doc-exports/docs/dws/dev/dws_04_0890.html
Lu, Huayi a24ca60074 DWS DEVELOPER 811 version
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: Lu, Huayi <luhuayi@huawei.com>
Co-committed-by: Lu, Huayi <luhuayi@huawei.com>
2023-01-19 13:37:49 +00:00


<a name="EN-US_TOPIC_0000001145695003"></a><a name="EN-US_TOPIC_0000001145695003"></a>
<h1 class="topictitle1">Security and Authentication (postgresql.conf)</h1>
<div id="body8662426"><p id="EN-US_TOPIC_0000001145695003__en-us_topic_0059778664_p11527581314">This section describes parameters about how to securely authenticate the client and server.</p>
<div class="section" id="EN-US_TOPIC_0000001145695003__sce830baddcd14b33a7a6700e27937abf"><h4 class="sectiontitle">authentication_timeout</h4><p id="EN-US_TOPIC_0000001145695003__affc6c27a3c6448ffb2843f5e61eae95d"><strong id="EN-US_TOPIC_0000001145695003__en-us_topic_0059778664_en-us_topic_0058967753_b41120256">Parameter description</strong>: Specifies the longest duration to wait before the client authentication times out. If a client is not authenticated by the server within the timeout period, the server automatically breaks the connection from the client so that the faulty client does not occupy connection resources.</p>
<p id="EN-US_TOPIC_0000001145695003__p727782016135"><strong id="EN-US_TOPIC_0000001145695003__b14534171794511">Type</strong>: SIGHUP</p>
<p id="EN-US_TOPIC_0000001145695003__a36dc89e8d4924406add9e4eebff8ab09"><strong id="EN-US_TOPIC_0000001145695003__b1265223112433">Value range</strong>: an integer ranging from 1 to 600. The minimum unit is second (s).</p>
<p id="EN-US_TOPIC_0000001145695003__a64ef6e91cdaa40d9b8e67d32d70bb316"><strong id="EN-US_TOPIC_0000001145695003__b842352706185119">Default value</strong>: <strong id="EN-US_TOPIC_0000001145695003__en-us_topic_0059778244_b15310055141954">1 min</strong></p>
</div>
<div class="section" id="EN-US_TOPIC_0000001145695003__section2612143317514"><h4 class="sectiontitle">auth_iteration_count</h4><p id="EN-US_TOPIC_0000001145695003__p1272212378514"><strong id="EN-US_TOPIC_0000001145695003__b1851794672203457">Parameter description</strong>: Specifies the number of iterations during the generation of encryption information for authentication.</p>
<p id="EN-US_TOPIC_0000001145695003__p195311751121515"><strong id="EN-US_TOPIC_0000001145695003__b414611844516">Type</strong>: SIGHUP</p>
<p id="EN-US_TOPIC_0000001145695003__p4727123745110"><strong id="EN-US_TOPIC_0000001145695003__b20165267194730">Value range</strong>: an integer ranging from 2048 to 134217728</p>
<p id="EN-US_TOPIC_0000001145695003__p12729143735111"><strong id="EN-US_TOPIC_0000001145695003__b842352706203757">Default value</strong>: <strong id="EN-US_TOPIC_0000001145695003__b84235270620380">50000</strong></p>
<div class="notice" id="EN-US_TOPIC_0000001145695003__note185621927143113"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="EN-US_TOPIC_0000001145695003__p6981136111717">If this parameter is set to a large value, performance deteriorates in operations involving password encryption, such as authentication and user creation. Set this parameter to an appropriate value based on the hardware conditions.</p>
</div></div>
</div>
<div class="section" id="EN-US_TOPIC_0000001145695003__s7086b76ae0224deaa57a373bffdb2cd4"><h4 class="sectiontitle">session_timeout</h4><p id="EN-US_TOPIC_0000001145695003__a65fd2184ace34d97b2a0687ab4e37059"><strong id="EN-US_TOPIC_0000001145695003__en-us_topic_0059778664_aa0c7fa83044942d19d71d426bf003365">Parameter description</strong>: Specifies the longest duration that a connection to the server can remain idle (with no operations) before it times out.</p>
<p id="EN-US_TOPIC_0000001145695003__p17710210161613"><strong id="EN-US_TOPIC_0000001145695003__b55090196459">Type</strong>: USERSET</p>
<p id="EN-US_TOPIC_0000001145695003__a09a71366f2b040d6ae2a70b893186868"><strong id="EN-US_TOPIC_0000001145695003__b842352706204447">Value range</strong>: an integer ranging from 0 to 86400. The minimum unit is second (s). <strong id="EN-US_TOPIC_0000001145695003__b84235270620458">0</strong> means to disable the timeout.</p>
<p id="EN-US_TOPIC_0000001145695003__adc0a1206ddb24871bd8f94618569b424"><strong id="EN-US_TOPIC_0000001145695003__b17505192220213">Default value</strong>: <strong id="EN-US_TOPIC_0000001145695003__b18505182219218">10 min</strong></p>
<div class="notice" id="EN-US_TOPIC_0000001145695003__nea2f24e1ae734d76bc9b119dbf7113e9"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><ul id="EN-US_TOPIC_0000001145695003__ul1841500205618"><li id="EN-US_TOPIC_0000001145695003__li151951611565">The gsql client of <span id="EN-US_TOPIC_0000001145695003__text13194294582">GaussDB(DWS)</span> has an automatic reconnection mechanism. If the initialized local connection of a user to the server times out, gsql disconnects from and reconnects to the server.</li><li id="EN-US_TOPIC_0000001145695003__li6344177165713">Connections from the pooler connection pool to other CNs and DNs are not controlled by the <strong id="EN-US_TOPIC_0000001145695003__b1792419185597">session_timeout</strong> parameter.</li></ul>
</div></div>
</div>
<div class="section" id="EN-US_TOPIC_0000001145695003__sb4f20106a9e44510a2243affa571091e"><h4 class="sectiontitle">ssl</h4><p id="EN-US_TOPIC_0000001145695003__a02b5d4a536824c488c8b9adb394fff4d"><strong id="EN-US_TOPIC_0000001145695003__en-us_topic_0059778664_en-us_topic_0058967753_b3421177">Parameter description</strong>: Specifies whether the SSL connection is enabled. </p>
<p id="EN-US_TOPIC_0000001145695003__p5546202314257"><strong id="EN-US_TOPIC_0000001145695003__b943209459">Type</strong>: POSTMASTER</p>
<p id="EN-US_TOPIC_0000001145695003__aee317e181dd64b79b5d9f955cb8a01ab"><strong id="EN-US_TOPIC_0000001145695003__en-us_topic_0059778664_en-us_topic_0058967753_b9994653">Value range</strong>: Boolean</p>
<ul id="EN-US_TOPIC_0000001145695003__u6639deb980fa41e0aff2c912209160d6"><li id="EN-US_TOPIC_0000001145695003__l176b0507a7f04700bae8e4ba188153b4"><strong id="EN-US_TOPIC_0000001145695003__b104324785634549">on</strong> indicates that the SSL connection is enabled.</li><li id="EN-US_TOPIC_0000001145695003__l0f5d4aaacae548aa9b061bcb56711032"><strong id="EN-US_TOPIC_0000001145695003__b1721383012219">off</strong> indicates that the SSL connection is not enabled.</li></ul>
<div class="notice" id="EN-US_TOPIC_0000001145695003__n187bb3bb153143a9886ceff0767d478d"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="EN-US_TOPIC_0000001145695003__a0f4d1c9994f34000a2ce05bb71e5ea23"><span id="EN-US_TOPIC_0000001145695003__text1090562960">GaussDB(DWS)</span> supports the SSL connection when the client connects to CNs. It is recommended that the SSL connection be enabled only on CNs.</p>
</div></div>
<p id="EN-US_TOPIC_0000001145695003__a823cf6901f4f47ca8ead0269f16fc944"><strong id="EN-US_TOPIC_0000001145695003__b277223817218">Default value</strong>: <strong id="EN-US_TOPIC_0000001145695003__b1777210382219">on</strong></p>
</div>
<div class="section" id="EN-US_TOPIC_0000001145695003__s0742999cbaad4392a0a66f168e83398c"><h4 class="sectiontitle">ssl_ciphers</h4><p id="EN-US_TOPIC_0000001145695003__a40b610aa990b4b8ca6d0008068528ab8"><strong id="EN-US_TOPIC_0000001145695003__en-us_topic_0059778664_aee607761efca4160868d59583c52fa7e">Parameter description</strong>: Specifies the encryption algorithm list supported by the SSL.</p>
<p id="EN-US_TOPIC_0000001145695003__p2345191112515"><strong id="EN-US_TOPIC_0000001145695003__b13751520184516">Type</strong>: POSTMASTER</p>
<p id="EN-US_TOPIC_0000001145695003__a6baa0bd7e85449f7a91b8f7a1f26fe18"><strong id="EN-US_TOPIC_0000001145695003__b166421341041">Value range</strong>: a string. Separate multiple encryption algorithms with semicolons (;). </p>
<p id="EN-US_TOPIC_0000001145695003__aae84c198aa6f4f08b9136c484ebbb400"><strong id="EN-US_TOPIC_0000001145695003__b2012012131341">Default value</strong>: <strong id="EN-US_TOPIC_0000001145695003__b51216134414">ALL</strong></p>
<div class="note" id="EN-US_TOPIC_0000001145695003__note1078975013110"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="EN-US_TOPIC_0000001145695003__ul321613417133"><li id="EN-US_TOPIC_0000001145695003__li4849172582211">The default value of <strong id="EN-US_TOPIC_0000001145695003__b12976175851416">ssl_ciphers</strong> is <strong id="EN-US_TOPIC_0000001145695003__b1297695818140">ALL</strong>, indicating that all the following encryption algorithms are supported. Users are advised to retain the default value, unless there are other special requirements on the encryption algorithm.<ul id="EN-US_TOPIC_0000001145695003__ul1578411461719"><li id="EN-US_TOPIC_0000001145695003__li1667753110137">TLS1_3_RFC_AES_128_GCM_SHA256</li><li id="EN-US_TOPIC_0000001145695003__li2091373231315">TLS1_3_RFC_AES_256_GCM_SHA384</li><li id="EN-US_TOPIC_0000001145695003__li1234153621312">TLS1_3_RFC_CHACHA20_POLY1305_SHA256</li><li id="EN-US_TOPIC_0000001145695003__li1841243719138">TLS1_3_RFC_AES_128_CCM_SHA256</li><li id="EN-US_TOPIC_0000001145695003__la226f0b6f6c040c29e011c10c109139c">TLS1_3_RFC_AES_128_CCM_8_SHA256</li></ul>
</li><li id="EN-US_TOPIC_0000001145695003__li22171542130">Currently, SSL connection authentication supports only TLS1.3 encryption algorithms, which offer better performance and security. SSL connection authentication is also compatible with clients that comply with TLS1.2.</li></ul>
</div></div>
</div>
<div class="section" id="EN-US_TOPIC_0000001145695003__s6fec625af84c4e5ab66d1731d270f22b"><h4 class="sectiontitle">ssl_renegotiation_limit</h4><p id="EN-US_TOPIC_0000001145695003__a182a4c15d39a4a24b2f205e7f6ccb03f"><strong id="EN-US_TOPIC_0000001145695003__en-us_topic_0059778664_a3d4c28655aba4ee29f293b53d46b3ba1">Parameter description</strong>: Specifies the traffic volume over the SSL-encrypted channel before the session key is renegotiated. The renegotiation traffic limit reduces the probability that attackers can use cryptanalysis on a large amount of data to crack the key, but it causes a significant performance loss. The traffic is the sum of sent and received traffic.</p>
<p id="EN-US_TOPIC_0000001145695003__p777214359165"><strong id="EN-US_TOPIC_0000001145695003__b20877120204513">Type</strong>: USERSET</p>
<div class="note" id="EN-US_TOPIC_0000001145695003__note11998020131414"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="EN-US_TOPIC_0000001145695003__p1853316399306">You are advised to retain the default value, that is, disable the renegotiation mechanism. You are not advised to use the <strong id="EN-US_TOPIC_0000001145695003__b204674514101">gs_guc</strong> tool or other methods to set the <strong id="EN-US_TOPIC_0000001145695003__b9686134100">ssl_renegotiation_limit</strong> parameter in the <strong id="EN-US_TOPIC_0000001145695003__b5982122031010">postgresql.conf</strong> file. The setting does not take effect.</p>
</div></div>
<p id="EN-US_TOPIC_0000001145695003__aac6ce1acfd8544cf9724d1da94365b4c"><strong id="EN-US_TOPIC_0000001145695003__b1316119383446">Value range</strong>: an integer ranging from 0 to <strong id="EN-US_TOPIC_0000001145695003__b11979145834416">INT_MAX</strong>. The unit is KB. <strong id="EN-US_TOPIC_0000001145695003__b842352706173359">0</strong> indicates that the renegotiation mechanism is disabled.</p>
<p id="EN-US_TOPIC_0000001145695003__a9e96827e5e37425cb22d8f3bcec9b4b3"><strong id="EN-US_TOPIC_0000001145695003__b5735075">Default value</strong>: <strong id="EN-US_TOPIC_0000001145695003__b842352706171333">0</strong></p>
</div>
<div class="section" id="EN-US_TOPIC_0000001145695003__s66e18c0433544eefaa5369459d6b220a"><h4 class="sectiontitle">password_policy</h4><p id="EN-US_TOPIC_0000001145695003__aad2b7fac24ad49b0abfed1fbc188d7f0"><strong id="EN-US_TOPIC_0000001145695003__b825354011420">Parameter description</strong>: Specifies whether to check the password complexity when you run the <strong id="EN-US_TOPIC_0000001145695003__b102595401446">CREATE ROLE/USER</strong> or <strong id="EN-US_TOPIC_0000001145695003__b4259174016420">ALTER ROLE/USER</strong> command to create or modify a <span id="EN-US_TOPIC_0000001145695003__text1359377587">GaussDB(DWS)</span> account. </p>
<p id="EN-US_TOPIC_0000001145695003__p1345516265239"><strong id="EN-US_TOPIC_0000001145695003__b8440423144517">Type</strong>: SIGHUP</p>
<div class="notice" id="EN-US_TOPIC_0000001145695003__nffa7a21a10a949c681bac168c79c0a16"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="EN-US_TOPIC_0000001145695003__a813de7415b2f4079a9429f46a1b656a1">For security purposes, do not disable the password complexity policy.</p>
</div></div>
<p id="EN-US_TOPIC_0000001145695003__a5c71c4ec624b4db5922095c21b0a0fcf"><strong id="EN-US_TOPIC_0000001145695003__b66499804">Value range</strong>: an integer, <strong id="EN-US_TOPIC_0000001145695003__b842352706111635">0</strong> or <strong id="EN-US_TOPIC_0000001145695003__b842352706111638">1</strong></p>
<ul id="EN-US_TOPIC_0000001145695003__u697584b48056419ea9e5faaecb4320ea"><li id="EN-US_TOPIC_0000001145695003__la2e19d02819d48769ccfebfecf8db608"><strong id="EN-US_TOPIC_0000001145695003__b176848255134549">0</strong> indicates that no password complexity policy is enabled.</li><li id="EN-US_TOPIC_0000001145695003__l5e49744c570143b08c97031226c2cec2"><strong id="EN-US_TOPIC_0000001145695003__ac4a71b0e13b64122b4edcb8c101652c4">1</strong> indicates that the default password complexity policy is enabled.</li></ul>
<p id="EN-US_TOPIC_0000001145695003__afab54009b43849cb885fb93580c05f11"><strong id="EN-US_TOPIC_0000001145695003__a4c25757a8859417e8d363ca9016b506c">Default value</strong>: <strong id="EN-US_TOPIC_0000001145695003__en-us_topic_0058967566_b56157513619462">1</strong></p>
</div>
<div class="section" id="EN-US_TOPIC_0000001145695003__sbbafd6b400d246ad9b10b95fd632643c"><a name="EN-US_TOPIC_0000001145695003__sbbafd6b400d246ad9b10b95fd632643c"></a><a name="sbbafd6b400d246ad9b10b95fd632643c"></a><h4 class="sectiontitle">password_reuse_time</h4><p id="EN-US_TOPIC_0000001145695003__af592be33e34b450da67c0f519d3ca36d"><strong id="EN-US_TOPIC_0000001145695003__b4546792291624">Parameter description:</strong> Specifies whether to check the reuse days of the new password when you run the <strong id="EN-US_TOPIC_0000001145695003__b3082399791624">ALTER USER</strong> or <strong id="EN-US_TOPIC_0000001145695003__b3555929791624">ALTER ROLE</strong> command to change a user password. </p>
<p id="EN-US_TOPIC_0000001145695003__p83506149239"><strong id="EN-US_TOPIC_0000001145695003__b063932304516">Type</strong>: SIGHUP</p>
<div class="notice" id="EN-US_TOPIC_0000001145695003__n6490ed2389ef4d0bab4609c6d12bb219"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="EN-US_TOPIC_0000001145695003__p67333441426">When you change the password, the system checks the values of <a href="#EN-US_TOPIC_0000001145695003__sbbafd6b400d246ad9b10b95fd632643c">password_reuse_time</a> and <a href="#EN-US_TOPIC_0000001145695003__scadaeaf8f1ee4427b11857bcd78cb191">password_reuse_max</a>.</p>
<ul id="EN-US_TOPIC_0000001145695003__ul13734194464216"><li id="EN-US_TOPIC_0000001145695003__li1852615215432">If the values of <a href="#EN-US_TOPIC_0000001145695003__sbbafd6b400d246ad9b10b95fd632643c">password_reuse_time</a> and <a href="#EN-US_TOPIC_0000001145695003__scadaeaf8f1ee4427b11857bcd78cb191">password_reuse_max</a> are both positive numbers, the password can be reused if either of the following conditions is met:</li><li id="EN-US_TOPIC_0000001145695003__li973454484219">If the value of <a href="#EN-US_TOPIC_0000001145695003__sbbafd6b400d246ad9b10b95fd632643c">password_reuse_time</a> is <strong id="EN-US_TOPIC_0000001145695003__b597410442502">0</strong>, the days of password reuse are not limited and only the times of password reuse are limited.</li><li id="EN-US_TOPIC_0000001145695003__li167348447425">If the value of <a href="#EN-US_TOPIC_0000001145695003__scadaeaf8f1ee4427b11857bcd78cb191">password_reuse_max</a> is <strong id="EN-US_TOPIC_0000001145695003__b8155446195218">0</strong>, the times of password reuse are not limited and only the days of password reuse are limited.</li><li id="EN-US_TOPIC_0000001145695003__li1873474416422">If the values of <a href="#EN-US_TOPIC_0000001145695003__sbbafd6b400d246ad9b10b95fd632643c">password_reuse_time</a> and <a href="#EN-US_TOPIC_0000001145695003__scadaeaf8f1ee4427b11857bcd78cb191">password_reuse_max</a> are both <strong id="EN-US_TOPIC_0000001145695003__b801046185311">0</strong>, password reuse is not limited.</li></ul>
</div></div>
<p id="EN-US_TOPIC_0000001145695003__a296e83f968604830a15e9764ac21aa72"><strong id="EN-US_TOPIC_0000001145695003__b452233516510">Value range</strong>: a floating number ranging from 0 to 3650. The unit is day.</p>
<ul id="EN-US_TOPIC_0000001145695003__u1e64b12c6f444173b8207e9e18d63221"><li id="EN-US_TOPIC_0000001145695003__l95d4ac4127be4e41a934bfe422abcf98"><strong id="EN-US_TOPIC_0000001145695003__b17817453165312">0</strong> indicates that the password reuse days are not checked.</li><li id="EN-US_TOPIC_0000001145695003__lf9cf65f9e97f4bef927bcfb6e8542a53">A positive number indicates that the new password cannot be the one that is used within the specified days.</li></ul>
<p id="EN-US_TOPIC_0000001145695003__a95bce48e12a044c3b7c7ff06792b27c8"><strong id="EN-US_TOPIC_0000001145695003__b27385108834549">Default value</strong>: <strong id="EN-US_TOPIC_0000001145695003__b842352706171519">60</strong></p>
</div>
<div class="section" id="EN-US_TOPIC_0000001145695003__scadaeaf8f1ee4427b11857bcd78cb191"><a name="EN-US_TOPIC_0000001145695003__scadaeaf8f1ee4427b11857bcd78cb191"></a><a name="scadaeaf8f1ee4427b11857bcd78cb191"></a><h4 class="sectiontitle">password_reuse_max</h4><p id="EN-US_TOPIC_0000001145695003__a5afb963054cf4b699602ed98207e6435"><strong id="EN-US_TOPIC_0000001145695003__b3967750491624">Parameter description:</strong> Specifies whether to check the reuse times of the new password when you run the <strong id="EN-US_TOPIC_0000001145695003__b1077670391624">ALTER USER</strong> or <strong id="EN-US_TOPIC_0000001145695003__b4850188091624">ALTER ROLE</strong> command to change a user password. </p>
<p id="EN-US_TOPIC_0000001145695003__p10187185314226"><strong id="EN-US_TOPIC_0000001145695003__b3768132314510">Type</strong>: SIGHUP</p>
<div class="notice" id="EN-US_TOPIC_0000001145695003__nefbf0ac32661426faf0a547e43c6543c"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="EN-US_TOPIC_0000001145695003__p2063718252432">When you change the password, the system checks the values of <a href="#EN-US_TOPIC_0000001145695003__sbbafd6b400d246ad9b10b95fd632643c">password_reuse_time</a> and <a href="#EN-US_TOPIC_0000001145695003__scadaeaf8f1ee4427b11857bcd78cb191">password_reuse_max</a>.</p>
<ul id="EN-US_TOPIC_0000001145695003__ul26372258431"><li id="EN-US_TOPIC_0000001145695003__li11637142517435">If the values of <a href="#EN-US_TOPIC_0000001145695003__sbbafd6b400d246ad9b10b95fd632643c">password_reuse_time</a> and <a href="#EN-US_TOPIC_0000001145695003__scadaeaf8f1ee4427b11857bcd78cb191">password_reuse_max</a> are both positive numbers, the password can be reused if either of the following conditions is met:</li><li id="EN-US_TOPIC_0000001145695003__li12637425114311">If the value of <a href="#EN-US_TOPIC_0000001145695003__sbbafd6b400d246ad9b10b95fd632643c">password_reuse_time</a> is <strong id="EN-US_TOPIC_0000001145695003__b196131645452">0</strong>, the days of password reuse are not limited and only the times of password reuse are limited.</li><li id="EN-US_TOPIC_0000001145695003__li7637102517438">If the value of <a href="#EN-US_TOPIC_0000001145695003__scadaeaf8f1ee4427b11857bcd78cb191">password_reuse_max</a> is <strong id="EN-US_TOPIC_0000001145695003__b1793813473513">0</strong>, the times of password reuse are not limited and only the days of password reuse are limited.</li><li id="EN-US_TOPIC_0000001145695003__li106371525174316">If the values of <a href="#EN-US_TOPIC_0000001145695003__sbbafd6b400d246ad9b10b95fd632643c">password_reuse_time</a> and <a href="#EN-US_TOPIC_0000001145695003__scadaeaf8f1ee4427b11857bcd78cb191">password_reuse_max</a> are both <strong id="EN-US_TOPIC_0000001145695003__b2478105011510">0</strong>, password reuse is not limited.</li></ul>
</div></div>
<p id="EN-US_TOPIC_0000001145695003__a0485b70193344cdeb7b278f802386372"><strong id="EN-US_TOPIC_0000001145695003__b18570152151">Value range</strong>: an integer ranging from 0 to 1000</p>
<ul id="EN-US_TOPIC_0000001145695003__uca565f077acf44c6ad5949061c29608d"><li id="EN-US_TOPIC_0000001145695003__lb6982604599147448f583529ea56f186"><strong id="EN-US_TOPIC_0000001145695003__b185999215334549">0</strong> indicates that the password reuse times are not checked.</li><li id="EN-US_TOPIC_0000001145695003__l393880ef56be4c38bfb0437389c94545">A positive number indicates that the new password cannot be the one whose reuse times exceed the specified number.</li></ul>
<p id="EN-US_TOPIC_0000001145695003__a04a77fb79a884473b402c9f0ef9e612a"><strong id="EN-US_TOPIC_0000001145695003__b13915259151516">Default value</strong>: <strong id="EN-US_TOPIC_0000001145695003__b842352706165429">0</strong></p>
</div>
<div class="section" id="EN-US_TOPIC_0000001145695003__s943fe3c453f648fb958919ab0aa2b08b"><a name="EN-US_TOPIC_0000001145695003__s943fe3c453f648fb958919ab0aa2b08b"></a><a name="s943fe3c453f648fb958919ab0aa2b08b"></a><h4 class="sectiontitle">password_lock_time</h4><p id="EN-US_TOPIC_0000001145695003__aebbbd79dfc624d58a963eccd0013796c"><strong id="EN-US_TOPIC_0000001145695003__en-us_topic_0059778664_en-us_topic_0058967753_b40832548">Parameter description</strong>: Specifies the duration before an account is automatically unlocked. </p>
<p id="EN-US_TOPIC_0000001145695003__p9677154418222"><strong id="EN-US_TOPIC_0000001145695003__b49511423134520">Type</strong>: SIGHUP</p>
<div class="notice" id="EN-US_TOPIC_0000001145695003__nede83145091d408893269caea44c746c"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="EN-US_TOPIC_0000001145695003__a5e8cbd5becb64e4e984aa9badca2cf93">The locking and unlocking functions take effect only when the values of <strong id="EN-US_TOPIC_0000001145695003__b1027112545512">password_lock_time</strong> and <a href="#EN-US_TOPIC_0000001145695003__s98a9fdb6b85f4f6ab813a269524dc136">failed_login_attempts</a> are positive numbers.</p>
</div></div>
<p id="EN-US_TOPIC_0000001145695003__ac6d6390ccf484acebea31f3e850b3acb"><strong id="EN-US_TOPIC_0000001145695003__b13596170167">Value range</strong>: a floating number ranging from 0 to 365. The unit is day.</p>
<ul id="EN-US_TOPIC_0000001145695003__u5a7cfddea7c94de5ac8eed2eb726cc6d"><li id="EN-US_TOPIC_0000001145695003__led7d9d51541e4d41ad4f757986bed67b"><strong id="EN-US_TOPIC_0000001145695003__b128346474034549">0</strong> indicates that the automatic locking function does not take effect if the password verification fails.</li><li id="EN-US_TOPIC_0000001145695003__le058156bf4c54c51bcc9796540ce63f2">A positive number indicates the duration after which an account is automatically unlocked.</li></ul>
<p id="EN-US_TOPIC_0000001145695003__a23b71f9839644b0db42bd61295ef3c21"><strong id="EN-US_TOPIC_0000001145695003__b871608913">Default value</strong>: <strong id="EN-US_TOPIC_0000001145695003__b1101876379">1</strong></p>
</div>
<div class="section" id="EN-US_TOPIC_0000001145695003__s98a9fdb6b85f4f6ab813a269524dc136"><a name="EN-US_TOPIC_0000001145695003__s98a9fdb6b85f4f6ab813a269524dc136"></a><a name="s98a9fdb6b85f4f6ab813a269524dc136"></a><h4 class="sectiontitle">failed_login_attempts</h4><p id="EN-US_TOPIC_0000001145695003__a728065526a914656aaf8a378553443e9"><strong id="EN-US_TOPIC_0000001145695003__b74807121034549">Parameter description</strong>: Specifies the maximum number of incorrect password attempts before an account is locked. The account will be automatically unlocked after the time specified in <strong id="EN-US_TOPIC_0000001145695003__b23110410534549">password_lock_time</strong>. Incorrect password attempts include, for example, incorrect passwords entered during login and password input failures when using the <strong id="EN-US_TOPIC_0000001145695003__b23623973144319">ALTER USER</strong> command.</p>
<p id="EN-US_TOPIC_0000001145695003__p18461121072113"><strong id="EN-US_TOPIC_0000001145695003__b111832414517">Type</strong>: SIGHUP</p>
<p id="EN-US_TOPIC_0000001145695003__a0224277f9a664877b46f18d4c758d355"><strong id="EN-US_TOPIC_0000001145695003__b1258375934517">Value range</strong>: an integer ranging from 0 to 1000</p>
<ul id="EN-US_TOPIC_0000001145695003__u2bb51f329fe045138ae839bee1b2a455"><li id="EN-US_TOPIC_0000001145695003__lb312d482a3854183bf40917bf659c12a"><strong id="EN-US_TOPIC_0000001145695003__b116577120934549">0</strong> indicates that the automatic locking function does not take effect.</li><li id="EN-US_TOPIC_0000001145695003__l65f61253bf434234ae28fc8ccbc0df02">A positive number indicates that an account is locked when the number of incorrect password attempts reaches the value of <strong id="EN-US_TOPIC_0000001145695003__b15968773634549">failed_login_attempts</strong>.</li></ul>
<p id="EN-US_TOPIC_0000001145695003__ab392fcc48a044305bd2ec11df4aeba77"><strong id="EN-US_TOPIC_0000001145695003__b16400126619">Default value</strong>: <strong id="EN-US_TOPIC_0000001145695003__b24011028618">10</strong></p>
<div class="notice" id="EN-US_TOPIC_0000001145695003__n28c694ec85094dcc9f7b9ac281b5df70"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><ul id="EN-US_TOPIC_0000001145695003__ul17447217111619"><li id="EN-US_TOPIC_0000001145695003__li134473174161">The locking and unlocking functions take effect only when the values of <strong id="EN-US_TOPIC_0000001145695003__b1816516161246">failed_login_attempts</strong> and <a href="#EN-US_TOPIC_0000001145695003__s943fe3c453f648fb958919ab0aa2b08b">password_lock_time</a> are positive numbers.</li><li id="EN-US_TOPIC_0000001145695003__li10201141914167"><strong id="EN-US_TOPIC_0000001145695003__b3679195513415">failed_login_attempts</strong> works with the SSL connection mode of the client to identify the number of incorrect password attempts. If PGSSLMODE is set to <strong id="EN-US_TOPIC_0000001145695003__b210523516611">allow</strong> or <strong id="EN-US_TOPIC_0000001145695003__b2784382067">prefer</strong>, two connection requests are generated for a password connection request. One request attempts an SSL connection, and the other request attempts a non-SSL connection. In this case, the number of incorrect password attempts perceived by the user is the value of <strong id="EN-US_TOPIC_0000001145695003__b410464714816">failed_login_attempts</strong> divided by 2.</li></ul>
</div></div>
</div>
<div class="section" id="EN-US_TOPIC_0000001145695003__s8704e0b9404741b89a785baf9a334d2a"><h4 class="sectiontitle">password_encryption_type</h4><p id="EN-US_TOPIC_0000001145695003__a2a290c8c9a414c028e5b7e7242957dc0"><strong id="EN-US_TOPIC_0000001145695003__en-us_topic_0059778664_aaf01a20fd744461998a11deb15a38896">Parameter description</strong>: Specifies the encryption type of user passwords.</p>
<p id="EN-US_TOPIC_0000001145695003__p537510552203"><strong id="EN-US_TOPIC_0000001145695003__b6295112412457">Type</strong>: SIGHUP</p>
<p id="EN-US_TOPIC_0000001145695003__a90e94ed6ff46414eac7084eda199200e"><strong id="EN-US_TOPIC_0000001145695003__b1297620882">Value range</strong>: an integer, <strong id="EN-US_TOPIC_0000001145695003__b415246630">0</strong>, <strong id="EN-US_TOPIC_0000001145695003__b757674557">1</strong>, or <strong id="EN-US_TOPIC_0000001145695003__b16214111417422">2</strong></p>
<ul id="EN-US_TOPIC_0000001145695003__ucf6340a5f1ff4877a5549178fcdd5327"><li id="EN-US_TOPIC_0000001145695003__l78ce25ee9b7940b084ed7c1b9e7a7718"><strong id="EN-US_TOPIC_0000001145695003__a0a0aeba5ee354a319376d5d57646ce87">0</strong> indicates that passwords are encrypted in MD5 mode.</li><li id="EN-US_TOPIC_0000001145695003__li731613248552"><strong id="EN-US_TOPIC_0000001145695003__b1315365611411">1</strong> indicates that passwords are encrypted using SHA256, which is compatible with the MD5 user authentication method of the PostgreSQL client.</li><li id="EN-US_TOPIC_0000001145695003__l33a31388b1ea4819aa03c6ba8bbfaf60"><strong id="EN-US_TOPIC_0000001145695003__en-us_topic_0004450763_b291431591493">2</strong> indicates that passwords are encrypted using SHA256.</li></ul>
<div class="notice" id="EN-US_TOPIC_0000001145695003__n021991b65c0c451bbcfcbbf107f26e6f"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><ul id="EN-US_TOPIC_0000001145695003__ul34738420181"><li id="EN-US_TOPIC_0000001145695003__li18305163224415">MD5 is not recommended because it is not a secure encryption algorithm.</li><li id="EN-US_TOPIC_0000001145695003__li4507120121913">If the cluster is upgraded from 8.0.0 or an earlier version to the current version, the default value of this parameter is the same as that of the cluster of the earlier version. For example, the default value of <strong id="EN-US_TOPIC_0000001145695003__b10361228347">password_encryption_type</strong> in 8.0.0 is <strong id="EN-US_TOPIC_0000001145695003__b23468326417">1</strong>. After the cluster is upgraded from 8.0.0 to 8.1.1, the default value of <strong id="EN-US_TOPIC_0000001145695003__b684310121250">password_encryption_type</strong> remains <strong id="EN-US_TOPIC_0000001145695003__b1489312211253">1</strong>.</li></ul>
</div></div>
<p id="EN-US_TOPIC_0000001145695003__a959e6d4e2678482199947467e088006c"><strong id="EN-US_TOPIC_0000001145695003__b3158552610564">Default value</strong>: <strong id="EN-US_TOPIC_0000001145695003__b842352706173228">2</strong></p>
</div>
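<p>The following is an added example, not part of the GaussDB(DWS) documentation or tooling: a small auditor that parses <strong>postgresql.conf</strong> text and applies the value ranges, defaults, and parameter interactions described in the sections above (SSL, password policy, MD5 encryption type, account locking, password reuse, and the PGSSLMODE note). The function names, the check names <strong>account_lockout</strong> and <strong>password_reuse</strong>, the sample file, and rounding down for odd values are assumptions made for the example.</p>

```python
"""Audit postgresql.conf text against the parameter rules documented on this page."""
import re

# Documented value ranges (timeouts in seconds, *_time parameters in days).
RANGES = {
    "authentication_timeout": (1, 600), "session_timeout": (0, 86400),
    "auth_iteration_count": (2048, 134217728), "password_policy": (0, 1),
    "password_reuse_time": (0, 3650), "password_reuse_max": (0, 1000),
    "password_lock_time": (0, 365), "failed_login_attempts": (0, 1000),
    "password_encryption_type": (0, 2),
}
# Documented defaults, applied when a parameter is absent from the file.
# Assumption: a fresh cluster; upgraded clusters may keep an older default.
DEFAULTS = {
    "authentication_timeout": "1min", "auth_iteration_count": "50000",
    "session_timeout": "10min", "ssl": "on", "password_policy": "1",
    "password_reuse_time": "60", "password_reuse_max": "0",
    "password_lock_time": "1", "failed_login_attempts": "10",
    "password_encryption_type": "2",
}
TIME_UNITS = {"s": 1, "min": 60, "h": 3600, "d": 86400}
# name, then "=" or whitespace, then a quoted or bare value; "#" starts a comment.
SETTING = re.compile(r"^\s*([A-Za-z_][\w.]*)(?:\s*=\s*|\s+)('(?:[^']|'')*'|[^#\s]+)")

# Constructed sample input, not taken from a real cluster.
SAMPLE_CONF = """\
ssl = off
auth_iteration_count = 1000
password_policy = 0
password_encryption_type = 0      # MD5
failed_login_attempts = 10
password_lock_time = 0
password_reuse_time = 0
password_reuse_max = 0
session_timeout = '10min'
"""


def parse_conf(text):
    """Return {name: raw value}; a later line overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        match = SETTING.match(line)
        if match:
            value = match.group(2)
            if value.startswith("'"):
                value = value[1:-1].replace("''", "'")
            settings[match.group(1).lower()] = value
    return settings


def to_number(name, raw):
    """Convert a raw value to a number; timeouts accept s/min/h/d suffixes."""
    if name.endswith("_timeout"):
        match = re.fullmatch(r"(\d+)\s*(s|min|h|d)?", raw.strip())
        if not match:
            raise ValueError(f"{name}: cannot parse {raw!r}")
        return int(match.group(1)) * TIME_UNITS[match.group(2) or "s"]
    return float(raw)


def audit(text):
    """Return a list of (check, message) findings for the given file text."""
    conf = {**DEFAULTS, **parse_conf(text)}
    findings, num = [], {}
    for name, (low, high) in RANGES.items():
        try:
            num[name] = to_number(name, conf[name])
        except ValueError:
            findings.append((name, f"unparseable value {conf[name]!r}"))
            num[name] = to_number(name, DEFAULTS[name])
            continue
        if not low <= num[name] <= high:
            findings.append((name, f"{conf[name]} is outside {low}..{high}"))
    if conf["ssl"].lower() not in ("on", "true", "yes", "1"):
        findings.append(("ssl", "SSL connection is not enabled"))
    if num["password_policy"] == 0:
        findings.append(("password_policy", "password complexity is not checked"))
    if num["password_encryption_type"] == 0:
        findings.append(("password_encryption_type", "passwords are encrypted in MD5 mode"))
    # Locking works only when both values are positive.
    if num["failed_login_attempts"] <= 0 or num["password_lock_time"] <= 0:
        findings.append(("account_lockout", "automatic account locking is inactive"))
    if num["password_reuse_time"] == 0 and num["password_reuse_max"] == 0:
        findings.append(("password_reuse", "password reuse is not limited"))
    return findings


def perceived_attempts(failed_login_attempts, pgsslmode):
    """Wrong passwords a user can enter before lockout, per the PGSSLMODE note."""
    # allow/prefer send an SSL and a non-SSL request for each password attempt.
    if pgsslmode in ("allow", "prefer"):
        return failed_login_attempts // 2  # assumption: odd values round down
    return failed_login_attempts


if __name__ == "__main__":
    for check, message in audit(SAMPLE_CONF):
        print(f"{check}: {message}")
```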
<div class="section" id="EN-US_TOPIC_0000001145695003__s1ad72a5afb584f75bcdf05d19ee152f0"><h4 class="sectiontitle">password_min_length</h4><p id="EN-US_TOPIC_0000001145695003__a280331dce9f14713bebd9fb0281c156f"><strong id="EN-US_TOPIC_0000001145695003__en-us_topic_0059778664_a1fcc890ea1a74237a652e5545f91ef5f">Parameter description</strong>: Specifies the minimum account password length.</p>
<p id="EN-US_TOPIC_0000001145695003__p19381245112019"><strong id="EN-US_TOPIC_0000001145695003__b15452724204517">Type</strong>: SIGHUP</p>
<p id="EN-US_TOPIC_0000001145695003__p10232345153413"><strong id="EN-US_TOPIC_0000001145695003__b17725142820223">Value range</strong>: an integer. A password can contain 6 to 999 characters.</p>
<p id="EN-US_TOPIC_0000001145695003__aba52b80e818a4061b4c88f050e7c375b"><strong id="EN-US_TOPIC_0000001145695003__b1413578664144214">Default value</strong>: <strong id="EN-US_TOPIC_0000001145695003__b578690575144214">8</strong></p>
</div>
<div class="section" id="EN-US_TOPIC_0000001145695003__sc2fd1e87a08e46d4b37dd700a87a1590"><h4 class="sectiontitle">password_max_length</h4><p id="EN-US_TOPIC_0000001145695003__ab44aea1854e9495faca57e57cb9099ab"><strong id="EN-US_TOPIC_0000001145695003__en-us_topic_0059778664_ad86000e86ba44b6caa0c3e5e1d850bc9">Parameter description</strong>: Specifies the maximum account password length.</p>
<p id="EN-US_TOPIC_0000001145695003__p128800359207"><strong id="EN-US_TOPIC_0000001145695003__b1063120242454">Type</strong>: SIGHUP</p>
<p id="EN-US_TOPIC_0000001145695003__p084941483417"><strong id="EN-US_TOPIC_0000001145695003__b17746174413233">Value range</strong>: an integer. A password can contain 6 to 999 characters.</p>
<p id="EN-US_TOPIC_0000001145695003__a32516f1314934fd9bea16d9f506e3271"><strong id="EN-US_TOPIC_0000001145695003__en-us_topic_0059778487_ac1c9fb1d06e240c599caf85c9a8ed519">Default value</strong>: <strong id="EN-US_TOPIC_0000001145695003__en-us_topic_0059778487_en-us_topic_0058967649_b842352706195020">32</strong></p>
</div>
<div class="section" id="EN-US_TOPIC_0000001145695003__saeb9604931e149849cfea48326df75e4"><h4 class="sectiontitle">password_min_uppercase</h4><p id="EN-US_TOPIC_0000001145695003__a94e7257f5aa2436b9c093e36ebb2d3c3"><strong id="EN-US_TOPIC_0000001145695003__en-us_topic_0059778664_en-us_topic_0058967753_b586567172054">Parameter description</strong>: Specifies the minimum number of uppercase letters that an account password must contain.</p>
<p id="EN-US_TOPIC_0000001145695003__p112481327112020"><strong id="EN-US_TOPIC_0000001145695003__b87841424154513">Type</strong>: SIGHUP</p>
<p id="EN-US_TOPIC_0000001145695003__ac8e8cdb3d40e4cfc83f33ee23ebd7546"><strong id="EN-US_TOPIC_0000001145695003__b1621535982316">Value range</strong>: an integer ranging from 0 to 999.</p>
<ul id="EN-US_TOPIC_0000001145695003__u29390a83cd49414094fad7c2220baedf"><li id="EN-US_TOPIC_0000001145695003__l8f404cf47536484cbd61040492d22b45"><strong id="EN-US_TOPIC_0000001145695003__b842352706212534">0</strong> means no limit.</li><li id="EN-US_TOPIC_0000001145695003__li113111038462">A positive integer indicates the minimum number of uppercase letters in the password specified for creating an account.</li></ul>
<p id="EN-US_TOPIC_0000001145695003__a5d775a49aa094ae1a2f9fca99ff8bc53"><strong id="EN-US_TOPIC_0000001145695003__b842352706212615">Default value</strong>: <strong id="EN-US_TOPIC_0000001145695003__b20490125619251">0</strong></p>
</div>
<div class="section" id="EN-US_TOPIC_0000001145695003__sd016bfb5242743bcbba8245d16118228"><h4 class="sectiontitle">password_min_lowercase</h4><p id="EN-US_TOPIC_0000001145695003__a3caac1e29a0540b5b45a0f0abd98ca87"><strong id="EN-US_TOPIC_0000001145695003__en-us_topic_0059778664_ae1bfc0751d754deea0a2acfe3268333f">Parameter description</strong>: Specifies the minimum number of lowercase letters that an account password must contain.</p>
<p id="EN-US_TOPIC_0000001145695003__p11122151919205"><strong id="EN-US_TOPIC_0000001145695003__b895842413450">Type</strong>: SIGHUP</p>
<p id="EN-US_TOPIC_0000001145695003__a31e8387060a147d58ba8ca2850cee87d"><strong id="EN-US_TOPIC_0000001145695003__b934987809">Value range</strong>: an integer ranging from 0 to 999.</p>
<ul id="EN-US_TOPIC_0000001145695003__ua02658c2386448c0b73d48bef24d0712"><li id="EN-US_TOPIC_0000001145695003__l448421f6ee2b463ca49d120f40d9a503"><strong id="EN-US_TOPIC_0000001145695003__b877703811">0</strong> means no limit.</li><li id="EN-US_TOPIC_0000001145695003__ld379180671314988b222cc33482dd2a4">A positive integer indicates the minimum number of lowercase letters in the password specified for creating an account.</li></ul>
<p id="EN-US_TOPIC_0000001145695003__a5136da75fb384cedb78e8037a6185896"><strong id="EN-US_TOPIC_0000001145695003__b1354036802">Default value</strong>: <strong id="EN-US_TOPIC_0000001145695003__b2116387839">0</strong></p>
</div>
<div class="section" id="EN-US_TOPIC_0000001145695003__s6f018b106158445891f20cd2ff03d05e"><h4 class="sectiontitle">password_min_digital</h4><p id="EN-US_TOPIC_0000001145695003__afd038c00d694445e98abf282a3d3bf2c"><strong id="EN-US_TOPIC_0000001145695003__en-us_topic_0059778664_a03703e193a43423ca416f701d2eab723">Parameter description</strong>: Specifies the minimum number of digits that an account password must contain.</p>
<p id="EN-US_TOPIC_0000001145695003__p36461111192017"><strong id="EN-US_TOPIC_0000001145695003__b171361025174518">Type</strong>: SIGHUP</p>
<p id="EN-US_TOPIC_0000001145695003__a13f80aece3b14e10a5e6d369d8bf9522"><strong id="EN-US_TOPIC_0000001145695003__b2088263439">Value range</strong>: an integer ranging from 0 to 999.</p>
<ul id="EN-US_TOPIC_0000001145695003__u5f5f6b285e234b49b04e993d4b1efeef"><li id="EN-US_TOPIC_0000001145695003__l31a2474a619d4c218c3bb199050a9dda"><strong id="EN-US_TOPIC_0000001145695003__b1210535680">0</strong> means no limit.</li><li id="EN-US_TOPIC_0000001145695003__l9b07fe4b86354dc8b2e61bf0c9ef6118">A positive integer indicates the minimum number of digits in the password specified for creating an account.</li></ul>
<p id="EN-US_TOPIC_0000001145695003__a25fe8cf7de854096a0945a5e94685c36"><strong id="EN-US_TOPIC_0000001145695003__b510660400">Default value</strong>: <strong id="EN-US_TOPIC_0000001145695003__b327343446">0</strong></p>
</div>
<div class="section" id="EN-US_TOPIC_0000001145695003__s592982c9d4be4e7089e9895b0282a928"><h4 class="sectiontitle">password_min_special</h4><p id="EN-US_TOPIC_0000001145695003__add3613fae3ce42569375d18b46ebd9f4"><strong id="EN-US_TOPIC_0000001145695003__b1412013101869">Parameter description</strong>: Specifies the minimum number of <span id="EN-US_TOPIC_0000001145695003__ph1754411498293">special characters</span> that an account password must contain.</p>
<p id="EN-US_TOPIC_0000001145695003__p58056316209"><strong id="EN-US_TOPIC_0000001145695003__b43042257456">Type</strong>: SIGHUP</p>
<p id="EN-US_TOPIC_0000001145695003__a0b6544ffccd140e7b63cfeeca471d346"><strong id="EN-US_TOPIC_0000001145695003__b1764987076">Value range</strong>: an integer ranging from 0 to 999.</p>
<ul id="EN-US_TOPIC_0000001145695003__u0dcd92b62ff5498794ac7b71b2f25d8c"><li id="EN-US_TOPIC_0000001145695003__l7ee939ed477641a99e3b76e1af87611c"><strong id="EN-US_TOPIC_0000001145695003__b1823430129">0</strong> means no limit.</li><li id="EN-US_TOPIC_0000001145695003__li857662895214">A positive integer indicates the minimum number of special characters in the password specified for creating an account.</li></ul>
<p id="EN-US_TOPIC_0000001145695003__a4c668cd1c1b84450911a9a26c2920f95"><strong id="EN-US_TOPIC_0000001145695003__b2125402221">Default value</strong>: <strong id="EN-US_TOPIC_0000001145695003__b448405009">0</strong></p>
</div>
<div class="section" id="EN-US_TOPIC_0000001145695003__sf2083c0fff0d4f52a32c89dc24cb0476"><h4 class="sectiontitle">password_effect_time</h4><p id="EN-US_TOPIC_0000001145695003__aa298734079d54c9cb62e2928c623d051"><strong id="EN-US_TOPIC_0000001145695003__en-us_topic_0059778664_a8b870fe38dfa4ae1ab0fcf85aa425d3f">Parameter description</strong>: Specifies the validity period of an account password.</p>
<p id="EN-US_TOPIC_0000001145695003__p9978554151913"><strong id="EN-US_TOPIC_0000001145695003__b2473102554517">Type</strong>: SIGHUP</p>
<p id="EN-US_TOPIC_0000001145695003__a543a1a821a034992a698f47fdd6c69ca"><strong id="EN-US_TOPIC_0000001145695003__b4959152315476">Value range</strong>: a floating point number ranging from 0 to 999. The unit is day.</p>
<ul id="EN-US_TOPIC_0000001145695003__udf25f051463543b1ab5d36d8d0185a41"><li id="EN-US_TOPIC_0000001145695003__l3540aab4c9234f13a20079a3edd37d3b"><strong id="EN-US_TOPIC_0000001145695003__b84235270621354">0</strong> indicates that the validity period restriction is disabled.</li><li id="EN-US_TOPIC_0000001145695003__li2969182411532">A floating point number from 1 to 999 indicates the validity period of the password specified for creating an account. When the password is about to expire or has expired, the system prompts the user to change the password.</li></ul>
<p id="EN-US_TOPIC_0000001145695003__accd9cd0f325c4f02a8e92619836d989e"><strong id="EN-US_TOPIC_0000001145695003__b1896293517535">Default value</strong>: <strong id="EN-US_TOPIC_0000001145695003__b842352706171710">90</strong></p>
</div>
<div class="section" id="EN-US_TOPIC_0000001145695003__s3e8269f98d6142ec91ef07b9b5bf6168"><h4 class="sectiontitle">password_notify_time</h4><p id="EN-US_TOPIC_0000001145695003__a2a948409ed244e09a17bc6a31748010b"><strong id="EN-US_TOPIC_0000001145695003__en-us_topic_0059778664_a640280595dc84d1498b59351e4a520f2">Parameter description</strong>: Specifies how many days in advance users are notified before the account password expires.</p>
<p id="EN-US_TOPIC_0000001145695003__p134171640181714"><strong id="EN-US_TOPIC_0000001145695003__b16640202519458">Type</strong>: SIGHUP</p>
<p id="EN-US_TOPIC_0000001145695003__a20481a932b404bd5a403ba802046efa8"><strong id="EN-US_TOPIC_0000001145695003__b1842173254713">Value range</strong>: an integer ranging from 0 to 999. The unit is day.</p>
<ul id="EN-US_TOPIC_0000001145695003__u2ea69d68c3cf40bfa8f13747710c6ecd"><li id="EN-US_TOPIC_0000001145695003__l634b3abfe3274a4ba0f7115869935645"><strong id="EN-US_TOPIC_0000001145695003__b842352706213633">0</strong> indicates that the reminder is disabled.</li><li id="EN-US_TOPIC_0000001145695003__li1937775035716">A positive integer indicates the number of days before expiry at which the reminder appears.</li></ul>
<p id="EN-US_TOPIC_0000001145695003__p1215920525812"><strong id="EN-US_TOPIC_0000001145695003__en-us_topic_0058967657_b26917141">Default value</strong>: <strong id="EN-US_TOPIC_0000001145695003__b842352706204923">7</strong></p>
</div>
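<p>The following audit script is an added example, not part of the DWS documentation or product. It checks a constructed <strong>postgresql.conf</strong> fragment against the ranges and defaults listed above; the cross-parameter checks and the names <strong>parse_conf</strong> and <strong>audit</strong> are assumptions of this example, not rules stated for the product.</p>

```python
import re

CLASSES = ["password_min_uppercase", "password_min_lowercase",
           "password_min_digital", "password_min_special"]
# Ranges and defaults documented on this page: name -> (min, max, default).
SPEC = {
    "password_min_length": (6, 999, 8),
    "password_max_length": (6, 999, 32),
    **{name: (0, 999, 0) for name in CLASSES},
    "password_effect_time": (0, 999, 90),
    "password_notify_time": (0, 999, 7),
}
LINE = re.compile(r"\s*(\w+)(?:\s*=\s*|\s+)'?(\d+(?:\.\d+)?)'?\s*$")

def parse_conf(text):
    """Read 'name = value' lines (comments stripped); unset names keep the default."""
    conf = {**{n: float(s[2]) for n, s in SPEC.items()}, "password_encryption_type": 2.0}
    for line in text.splitlines():
        m = LINE.match(line.split("#", 1)[0])
        if m and m.group(1) in conf:
            conf[m.group(1)] = float(m.group(2))
    return conf

def audit(text):
    """Return findings; the cross-parameter checks are this example's assumptions."""
    c = parse_conf(text)
    out = [f"{n}={c[n]:g} is outside the documented range {lo}-{hi}"
           for n, (lo, hi, _) in SPEC.items() if not lo <= c[n] <= hi]
    checks = [
        (c["password_encryption_type"] != 2, "password_encryption_type is not the current default 2"),
        (c["password_min_length"] > c["password_max_length"], "password_min_length exceeds password_max_length"),
        (sum(c[n] for n in CLASSES) > c["password_max_length"], "class minimums exceed password_max_length"),
        (c["password_effect_time"] == 0, "password_effect_time=0 disables password expiry"),
        (0 < c["password_effect_time"] <= c["password_notify_time"], "password_notify_time is not shorter than password_effect_time"),
    ]
    return out + [msg for failed, msg in checks if failed]

# Constructed sample: a fragment as it might look on a cluster upgraded from 8.0.0.
SAMPLE = """
password_encryption_type = 1    # kept from the earlier version
password_min_length = 4
password_max_length = 16
password_min_uppercase = 10
password_min_lowercase = 10
password_effect_time = 0
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

<p>An empty fragment, meaning every parameter is at the default listed on this page, produces no findings.</p>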
</div>