forked from docs/doc-exports
Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com> Co-authored-by: luhuayi <luhuayi@huawei.com> Co-committed-by: luhuayi <luhuayi@huawei.com>
34 lines
7.7 KiB
HTML
<a name="EN-US_TOPIC_0000001764650668"></a><a name="EN-US_TOPIC_0000001764650668"></a>
<h1 class="topictitle1">Security and Authentication (postgresql.conf)</h1>
<div id="body8662426"><p id="EN-US_TOPIC_0000001764650668__en-us_topic_0059778664_p11527581314">This section describes the parameters that control secure authentication between the client and the server.</p>
<div class="section" id="EN-US_TOPIC_0000001764650668__s7086b76ae0224deaa57a373bffdb2cd4"><h4 class="sectiontitle">session_timeout</h4><p id="EN-US_TOPIC_0000001764650668__a65fd2184ace34d97b2a0687ab4e37059"><strong id="EN-US_TOPIC_0000001764650668__b510982710453">Parameter description</strong>: Specifies the maximum idle time without any operations after a connection to the server is established.</p>
<p id="EN-US_TOPIC_0000001764650668__p17710210161613"><strong id="EN-US_TOPIC_0000001764650668__b55090196459">Type</strong>: USERSET</p>
<p id="EN-US_TOPIC_0000001764650668__a09a71366f2b040d6ae2a70b893186868"><strong id="EN-US_TOPIC_0000001764650668__b842352706204447">Value range</strong>: an integer ranging from 0 to 86400. The minimum unit is the second (s). <strong id="EN-US_TOPIC_0000001764650668__b84235270620458">0</strong> disables the timeout.</p>
<p id="EN-US_TOPIC_0000001764650668__adc0a1206ddb24871bd8f94618569b424"><strong id="EN-US_TOPIC_0000001764650668__b17505192220213">Default value</strong>: <strong id="EN-US_TOPIC_0000001764650668__b18505182219218">10 min</strong></p>
<div class="notice" id="EN-US_TOPIC_0000001764650668__nea2f24e1ae734d76bc9b119dbf7113e9"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><ul id="EN-US_TOPIC_0000001764650668__ul671116165720"><li id="EN-US_TOPIC_0000001764650668__li187111710575">The gsql client of <span id="EN-US_TOPIC_0000001764650668__text51909278">GaussDB(DWS)</span> has an automatic reconnection mechanism. If the initialized local connection of a user to the server times out, gsql disconnects from and reconnects to the server.</li><li id="EN-US_TOPIC_0000001764650668__li6344177165713">Connections from the pooler connection pool to other CNs and DNs are not controlled by the <strong id="EN-US_TOPIC_0000001764650668__b143365525113">session_timeout</strong> parameter.</li></ul>
</div></div>
</div>
<div class="section" id="EN-US_TOPIC_0000001764650668__s6fec625af84c4e5ab66d1731d270f22b"><h4 class="sectiontitle">ssl_renegotiation_limit</h4><p id="EN-US_TOPIC_0000001764650668__a182a4c15d39a4a24b2f205e7f6ccb03f"><strong id="EN-US_TOPIC_0000001764650668__en-us_topic_0059778664_a3d4c28655aba4ee29f293b53d46b3ba1">Parameter description</strong>: Specifies the volume of traffic that can pass over the SSL-encrypted channel before the session key is renegotiated. Limiting the traffic per key reduces the chance that an attacker can recover the key by cryptanalysis of a large amount of data, but it causes significant performance loss. The traffic is the sum of sent and received traffic.</p>
<p id="EN-US_TOPIC_0000001764650668__p777214359165"><strong id="EN-US_TOPIC_0000001764650668__b20877120204513">Type</strong>: USERSET</p>
<div class="note" id="EN-US_TOPIC_0000001764650668__note11998020131414"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="EN-US_TOPIC_0000001764650668__p1853316399306">Retain the default value, which disables the renegotiation mechanism. Do not use the <strong id="EN-US_TOPIC_0000001764650668__b204674514101">gs_guc</strong> tool or other methods to set the <strong id="EN-US_TOPIC_0000001764650668__b9686134100">ssl_renegotiation_limit</strong> parameter in the <strong id="EN-US_TOPIC_0000001764650668__b5982122031010">postgresql.conf</strong> file; the setting does not take effect.</p>
</div></div>
<p id="EN-US_TOPIC_0000001764650668__aac6ce1acfd8544cf9724d1da94365b4c"><strong id="EN-US_TOPIC_0000001764650668__b1316119383446">Value range</strong>: an integer ranging from 0 to <strong id="EN-US_TOPIC_0000001764650668__b11979145834416">INT_MAX</strong>. The unit is KB. <strong id="EN-US_TOPIC_0000001764650668__b842352706173359">0</strong> indicates that the renegotiation mechanism is disabled.</p>
<p id="EN-US_TOPIC_0000001764650668__a9e96827e5e37425cb22d8f3bcec9b4b3"><strong id="EN-US_TOPIC_0000001764650668__b5735075">Default value</strong>: <strong id="EN-US_TOPIC_0000001764650668__b842352706171333">0</strong></p>
</div>
<div class="section" id="EN-US_TOPIC_0000001764650668__s98a9fdb6b85f4f6ab813a269524dc136"><h4 class="sectiontitle">failed_login_attempts</h4><p id="EN-US_TOPIC_0000001764650668__a728065526a914656aaf8a378553443e9"><strong id="EN-US_TOPIC_0000001764650668__b74807121034549">Parameter description</strong>: Specifies the maximum number of incorrect password attempts before an account is locked. The account is automatically unlocked after the time specified in <strong id="EN-US_TOPIC_0000001764650668__b23110410534549">password_lock_time</strong>. Incorrect password attempts include, for example, failed logins and incorrect password entries when running the <strong id="EN-US_TOPIC_0000001764650668__b23623973144319">ALTER USER</strong> command.</p>
<p id="EN-US_TOPIC_0000001764650668__p18461121072113"><strong id="EN-US_TOPIC_0000001764650668__b111832414517">Type</strong>: SIGHUP</p>
<p id="EN-US_TOPIC_0000001764650668__a0224277f9a664877b46f18d4c758d355"><strong id="EN-US_TOPIC_0000001764650668__b1258375934517">Value range</strong>: an integer ranging from 0 to 1000</p>
<ul id="EN-US_TOPIC_0000001764650668__u2bb51f329fe045138ae839bee1b2a455"><li id="EN-US_TOPIC_0000001764650668__lb312d482a3854183bf40917bf659c12a"><strong id="EN-US_TOPIC_0000001764650668__b116577120934549">0</strong> indicates that the automatic locking function does not take effect.</li><li id="EN-US_TOPIC_0000001764650668__l65f61253bf434234ae28fc8ccbc0df02">A positive number indicates that an account is locked when the number of incorrect password attempts reaches the value of <strong id="EN-US_TOPIC_0000001764650668__b15968773634549">failed_login_attempts</strong>.</li></ul>
<p id="EN-US_TOPIC_0000001764650668__ab392fcc48a044305bd2ec11df4aeba77"><strong id="EN-US_TOPIC_0000001764650668__b16400126619">Default value</strong>: <strong id="EN-US_TOPIC_0000001764650668__b24011028618">10</strong></p>
<div class="notice" id="EN-US_TOPIC_0000001764650668__n28c694ec85094dcc9f7b9ac281b5df70"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><ul id="EN-US_TOPIC_0000001764650668__ul17447217111619"><li id="EN-US_TOPIC_0000001764650668__li134473174161">The locking and unlocking functions take effect only when the values of <strong id="EN-US_TOPIC_0000001764650668__b99521678215">failed_login_attempts</strong> and <strong id="EN-US_TOPIC_0000001764650668__b1439522515210">password_lock_time</strong> are positive numbers.</li><li id="EN-US_TOPIC_0000001764650668__li10201141914167"><strong id="EN-US_TOPIC_0000001764650668__b3679195513415">failed_login_attempts</strong> works with the SSL connection mode of the client to identify the number of incorrect password attempts. If PGSSLMODE is set to <strong id="EN-US_TOPIC_0000001764650668__b210523516611">allow</strong> or <strong id="EN-US_TOPIC_0000001764650668__b2784382067">prefer</strong>, two connection requests are generated for a password connection request. One request attempts an SSL connection, and the other request attempts a non-SSL connection. In this case, the number of incorrect password attempts perceived by the user is the value of <strong id="EN-US_TOPIC_0000001764650668__b410464714816">failed_login_attempts</strong> divided by 2.</li></ul>
</div></div>
</div>
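<p>An added example (not part of the GaussDB(DWS) documentation or tooling): a Python check that reads postgresql.conf-style text and flags the settings described on this page, including the halved attempt count under PGSSLMODE <strong>allow</strong> or <strong>prefer</strong>. The sample file, the function names, the accepted time suffixes and the handling of password_lock_time as a plain number are assumptions.</p>

```python
import re

DEFAULTS = {"session_timeout": "10min", "ssl_renegotiation_limit": "0",
            "failed_login_attempts": "10"}
UNITS = {None: 1, "s": 1, "min": 60, "h": 3600}  # assumed time-unit suffixes
SAMPLE = """\
# constructed sample, not taken from a real cluster
session_timeout = 0            # idle timeout disabled
ssl_renegotiation_limit = 512  # KB
failed_login_attempts = 6
password_lock_time = 0
"""

def parse_conf(text):
    """Return {name: value} from postgresql.conf-style text; last entry wins."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"(\w+)(?:\s*=\s*|\s+)'?([^']+?)'?", line)
        if m:
            conf[m.group(1).lower()] = m.group(2).strip()
    return conf

def to_seconds(value):
    m = re.fullmatch(r"(\d+)\s*(s|min|h)?", value)
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def audit(text, sslmode="prefer"):
    """Return (findings, perceived_attempts); the latter is None if locking is off."""
    conf = {**DEFAULTS, **parse_conf(text)}
    findings = []
    idle = to_seconds(conf["session_timeout"])
    if not 0 <= idle <= 86400:
        findings.append("session_timeout: outside 0..86400 s")
    elif idle == 0:
        findings.append("session_timeout: 0 disables the idle timeout")
    if int(conf["ssl_renegotiation_limit"]) != 0:
        findings.append("ssl_renegotiation_limit: set in file, does not take effect")
    attempts = int(conf["failed_login_attempts"])
    # Assumption: plain number, unit not on this page; treated as positive if unset.
    lock = float(conf.get("password_lock_time", "1"))
    if attempts <= 0 or lock <= 0:
        findings.append("account locking: needs both values positive")
        return findings, None
    # With PGSSLMODE allow/prefer each password entry yields two requests.
    per_entry = 2 if sslmode in ("allow", "prefer") else 1
    return findings, attempts / per_entry
```

<p>Calling <strong>audit(SAMPLE)</strong> reports all three problems in the constructed file; an empty file audited with the defaults on this page yields no findings and five perceived attempts under <strong>prefer</strong>.</p>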
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dws_04_0888.html">Connection and Authentication</a></div>
</div>
</div>