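Security and Permissions
This section describes how to secure an Apache Cloudberry system. This guide assumes knowledge of Linux/UNIX system administration and database management systems, as well as familiarity with SQL.
Apache Cloudberry is based on PostgreSQL, so you need some familiarity with PostgreSQL. For Apache Cloudberry features that are similar to those in PostgreSQL, this guide provides links to the official PostgreSQL documentation.
This documentation is intended for administrators responsible for managing an Apache Cloudberry database system.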
📄️ Ports and Protocols
Lists network ports and protocols used within the Cloudberry cluster.
📄️ Manage Roles and Privileges
The Apache Cloudberry authorization mechanism stores roles and privileges to access database objects in the database and is administered using SQL statements or command-line utilities.
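📄️ Configure Client Authentication
This document describes how to configure client connections and authentication for Apache Cloudberry.
📄️ Configure Database Authorization
This document describes how to use roles and privileges to restrict access to database data at the user level.
📄️ Encrypt Data and Database Connections
This document describes how to encrypt data at rest in the database or data in transit over the network to protect against eavesdropping and man-in-the-middle attacks.
📄️ Transparent Data Encryption
To meet the need to protect user data, Apache Cloudberry supports Transparent Data Encryption (TDE).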
📄️ Log Auditing
This document describes Apache Cloudberry events that are logged and should be monitored to detect security threats.
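📄️ Configure Row-Level Security Policies
Row-level security (RLS) policies allow a table's owner to define access control rules that restrict users' access to specific rows in the table. When a user attempts to query or modify table data, the system applies the RLS policies first to filter the accessible rows, and only then executes the SQL operation the user submitted.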
📄️ Protect Passwords
In its default configuration, Apache Cloudberry saves MD5 or SCRAM-SHA-256 hashes of login users' passwords in the pg_authid system catalog rather than saving clear text passwords. Anyone who is able to view the pg_authid table can see hash strings, but no passwords. This also ensures that passwords are obscured when the database is dumped to backup files.
📄️ Set Password Profile
A profile is a password policy configuration that controls the password security policy of users in Apache Cloudberry. You can bind a profile to one or more users to control the password security policy of those database users. A profile defines the rules for user management and password reuse. With a profile, the database administrator can use SQL to enforce constraints such as locking accounts after login failures or controlling the number of password reuses.
📄️ Security Best Practices
Describes basic security best practices that you should follow to ensure the highest level of system security.
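About Endpoint Security Software
If you install endpoint security software on Apache Cloudberry hosts, such as antivirus software, data protection software, network security tools, or other security-related programs, that software may add CPU, I/O, network, or memory load that interferes with Apache Cloudberry operations and affects database performance and stability.
Follow the endpoint security vendor's recommendations and test thoroughly in a non-production environment to ensure the software does not negatively affect Apache Cloudberry operations.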