doc-exports/docs/dws/umn/dws_01_0074.html
Lu, Huayi c5fcb46315 DWS UMN 801 version
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: Lu, Huayi <luhuayi@huawei.com>
Co-committed-by: Lu, Huayi <luhuayi@huawei.com>
2022-12-13 12:47:57 +00:00

<a name="EN-US_TOPIC_0000001134560600"></a><a name="EN-US_TOPIC_0000001134560600"></a>
<h1 class="topictitle1">Configuring Separation of Permissions</h1>
<div id="body1508830153272"><div class="section" id="EN-US_TOPIC_0000001134560600__section43782126162722"><h4 class="sectiontitle">Scenario</h4><p id="EN-US_TOPIC_0000001134560600__p17859528113310">By default, the administrator specified when you create a GaussDB(DWS) cluster is the database system administrator. This single account can both create other users and view the audit logs of the database. That is, separation of permissions is disabled.</p>
<p id="EN-US_TOPIC_0000001134560600__p1550115116373">GaussDB(DWS) supports role-based separation of permissions. In this way, different roles have different permissions and cluster data can be better protected.</p>
<p id="EN-US_TOPIC_0000001134560600__p18197342213">For details about the default permissions mode and the separation of permissions mode, see "Database Security Management &gt; Managing Users and Their Permissions &gt; Separation of Permissions" in the <i><cite id="EN-US_TOPIC_0000001134560600__cite6cd7bbbf77d94888b323a578a8aab11e162923">Data Warehouse Service (DWS) Developer Guide</cite></i>.</p>
</div>
<div class="section" id="EN-US_TOPIC_0000001134560600__section32447445163911"><h4 class="sectiontitle">Impact on the System</h4><p id="EN-US_TOPIC_0000001134560600__p10983948163924">For modified security parameters to take effect, the cluster may be restarted, which makes the cluster temporarily unavailable.</p>
</div>
<div class="section" id="EN-US_TOPIC_0000001134560600__section6488541984957"><h4 class="sectiontitle">Prerequisites</h4><p id="EN-US_TOPIC_0000001134560600__p13296105233612">To modify the cluster's security configuration, ensure that the following conditions are met:</p>
<ul id="EN-US_TOPIC_0000001134560600__ul1465125853716"><li id="EN-US_TOPIC_0000001134560600__li362597153810">The cluster status is <span class="parmvalue" id="EN-US_TOPIC_0000001134560600__parmvalue39842032133813"><b>Available</b></span> or <span class="parmvalue" id="EN-US_TOPIC_0000001134560600__parmvalue898443233811"><b>Unbalanced</b></span>.</li><li id="EN-US_TOPIC_0000001134560600__li16464158183717">The value of <strong id="EN-US_TOPIC_0000001134560600__b29518326385">Task Information</strong> cannot be <span class="parmvalue" id="EN-US_TOPIC_0000001134560600__parmvalue109518323387"><b>Creating snapshot</b></span>, <span class="parmvalue" id="EN-US_TOPIC_0000001134560600__parmvalue14951183211383"><b>Resizing</b></span>, <span class="parmvalue" id="EN-US_TOPIC_0000001134560600__parmvalue5952103283816"><b>Configuring</b></span>, or <span class="parmvalue" id="EN-US_TOPIC_0000001134560600__parmvalue395214323381"><b>Restarting</b></span>.</li></ul>
</div>
<div class="section" id="EN-US_TOPIC_0000001134560600__section63097435164448"><h4 class="sectiontitle">Procedure</h4><ol id="EN-US_TOPIC_0000001134560600__ol587855816457"><li id="EN-US_TOPIC_0000001134560600__li1864101482116"><span>Log in to the GaussDB(DWS) management console.</span></li><li id="EN-US_TOPIC_0000001134560600__li640122716457"><span>In the navigation pane on the left, click <span class="uicontrol" id="EN-US_TOPIC_0000001134560600__uicontrol5438105692318"><b>Clusters</b></span>.</span></li><li id="EN-US_TOPIC_0000001134560600__li18003557164415"><span>In the cluster list, click the name of a cluster. On the page that is displayed, click <span class="uicontrol" id="EN-US_TOPIC_0000001134560600__uicontrol1495449194249"><b>Security Settings</b></span>.</span><p><p id="EN-US_TOPIC_0000001134560600__p46648779164659">By default, <span class="parmname" id="EN-US_TOPIC_0000001134560600__parmname325381539194317"><b>Configuration Status</b></span> is <span class="parmvalue" id="EN-US_TOPIC_0000001134560600__parmvalue212129348194334"><b>Synchronized</b></span>, which indicates that the latest database result is displayed.</p>
</p></li><li id="EN-US_TOPIC_0000001134560600__li1254982362310"><span>On the <span class="wintitle" id="EN-US_TOPIC_0000001134560600__wintitle1511446198145918"><b>Security Settings</b></span> page, configure separation of permissions.</span><p><p id="EN-US_TOPIC_0000001134560600__p52528295290"><span><img id="EN-US_TOPIC_0000001134560600__image1325210299294" src="figure/en-us_image_0000001134560798.png"></span> indicates that the function is enabled. When separation of permissions is enabled, configure the username and password for <span class="parmname" id="EN-US_TOPIC_0000001134560600__parmname03271852213"><b>Security Administrator</b></span> and <span class="parmname" id="EN-US_TOPIC_0000001134560600__parmname13434802217"><b>Audit Administrator</b></span>. Then the system automatically creates these two users. You can use these two users to connect to the database and perform database-related operations.</p>
<p id="EN-US_TOPIC_0000001134560600__p9253029112910"><span><img id="EN-US_TOPIC_0000001134560600__image2068495618556" src="figure/en-us_image_0000001180440227.jpg"></span> indicates that <strong id="EN-US_TOPIC_0000001134560600__b815464223219">Rights Separation</strong> is disabled. <strong id="EN-US_TOPIC_0000001134560600__b13107140185415">Rights Separation</strong> is disabled by default.</p>
<div class="fignone" id="EN-US_TOPIC_0000001134560600__fig151823755214"><span class="figcap"><b>Figure 1 </b>Security configuration</span><br><span><img id="EN-US_TOPIC_0000001134560600__image48464235714" src="figure/en-us_image_0000001134401020.png" height="343.221928" width="465.5" title="Click to enlarge" class="imgResize"></span></div>
<div class="p" id="EN-US_TOPIC_0000001134560600__p820220480539">
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0000001134560600__table19251053172511" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Security parameters</caption><thead align="left"><tr id="EN-US_TOPIC_0000001134560600__row1625953112519"><th align="left" class="cellrowborder" valign="top" width="20%" id="mcps1.3.4.2.4.2.4.1.2.4.1.1"><p id="EN-US_TOPIC_0000001134560600__p32612535253"><strong id="EN-US_TOPIC_0000001134560600__b7617970162543">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="59%" id="mcps1.3.4.2.4.2.4.1.2.4.1.2"><p id="EN-US_TOPIC_0000001134560600__p11261153202515"><strong id="EN-US_TOPIC_0000001134560600__b842352706181449">Description</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="21%" id="mcps1.3.4.2.4.2.4.1.2.4.1.3"><p id="EN-US_TOPIC_0000001134560600__p15261253162517"><strong id="EN-US_TOPIC_0000001134560600__b60793810112357">Example Value</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0000001134560600__row626115316259"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.4.2.4.2.4.1.2.4.1.1 "><p id="EN-US_TOPIC_0000001134560600__p326105342511">Security Administrator</p>
</td>
<td class="cellrowborder" valign="top" width="59%" headers="mcps1.3.4.2.4.2.4.1.2.4.1.2 "><p id="EN-US_TOPIC_0000001134560600__p1125715255316">The username must meet the following requirements:</p>
<ul id="EN-US_TOPIC_0000001134560600__ul925811254311"><li id="EN-US_TOPIC_0000001134560600__li102591325173115">Consists of lowercase letters, digits, or underscores.</li><li id="EN-US_TOPIC_0000001134560600__li1026116251316">Starts with a lowercase letter or an underscore.</li><li id="EN-US_TOPIC_0000001134560600__li0263102511313">Contains 6 to 64 characters.</li><li id="EN-US_TOPIC_0000001134560600__li1126582593114">Cannot be a keyword of the GaussDB(DWS) database. For details about the keywords of the GaussDB(DWS) database, see "SQL Syntax Reference &gt; Keyword" in the <em id="EN-US_TOPIC_0000001134560600__i17317051113419">Data Warehouse Service (DWS) Developer Guide</em>.</li></ul>
</td>
<td class="cellrowborder" valign="top" width="21%" headers="mcps1.3.4.2.4.2.4.1.2.4.1.3 "><p id="EN-US_TOPIC_0000001134560600__p62610537258">security_admin</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001134560600__row326125322513"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.4.2.4.2.4.1.2.4.1.1 "><p id="EN-US_TOPIC_0000001134560600__p1026853112518">Password</p>
</td>
<td class="cellrowborder" valign="top" width="59%" headers="mcps1.3.4.2.4.2.4.1.2.4.1.2 "><div class="p" id="EN-US_TOPIC_0000001134560600__p14892133520320">The password complexity requirements are as follows:<ul id="EN-US_TOPIC_0000001134560600__ue389ad2f3aa5470484fa087e28427ed7"><li id="EN-US_TOPIC_0000001134560600__en-us_topic_0106894662_li14183138142">Contains 8 to 32 characters.</li><li id="EN-US_TOPIC_0000001134560600__l74fe7d31380b48208fb0ff63c167c83d">Cannot be the username or the username spelled backwards.</li><li id="EN-US_TOPIC_0000001134560600__l67a2f75d35aa4f77bfba2654af9a7980">Must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters (~!`?,.:;-_'"(){}[]/&lt;&gt;@#%^&amp;*+|\=)</li><li id="EN-US_TOPIC_0000001134560600__l7db73fd0c15f463b8c0c82f13969046a">Passes the weak password check.</li></ul>
</div>
</td>
<td class="cellrowborder" valign="top" width="21%" headers="mcps1.3.4.2.4.2.4.1.2.4.1.3 "><p id="EN-US_TOPIC_0000001134560600__p226753172513">-</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001134560600__row82645310256"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.4.2.4.2.4.1.2.4.1.1 "><p id="EN-US_TOPIC_0000001134560600__p126195319254">Confirm Password</p>
</td>
<td class="cellrowborder" valign="top" width="59%" headers="mcps1.3.4.2.4.2.4.1.2.4.1.2 "><p id="EN-US_TOPIC_0000001134560600__p82612538250">Enter the password of the security administrator again.</p>
</td>
<td class="cellrowborder" valign="top" width="21%" headers="mcps1.3.4.2.4.2.4.1.2.4.1.3 "><p id="EN-US_TOPIC_0000001134560600__p14262538253">-</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001134560600__row3931218192713"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.4.2.4.2.4.1.2.4.1.1 "><p id="EN-US_TOPIC_0000001134560600__p1695718122717">Audit Administrator</p>
</td>
<td class="cellrowborder" valign="top" width="59%" headers="mcps1.3.4.2.4.2.4.1.2.4.1.2 "><p id="EN-US_TOPIC_0000001134560600__p138595192390">The username must meet the following requirements:</p>
<ul id="EN-US_TOPIC_0000001134560600__ul615614912298"><li id="EN-US_TOPIC_0000001134560600__l41a661ff392a43d9820a15f9610f9f2c">Consists of lowercase letters, digits, or underscores.</li><li id="EN-US_TOPIC_0000001134560600__l9c57b090c2f243ae9b34c86b9332ed0f">Starts with a lowercase letter or an underscore.</li><li id="EN-US_TOPIC_0000001134560600__l7916b6b1399d4e6282352ca7e577be4f">Contains 6 to 64 characters.</li><li id="EN-US_TOPIC_0000001134560600__l5cda75074d244980bec7977002e3b503">Cannot be a keyword of the GaussDB(DWS) database. For details about the keywords of the GaussDB(DWS) database, see "SQL Syntax Reference &gt; Keyword" in the <em id="EN-US_TOPIC_0000001134560600__i1276453219480">Data Warehouse Service (DWS) Developer Guide</em>.</li></ul>
</td>
<td class="cellrowborder" valign="top" width="21%" headers="mcps1.3.4.2.4.2.4.1.2.4.1.3 "><p id="EN-US_TOPIC_0000001134560600__p159510181272">audit_admin</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001134560600__row16584121102717"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.4.2.4.2.4.1.2.4.1.1 "><p id="EN-US_TOPIC_0000001134560600__p6584182110274">Password</p>
</td>
<td class="cellrowborder" valign="top" width="59%" headers="mcps1.3.4.2.4.2.4.1.2.4.1.2 "><div class="p" id="EN-US_TOPIC_0000001134560600__p1358411211270">The password complexity requirements are as follows:<ul id="EN-US_TOPIC_0000001134560600__u5e2bd265f04e46f9b7f0319234f05493"><li id="EN-US_TOPIC_0000001134560600__l093315efb2f943eab2030a9c6ebccfdd">Contains 8 to 32 characters.</li><li id="EN-US_TOPIC_0000001134560600__ld71a01baa8e846dbab9922618a9174fc">Cannot be the username or the username spelled backwards.</li><li id="EN-US_TOPIC_0000001134560600__l428973edc49b455eafc05af51a70f513">Must contain at least 3 of the following character types: uppercase letters, lowercase letters, digits, and special characters ~!@#%^&amp;*()-_=+|[{}];:,&lt;.&gt;/?</li><li id="EN-US_TOPIC_0000001134560600__la40dfacfcc48409fa103c87b34e816d5">Passes the weak password check.</li></ul>
</div>
</td>
<td class="cellrowborder" valign="top" width="21%" headers="mcps1.3.4.2.4.2.4.1.2.4.1.3 "><p id="EN-US_TOPIC_0000001134560600__p205846217277">-</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001134560600__row16526153272717"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.4.2.4.2.4.1.2.4.1.1 "><p id="EN-US_TOPIC_0000001134560600__p7526183215279">Confirm Password</p>
</td>
<td class="cellrowborder" valign="top" width="59%" headers="mcps1.3.4.2.4.2.4.1.2.4.1.2 "><p id="EN-US_TOPIC_0000001134560600__p352613262718">Enter the password of the audit administrator again.</p>
</td>
<td class="cellrowborder" valign="top" width="21%" headers="mcps1.3.4.2.4.2.4.1.2.4.1.3 "><p id="EN-US_TOPIC_0000001134560600__p9526163215277">-</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</p></li><li id="EN-US_TOPIC_0000001134560600__li64616335165821"><span>Click <span class="uicontrol" id="EN-US_TOPIC_0000001134560600__uicontrol1442806226195210"><b>Apply</b></span>.</span></li><li id="EN-US_TOPIC_0000001134560600__li886214216518"><span>In the displayed <span class="wintitle" id="EN-US_TOPIC_0000001134560600__wintitle934631851151546"><b>Save Configuration</b></span> dialog box, select or deselect <strong id="EN-US_TOPIC_0000001134560600__b842352706151624">Restart the cluster</strong> and click <strong id="EN-US_TOPIC_0000001134560600__b842352706151633">Yes</strong>.</span><p><ul id="EN-US_TOPIC_0000001134560600__ul17838265512"><li id="EN-US_TOPIC_0000001134560600__li14783122619515">If you select <span class="parmname" id="EN-US_TOPIC_0000001134560600__parmname1329250059152036"><b>Restart the cluster</b></span>, the system saves the settings on the <span class="wintitle" id="EN-US_TOPIC_0000001134560600__wintitle54552218152120"><b>Security Settings</b></span> page and restarts the cluster immediately. After the cluster is restarted, the security settings take effect immediately.</li><li id="EN-US_TOPIC_0000001134560600__li149486281515">If you do not select <span class="parmname" id="EN-US_TOPIC_0000001134560600__parmname47791558152215"><b>Restart the cluster</b></span>, the system only saves the settings on the <span class="wintitle" id="EN-US_TOPIC_0000001134560600__wintitle1748940334152247"><b>Security Settings</b></span> page. Later, you need to manually restart the cluster for the security settings to take effect.</li></ul>
<p id="EN-US_TOPIC_0000001134560600__p79676586616">After the security settings are complete, <span class="parmname" id="EN-US_TOPIC_0000001134560600__parmname7696479059396"><b>Configuration Status</b></span> can be one of the following on the <span class="wintitle" id="EN-US_TOPIC_0000001134560600__wintitle104272764093757"><b>Security Settings</b></span> page:</p>
<ul id="EN-US_TOPIC_0000001134560600__ul1485864535110"><li id="EN-US_TOPIC_0000001134560600__li139715583614"><span class="parmvalue" id="EN-US_TOPIC_0000001134560600__parmvalue3971165813615"><b>Applying</b></span>: The system is saving the settings.</li><li id="EN-US_TOPIC_0000001134560600__li1797211581365"><span class="parmvalue" id="EN-US_TOPIC_0000001134560600__parmvalue55512574494033"><b>Synchronized</b></span>: The settings have been saved and have taken effect.</li><li id="EN-US_TOPIC_0000001134560600__li6863164555118"><span class="parmvalue" id="EN-US_TOPIC_0000001134560600__parmvalue8087991594148"><b>Take effect after restart</b></span>: The settings have been saved but have not taken effect. Restart the cluster for the settings to take effect.</li></ul>
</p></li></ol>
</div>
</div>
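<p>The username and password rules in Table 1 can be checked before the values are entered on the <b>Security Settings</b> page. The following is an added example, not part of the original GaussDB(DWS) documentation or console code. The keyword set and weak password set are small constructed stand-ins, the function names are hypothetical, and the requirement that the two usernames differ is an assumption. Because the two password rows list different special characters, the check counts only the characters that appear in both rows.</p>

```python
import re

# Username rule from Table 1: lowercase letters, digits, underscores; starts
# with a lowercase letter or an underscore; 6 to 64 characters.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_]{5,63}")
# Special characters listed in BOTH password rows of Table 1 (the Audit
# Administrator list, which is a subset of the Security Administrator list).
SPECIALS = set("~!@#%^&*()-_=+|[{}];:,<.>/?")
# Assumptions: constructed stand-ins for the GaussDB(DWS) keyword list and the
# console's weak password dictionary, neither of which is on this page.
SAMPLE_KEYWORDS = {"select", "insert", "update", "delete", "cascade"}
SAMPLE_WEAK_PASSWORDS = {"Password123", "Admin@123"}


def username_errors(name, keywords=SAMPLE_KEYWORDS):
    errors = []
    if not USERNAME_RE.fullmatch(name):
        errors.append("username: 6-64 chars of [a-z0-9_], starting with [a-z_]")
    if name in keywords:
        errors.append("username: database keyword")
    return errors


def password_errors(username, password, weak=SAMPLE_WEAK_PASSWORDS):
    errors = []
    if not 8 <= len(password) <= 32:
        errors.append("password: length must be 8 to 32")
    if password in (username, username[::-1]):
        errors.append("password: equals username or username reversed")
    classes = [
        any(c.isascii() and c.isupper() for c in password),
        any(c.isascii() and c.islower() for c in password),
        any(c.isascii() and c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
    ]
    if sum(classes) < 3:
        errors.append("password: needs 3 of upper/lower/digit/special")
    if password in weak:
        errors.append("password: in weak password list")
    return errors


def check_admin_pair(sec_user, sec_pw, audit_user, audit_pw):
    """Return rule violations for the two accounts the console creates."""
    errors = {
        "security": username_errors(sec_user) + password_errors(sec_user, sec_pw),
        "audit": username_errors(audit_user) + password_errors(audit_user, audit_pw),
    }
    if sec_user == audit_user:  # assumption: the two accounts must be distinct
        errors["audit"].append("username: same as security administrator")
    return errors
```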