Configuring Database Audit
Overview
Background
Database security is essential for a database system. MogDB writes all user operations in the database to audit logs. Database security administrators can use the audit logs to reproduce a series of events that cause faults in the database and identify unauthorized users, unauthorized operations, and the time when these operations are performed.
You need to know the following about the audit function:
- The overall audit switch audit_enabled supports dynamic loading. After you change the switch status when the database is running, the change takes effect immediately and you do not need to restart the database. Its default value is on, indicating that the audit function is enabled.
- In addition to the overall audit switch, each audit item has an independent switch. The audit function takes effect only after its own switch is enabled.
- The switch of each audit supports dynamic loading. After changing the switch status of an audit item when the database is running, the modification takes effect immediately and you do not need to restart the database.
[Table 1](#Table 3.1.1) describes the audit items supported by MogDB.
Configuration Item | Description |
---|---|
User login and logout audit | Parameter: audit_login_logout. Its default value is 7, which indicates that the function of user login and logout audit is enabled. 0 indicates that the function of user login and logout audit is disabled. Other values are not recommended. |
Database startup, stop, recovery, and switchover audit | Parameter: audit_database_process. Its default value is 1, which indicates that the audit of database startup, stop, recovery, and switchover is enabled. |
User locking and unlocking audit | Parameter: audit_user_locked. Its default value is 1, which indicates that the audit of user locking and unlocking is enabled. |
Unauthorized access audit | Parameter: audit_user_violation. Its default value is 0, which indicates that the audit of unauthorized access is disabled. |
Permission granting and revoking audit | Parameter: audit_grant_revoke. Its default value is 1, which indicates that the audit of permission granting and revoking is enabled. |
Audit of CREATE, ALTER, and DROP operations on database objects | Parameter: audit_system_object. Its default value is 12295, which indicates that the CREATE, ALTER, and DROP operations only on databases, schemas, users, data sources, and node groups are audited. |
Audit of INSERT, UPDATE, and DELETE operations on a specific table | Parameter: audit_dml_state. Its default value is 0, which indicates that the audit of DML operations (except SELECT) on a specific table is disabled. |
SELECT operation audit | Parameter: audit_dml_state_select. Its default value is 0, which indicates that the audit of the SELECT operation is disabled. |
COPY operation audit | Parameter: audit_copy_exec. Its default value is 0, which indicates that the audit of the COPY operation is disabled. |
Execution of stored procedures and customized functions | Parameter: audit_function_exec. Its default value is 0, which indicates that no execution audit logs of stored procedures and customized functions are recorded. |
SET operation audit | Parameter: audit_set_parameter. Its default value is 1, which indicates that the audit of the SET operation is enabled. |
[Table 2](#Table 3.1.2) lists security-related parameters and their default values.
Table 2 Security-related parameters and their default values
Parameter | Default Value | Description |
---|---|---|
ssl | on | Specifies whether the SSL connection is enabled. |
require_ssl | off | Specifies whether the server requires the SSL connection. |
ssl_ciphers | ALL | Encryption algorithm list supported by the SSL |
ssl_cert_file | server.crt | File containing the SSL server certificate |
ssl_key_file | server.key | File containing the SSL private key |
ssl_ca_file | cacert.pem | File containing CA information |
ssl_crl_file | NULL | File containing CRL information |
password_policy | 1 | Specifies whether to check the password complexity. |
password_reuse_time | 60 | Specifies whether to check the reuse days of a new password. |
password_reuse_max | 0 | Specifies whether to check the reuse times of a new password. |
password_lock_time | 1 | Duration before a locked account is automatically unlocked |
failed_login_attempts | 10 | If the number of consecutive login attempts with incorrect passwords reaches this value, the account is locked. |
password_encryption_type | 2 | Password storage encryption mode |
password_min_uppercase | 0 | Minimum number of uppercase letters in a password |
password_min_lowercase | 0 | Minimum number of lowercase letters in a password |
password_min_digital | 0 | Minimum number of digits in a password |
password_min_special | 0 | Minimum number of special characters in a password |
password_min_length | 8 | Minimum password length NOTE: The value of this parameter must be less than or equal to that of password_max_length. Otherwise, a password length error message is displayed upon all password-related operations. |
password_max_length | 32 | Maximum password length NOTE: The value of this parameter must be greater than or equal to that of password_min_length. Otherwise, a password length error message is displayed upon all password-related operations. |
password_effect_time | 90 | Password validity period |
password_notify_time | 7 | Number of days prior to account password expiration that a user is notified |
audit_enabled | on | Specifies whether the audit process is enabled or disabled. |
audit_directory | pg_audit | Audit file storage directory |
audit_data_format | binary | Audit log file format. Currently, only the binary format is supported. |
audit_rotation_interval | 1d | Time interval of creating an audit log file. If the interval between the creation time of the last audit log file and the current time exceeds the parameter value, the server generates a new audit log file. |
audit_rotation_size | 10MB | Maximum capacity of an audit log file. If the total number of messages in an audit log exceeds the value of audit_rotation_size, the server will generate a new audit log file. |
audit_resource_policy | on | Policy for determining whether audit logs are preferentially stored by space or time. on indicates that audit logs are preferentially stored by space. |
audit_file_remain_time | 90 | Minimum duration required for recording audit logs. This parameter is valid only when audit_resource_policy is set to off. |
audit_space_limit | 1GB | Maximum total size of audit log files in a disk |
audit_file_remain_threshold | 1048576 | Maximum number of audit files in the audit directory |
audit_login_logout | 7 | Specifies whether to audit user logins (including login successes and failures) and logouts. |
audit_database_process | 1 | Specifies whether to audit database startup, stop, switchover, and restoration operations. |
audit_user_locked | 1 | Specifies whether to audit database user locking and unlocking. |
audit_user_violation | 0 | Specifies whether to audit unauthorized access of database users. |
audit_grant_revoke | 1 | Specifies whether to audit user permission granting and reclaiming operations. |
audit_system_object | 12295 | Specifies whether to audit the CREATE, DROP, and ALTER operations on database objects. |
audit_dml_state | 0 | Specifies whether to audit the INSERT, UPDATE, and DELETE operations on a specific table. |
audit_dml_state_select | 0 | Specifies whether to audit the SELECT operation. |
audit_copy_exec | 0 | Specifies whether to audit the COPY operation. |
audit_function_exec | 0 | Specifies whether to record audit information during execution of stored procedures, anonymous blocks, or customized functions (excluding system functions). |
audit_set_parameter | 1 | Specifies whether to audit the SET operation. |
enableSeparationOfDuty | off | Specifies whether the separation of duties is enabled. |
session_timeout | 10min | If the duration of a connection session exceeds the parameter value, the session is automatically disconnected. |
auth_iteration_count | 10000 | Number of iterations during the generation of encrypted information for authentication |
Procedure
- Log in as the OS user omm to the primary node of the database.
- Run the following command to connect to the database:

  ```
  gsql -d mogdb -p 8000
  ```

  mogdb is the name of the database to be connected, and 8000 is the port number of the database primary node.

  If information similar to the following is displayed, the connection succeeds:

  ```
  gsql ((MogDB 1.1.0 build 5be05d82) compiled at 2020-05-08 02:59:43 commit 2143 last mr 131
  Non-SSL connection (SSL connection is recommended when requiring high-security)
  Type "help" for help.

  mogdb=#
  ```

- Check the status of the overall audit switch.
  - Run the show command to view the value of audit_enabled.

    ```
    mogdb=# SHOW audit_enabled;
    ```

    If the status is off, run the \q command to exit the database.
  - Run the following command to enable the audit function. The parameter settings take effect immediately.

    ```
    gs_guc set -N all -I all -c "audit_enabled=on"
    ```

- Configure specific audit items.

  NOTE:
  - After the audit function is enabled, user operations can be recorded into an audit file.
  - The default parameter value of each audit item meets security standards. You can enable other audit functions, but doing so may affect the system performance.

  For example, you can enable the audit switch of the CREATE, DROP, and ALTER operations on all database objects. The methods of modifying other configuration items are similar to it.

  ```
  gs_guc reload -N all -I all -c "audit_system_object=12295"
  ```

  audit_system_object indicates the switch of the audit item, and 12295 indicates the value of the audit switch.
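An added example, not part of the MogDB documentation: a POSIX shell function that reads a postgresql.conf and reports audit switches that deviate from the defaults in Table 1. The names `audit_drift` and `sample_conf` and the sample fragment are constructed for illustration; parameters absent from the file are assumed to be at their default, and the running value should still be confirmed with SHOW.

```shell
#!/bin/sh
# Added example: report audit switches in a postgresql.conf that differ from
# the defaults listed in Table 1 of this page.

# Baseline copied from Table 1 (parameter=default value).
AUDIT_BASELINE="audit_enabled=on audit_login_logout=7 audit_database_process=1 \
audit_user_locked=1 audit_user_violation=0 audit_grant_revoke=1 \
audit_system_object=12295 audit_dml_state=0 audit_dml_state_select=0 \
audit_copy_exec=0 audit_function_exec=0 audit_set_parameter=1"

# audit_drift [FILE...]   (reads stdin when no file is given)
# Prints one line per audit parameter whose configured value differs:
#   WEAKER  <name> ...   an item that is on by default has been switched off
#   CHANGED <name> ...   any other deviation from the default
# Exit status is 1 if at least one WEAKER line was printed, otherwise 0.
audit_drift() {
    awk -v baseline="$AUDIT_BASELINE" -v sq="'" '
    function norm(v) {                 # fold boolean spellings to on/off
        v = tolower(v)
        if (v == "true" || v == "yes") return "on"
        if (v == "false" || v == "no") return "off"
        return v
    }
    BEGIN {
        n = split(baseline, items, " ")
        for (i = 1; i <= n; i++) {
            split(items[i], kv, "=")
            order[i] = kv[1]           # keep the order used in Table 1
            dflt[kv[1]] = kv[2] ""     # force string comparison later
        }
    }
    {
        sub(/#.*/, "")                 # drop comments
        eq = index($0, "=")
        if (eq == 0) next
        key = tolower(substr($0, 1, eq - 1))
        val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key)
        gsub(/[ \t"]/, "", val)        # trim blanks and double quotes
        gsub(sq, "", val)              # trim single quotes
        if (key in dflt) conf[key] = norm(val)   # last assignment wins
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (!(k in conf)) continue           # not set: default applies
            v = conf[k]
            if (dflt[k] == "on" && v == "1") v = "on"
            if (dflt[k] == "on" && v == "0") v = "off"
            if (v == dflt[k]) continue
            if ((v == "0" || v == "off") && dflt[k] != "0") {
                tag = "WEAKER"; weaker++
            } else {
                tag = "CHANGED"
            }
            printf "%s %s configured=%s default=%s\n", tag, k, v, dflt[k]
        }
        exit (weaker > 0)
    }' "$@"
}

# Constructed sample input (not taken from a real system).
sample_conf() {
    cat <<'EOF'
# constructed postgresql.conf fragment for the example
audit_enabled = on
audit_login_logout = 0          # login/logout audit switched off
audit_grant_revoke = 1
audit_dml_state = 1             # stricter than the default
audit_system_object = 12295
#audit_set_parameter = 0        # commented out, so the default applies
port = 8000
EOF
}

# Usage: audit_drift /path/to/postgresql.conf   or   sample_conf | audit_drift
```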
Querying Audit Results
Prerequisites
- Audit has been enabled.
- Audit of required items has been enabled.
- The database is running properly and a series of addition, modification, deletion, and query operations have been executed in the database. Otherwise, no audit result is generated.
- Audit logs are separately recorded on the database nodes.
Background
- Only users with the AUDITADMIN permission can view audit records. For details about database users and how to create users, see Users.
- The SQL function pg_query_audit is provided by the database for audit query. Its syntax is as follows:

  ```
  pg_query_audit(timestamptz startime,timestamptz endtime,audit_log)
  ```

  startime and endtime indicate the start time and end time of the audit record, respectively. audit_log indicates the physical file path of the queried audit logs. If audit_log is not specified, the audit log information of the current instance is queried.

  NOTE: The difference between the values of the startime and endtime parameters indicates the query period, which can be any value ranging from 00:00:00 of the startime parameter to 23:59:59 of the endtime parameter. Therefore, the startime and endtime parameters must be properly set to ensure that the required audit information is displayed.
Procedure
- Log in as the OS user omm to the primary node of the database.
- Run the following command to connect to the database:

  ```
  gsql -d mogdb -p 8000
  ```

  mogdb is the name of the database to be connected, and 8000 is the port number of the database primary node.

  If information similar to the following is displayed, the connection succeeds:

  ```
  gsql ((MogDB 1.1.0 build 5be05d82) compiled at 2020-05-08 02:59:43 commit 2143 last mr 131
  Non-SSL connection (SSL connection is recommended when requiring high-security)
  Type "help" for help.

  mogdb=#
  ```

- Run the following command to query the audit record:

  ```
  mogdb=# SELECT * FROM pg_query_audit('2015-07-15 08:00:00','2015-07-15 09:47:33');
  ```

  The command output is similar to the following:

  ```
            time          |     type      | result | username |    database    | client_conninfo |  object_name   |                          detail_info                          | node_name |            thread_id            | local_port | remote_port
  ------------------------+---------------+--------+----------+----------------+-----------------+----------------+---------------------------------------------------------------+-----------+---------------------------------+------------+-------------
   2015-07-15 08:03:55+08 | login_success | ok     | omm      | mogdb          | gsql@::1        | mogdb          | login db(mogdb) success,the current user is:omm               | dn_5003   | 139808902997776@490233835920483 | 9000       | 55805
  ```

This audit record indicates that user omm logged in to the mogdb database at 08:03:55+08 on July 15, 2015. After the host specified by log_hostname is started and a client is connected to its IP address, the host name found by reverse DNS resolution is displayed following the at sign (@) in the value of client_conninfo.
Maintaining Audit Logs
Prerequisites
You have the audit permission.
Background
- [Table 1](#Table 3.3.1) lists the configuration parameters related to audit logs and the parameter descriptions.

  Table 1 Configuration parameters of audit logs

  Parameter | Description | Default Value |
  ---|---|---|
  audit_directory | Audit file storage directory | /var/log/mogdb/User name/pg_audit |
  audit_resource_policy | Policy for saving audit logs | on (indicating that the space configuration policy is used) |
  audit_space_limit | Maximum storage space occupied by audit files | 1GB |
  audit_file_remain_time | Minimum period for storing audit log files | 90 |
  audit_file_remain_threshold | Maximum number of audit files in the audit directory | 1048576 |

  NOTE: If gs_om is used for MogDB deployment, audit logs are stored in /var/log/mogdb/Username/pg_audit.
- The pg_delete_audit function is used to delete audit logs and is an internal SQL function of the database. Its syntax is as follows:

  ```
  pg_delete_audit(timestamp startime,timestamp endtime)
  ```

  startime and endtime indicate the audit record start time and end time, respectively.
- Audit content is commonly recorded to database tables or OS files. [Table 2](#Table 3.3.2) lists the advantages and disadvantages of the two record methods.

  Table 2 Comparison between the two record methods

  Mode | Advantage | Disadvantage |
  ---|---|---|
  Record in tables | Users do not need to maintain audit logs. | Any users having certain permissions to access database objects can access the audit tables. If a user illegally performs operations on the audit tables, the audit records may become inaccurate. |
  Record in OS files | This method has higher security because a user with the permission to access the database may not have the permission to access the OS files. | Users need to maintain audit logs. |

  For database security purposes, MogDB adopts the second method to save audit results for reliability.
Procedure
- Log in as the OS user omm to the primary node of the database.
- Run the following command to connect to the database:

  ```
  gsql -d mogdb -p 8000
  ```

  mogdb is the name of the database to be connected, and 8000 is the port number of the database primary node.

  If information similar to the following is displayed, the connection succeeds:

  ```
  gsql ((MogDB 1.1.0 build 5be05d82) compiled at 2020-05-08 02:59:43 commit 2143 last mr 131
  Non-SSL connection (SSL connection is recommended when requiring high-security)
  Type "help" for help.

  mogdb=#
  ```

- Select a method to maintain audit logs.
  - Automatic deletion of audit logs

    If the storage space occupied by audit files or the number of audit files reaches the upper limit, the system automatically deletes the oldest audit files and records deletion information to audit logs.

    NOTE: By default, the allowed maximum storage space that can be occupied by audit files is set to 1024 MB. Users can set the value as required.

    Configure the allowed maximum size of storage space occupied by audit files (audit_space_limit).
    - View the current value.

      ```
      mogdb=# SHOW audit_space_limit;
       audit_space_limit
      -------------------
       1GB
      (1 row)
      ```

      If the command output is not 1 GB (1024 MB), run the \q command to exit the database.
    - Run the following command to set the parameter to its default value 1024MB:

      ```
      gs_guc reload -N all -I all -c "audit_space_limit=1024MB"
      ```

    Configure the maximum number of audit files (audit_file_remain_threshold).
    - View the current value.

      ```
      mogdb=# SHOW audit_file_remain_threshold;
       audit_file_remain_threshold
      -----------------------------
       1048576
      (1 row)
      ```

      If the command output is not 1048576, run the \q command to exit the database.
    - Run the following command to set the parameter to its default value 1048576:

      ```
      gs_guc reload -N all -I all -c "audit_file_remain_threshold=1048576"
      ```

  - Manual backup of audit files

    If the storage space occupied by audit files or the number of audit logs exceeds the threshold specified by the configuration file, the system automatically deletes the oldest audit files. Therefore, you are advised to periodically save important audit logs.
    - Run the show command to view the directory (audit_directory) where audit files are saved.

      ```
      mogdb=# SHOW audit_directory;
      ```

    - Copy the entire audit directory elsewhere to save it.
  - Manual deletion of audit files

    Run the pg_delete_audit command to manually delete the audit records generated during a specified period of time.

    Example: Manually delete the audit records generated from September 20, 2012 to September 21, 2012.

    ```
    mogdb=# SELECT pg_delete_audit('2012-09-20 ','2012-09-21');
    ```

Configuring File Permission Security Policies
Background
During its installation, the database sets permissions for its files, including files (such as log files) generated during the running process. File permissions are set as follows:
- The permission of program directories in the database is set to 0750.
- The permission for data file directories in the database is set to 0700.

  During MogDB deployment, the directory specified by the tmpMppdbPath parameter in the XML configuration file is created for storing .s.PGSQL.* files. If the parameter is not specified, the /tmp/$USER_mppdb directory is created. The directory and file permission is set to 0700.
- The permissions of data files and audit logs of the database, as well as data files generated by other database programs, are set to 0600. The permission of run logs is equal to or lower than 0640 by default.
- Common OS users are not allowed to modify or delete database files and log files.
Directory and File Permissions of Database Programs
[Table 1](#Table 3.4.1) lists some of the program directories and file permissions of the installed database.
Table 1 Program directories and file permissions
File or Directory | Parent Directory | Permissions |
---|---|---|
bin | - | 0700 |
lib | - | 0700 |
share | - | 0700 |
data (database node/primary database node) | - | 0700 |
base | Instance data directory | 0700 |
global | Instance data directory | 0700 |
pg_audit | Instance data directory (configurable) | 0700 |
pg_log | Instance data directory (configurable) | 0700 |
pg_xlog | Instance data directory | 0700 |
postgresql.conf | Instance data directory | 0600 |
pg_hba.conf | Instance data directory | 0600 |
postmaster.opts | Instance data directory | 0600 |
pg_ident.conf | Instance data directory | 0600 |
gs_initdb | bin | 0700 |
gs_dump | bin | 0700 |
gs_ctl | bin | 0700 |
gs_guc | bin | 0700 |
gsql | bin | 0700 |
archive_status | pg_xlog | 0700 |
libpq.so.5.5 | lib | 0600 |
Suggestion
During the installation, the database automatically sets permissions for its files, including files (such as log files) generated during the running process. The specified permissions meet permission requirements in most scenarios. If you have any special requirements for the related permissions, you are advised to periodically check the permission settings to ensure that the permissions meet the product requirements.
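One way to run the periodic check suggested above, as an added example that is not part of the MogDB documentation: a shell function that compares the modes of the paths in Table 1 with the values the table lists and reports any that grant extra permission bits. The name `check_mogdb_perms` is hypothetical; the code assumes GNU stat on Linux and that pg_audit and pg_log are in their default location under the instance data directory.

```shell
#!/bin/sh
# Added example: verify program and data paths against the modes in Table 1.
# Assumes GNU stat (Linux). The caller supplies the program directory and
# the instance data directory; both are site-specific.

# Expected modes copied from Table 1. "A:" entries are relative to the
# program directory, "D:" entries to the instance data directory.
EXPECTED_MODES="
A:bin=0700 A:lib=0700 A:share=0700
A:bin/gs_initdb=0700 A:bin/gs_dump=0700 A:bin/gs_ctl=0700
A:bin/gs_guc=0700 A:bin/gsql=0700
A:lib/libpq.so.5.5=0600
D:.=0700 D:base=0700 D:global=0700
D:pg_audit=0700 D:pg_log=0700
D:pg_xlog=0700 D:pg_xlog/archive_status=0700
D:postgresql.conf=0600 D:pg_hba.conf=0600
D:postmaster.opts=0600 D:pg_ident.conf=0600
"

# check_mogdb_perms APP_DIR DATA_DIR
# Prints "LOOSE <path> mode=<actual> expected=<expected>" for every path that
# has a permission bit set beyond the expected mode, and "MISSING <path>" for
# paths that do not exist. Returns 0 when no LOOSE path was found, else 1.
check_mogdb_perms() {
    app_dir=$1
    data_dir=$2
    loose=0
    for entry in $EXPECTED_MODES; do
        rel=${entry%=*}
        want=${entry#*=}
        case $rel in
            A:*) path=$app_dir/${rel#A:} ;;
            D:*) path=$data_dir/${rel#D:} ;;
        esac
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            continue
        fi
        # -L follows symlinks so the mode of the real file is checked.
        have=$(stat -L -c '%a' "$path")
        # Octal arithmetic: any bit in the actual mode that is not in the
        # expected mode means the path is more permissive than Table 1.
        if [ $(( 0$have & ~$want )) -ne 0 ]; then
            echo "LOOSE $path mode=0$have expected=$want"
            loose=$((loose + 1))
        fi
    done
    [ "$loose" -eq 0 ]
}

# Usage: check_mogdb_perms <program directory> <instance data directory>
```

A mode that is stricter than the table value is not reported; only extra bits are.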