检测到您已登录华为云国际站账号,为了您更好的体验,建议您访问国际站服务网站 https://www.huaweicloud.com/intl/zh-cn
不再显示此消息
检测到您已登录华为云国际站账号,为了您更好的体验,建议您访问国际站服务网站 https://www.huaweicloud.com/intl/zh-cn
不再显示此消息
Syntax 1 CREATE USER user_name [ [ WITH ] option [ ... ] ] [ ENCRYPTED | UNENCRYPTED ] { PASSWORD | IDENTIFIED BY } { 'password' [EXPIRED] | DISABLE }; The option clause is used to configure information, including permissions and properties. 1 2 3 4 5 6 7 8 9 10 11 12 13
- -k, --with-key=KEY Uses gsql to decrypt imported encrypted files.
- -k, --with-key=KEY Uses gsql to decrypt imported encrypted files.
To enable the basic capability of encrypted equality query, change the value to 1.
Default value: postgresql enable_ce Specifies the encrypted equality query capability.
The following object types do not support flashback: system catalogs, column-store tables, MOTs, DFS tables, global temporary tables, local temporary tables, unlogged tables, sequence tables, hash bucket tables, and encrypted tables.
You can run the SHOW command to check whether the parameters are set successfully. enable_ce Encrypted database function. enable_ce=1 indicates that the Go driver supports the basic capability of encrypted equality query.
database. 1 2 3 4 Prerequisites: You have set the parameters and used the CREATE CLIENT MASTER KEY syntax to create a master key named MyCMK1 by referring to "Setting Encrypted Equality Queries" in Feature Guide.
Precautions Currently, you can change only the permissions for tables (including views), sequences, functions, types, CMKs of encrypted databases, and CEKs.
operation. enableSeparationOfDuty Specifies whether the separation of duties is enabled. session_timeout If the duration of a connection session exceeds the parameter value, the session is automatically disconnected. auth_iteration_count Number of iterations during the generation of encrypted
Precautions Currently, you can change only the permissions for tables (including views), sequences, functions, client master keys of encrypted databases, column encryption keys, and types.
Table 3 SQL statements for defining a CMK Function SQL Statement Creating a CMK CREATE CLIENT MASTER KEY Dropping a CMK DROP CLIENT MASTER KEY Defining a Column Encryption Key (CEK) CEKs are used to encrypt data for the encrypted database feature.
CMKs are used to encrypt column encryption keys (CEKs) for the encrypted database feature. CMK definition includes creating and deleting a CMK. For details about related SQL statements, see Table 3.
table. 1 2 3 4 5 6 7 8 gaussdb=# SET SESSION AUTHORIZATION newuser PASSWORD '********'; gaussdb=> CREATE TABLE acltest1 (x int, x2 varchar(50) ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = MyCEK1, ENCRYPTION_TYPE = DETERMINISTIC)); CREATE TABLE gaussdb=> SELECT has_cek_privilege('newuser
Connect to an encrypted database. 1 2 3 4 5 6 -- Use the -C parameter to enable the encrypted database function. gsql -p 57101 gaussdb -r -C gaussdb=# CREATE CLIENT MASTER KEY MyCMK1 WITH ( KEY_STORE = xxx, KEY_PATH = xxx, ALGORITHM = AES_256_CBC); CREATE CLIENT MASTER KEY gaussdb
Connect to an encrypted database. 1 2 3 4 5 6 -- Use the -C parameter to enable the encrypted database function. gsql -p 57101 postgres -r -C gaussdb=# CREATE CLIENT MASTER KEY MyCMK1 WITH ( KEY_STORE = xxx , KEY_PATH = xxx , ALGORITHM = AES_256_CBC); CREATE CLIENT MASTER KEY gaussdb
audit the SET operation enableSeparationOfDuty Whether the separation of duty is enabled session_timeout If the duration of a connection session exceeds the parameter value, the session is automatically disconnected. auth_iteration_count Number of iterations during the generation of encrypted
[cmd] gs_ktool -g -- (2) Use a privileged account to create a common user named alice. openGauss=# CREATE USER alice PASSWORD '********'; -- (3) Use the account of common user alice to connect to the encrypted database and execute the syntax. gsql -p 57101 postgres -U alice -r -C
Compared with the PG driver, the GaussDB JDBC driver has the following enhanced features: SHA-256 is supported for encrypted login. The third-party log framework that implements the sf4j API can be connected. DR failover is supported.
Precautions Currently, you can change only the permissions for tables (including views), sequences, functions, types, client master keys of encrypted databases, and column encryption keys.
