameter is set to a value greater than password_max_length, accounts cannot be created.
password_min_lowercase
Parameter description: Specifies the minimum number of lowercase letters that an account password must contain. Only the SYSADMIN user can access this parameter.
Parameter type: integer.
Unit: none
Value range: 0 to 999.
- 0: no limit.
- 1 to 999: minimum number of lowercase letters required in a password when you create an account.
Default value: 0
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Set this parameter based on your actual requirements. You are advised to use the default value.
Risks and impact of improper settings: If this parameter is set to a value greater than password_max_length, accounts cannot be created.
password_min_digital
Parameter description: Specifies the minimum number of digits that an account password must contain. Only the SYSADMIN user can access this parameter.
Parameter type: integer.
Unit: none
Value range: 0 to 999.
- 0: no limit.
- 1 to 999: minimum number of digits required in a password when you create an account.
Default value: 0
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Set this parameter based on your actual requirements. You are advised to use the default value.
Risks and impact of improper settings: If this parameter is set to a value greater than password_max_length, accounts cannot be created.
password_min_special
Parameter description: Specifies the minimum number of special characters that an account password must contain. Only the SYSADMIN user can access this parameter.
Parameter type: integer.
Unit: none
Value range: 0 to 999.
- 0: no limit.
- 1 to 999: minimum number of special characters required in a password when you create an account.
Default value: 0
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Set this parameter based on your actual requirements. You are advised to use the default value.
Risks and impact of improper settings: If this parameter is set to a value greater than password_max_length, accounts cannot be created.
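The length and character-class parameters above constrain each other, so a proposed policy can be checked offline before it is applied. The following Python pre-check is an added example, not part of the product or its tooling; `check_policy` and the sample values are hypothetical. The ranges, defaults and per-parameter rules come from the descriptions above, while the combined-total check is an inference (a password cannot hold more required characters than password_max_length allows), not a rule stated on this page.

```python
# Added example: offline pre-check of password-policy parameters before applying them.
# Ranges, defaults and per-parameter rules follow the parameter descriptions above.

RANGES = {
    "password_min_length": (6, 999),
    "password_max_length": (6, 999),
    "password_min_uppercase": (0, 999),
    "password_min_lowercase": (0, 999),
    "password_min_digital": (0, 999),
    "password_min_special": (0, 999),
}
DEFAULTS = {
    "password_min_length": 8, "password_max_length": 32,
    "password_min_uppercase": 0, "password_min_lowercase": 0,
    "password_min_digital": 0, "password_min_special": 0,
}
CLASS_PARAMS = ["password_min_uppercase", "password_min_lowercase",
                "password_min_digital", "password_min_special"]

def check_policy(settings):
    """Return a list of problems; an empty list means the policy is satisfiable."""
    cfg = {**DEFAULTS, **settings}  # unspecified parameters keep their defaults
    problems = []
    for name, (lo, hi) in RANGES.items():
        value = cfg[name]
        if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
            problems.append(f"{name}={value!r} is outside the documented range {lo} to {hi}")
    if problems:
        return problems  # cross-checks are meaningless on out-of-range values
    max_len = cfg["password_max_length"]
    if cfg["password_min_length"] > max_len:
        problems.append("password_min_length exceeds password_max_length: accounts cannot be created")
    for name in CLASS_PARAMS:
        if cfg[name] > max_len:
            problems.append(f"{name} exceeds password_max_length: accounts cannot be created")
    # Inference, not stated on the page: the four class minimums must also fit together.
    required = sum(cfg[name] for name in CLASS_PARAMS)
    if required > max_len:
        problems.append(f"class minimums total {required}, more than password_max_length={max_len}")
    return problems

# Constructed sample: each class minimum is legal on its own, but together they need 36 characters.
proposed = {"password_min_uppercase": 9, "password_min_lowercase": 9,
            "password_min_digital": 9, "password_min_special": 9}

if __name__ == "__main__":
    for line in check_policy(proposed) or ["policy is satisfiable"]:
        print(line)
```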
password_effect_time
Parameter description: Specifies the validity period of an account password.
Parameter type: floating-point.
Unit: day
Value range: 0 to 999. The integer part indicates the number of days, and the decimal part can be converted into hours, minutes, and seconds. For example, password_effect_time=0.5 indicates 0 days and 12 hours.
- 0: The validity period restriction of an account password is disabled.
- 1 to 999: The number of days for which an account password is valid. When the password is about to expire or has expired, the system prompts the user to change the password.
Default value: 0
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: You are advised to set the password validity period based on service security requirements. A smaller value indicates higher security.
Risks and impact of improper settings: If this parameter is set to 0, security risks exist if the password is not changed for a long time.
password_notify_time
Parameter description: Specifies how many days in advance a user is notified before a password expires.
Parameter type: integer.
Unit: day
Value range: 0 to 999.
- 0: The reminder is disabled.
- 1 to 999: number of days prior to password expiration that a user will receive a reminder.
Default value: 7
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value.
Risks and impact of improper settings: If this parameter is set to 0, users are not reminded in advance that their password is about to expire.
enable_innertool_cert
Parameter description: Specifies whether internal tools use certificate authentication.
Parameter type: Boolean
Unit: none
Value range:
- on: Internal tools use certificate-based authentication.
- off: Internal tools do not use certificate-based authentication.

- This parameter takes effect only when both this parameter and ssl are enabled.
- By default, the certificate in the $GAUSSHOME/share/sslcert/gsql directory is used. The Common Name of the certificate must be the same as the name of the initial user. Otherwise, the authentication fails.
- After this parameter is enabled, the initial user uses certificate-based authentication, and other users use password-based authentication.
- After this parameter is enabled, the initial user can remotely connect to the database using certificate-based authentication.
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: The default value is recommended. If you have high security requirements, you are advised to enable this parameter and correctly configure related certificates.
Risks and impacts of improper settings: Change the parameter value after fully understanding the parameter meaning and verifying it through testing.