Security Configuration

elastic_search_ip_addr

Parameter description: Specifies the IP address of the Elasticsearch system.

This parameter is a POSTMASTER parameter. Set it based on instructions provided in Table 1.

Value range: a string

Default value: 'https:127.0.0.1'

enable_security_policy

Parameter description: Specifies whether the unified audit and dynamic data masking policies take effect.

This parameter is a SIGHUP parameter. Set it based on instructions provided in Table 1.

Value range: Boolean

on: The security policy is enabled.

off: The security policy is disabled.

Default value: off

use_elastic_search

Parameter description: Specifies whether to send unified audit logs to Elasticsearch. If enable_security_policy and this parameter are enabled, unified audit logs are sent to Elasticsearch through HTTP or HTTPS (used by default). After this parameter is enabled, ensure that the Elasticsearch service corresponding to **elastic_search_ip_addr **can be properly connected. Otherwise, the process fails to be started.

This parameter is a POSTMASTER parameter. Set it based on instructions provided in Table 1.

Value range: Boolean

on: Unified audit logs are sent to Elasticsearch.

off: Unified audit logs are not sent to Elasticsearch.

Default value: off

is_sysadmin

Parameter description: Specifies whether the current user is an initial user.

This parameter is a fixed INTERNAL parameter and cannot be modified.

Value range: Boolean

on indicates that the user is an initial user.

off indicates that the user is not an initial user.

Default value: off

enable_tde

Parameter description: Specifies whether to enable the TDE function. Set this parameter to on before creating an encrypted table. If this parameter is set to off, new encrypted tables cannot be created. The created encrypted table is decrypted only when data is read and is not encrypted when the data is written.

This parameter is a POSTMASTER parameter. Set it based on instructions provided in Table 1.

Value range: Boolean

on: The TDE function is enabled.

off: The TDE function is disabled.

Default value: off

tde_cmk_id

Parameter description: Specifies the CMK ID of the database instance used by the TDE function. The ID is generated by KMS. The CMK of the database instance is used to encrypt the DEK. When the DEK needs to be decrypted, a request packet needs to be sent to KMS. The DEK ciphertext and the ID of the corresponding CMK are sent to KMS.

This parameter is a SIGHUP parameter. Set it based on instructions provided in Table 1.

Value range: a string

Default value: ""

block_encryption_mode

Parameter description: Specifies the block encryption mode used by the aes_encrypt and aes_decrypt functions for encryption and decryption.

This parameter is a USERSET parameter. Set it based on instructions provided in Table 1.

Value range: enumerated values. Valid values are aes-128-cbc, aes-192-cbc, aes-256-cbc, aes-128-cfb1, aes-192-cfb1, aes-256-cfb1, aes-128-cfb8, aes-192-cfb8, aes-256-cfb8, aes-128-cfb128, aes-192-cfb128, aes-256-cfb128, aes-128-ofb, aes-192-ofb, and aes-256-ofb. aes indicates the encryption or decryption algorithm. 128, 192, and 256 indicate the key lengths (unit: bit). cbc, cfb1, cfb8, cfb128, ofb indicate the block encryption or decryption mode.

Default value: aes-128-cbc

Feedback
编组 3备份
    openGauss 2024-12-22 00:53:44
    cancel