In order to manage data access control, you can easily implement database role privilege and expiration management.
Operators can easily create roles related to database operations, assign privileges, and manage the expiration dates of database roles with login privileges in order to manage data access control.
Databases contain important data such as personal information, and data protection is important.
Data protection is defined in security protocols and is an important aspect of operations.
In order to protect data from being viewed by a third party, it is necessary to properly set the access control of database roles.
In this feature, it is recommended to divide into the following database roles.
Database administrator: Construction/operation of database system
Confidential administrator: Set appropriate privileges for each database resource
General users: End users of the database
By preparing multiple database operators/administrators and assigning privileges to each, it is possible to distribute privileges. This makes it possible to prevent data from being referenced or tampered with by users with strong privileges.
This section describes the roles of database roles created by this feature.
Database administrators can perform operations related to database operations, such as referencing system tables and canceling back-end queries.
Confidential administrators grant appropriate privileges to tables and roles to prevent third parties from viewing data. With this feature, it is possible to grant the confidential administrator the privilege to use the confidentiality management feature, and to grant the appropriate privilege to each database resource.
In addition, it is not recommended to use roles with SUPERUSER or BYPASSRLS privilege that can see all data for data protection. Therefore, in this feature, the SUPERUSER (postgres) password is isolated by hiding it, and the SUPERUSER and BYPASSRLS privileges are not granted to the created database role.
Create a database role "postgres" with SUPERUSER privileges for the operator when building the database.
By omitting "spec.fepChildCrVal.sysUsers.pgAdminPassword" in the FEPCluster custom resource, the postgres role password is created with a random value, making it impossible for general users to use SUPERUSER privileges. However, a separate method is provided to use the "postgres" role when the administrator needs SUPERUSER privileges for database operations. Therefore, monitor for unexpected usage using the audit feature of pgAudit.
Database role for database management. Defining this role is mandatory.
The user name and password are defined in "pguser" and "pgpassword" under spec.fepChildCrVal.sysUsers in the FEPCluster custom resource. Has CREATE DATABASE privilege and can see system tables/cancel backend queries.
The database administrator role has the following privileges.
NOSUPERUSER
NOREPLICATION
NOBYPASSRLS
CREATEDB
INHERIT
LOGIN
CREATEROLE
However, NOCREATEROLE privileges are granted when the confidential administrator role is created.
I also belong to the following roles:
pg_monitor
pg_signal_backend
A database role that uses the confidentiality management feature to set appropriate privileges for each database resource for database users. Creating this role is optional.
User name and password are defined in "pgSsecurityUser" and "pgSsecurityPassword" under "spec.fepChildCrVal.sysUsers" of FEPCluster custom resource.
Confidential administrator roles can be defined after building FEPCluster. However, you cannot change the role name or delete the role after defining this role.
This role holds the following privileges.
LOGIN
CREATEROLE
NOSUPERUSER
NOREPLICATION
NOBYPASSRLS
NOCREATEDB
NOINHERIT
The Confidential administrator role has ALL privileges for the database defined in the FEPCluster custom resource "spec.fepChildCrVal.sysUsers.pgdb", and can create database objects such as tables in the target database.
Confidential administrator roles are assigned the following privileges necessary to operate the confidentiality management feature of Fujitsu Enterprise Postgres, so the confidentiality management feature can be used immediately after the role is created.
CREATEROLE privilege
SELECT privilege, INSERT privilege, UPDATE privilege, and DELETE privilege to all tables included in the extension of confidentiality management feature
Grant ownership to the confidential administrator role for the database objects managed by the confidentiality management feature.
In addition, by granting the privileges required for the confidential administrator role to operate the confidentiality management feature to other database roles, the number of users who perform confidential management can be increased and the privileges can be distributed.
You can control who can connect to the database by managing role expiration.
This section describes two methods for managing role expiration:
Policy-based password operation
Password operation with the VALID UNTIL clause
In policy-based password operation, you define a policy as a profile and assign the profile to a role. It is possible to define policies other than expiration exactly as follows:. By assigning the same profile to a role, you can apply the same policy at once.
Set a password life time
Restrict password reuse
Lock accounts that have failed to log in continuously
For password operations with the VALID UNTIL clause, only an expiration date can be set. An operator can force a VALID UNTIL clause to be specified within a specified interval of time when a CREATE or ALTER ROLE command is executed.
For information about how to create and apply profiles that define policies, refer to "Policy-based Login Security" in the Fujitsu Enterprise Postgres Operation Guide.
When FEPCluster is deployed, users for streaming replication (User specified in spec.fepChildCrVal.sysUsers.pgrepluser of the FEPCluster custom resource) are automatically assigned membership in the pgx_update_profile_status group role. This ensures that the user lock status and password status detected on the standby server are applied to the entire cluster immediately after the FEPCluster is built.
Operators can use the monitoring feature to monitor metrics such as expiration.
When you deploy FEPExporter, the following metrics collection and alert rules are enabled:
To deploy the FEPExporter, refer to "4.3 Deploying FEPExporter" or "4.4 FEPExporter in Standalone Mode".
For definitions of metric queries and alert rules, refer to "Default Metric Queries" and "Default Alert Rules" in the Reference.
Number of all roles
Number of enabled roles
Number of roles in grace period
Number of roles that have expired
Number of roles locked
You can also add metrics queries to monitor, for example, how many roles expire within a specified date.
When Expired Role is 1 or More
When the Grace Period Expired Role is 1 or More
When the locked role is 1 or more
When you are notified of an alert, you can verify the database role in question from the system catalog.
For more information about the system catalogs for managing profile information, refer to "System Catalogs" in the Fujitsu Enterprise Postgres Operation Guide.
You can manage password expiration for database roles with login privileges.
When defining passwords for database roles with login privileges in the CREATE ROLE or ALTER ROLE statements, it is possible to force them to expire within a specified period.
Specify the following parameters in the FEPCluster custom resource to enable this feature.
Specify "fsep_operator_security" in shared_preload_libraries of spec.fepChildCrVal.customPgParams
"spec.fepChildCrVal.sysUsers.passwordValid.days" specifies the number of days that can be specified from the time the password is changed to the expiration date
FEPCluster custom resource definition example
fepChildCrVal:
customPgParams: |
shared_preload_libraries='pgx_datamasking,pg_prewarm,pg_stat_statements,fsep_operator_security'
…
sysUsers:
passwordValid:
days: 30
pgdb: mydb
pgpassword: mydbpassword
pguser: mydbuserWhen this feature is enabled, the password expiration for pgpassword and pgSecurityPassword, as defined in spec.fepChildCrVal.sysUsers in the FEPCluster custom resource, is defined after the length of time specified in spec.fepChildCrVal.sysUsers.passwordValid.days since the password was changed.
However, passwords defined in pgAdminPassword, pgreplpassword, pgRewindUserPassword, and pgMetricsUserPassword are database role passwords required for database operation management, so their expiration dates are not managed.
In addition, if the CREATE ROLE or ALTER ROLE statement defines/changes the password for a database role that has login privileges, and the password for the database role does not expire or is longer than the length of time specified by pec.fepChildCrVal.sysUsers.passwordValid.days, the executed SQL will fail.
spec.fepChildCrVal.sysUsers.passwordValid.days can be defined or changed after building the FEPCluster. Changing this parameter updates the password expiration period for all managing database roles that have not expired.
Removing spec.fepChildCrVal.sysUsers.passwordValid.days or setting it to 0 will stop password expiration management.
By using the FEPExporter custom resource feature, it is possible to monitor the password expiration date of database roles and send an alert using AlertManager when there is a database role that is about to expire or has passed.