Security and Permission
This section describes how to secure an Apache Cloudberry system. The guide assumes knowledge of Linux/UNIX system administration and database management systems. Familiarity with structured query language (SQL) is helpful.
Because Apache Cloudberry is based on PostgreSQL, this guide assumes some familiarity with PostgreSQL. References to PostgreSQL documentation are provided throughout this guide for features that are similar to those in Apache Cloudberry.
This information is intended for system administrators responsible for administering an Apache Cloudberry system.
Ports and Protocols
Lists network ports and protocols used within the Cloudberry cluster.
Manage Roles and Privileges
The Apache Cloudberry authorization mechanism stores roles and privileges to access database objects in the database and is administered using SQL statements or command-line utilities.
Configure Client Authentication
This topic explains how to configure client connections and authentication for Apache Cloudberry.
Configure Database Authorization
This document describes how to restrict access to database data at the user level by using roles and permissions.
Encrypt Data and Database Connections
This document describes how to encrypt data at rest in the database or in transit over the network, to protect against eavesdroppers and man-in-the-middle attacks.
Transparent Data Encryption
To meet requirements for protecting user data, Apache Cloudberry supports Transparent Data Encryption (TDE).
Log Auditing
This document describes Apache Cloudberry events that are logged and should be monitored to detect security threats.
Configure Row-Level Security Policy
Row-level security (RLS) policy allows the table owner to define access policies that control users' access to specific rows of the table. When a user tries to query or update a table, the RLS policy is applied first, before the user's command is executed, to filter the rows in the table.