doc-exports/docs/dws/umn/dws_01_0074.html
Lu, Huayi 95132e24fc DWS UMN 830.201_new version
Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com>
Reviewed-by: Rechenburg, Matthias <matthias.rechenburg@t-systems.com>
Co-authored-by: Lu, Huayi <luhuayi@huawei.com>
Co-committed-by: Lu, Huayi <luhuayi@huawei.com>
2024-05-27 11:54:34 +00:00


<a name="EN-US_TOPIC_0000001658895330"></a><a name="EN-US_TOPIC_0000001658895330"></a>
<h1 class="topictitle1">Configuring Separation of Permissions</h1>
<div id="body8662426"><div class="section" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_section43782126162722"><h4 class="sectiontitle">Scenario</h4><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p17859528113310">By default, the administrator specified when you create a GaussDB(DWS) cluster is the database system administrator. The administrator can create other users and view the audit logs of the database. That is, separation of permissions is disabled.</p>
<p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p1550115116373">GaussDB(DWS) supports role-based separation of permissions. In this way, different roles have different permissions and cluster data can be better protected.</p>
<p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p18197342213">For details about the default permissions mode and the separation of permissions mode, see "Database Security Management &gt; Managing Users and Their Permissions &gt; Separation of Permissions" in the <i><cite id="EN-US_TOPIC_0000001658895330__cite41e7c872bc1544469510df48feae677c164933">Data Warehouse Service (DWS) Developer Guide</cite></i>.</p>
</div>
<div class="section" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_section32447445163911"><h4 class="sectiontitle">Impact on the System</h4><ul id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_ul5918193913327"><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_li4918103923213">After you modify the security parameters and the modifications take effect, the cluster may be restarted, which makes the cluster temporarily unavailable.</li></ul>
</div>
<div class="section" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_section6488541984957"><h4 class="sectiontitle">Prerequisites</h4><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p13296105233612">To modify the cluster's security configuration, ensure that the following conditions are met:</p>
<ul id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_ul1465125853716"><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_li362597153810">The cluster status is <strong id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_b8494133713474">Available</strong>, <strong id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_b1050016371475">To be restarted</strong>, or <strong id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_b2501173764716">Unbalanced</strong>.</li><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_li16464158183717">The <strong id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_b978711245378">Task Information</strong> cannot be <span class="parmvalue" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_parmvalue378711246375"><b>Creating snapshot</b></span>, <span class="parmvalue" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_parmvalue8788132453714"><b>Scaling out</b></span>, <span class="parmvalue" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_parmvalue1778872423715"><b>Configuring</b></span>, or <span class="parmvalue" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_parmvalue1678872433713"><b>Restarting</b></span>.</li></ul>
</div>
<div class="section" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_section63097435164448"><h4 class="sectiontitle">Procedure</h4><ol id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_ol587855816457"><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_li1864101482116"><span>Log in to the GaussDB(DWS) management console.</span></li><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_li640122716457"><span>In the navigation pane on the left, choose <span class="uicontrol" id="EN-US_TOPIC_0000001658895330__uicontrol175912006875823"><b>Clusters</b></span> &gt; <strong id="EN-US_TOPIC_0000001658895330__b105967455775823">Dedicated Clusters</strong>.</span></li><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_li18003557164415"><span>In the cluster list, click the name of a cluster. On the page that is displayed, click <span class="uicontrol" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_uicontrol1495449194249"><b>Security Settings</b></span>.</span><p><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p46648779164659">By default, <span class="parmname" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_parmname325381539194317"><b>Configuration Status</b></span> is <span class="parmvalue" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_parmvalue212129348194334"><b>Synchronized</b></span>, which indicates that the latest database result is displayed.</p>
</p></li><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_li1254982362310"><span>On the <span class="wintitle" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_wintitle1511446198145918"><b>Security Settings</b></span> page, configure separation of permissions.</span><p><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p52528295290"><span><img id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_image1325210299294" src="figure/en-us_image_0000001759579485.png"></span> indicates that the function is enabled. When separation of permissions is enabled, configure the username and password for <span class="parmname" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_parmname03271852213"><b>Security Administrator</b></span> and <span class="parmname" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_parmname13434802217"><b>Audit Administrator</b></span>. Then the system automatically creates these two users. You can use these two users to connect to the database and perform database-related operations.</p>
<div class="p" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p9253029112910"><span><img id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_image2068495618556" src="figure/en-us_image_0000001711820076.jpg"></span> indicates that <strong id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_b815464223219">Rights Separation</strong> is disabled. <strong id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_b13107140185415">Rights Separation</strong> is disabled by default.
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_table19251053172511" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Security parameters</caption><thead align="left"><tr id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_row1625953112519"><th align="left" class="cellrowborder" valign="top" width="20%" id="mcps1.3.4.2.4.2.2.4.2.4.1.1"><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p32612535253"><strong id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_b7617970162543">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="59%" id="mcps1.3.4.2.4.2.2.4.2.4.1.2"><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p11261153202515"><strong id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_b842352706181449">Description</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="21%" id="mcps1.3.4.2.4.2.2.4.2.4.1.3"><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p15261253162517"><strong id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_b60793810112357">Example Value</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_row626115316259"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.4.2.4.2.2.4.2.4.1.1 "><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p326105342511">Security Administrator</p>
</td>
<td class="cellrowborder" valign="top" width="59%" headers="mcps1.3.4.2.4.2.2.4.2.4.1.2 "><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p1125715255316">The username must meet the following requirements:</p>
<ul id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_ul925811254311"><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_li102591325173115">Consists of lowercase letters, digits, or underscores.</li><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_li1026116251316">Starts with a lowercase letter or an underscore.</li><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_li0263102511313">Contains 6 to 64 characters.</li><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_li1126582593114">Cannot be a keyword of the GaussDB(DWS) database. For details about the keywords of the GaussDB(DWS) database, see "SQL Syntax Reference &gt; Keyword" in the <em id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_i17317051113419">Data Warehouse Service (DWS) Developer Guide</em>.</li></ul>
</td>
<td class="cellrowborder" valign="top" width="21%" headers="mcps1.3.4.2.4.2.2.4.2.4.1.3 "><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p62610537258">security_admin</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_row326125322513"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.4.2.4.2.2.4.2.4.1.1 "><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p1026853112518">Password</p>
</td>
<td class="cellrowborder" valign="top" width="59%" headers="mcps1.3.4.2.4.2.2.4.2.4.1.2 "><div class="p" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p14892133520320">The password complexity requirements are as follows:<ul id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_ue389ad2f3aa5470484fa087e28427ed7"><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_en-us_topic_0106894662_li14183138142">Contains 12 to 32 characters.</li><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_l74fe7d31380b48208fb0ff63c167c83d">Cannot be the username or the username spelled backwards.</li><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_l67a2f75d35aa4f77bfba2654af9a7980">Must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters (~!?,.:;_(){}[]/&lt;&gt;@#%^&amp;*+|\=-)</li><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_l7db73fd0c15f463b8c0c82f13969046a">Passes the weak password check.</li></ul>
</div>
</td>
<td class="cellrowborder" valign="top" width="21%" headers="mcps1.3.4.2.4.2.2.4.2.4.1.3 "><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p226753172513">-</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_row82645310256"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.4.2.4.2.2.4.2.4.1.1 "><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p126195319254">Confirm Password</p>
</td>
<td class="cellrowborder" valign="top" width="59%" headers="mcps1.3.4.2.4.2.2.4.2.4.1.2 "><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p82612538250">Enter the password of the security administrator again.</p>
</td>
<td class="cellrowborder" valign="top" width="21%" headers="mcps1.3.4.2.4.2.2.4.2.4.1.3 "><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p14262538253">-</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_row3931218192713"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.4.2.4.2.2.4.2.4.1.1 "><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p1695718122717">Audit Administrator</p>
</td>
<td class="cellrowborder" valign="top" width="59%" headers="mcps1.3.4.2.4.2.2.4.2.4.1.2 "><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p138595192390">The username must meet the following requirements:</p>
<ul id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_ul615614912298"><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_l41a661ff392a43d9820a15f9610f9f2c">Consists of lowercase letters, digits, or underscores.</li><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_l9c57b090c2f243ae9b34c86b9332ed0f">Starts with a lowercase letter or an underscore.</li><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_l7916b6b1399d4e6282352ca7e577be4f">Contains 6 to 64 characters.</li><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_l5cda75074d244980bec7977002e3b503">Cannot be a keyword of the GaussDB(DWS) database. For details about the keywords of the GaussDB(DWS) database, see "SQL Syntax Reference &gt; Keyword" in the <em id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_i1276453219480">Data Warehouse Service (DWS) Developer Guide</em>.</li></ul>
</td>
<td class="cellrowborder" valign="top" width="21%" headers="mcps1.3.4.2.4.2.2.4.2.4.1.3 "><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p159510181272">audit_admin</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_row16584121102717"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.4.2.4.2.2.4.2.4.1.1 "><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p6584182110274">Password</p>
</td>
<td class="cellrowborder" valign="top" width="59%" headers="mcps1.3.4.2.4.2.2.4.2.4.1.2 "><div class="p" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p1358411211270">The password complexity requirements are as follows:<ul id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_u5e2bd265f04e46f9b7f0319234f05493"><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_l093315efb2f943eab2030a9c6ebccfdd">Contains 12 to 32 characters.</li><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_ld71a01baa8e846dbab9922618a9174fc">Cannot be the username or the username spelled backwards.</li><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_l428973edc49b455eafc05af51a70f513">Must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters ~!@#%^&amp;*()-_=+|[{}];:,&lt;.&gt;/?</li><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_la40dfacfcc48409fa103c87b34e816d5">Passes the weak password check.</li></ul>
</div>
</td>
<td class="cellrowborder" valign="top" width="21%" headers="mcps1.3.4.2.4.2.2.4.2.4.1.3 "><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p205846217277">-</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_row16526153272717"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.4.2.4.2.2.4.2.4.1.1 "><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p7526183215279">Confirm Password</p>
</td>
<td class="cellrowborder" valign="top" width="59%" headers="mcps1.3.4.2.4.2.2.4.2.4.1.2 "><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p352613262718">Enter the password of the audit administrator again.</p>
</td>
<td class="cellrowborder" valign="top" width="21%" headers="mcps1.3.4.2.4.2.2.4.2.4.1.3 "><p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p9526163215277">-</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</p></li><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_li64616335165821"><span>Click <span class="uicontrol" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_uicontrol1442806226195210"><b>Apply</b></span>.</span></li><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_li886214216518"><span>In the displayed <span class="wintitle" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_wintitle934631851151546"><b>Save Configuration</b></span> dialog box, select or deselect <strong id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_b842352706151624">Restart the cluster</strong> and click <strong id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_b842352706151633">Yes</strong>.</span><p><ul id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_ul17838265512"><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_li14783122619515">If you select <span class="parmname" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_parmname1329250059152036"><b>Restart the cluster</b></span>, the system saves the settings on the <span class="wintitle" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_wintitle54552218152120"><b>Security Settings</b></span> page and restarts the cluster immediately. After the cluster is restarted, the security settings take effect immediately.</li><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_li149486281515">If you do not select <span class="parmname" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_parmname47791558152215"><b>Restart the cluster</b></span>, the system only saves the settings on the <span class="wintitle" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_wintitle1748940334152247"><b>Security Settings</b></span> page. Later, you need to manually restart the cluster for the security settings to take effect.</li></ul>
<p id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_p79676586616">After the security settings are complete, <span class="parmname" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_parmname7696479059396"><b>Configuration Status</b></span> can be one of the following on the <span class="wintitle" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_wintitle104272764093757"><b>Security Settings</b></span> page:</p>
<ul id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_ul1485864535110"><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_li139715583614"><span class="parmvalue" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_parmvalue3971165813615"><b>Applying</b></span>: The system is saving the settings.</li><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_li1797211581365"><span class="parmvalue" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_parmvalue55512574494033"><b>Synchronized</b></span>: The settings have been saved and have taken effect.</li><li id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_li6863164555118"><span class="parmvalue" id="EN-US_TOPIC_0000001658895330__en-us_topic_0000001423119225_parmvalue8087991594148"><b>Take effect after restart</b></span>: The settings have been saved but have not taken effect. Restart the cluster for the settings to take effect.</li></ul>
</p></li></ol>
</div>
</div>
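<p>The username and password rules in Table 1 can be checked before the values are entered on the Security Settings page. The following is an added example, not part of the GaussDB(DWS) documentation or product code: the function names are hypothetical, the keyword set is a constructed placeholder for the list in the Developer Guide, and the weak password check is not reproduced because the page does not define it.</p>

```python
import re

# Special-character sets copied from Table 1, which lists them per role.
SPECIALS = {
    "security": set("~!?,.:;_(){}[]/<>@#%^&*+|\\=-"),
    "audit": set("~!@#%^&*()-_=+|[{}];:,<.>/?"),
}
# Constructed placeholder subset; the authoritative keyword list is in the
# Developer Guide ("SQL Syntax Reference > Keyword").
KEYWORDS_SAMPLE = {"select", "create", "update", "delete", "table"}


def check_username(name, keywords=KEYWORDS_SAMPLE):
    """Return the Table 1 username rules that `name` violates."""
    problems = []
    if not 6 <= len(name) <= 64:
        problems.append("length must be 6 to 64 characters")
    if not re.fullmatch(r"[a-z0-9_]*", name):
        problems.append("only lowercase letters, digits, underscores")
    if not re.match(r"[a-z_]", name):
        problems.append("must start with a lowercase letter or underscore")
    if name in keywords:
        problems.append("must not be a database keyword")
    return problems


def check_password(password, username, role):
    """Return the Table 1 password rules violated (weak-password check excluded)."""
    problems = []
    if not 12 <= len(password) <= 32:
        problems.append("length must be 12 to 32 characters")
    # Exact comparison, as the table states the rule; case folding is not assumed.
    if password in (username, username[::-1]):
        problems.append("must not be the username or its reverse")
    classes = [
        any(c.isascii() and c.isupper() for c in password),
        any(c.isascii() and c.islower() for c in password),
        any(c.isascii() and c.isdigit() for c in password),
        any(c in SPECIALS[role] for c in password),
    ]
    if sum(classes) < 3:
        problems.append("needs at least three character types")
    return problems


def precheck(settings):
    """Map {role: (username, password)} to {role: [violated rules]}."""
    return {role: check_username(user) + check_password(pw, user, role)
            for role, (user, pw) in settings.items()}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = {
        "security": ("security_admin", "nimda_ytiruces"),
        "audit": ("audit_admin", "Constructed-Pass-2024"),
    }
    for role, problems in precheck(sample).items():
        print(role, "OK" if not problems else problems)
```

<p>An empty list means the value meets the rules this sketch covers; the console still applies the weak password check and the full keyword list.</p>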
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dws_01_0700.html">Cluster Security Management</a></div>
</div>
</div>