diff --git a/product/en/docs-mogdb/v1.1/quick-start/using-the-gsql-client-for-connection.md b/product/en/docs-mogdb/v1.1/quick-start/using-the-gsql-client-for-connection.md index e89cf30193d3310167cd0fc5ccbadc6e95cafab9..344e33d98a6fb12407fe86880442462bd6a470de 100644 --- a/product/en/docs-mogdb/v1.1/quick-start/using-the-gsql-client-for-connection.md +++ b/product/en/docs-mogdb/v1.1/quick-start/using-the-gsql-client-for-connection.md @@ -126,7 +126,7 @@ Connection information has been confirmed. Assume you are to allow the client whose IP address is **10.10.0.30** to access the current host. ``` - gs_guc set -N all -I all -h "host all jack 10.10.0.30/32 sha256" + gs_guc reload -N all -I all -h "host all jack 10.10.0.30/32 sha256" ``` ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **NOTE:** diff --git a/product/en/docs-mogdb/v1.1/reference-guide/functions-and-operators/23-system-information-functions.md b/product/en/docs-mogdb/v1.1/reference-guide/functions-and-operators/23-system-information-functions.md index a9ddef4dcd1c0c09799f2084cfdca2b45da4bfc4..4074cd9c16c5a4da9c0c336e4756cc3a92e6ba62 100644 --- a/product/en/docs-mogdb/v1.1/reference-guide/functions-and-operators/23-system-information-functions.md +++ b/product/en/docs-mogdb/v1.1/reference-guide/functions-and-operators/23-system-information-functions.md @@ -283,22 +283,6 @@ date: 2021-04-20 (1 row) ``` -- pg_backend_pid() - - Description: Process ID of the server process attached to the current session - - Return type: int - - Example: - - ```sql - mogdb=# SELECT pg_backend_pid(); - pg_backend_pid - ----------------- - 140229352617744 - (1 row) - ``` - - pg_conf_load_time() Description: Configures load time. **pg_conf_load_time** returns the timestamp with time zone when the server configuration files were last loaded. 
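Review bot: In the `23-system-information-functions.md` hunk (`@@ -283,22 +283,6 @@`), the entire `pg_backend_pid()` entry is deleted with no stated reason, and the same deletion is repeated for every version touched by this patch. If the function is still callable in these releases, dropping its documentation hides it rather than fixes it. The removed block itself shows what needed attention: it declares `Return type: int`, yet the example output `140229352617744` does not fit a 32-bit integer and does not look like an OS process ID. Either state in the commit message that the function is withdrawn from the product, or keep the entry with a corrected return type and a real example.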
diff --git a/product/en/docs-mogdb/v1.1/security-guide/security/1-client-access-authentication.md b/product/en/docs-mogdb/v1.1/security-guide/security/1-client-access-authentication.md index 7d02f929814365ddd773930af8b2ba715c5664fd..c8b6ea366c846a1c7db7658b45f9f188dc64aee7 100644 --- a/product/en/docs-mogdb/v1.1/security-guide/security/1-client-access-authentication.md +++ b/product/en/docs-mogdb/v1.1/security-guide/security/1-client-access-authentication.md @@ -32,7 +32,7 @@ If a host needs to connect to a database remotely, you need to add information a Assume you are to allow the client whose IP address is **10.10.0.30** to access the current host. ```bash - gs_guc set -N all -I all -h "host all jack 10.10.0.30/32 sha256" + gs_guc reload -N all -I all -h "host all jack 10.10.0.30/32 sha256" ``` > ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **NOTE:** @@ -114,7 +114,7 @@ host all all 10.10.0.0/24 gss incl | host | Indicates that this record accepts either a common TCP/IP-socket connection or a TCP/IP-socket connection encrypted through SSL. | - | | hostssl | Indicates that this record accepts only a TCP/IP socket connection encrypted through SSL. | For the connection encrypted through SSL, you need to apply for a digital certificate and configure related parameters. For details, see Establishing Secure TCP/IP Connections in SSL Mode. | | hostnossl | Indicates that this record accepts only a common TCP/IP socket connection. | - | -| DATABASEGUC | Database that a record matches and can access | - **all**: indicates that this record matches all databases.
- **sameuser**: indicates that the database must have the same name as the user who requests database access.
- **samerole**: indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- **samegroup**: is the same as that of **samerole** and indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- A file containing database names with an at sign (@) added before the file name, or a database list in a file using commas (,) or line feeds to separate databases.
- A specific database name or a list of databases separated by commas (,)
NOTE:
**replication** indicates that if a replication link is requested, the records match the link. But this does not mean the record matches any specific database. To use a database named **replication**, specify it in the database column. | +| DATABASE | Database that a record matches and can access | - **all**: indicates that this record matches all databases.
- **sameuser**: indicates that the database must have the same name as the user who requests database access.
- **samerole**: indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- **samegroup**: is the same as that of **samerole** and indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- A file containing database names with an at sign (@) added before the file name, or a database list in a file using commas (,) or line feeds to separate databases.
- A specific database name or a list of databases separated by commas (,)
NOTE:
**replication** indicates that if a replication link is requested, the records match the link. But this does not mean the record matches any specific database. To use a database named **replication**, specify it in the database column. | | USER | Users who match the record and are allowed to access databases | - **all**: indicates that this record matches all users.
- **+User role**: indicates that this record matches all members that directly or indirectly belong to the role.
NOTE:
**+** is a prefix character.
- A file containing usernames, with an at sign (@) added before the file name. Users in the file are separated by commas (,) or line feeds.
- A specific database username or a list of users separated by commas (,) | | ADDRESS | Range of IP addresses that match the record and can be visited | IPv4 and IPv6 are supported. The IP address range can be expressed in the following two formats:
- **IP address/mask length** Example: 10.10.0.0/24
- **IP address Subnet mask** Example: 10.10.0.0 255.255.255.0
NOTE:
An IPv4 address matches the IPv6 connection with the corresponding address. For example, 127.0.0.1 matches IPv6 address ::ffff:127.0.0.1. | | METHOD | Authentication method used for connection | The following authentication modes are supported. For details, see [Table 2](#Table 1.2.2).
- **trust**
- **reject**
- **md5** (not recommended and not supported by default. This authentication mode can be configured using the **password_encryption_type** parameter.)
- **sha256**
- **cert**
- **gss** (only for authentication within MogDB) | diff --git a/product/en/docs-mogdb/v2.0/reference-guide/functions-and-operators/23-system-information-functions.md b/product/en/docs-mogdb/v2.0/reference-guide/functions-and-operators/23-system-information-functions.md index 59ecca0d1ec66e2d2ce1952b0a38f7a3b073b5ce..95ebca3902ff8243bdc46dbb232f2cd76d9c6203 100644 --- a/product/en/docs-mogdb/v2.0/reference-guide/functions-and-operators/23-system-information-functions.md +++ b/product/en/docs-mogdb/v2.0/reference-guide/functions-and-operators/23-system-information-functions.md @@ -283,22 +283,6 @@ date: 2021-04-20 (1 row) ``` -- pg_backend_pid() - - Description: Process ID of the server process attached to the current session - - Return type: int - - Example: - - ```sql - mogdb=# SELECT pg_backend_pid(); - pg_backend_pid - ----------------- - 140229352617744 - (1 row) - ``` - - pg_conf_load_time() Description: Configures load time. **pg_conf_load_time** returns the timestamp with time zone when the server configuration files were last loaded. diff --git a/product/en/docs-mogdb/v2.0/security-guide/security/1-client-access-authentication.md b/product/en/docs-mogdb/v2.0/security-guide/security/1-client-access-authentication.md index 0e4d8e3ac3eed18ec8feec89a0ab8c49867934a3..9e58379f1a65ca4bdbece677328fdf01851e7a93 100644 --- a/product/en/docs-mogdb/v2.0/security-guide/security/1-client-access-authentication.md +++ b/product/en/docs-mogdb/v2.0/security-guide/security/1-client-access-authentication.md @@ -32,7 +32,7 @@ If a host needs to connect to a database remotely, you need to add information a Assume you are to allow the client whose IP address is **10.10.0.30** to access the current host. ```bash - gs_guc set -N all -I all -h "host all jack 10.10.0.30/32 sha256" + gs_guc reload -N all -I all -h "host all jack 10.10.0.30/32 sha256" ``` > ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **NOTE:** 
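Review bot: In the `@@ -32,7 +32,7 @@` hunk of `1-client-access-authentication.md` (and the identical hunk in the v1.1 quick-start page), replacing `gs_guc set` with `gs_guc reload` is the right change for an HBA rule: the `host all jack 10.10.0.30/32 sha256` entry is then written and applied to the running instances without a restart, whereas `set` only writes it. The `> ... **NOTE:**` block that follows the command is outside the hunk, so please confirm it does not still tell the reader to restart the database for the rule to take effect. Also worth a word in the text: `-N all -I all` pushes the rule to every node and instance, which is what the remote-access example wants but is broader than a single-node quick start needs.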
@@ -114,7 +114,7 @@ host all all 10.10.0.0/24 gss incl | host | Indicates that this record accepts either a common TCP/IP-socket connection or a TCP/IP-socket connection encrypted through SSL. | - | | hostssl | Indicates that this record accepts only a TCP/IP socket connection encrypted through SSL. | For the connection encrypted through SSL, you need to apply for a digital certificate and configure related parameters. For details, see Establishing Secure TCP/IP Connections in SSL Mode. | | hostnossl | Indicates that this record accepts only a common TCP/IP socket connection. | - | -| DATABASEGUC | Database that a record matches and can access | - **all**: indicates that this record matches all databases.
- **sameuser**: indicates that the database must have the same name as the user who requests database access.
- **samerole**: indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- **samegroup**: is the same as that of **samerole** and indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- A file containing database names with an at sign (@) added before the file name, or a database list in a file using commas (,) or line feeds to separate databases.
- A specific database name or a list of databases separated by commas (,)
NOTE:
**replication** indicates that if a replication link is requested, the records match the link. But this does not mean the record matches any specific database. To use a database named **replication**, specify it in the database column. | +| DATABASE | Database that a record matches and can access | - **all**: indicates that this record matches all databases.
- **sameuser**: indicates that the database must have the same name as the user who requests database access.
- **samerole**: indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- **samegroup**: is the same as that of **samerole** and indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- A file containing database names with an at sign (@) added before the file name, or a database list in a file using commas (,) or line feeds to separate databases.
- A specific database name or a list of databases separated by commas (,)
NOTE:
**replication** indicates that if a replication link is requested, the records match the link. But this does not mean the record matches any specific database. To use a database named **replication**, specify it in the database column. | | USER | Users who match the record and are allowed to access databases | - **all**: indicates that this record matches all users.
- **+User role**: indicates that this record matches all members that directly or indirectly belong to the role.
NOTE:
**+** is a prefix character.
- A file containing usernames, with an at sign (@) added before the file name. Users in the file are separated by commas (,) or line feeds.
- A specific database username or a list of users separated by commas (,) | | ADDRESS | Range of IP addresses that match the record and can be visited | IPv4 and IPv6 are supported. The IP address range can be expressed in the following two formats:
- **IP address/mask length** Example: 10.10.0.0/24
- **IP address Subnet mask** Example: 10.10.0.0 255.255.255.0
NOTE:
An IPv4 address matches the IPv6 connection with the corresponding address. For example, 127.0.0.1 matches IPv6 address ::ffff:127.0.0.1. | | METHOD | Authentication method used for connection | The following authentication modes are supported. For details, see [Table 2](#Table 1.2.2).
- **trust**
- **reject**
- **md5** (not recommended and not supported by default. This authentication mode can be configured using the **password_encryption_type** parameter.)
- **sha256**
- **cert**
- **gss** (only for authentication within MogDB) | diff --git a/product/en/docs-mogdb/v2.1/reference-guide/functions-and-operators/23-system-information-functions.md b/product/en/docs-mogdb/v2.1/reference-guide/functions-and-operators/23-system-information-functions.md index faaa4b277cffbcccd71132765c1f3d75032e8ac4..6ea3bbbc76b3f25e7c68146046f877183598b68f 100644 --- a/product/en/docs-mogdb/v2.1/reference-guide/functions-and-operators/23-system-information-functions.md +++ b/product/en/docs-mogdb/v2.1/reference-guide/functions-and-operators/23-system-information-functions.md @@ -290,22 +290,6 @@ date: 2021-04-20 (1 row) ``` -- pg_backend_pid() - - Description: Process ID of the server process attached to the current session - - Return type: int - - Example: - - ``` - mogdb=# SELECT pg_backend_pid(); - pg_backend_pid - ----------------- - 140229352617744 - (1 row) - ``` - - pg_conf_load_time() Description: Configures load time. **pg_conf_load_time** returns the timestamp with time zone when the server configuration files were last loaded. diff --git a/product/en/docs-mogdb/v2.1/security-guide/security/1-client-access-authentication.md b/product/en/docs-mogdb/v2.1/security-guide/security/1-client-access-authentication.md index 88d29cd401273468c44d7f2d8447c6b2af305846..8b97b1e65da8b301b4bc596fb5fbe3c3082f6f4a 100644 --- a/product/en/docs-mogdb/v2.1/security-guide/security/1-client-access-authentication.md +++ b/product/en/docs-mogdb/v2.1/security-guide/security/1-client-access-authentication.md @@ -32,7 +32,7 @@ If a host needs to connect to a database remotely, you need to add information a Assume you are to allow the client whose IP address is **10.10.0.30** to access the current host. ```bash - gs_guc set -N all -I all -h "host all jack 10.10.0.30/32 sha256" + gs_guc reload -N all -I all -h "host all jack 10.10.0.30/32 sha256" ``` > ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **NOTE:** 
@@ -115,7 +115,7 @@ host all all 10.10.0.0/24 gss incl | host | Indicates that this record accepts either a common TCP/IP-socket connection or a TCP/IP-socket connection encrypted through SSL. | - | | hostssl | Indicates that this record accepts only a TCP/IP socket connection encrypted through SSL. | For the connection encrypted through SSL, you need to apply for a digital certificate and configure related parameters. For details, see [Establishing Secure TCP/IP Connections in SSL Mode](#establishing-secure-tcpip-connections-in-ssl-mode). | | hostnossl | Indicates that this record accepts only a common TCP/IP socket connection. | - | -| DATABASEGUC | Database that a record matches and can access | - **all**: indicates that this record matches all databases.
- **sameuser**: indicates that the database must have the same name as the user who requests database access.
- **samerole**: indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- **samegroup**: is the same as that of **samerole** and indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- A file containing database names with an at sign (@) added before the file name, or a database list in a file using commas (,) or line feeds to separate databases.
- A specific database name or a list of databases separated by commas (,)
NOTE:
**replication** indicates that if a replication link is requested, the records match the link. But this does not mean the record matches any specific database. To use a database named **replication**, specify it in the database column. | +| DATABASE | Database that a record matches and can access | - **all**: indicates that this record matches all databases.
- **sameuser**: indicates that the database must have the same name as the user who requests database access.
- **samerole**: indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- **samegroup**: is the same as that of **samerole** and indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- A file containing database names with an at sign (@) added before the file name, or a database list in a file using commas (,) or line feeds to separate databases.
- A specific database name or a list of databases separated by commas (,)
NOTE:
**replication** indicates that if a replication link is requested, the records match the link. But this does not mean the record matches any specific database. To use a database named **replication**, specify it in the database column. | | USER | Users who match the record and are allowed to access databases | - **all**: indicates that this record matches all users.
- **+User role**: indicates that this record matches all members that directly or indirectly belong to the role.
NOTE:
**+** is a prefix character.
- A file containing usernames, with an at sign (@) added before the file name. Users in the file are separated by commas (,) or line feeds.
- A specific database username or a list of users separated by commas (,) | | ADDRESS | Range of IP addresses that match the record and can be visited | IPv4 and IPv6 are supported. The IP address range can be expressed in the following two formats:
- **IP address/mask length** Example: 10.10.0.0/24
- **IP address Subnet mask** Example: 10.10.0.0 255.255.255.0
NOTE:
An IPv4 address matches the IPv6 connection with the corresponding address. For example, 127.0.0.1 matches IPv6 address ::ffff:127.0.0.1. | | METHOD | Authentication method used for connection | The following authentication modes are supported. For details, see [Table 3](#Table 1.2.2).
- **trust**
- **reject**
- **md5** (not recommended and not supported by default. This authentication mode can be configured using the **password_encryption_type** parameter.)
NOTE:
The MD5 encryption algorithm has lower security and poses security risks. Therefore, you are advised to use a more secure encryption algorithm.
- **sha256**
- **sm3**
- **cert**
- **gss** (only for authentication within MogDB)
- **peer** (only for the local mode) | diff --git a/product/en/docs-mogdb/v3.0/reference-guide/functions-and-operators/23-system-information-functions.md b/product/en/docs-mogdb/v3.0/reference-guide/functions-and-operators/23-system-information-functions.md index 8c87ea6887c28b59355fbbe7773a5a3c5badb6c4..f441ae107a075a4ddd981881366e7d6a091fb932 100644 --- a/product/en/docs-mogdb/v3.0/reference-guide/functions-and-operators/23-system-information-functions.md +++ b/product/en/docs-mogdb/v3.0/reference-guide/functions-and-operators/23-system-information-functions.md @@ -290,22 +290,6 @@ date: 2021-04-20 (1 row) ``` -- pg_backend_pid() - - Description: Process ID of the server process attached to the current session - - Return type: int - - Example: - - ``` - MogDB=# SELECT pg_backend_pid(); - pg_backend_pid - ----------------- - 140229352617744 - (1 row) - ``` - - pg_conf_load_time() Description: Configures load time. **pg_conf_load_time** returns the timestamp with time zone when the server configuration files were last loaded. diff --git a/product/en/docs-mogdb/v3.0/security-guide/security/1-client-access-authentication.md b/product/en/docs-mogdb/v3.0/security-guide/security/1-client-access-authentication.md index b052ccdca5a6a7473ec6adf7533b4813e4373432..389f420919561cf8a416a628c1d2e9ceabdb1509 100644 --- a/product/en/docs-mogdb/v3.0/security-guide/security/1-client-access-authentication.md +++ b/product/en/docs-mogdb/v3.0/security-guide/security/1-client-access-authentication.md @@ -32,7 +32,7 @@ If a host needs to connect to a database remotely, you need to add information a Assume you are to allow the client whose IP address is **10.10.0.30** to access the current host. ```bash - gs_guc set -N all -I all -h "host all jack 10.10.0.30/32 sha256" + gs_guc reload -N all -I all -h "host all jack 10.10.0.30/32 sha256" ``` > ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **NOTE:** 
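Review bot: In the `@@ -115,7 +115,7 @@` hunk of v2.1 `1-client-access-authentication.md` (and the matching `@@ -114,7` and `@@ -115,7` hunks for the other versions), renaming the row from `DATABASEGUC` to `DATABASE` fixes the label, but the METHOD row of the same table still links to `[Table 3](#Table 1.2.2)` (`[Table 2](#Table 1.2.2)` in v1.1 and v2.0). A fragment containing spaces will not resolve as a Markdown anchor, and the table number disagreeing across versions while the target stays `#Table 1.2.2` suggests the cross-reference was never checked; since this table is being corrected anyway, fix the link target in the same change.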
@@ -115,7 +115,7 @@ host all all 10.10.0.0/24 gss incl | host | Indicates that this record accepts either a common TCP/IP-socket connection or a TCP/IP-socket connection encrypted through SSL. | N/A | | hostssl | Indicates that this record accepts only a TCP/IP socket connection encrypted through SSL. | For the connection encrypted through SSL, you need to apply for a digital certificate and configure related parameters. For details, see [Establishing Secure TCP/IP Connections in SSL Mode](#establishing-secure-tcpip-connections-in-ssl-mode). | | hostnossl | Indicates that this record accepts only a common TCP/IP socket connection. | N/A | -| DATABASEGUC | Database that a record matches and can access | - **all**: indicates that this record matches all databases.
- **sameuser**: indicates that the database must have the same name as the user who requests database access.
- **samerole**: indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- **samegroup**: is the same as that of **samerole** and indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- A file containing database names with an at sign (@) added before the file name, or a database list in a file using commas (,) or line feeds to separate databases.
- A specific database name or a list of databases separated by commas (,)
NOTE:
**replication** indicates that if a replication link is requested, the records match the link. But this does not mean the record matches any specific database. To use a database named **replication**, specify it in the database column. | +| DATABASE | Database that a record matches and can access | - **all**: indicates that this record matches all databases.
- **sameuser**: indicates that the database must have the same name as the user who requests database access.
- **samerole**: indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- **samegroup**: is the same as that of **samerole** and indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- A file containing database names with an at sign (@) added before the file name, or a database list in a file using commas (,) or line feeds to separate databases.
- A specific database name or a list of databases separated by commas (,)
NOTE:
**replication** indicates that if a replication link is requested, the records match the link. But this does not mean the record matches any specific database. To use a database named **replication**, specify it in the database column. | | USER | Users who match the record and are allowed to access databases | - **all**: indicates that this record matches all users.
- **+User role**: indicates that this record matches all members that directly or indirectly belong to the role.
NOTE:
**+** is a prefix character.
- A file containing usernames, with an at sign (@) added before the file name. Users in the file are separated by commas (,) or line feeds.
- A specific database username or a list of users separated by commas (,) | | ADDRESS | Range of IP addresses that match the record and can be visited | IPv4 and IPv6 are supported. The IP address range can be expressed in the following two formats:
- **IP address/mask length** Example: 10.10.0.0/24
- **IP address Subnet mask** Example: 10.10.0.0 255.255.255.0
NOTE:
An IPv4 address matches the IPv6 connection with the corresponding address. For example, 127.0.0.1 matches IPv6 address ::ffff:127.0.0.1. | | METHOD | Authentication method used for connection | The following authentication modes are supported. For details, see [Table 3](#Table 1.2.2).
- **trust**
- **reject**
- **md5** (not recommended and not supported by default. This authentication mode can be configured using the **password_encryption_type** parameter.)
NOTE:
The MD5 encryption algorithm has lower security and poses security risks. Therefore, you are advised to use a more secure encryption algorithm.
- **sha256**
- **sm3**
- **cert**
- **gss** (only for authentication within MogDB)
- **peer** (only for the local mode) | diff --git a/product/en/docs-mogdb/v3.1/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md b/product/en/docs-mogdb/v3.1/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md index 22d3b6061aa2b483363d9281c1e3780cd81dc85f..e70caf790378931025d789ca1a28f71f122c9ee1 100644 --- a/product/en/docs-mogdb/v3.1/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md +++ b/product/en/docs-mogdb/v3.1/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md @@ -288,22 +288,6 @@ date: 2021-04-20 (1 row) ``` -- pg_backend_pid() - - Description: Process ID of the server process attached to the current session - - Return type: int - - Example: - - ``` - MogDB=# SELECT pg_backend_pid(); - pg_backend_pid - ----------------- - 140229352617744 - (1 row) - ``` - - pg_conf_load_time() Description: Configures load time. **pg_conf_load_time** returns the timestamp with time zone when the server configuration files were last loaded. diff --git a/product/en/docs-mogdb/v3.1/security-guide/security/1-client-access-authentication.md b/product/en/docs-mogdb/v3.1/security-guide/security/1-client-access-authentication.md index f11b8e54a3a07085d2945c9d8bddf326155c5859..368330a3505f84948b39dd77753856449a799e2e 100644 --- a/product/en/docs-mogdb/v3.1/security-guide/security/1-client-access-authentication.md +++ b/product/en/docs-mogdb/v3.1/security-guide/security/1-client-access-authentication.md 
@@ -32,7 +32,7 @@ If a host needs to connect to a database remotely, you need to add information a Assume you are to allow the client whose IP address is **10.10.0.30** to access the current host. ```bash - gs_guc set -N all -I all -h "host all jack 10.10.0.30/32 sha256" + gs_guc reload -N all -I all -h "host all jack 10.10.0.30/32 sha256" ``` > ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **NOTE:** @@ -115,7 +115,7 @@ host all all 10.10.0.0/24 gss incl | host | Indicates that this record accepts either a common TCP/IP-socket connection or a TCP/IP-socket connection encrypted through SSL. | N/A | | hostssl | Indicates that this record accepts only a TCP/IP socket connection encrypted through SSL. | For the connection encrypted through SSL, you need to apply for a digital certificate and configure related parameters. For details, see [Establishing Secure TCP/IP Connections in SSL Mode](#establishing-secure-tcpip-connections-in-ssl-mode). | | hostnossl | Indicates that this record accepts only a common TCP/IP socket connection. | N/A | -| DATABASEGUC | Database that a record matches and can access | - **all**: indicates that this record matches all databases.
- **sameuser**: indicates that the database must have the same name as the user who requests database access.
- **samerole**: indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- **samegroup**: is the same as that of **samerole** and indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- A file containing database names with an at sign (@) added before the file name, or a database list in a file using commas (,) or line feeds to separate databases.
- A specific database name or a list of databases separated by commas (,)
NOTE:
**replication** indicates that if a replication link is requested, the records match the link. But this does not mean the record matches any specific database. To use a database named **replication**, specify it in the database column. | +| DATABASE | Database that a record matches and can access | - **all**: indicates that this record matches all databases.
- **sameuser**: indicates that the database must have the same name as the user who requests database access.
- **samerole**: indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- **samegroup**: is the same as that of **samerole** and indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- A file containing database names with an at sign (@) added before the file name, or a database list in a file using commas (,) or line feeds to separate databases.
- A specific database name or a list of databases separated by commas (,)
NOTE:
**replication** indicates that if a replication link is requested, the records match the link. But this does not mean the record matches any specific database. To use a database named **replication**, specify it in the database column. | | USER | Users who match the record and are allowed to access databases | - **all**: indicates that this record matches all users.
- **+User role**: indicates that this record matches all members that directly or indirectly belong to the role.
NOTE:
**+** is a prefix character.
- A file containing usernames, with an at sign (@) added before the file name. Users in the file are separated by commas (,) or line feeds.
- A specific database username or a list of users separated by commas (,) | | ADDRESS | Range of IP addresses that match the record and can be visited | IPv4 and IPv6 are supported. The IP address range can be expressed in the following two formats:
- **IP address/mask length** Example: 10.10.0.0/24
- **IP address Subnet mask** Example: 10.10.0.0 255.255.255.0
NOTE:
An IPv4 address matches the IPv6 connection with the corresponding address. For example, 127.0.0.1 matches IPv6 address ::ffff:127.0.0.1. | | METHOD | Authentication method used for connection | The following authentication modes are supported. For details, see [Table 3](#Table 1.2.2).
- **trust**
- **reject**
- **md5** (not recommended and not supported by default. This authentication mode can be configured using the **password_encryption_type** parameter.)
NOTE:
The MD5 encryption algorithm has lower security and poses security risks. Therefore, you are advised to use a more secure encryption algorithm.
- **sha256**
- **sm3**
- **cert**
- **gss** (only for authentication within MogDB)
- **peer** (only for the local mode) | diff --git a/product/en/docs-mogdb/v5.0/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md b/product/en/docs-mogdb/v5.0/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md index 22d3b6061aa2b483363d9281c1e3780cd81dc85f..e70caf790378931025d789ca1a28f71f122c9ee1 100644 --- a/product/en/docs-mogdb/v5.0/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md +++ b/product/en/docs-mogdb/v5.0/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md @@ -288,22 +288,6 @@ date: 2021-04-20 (1 row) ``` -- pg_backend_pid() - - Description: Process ID of the server process attached to the current session - - Return type: int - - Example: - - ``` - MogDB=# SELECT pg_backend_pid(); - pg_backend_pid - ----------------- - 140229352617744 - (1 row) - ``` - - pg_conf_load_time() Description: Configures load time. **pg_conf_load_time** returns the timestamp with time zone when the server configuration files were last loaded. diff --git a/product/en/docs-mogdb/v5.0/reference-guide/tool-reference/cluster-management/manual-configuration-of-vip.md b/product/en/docs-mogdb/v5.0/reference-guide/tool-reference/cluster-management/manual-configuration-of-vip.md index 2826dd3d59cb10f39183ce3df68bacb9c51155ac..4e4e621369020062226aa121c81111a6fb625837 100644 --- a/product/en/docs-mogdb/v5.0/reference-guide/tool-reference/cluster-management/manual-configuration-of-vip.md +++ b/product/en/docs-mogdb/v5.0/reference-guide/tool-reference/cluster-management/manual-configuration-of-vip.md 
@@ -9,7 +9,11 @@ date: 2023-07-03 ## Objectives -PTK does not support VIP-related configurations (supported in MogDB 5.1), therefore this section introduces how to manually configure or enable VIP function in a database cluster where CM cluster management software has been deployed. +This section introduces how to manually configure or enable VIP function in a database cluster where CM cluster management software has been deployed. + +> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) Note: +> +> MogDB 5.0.4 and later versions support automatic VIP mounting via PTK (v1.2.0+), see [PTK documentation](https://docs.mogdb.io/en/ptk/v1.1/ptk-cluster-load-cm-vip#--action-string) for details. Additionally, this section uses a cluster with one primary node and two standby nodes as an example. diff --git a/product/en/docs-mogdb/v5.0/security-guide/security/1-client-access-authentication.md b/product/en/docs-mogdb/v5.0/security-guide/security/1-client-access-authentication.md index ef3a07bce03e05c27451b98f195483642cbefe31..b41540229ac681b718b313e078b007175d71f127 100644 --- a/product/en/docs-mogdb/v5.0/security-guide/security/1-client-access-authentication.md +++ b/product/en/docs-mogdb/v5.0/security-guide/security/1-client-access-authentication.md 
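Review bot: in the trailing context of the v1.1 client-access-authentication hunk, the METHOD cell says **md5** is "not supported by default" and "can be configured using the **password_encryption_type** parameter" but never states which value of that parameter enables it; name the value or link the parameter's reference entry so the reader does not have to guess, and keep the existing "lower security" NOTE next to it.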
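Review bot: the session-information-functions.md hunk drops the whole `pg_backend_pid()` entry with no replacement or cross-reference; if the function is documented elsewhere, leave a pointer, and if the motivation is the example output (`140229352617744` is far above any Linux PID range and looks like a thread id), the better fix is a corrected example rather than removing the entry.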
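Review bot: in the manual-configuration-of-vip.md hunk the added note says automatic VIP mounting needs PTK v1.2.0+ yet links to `https://docs.mogdb.io/en/ptk/v1.1/ptk-cluster-load-cm-vip#--action-string`, a v1.1 page; point the link at the matching PTK version. Minor style: the new note uses `Note:` while the other notes in this patch use `**NOTE:**`, and the removed sentence "supported in MogDB 5.1" versus the added "MogDB 5.0.4 and later" should be reconciled in the commit message so the version change is deliberate.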
@@ -1,769 +1,769 @@ ---- -title: Client Access Authentication -summary: Client Access Authentication -author: Guo Huan -date: 2021-04-26 ---- - -# Client Access Authentication - -## Configuring Client Access Authentication - -**Background** - -If a host needs to connect to a database remotely, you need to add information about the host in configuration file of the database system and perform client access authentication. The configuration file (**pg_hba.conf** by default) is stored in the data directory of the database. HBA is short for host-based authentication. - -- The system supports the following three authentication methods, which all require the **pg_hba.conf** file. - - - Host-based authentication: A server checks the configuration file based on the IP address, username, and target database of the client to determine whether the user can be authenticated. - - Password authentication: A password can be an encrypted password for remote connection or a non-encrypted password for local connection. - - SSL encryption: The OpenSSL is used to provide a secure connection between the server and the client. - -- In the **pg_hba.conf** file, each record occupies one row and specifies an authentication rule. An empty row or a row started with a number sign (#) is neglected. - -- Each authentication rule consists of multiple columns separated by spaces and forward slashes (/), or spaces and tab characters. If a field is enclosed with quotation marks ("), it can contain spaces. One record cannot span different rows. - -**Procedure** - -1. Log in as the OS user **omm** to the primary node of the database. - -2. Configure the client authentication mode and enable the client to connect to the host as user **jack**. User **omm** cannot be used for remote connection. - - Assume you are to allow the client whose IP address is **10.10.0.30** to access the current host. 
- - ```bash - gs_guc set -N all -I all -h "host all jack 10.10.0.30/32 sha256" - ``` - - > ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **NOTE:** - > - > - Before using user **jack**, connect to the database locally and run the following command in the database to create user **jack**: - > - > ```sql - > CREATE USER jack PASSWORD 'Test@123'; - > ``` - > - > - **-N all** indicates all hosts in MogDB. - > - **-I all** indicates all instances on the host. - > - **-h** specifies statements that need to be added in the **pg_hba.conf** file. - > - **all** indicates that a client can connect to any database. - > - **jack** indicates the user that accesses the database. - > - **10.10.0.30*/*32** indicates that only the client whose IP address is **10.10.0.30** can connect to the host. The specified IP address must be different from those used in MogDB. **32** indicates that there are 32 bits whose value is 1 in the subnet mask. That is, the subnet mask is 255.255.255.255. - > - **sha256** indicates that the password of user **jack** is encrypted using the SHA-256 algorithm. - -This command adds a rule to the **pg_hba.conf** file corresponds to the primary node of the database. The rule is used to authenticate clients that access primary node. - -Each record in the **pg_hba.conf** file can be in one of the following four formats. For parameter description of the four formats, see [Configuration File Reference](#configuration-file-reference). - -```text -local DATABASE USER METHOD [OPTIONS] -host DATABASE USER ADDRESS METHOD [OPTIONS] -hostssl DATABASE USER ADDRESS METHOD [OPTIONS] -hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] -``` - -During authentication, the system checks records in the **pg_hba.conf** file in sequence for connection requests, so the record sequence is vital. 
- -> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **NOTE:** -> Configure records in the **pg_hba.conf** file from top to bottom based on communication and format requirements in the descending order of priorities. The IP addresses of the MogDB cluster and added hosts are of the highest priority and should be configured prior to those manually configured by users. If the IP addresses manually configured by users and those of added hosts are in the same network segment, delete the manually configured IP addresses before the scale-out and configure them after the scale-out. - -The suggestions on configuring authentication rules are as follows: - -- Records placed at the front have strict connection parameters but weak authentication methods. -- Records placed at the end have weak connection parameters but strict authentication methods. - -> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **NOTE:** -> -> - If a user wants to connect to a specified database, the user must be authenticated by the rules in the **pg_hba.conf** file and have the **CONNECT** permission for the database. If you want to restrict a user from connecting to certain databases, you can grant or revoke the user's **CONNECT** permission, which is easier than setting rules in the **pg_hba.conf** file. -> - The **trust** authentication mode is insecure for a connection between the MogDB and a client outside the cluster. In this case, set the authentication mode to **sha256**. - -**Exception Handling** - -There are many reasons for a user authentication failure. You can view an error message returned from a server to a client to determine the exact cause. [Table 1](#Table-1.1.1) lists common error messages and solutions to these errors. - -**Table 1** Error messages - -| Symptom | Solution | -| :---------------------------------------------- | :-------------------------------------------------- | -| The username or password is incorrect.
`FATAL: invalid username/password,login denied` | Retry the authentication with the correct username and password. | -| The database to connect does not exist.
`FATAL: database "TESTDB" does not exist` | Retry the authentication with the correct database name. | -| No matched client record is found.
`FATAL: no pg_hba.conf entry for host "10.10.0.60", user "ANDYM", database "TESTDB"` | This message indicates that the server is connected but denies the connection request, because it does not find a matched record in **pg_hba.conf**. Contact the database administrator to add user information to the **pg_hba.conf** file. | - -**Example** - -``` -TYPE DATABASE USER ADDRESS METHOD - -#Allow only the user specified by the -U parameter (omm as default) during installation to establish a connection from the local server. -local all omm trust -IPv4 local connections: -#User jack is allowed to connect to any database from the 10.10.0.50 host. The SHA-256 algorithm is used to encrypt the password. -host all jack 10.10.0.50/32 sha256 -#Any user is allowed to connect to any database from a host on the 10.10.0.0/24 network segment. The SHA-256 algorithm is used to encrypt the password and SSL transmission is used. -hostssl all all 10.10.0.0/24 sha256 -#Any user is allowed to connect to any database from a host on the 10.10.0.0/24 network segment. The Kerberos authentication is used. In the current version, Kerberos authentication cannot be used to connect to external clients. -host all all 10.10.0.0/24 gss include_realm=1 krb_realm=HADOOP.COM -``` - -## Configuration File Reference - -**Table 2** Parameter description - -| Parameter | Description | Value Range | -| :---------- | :--------------------------- | :----------------------------------| -| local | Indicates that this record accepts only the Unix-domain-socket connection. If no such type of record exists, Unix-domain-socket connections are not allowed.
When **gsql** is used to initiate a connection from a local server and the **-U** parameter is not specified, a Unix-domain-socket connection is established. | N/A | -| host | Indicates that this record accepts either a common TCP/IP-socket connection or a TCP/IP-socket connection encrypted through SSL. | N/A | -| hostssl | Indicates that this record accepts only a TCP/IP socket connection encrypted through SSL. | For the connection encrypted through SSL, you need to apply for a digital certificate and configure related parameters. For details, see [Establishing Secure TCP/IP Connections in SSL Mode](#establishing-secure-tcpip-connections-in-ssl-mode). | -| hostnossl | Indicates that this record accepts only a common TCP/IP socket connection. | N/A | -| DATABASEGUC | Database that a record matches and can access | - **all**: indicates that this record matches all databases.
- **sameuser**: indicates that the database must have the same name as the user who requests database access.
- **samerole**: indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- **samegroup**: is the same as that of **samerole** and indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- A file containing database names with an at sign (@) added before the file name, or a database list in a file using commas (,) or line feeds to separate databases.
- A specific database name or a list of databases separated by commas (,)
NOTE:
**replication** indicates that if a replication link is requested, the records match the link. But this does not mean the record matches any specific database. To use a database named **replication**, specify it in the database column. | -| USER | Users who match the record and are allowed to access databases | - **all**: indicates that this record matches all users.
- **+User role**: indicates that this record matches all members that directly or indirectly belong to the role.
NOTE:
**+** is a prefix character.
- A file containing usernames, with an at sign (@) added before the file name. Users in the file are separated by commas (,) or line feeds.
- A specific database username or a list of users separated by commas (,) | -| ADDRESS | Range of IP addresses that match the record and can be visited | IPv4 and IPv6 are supported. The IP address range can be expressed in the following two formats:
- **IP address/mask length** Example: 10.10.0.0/24
- **IP address Subnet mask** Example: 10.10.0.0 255.255.255.0
NOTE:
An IPv4 address matches the IPv6 connection with the corresponding address. For example, 127.0.0.1 matches IPv6 address ::ffff:127.0.0.1. | -| METHOD | Authentication method used for connection | The following authentication modes are supported. For details, see [Table 3](#Table 1.2.2).
- **trust**
- **reject**
- **md5** (not recommended and not supported by default. This authentication mode can be configured using the **password_encryption_type** parameter.)
NOTE:
The MD5 encryption algorithm has lower security and poses security risks. Therefore, you are advised to use a more secure encryption algorithm.
- **sha256**
- **sm3**
- **cert**
- **gss** (only for authentication within MogDB)
- **peer** (only for the local mode) | - -**Table 3** Authentication modes - -| Authentication Mode | Remarks | -| :------------------ | :----------------------------------------------------------- | -| trust | In trust mode, only the connection initiated from the local server using **gsql** with the **-U** parameter not specified is trusted. In this case, no password is required.
The trust authentication mode applies to local connection of a single-user workstation, but not of a multi-user workstation. To use the trust authentication, you can use the file system permissions to control the access to the Unix-domain socket file on the server. You can use either of the following methods to control the access:
- Set the **unix_socket_permissions** and **unix_socket_group** parameters.
- Set the **unix_socket_directory** parameter to place Unix-domain socket files into a directory requiring certain access permissions.
NOTICE:
Setting the file system permission imposes restrictions on only Unix-domain socket connections, and does not affect local TCP/IP connections. To ensure local TCP/IP security, MogDB does not allow the trust authentication for remote connection. | -| reject | Rejects connection unconditionally. This authentication mode is usually used for filtering certain hosts. | -| md5 | Requires that the client must provide an MD5-encrypted password for authentication.
NOTICE:
- The MD5 encryption algorithm has lower security and poses security risks. Therefore, you are advised to use a more secure encryption algorithm.
- MogDB retains MD5 authentication and password storage to facilitate use of third-party tools (such as the TPCC test tool). | -| sha256 | Requires that the client must provide a sha256-encrypted password for authentication. The password is encrypted based on the unidirectional sha256 of salt (a random number sent from the server to the client) when being transmitted, enhancing the security. | -| sm3 | The client is required to provide an SM3 encryption password for authentication. The password is encrypted using the salt (a random number sent by the server to the client) to enhance security. | -| cert | Client certificate authentication mode. In this mode, the SSL connection must be configured and the client must provide a valid SSL certificate. The user password is not required.
NOTICE:
This authentication mode supports only hostssl rules. | -| gss | Uses the GSSAPI-based Kerberos authentication.
NOTICE:
- This authentication mode depends on components such as the Kerberos server. It supports only authentication for communication within MogDB. In the current version, Kerberos authentication cannot be used to connect to external clients.
- Enabling Kerberos authentication within MogDB slows down the connection setup among nodes in MogDB. The performance of SQL operations during the setup is affected, but later operations are not. | -| peer | In this mode, only the initial database user can connect to the database in local mode. You can configure **pg_ident.conf** to establish the mapping between the OS user and the initial database user.
Assume that the OS username is **omm**, the initial database user is **dbAdmin**, and the local mode is set to peer authentication in **pg_hba.conf**.
`local all all peer map=mymap`
In the preceding information, **map=mymap** specifies the username mapping, and the mapping name **mymap** is added to **pg_ident.conf**. The following shows the mapping.
`# MAPNAME SYSTEM-USERNAME PG-USERNAME mymap omm dbAdmin`
NOTE:
You can run the **gs_guc reload** command to modify **pg_hba.conf** for the modification to take effect immediately without restarting the database. After **pg_ident.conf** is modified, the modification automatically takes effect upon the next connection. You do not need to restart the database. | - -## Establishing Secure TCP/IP Connections in SSL Mode - -**Background** - -MogDB supports the standard SSL (TLS 1.2). As a highly secure protocol, SSL authenticates bidirectional identification between the server and client using digital signatures and digital certificates to ensure secure data transmission. - -**Prerequisites** - -Obtain formal certificates and keys for servers and clients from the Certificate Authority (CA). Assume the private key and certificate for the server are **server.key** and **server.crt**, the private key and certificate for the client are **client.key** and **client.crt**, and the CA root certificate is **cacert.pem**. - -**Precautions** - -- When a user remotely accesses the primary node of the database, the SHA-256 authentication method is used. -- If internal servers are connected with each other, the trust authentication mode must be used. IP address whitelist authentication is supported. - -**Procedure** - -After a cluster is deployed, MogDB enables the SSL authentication mode by default. The server certificate, key, and root certificates have been configured. You need to set client parameters. - -Set digital certificate parameters related to SSL authentication. For details, see [Table 4](#Table-1.3.1). - -- Configure client parameters. - - The default client certificate, key, root certificate, and key encrypted file have been obtained from the CA authentication center. Assume that the certificate, key, and root certificate are stored in the **/home/omm** directory. 
- - For bidirectional authentication, set the following parameters: - - ```bash - export PGSSLCERT="/home/omm/client.crt" - export PGSSLKEY="/home/omm/client.key" - export PGSSLMODE="verify-ca" - export PGSSLROOTCERT="/home/omm/cacert.pem" - ``` - - For unidirectional authentication, set the following parameters: - - ```bash - export PGSSLMODE="verify-ca" - export PGSSLROOTCERT="/home/omm/cacert.pem" - ``` - -- Change the client key permission. - - The permission of the client root certificate, key, certificate, and encrypted key file should be 600. Otherwise, the client cannot connect to MogDB through SSL. - - ```bash - chmod 600 client.key - chmod 600 client.crt - chmod 600 client.key.cipher - chmod 600 client.key.rand - chmod 600 cacert.pem - ``` - -> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-notice.gif) **NOTICE:** -> You are advised to use bidirectional authentication for security purposes. -> The environment variables configured for a client must contain the absolute file paths. - -**Table 4** Authentication modes - -| Authentication Mode | Description | Client Environment Variable Setting | Maintenance Suggestion | -| :----------------------------------------- | :------------------------------------ | :-------------------------------------------| :-------------------------------------------- | -| Bidirectional authentication (recommended) | The client verifies the server's certificate and the server verifies the client's certificate. Connection can be set up after the verification is successful. | Set the following environment variables:
- PGSSLCERT
- PGSSLKEY
- PGSSLROOTCERT
- PGSSLMODE | This authentication mode is applicable to scenarios that require high data security. When using this method, you are advised to set the **PGSSLMODE** client variable to **verify-ca** for network data security purposes. | -| Unidirectional authentication | The client verifies the server's certificate, whereas the server does not verify the client's certificate. The server loads the certificate information and sends it to the client. The client verifies the server's certificate according to the root certificate. | Set the following environment variables:
- PGSSLROOTCERT
- PGSSLMODE | To prevent TCP-based link spoofing, you are advised to use the SSL certificate authentication. In addition to configuring client root certificate, you are advised to set the **PGSSLMODE** variable to **verify-ca** on the client. | - -**Reference** - -In the **postgresql.conf** file on the server, set the related parameters. For details, see [Table 5](#Table-1.3.2). - -**Table 5** Server parameters - -| Parameter | Description | Value Range | -| :------------------- | :----------------------------------------------------------- | :----------------------------------------------------------- | -| ssl | Specifies whether to enable the SSL function. | - **on**: indicates that SSL is enabled.
- **off**: indicates that SSL is disabled.
**Default value**: **on** | -| require_ssl | Specifies whether the server requires the SSL connection. This parameter is valid only when **ssl** is set to **on**. | - **on**: The server requires the SSL connection.
- **off**: The server does not require the SSL connection.
**Default value**: **off** | -| ssl_cert_file | Server certificate file, including the server public key. The certificate proves the legal identity of the server and the public key is sent to the peer end for data encryption. | Use the actual certificate name. The relative path is relative to the data directory.
**Default value**: **server.crt** | -| ssl_key_file | Private key file of the server, used to decrypt data encrypted using the public key. | Use the actual private key name of the server. The relative path is relative to the data directory.
**Default value**: **server.key** | -| ssl_ca_file | Root certificate of the CA server. This parameter is optional and needs to be set only when the certificate of a client must be verified. | Use the name of the actual root certificate.
**Default value**: **cacert.pem** | -| ssl_crl_file | Certificate revocation list (CRL). If the certificate of a client is in the list, the certificate is invalid. | Use the actual name of the CRL.
**Default value**: empty, indicating that there is no CRL. | -| ssl_ciphers | Encryption algorithm used for SSL communication. | For details about the supported encryption algorithms, see [Table 7](#Table-1.3.4).
**Default value**: **ALL**, indicating that all supported encryption algorithms, excluding ADH, LOW, EXP, and MD5) can be used for the peer end. | -| ssl_cert_notify_time | Specifies the number of days prior to SSL server certificate expiration that a user will receive a reminder. | Set this parameter based on the site requirements.
**Default value:** 90 | - -Configure environment variables related to SSL authentication on the client. For details, see [Table 6](#table1.3.3). - -> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **NOTE:** -> The path of environment variables is set to **/home/omm** as an example. Replace it with the actual path. - -**Table 6** Client parameters - -| Environment Variable | Description | Value Range | -| :------------------- | :------------------------------------------| :------------------------------------------------| -| PGSSLCERT | Client certificate file, including the client public key. The certificate proves the legal identity of the client and the public key is sent to the peer end for data encryption. | Absolute path of a certificate file, for example:
**`export PGSSLCERT='/home/omm/client.crt'`**
**Default value**: empty | -| PGSSLKEY | Private key file of the client, used to decrypt data encrypted using the public key | Absolute path of a certificate file, for example:
**`export PGSSLKEY='/home/omm/client.key'`**
**Default value**: empty | -| PGSSLMODE | Specifies whether to negotiate with the server about SSL connection and specifies the priority of the SSL connection. | **Values and meanings:**
- **disable**: only tries to setting up a non-SSL connection.
- **allow**: tries setting up a non-SSL connection first, and then an SSL connection if the attempt fails.
- **prefer**: tries setting up an SSL connection first, and then a non-SSL connection if the attempt fails.
- **require**: only tries setting up an SSL connection. If there is a CA file, perform the verification according to the scenario in which the parameter is set to **verify-ca**.
- **verify-ca**: tries setting up an SSL connection, checks whether the server certificate is issued by a trusted CA.
- **verify-full**: tries setting up an SSL connection, checks whether the server certificate is issued by a trusted CA, and checking whether the host name of the server is the same as that in the certificate.**
Default value**: **prefer** | -| PGSSLROOTCERT | Root certificate file for issuing client certificates. The root certificate is used to verify the server certificate. | Absolute path of a certificate file, for example:
**`export PGSSLROOTCERT='/home/omm/certca.pem'`**
**Default value**: empty | -| PGSSLCRL | CRL file for checking whether the server certificate is in the CRL. If it is, the certificate is invalid. | Absolute path of a certificate file, for example:
**`export PGSSLCRL='/home/omm/sslcrl-file.crl'`**
**Default value**: empty | - -The following tables describe the connection results based on the settings of the server parameters **ssl** and **require_ssl** and the client parameter **sslmode**. - -- Server ssl = on - - | sslmode (Client) | require_ssl (Client) | Result | - |:----------------|:--------------------|:-------------------------------------------| - | disable | on | The connection fails, because the server requires SSL but the client has disabled it. | - | disable | off | The connection is not encrypted. | - | allow | on | The connection is encrypted. | - | allow | off | The connection is not encrypted. | - | prefer | on | The connection is encrypted. | - | prefer | off | The connection is encrypted. | - | require | on | The connection is encrypted. | - | require | off | The connection is encrypted. | - | verify-ca | on | The connection is encrypted and the server certificate is verified. | - | verify-ca | off | The connection is encrypted and the server certificate is verified. | - | verify-full | on | The connection is encrypted and the server certificate and host name are verified. | - | verify-full | off | The connection is encrypted and the server certificate and host name are verified. | - -- Server ssl = off - - | sslmode (Client) | require_ssl (Client) | Result | - |:----------------|:--------------------|:-------------------------------------------| - | disable | on | The connection is not encrypted. | - | disable | off | The connection is not encrypted. | - | allow | on | The connection is not encrypted. | - | allow | off | The connection is not encrypted. | - | prefer | on | The connection is not encrypted. | - | prefer | off | The connection is not encrypted. | - | require | on | The connection fails, because the client requires SSL but the server has disabled it. | - | require | off | The connection fails, because the client requires SSL but the server has disabled it. 
| - | verify-ca | on | The connection fails, because the client requires SSL but the server has disabled it. | - | verify-ca | off | The connection fails, because the client requires SSL but the server has disabled it. | - | verify-full | on | The connection fails, because the client requires SSL but the server has disabled it. | - | verify-full | off | The connection fails, because the client requires SSL but the server has disabled it. | - -A series of encryption and authentication algorithms with different strength are supported for SSL transmission. You can modify **ssl_ciphers** in **postgresql.conf** to specify the encryption algorithm used by the database server. [Table 7](#Table-1.3.4) lists the encryption algorithms supported by the SSL. - -**Table 7** Encryption algorithms - -| OpenSSL Suite Name | IANA Suite Name | Security | -| :---------------------------- | :-------------------------------------- | :------- | -| ECDHE-RSA-AES128-GCM-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | HIGH | -| ECDHE-RSA-AES256-GCM-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | HIGH | -| ECDHE-ECDSA-AES128-GCM-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | HIGH | -| ECDHE-ECDSA-AES256-GCM-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | HIGH | -| DHE-RSA-AES128-GCM-SHA256 | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | HIGH | -| DHE-RSA-AES256-GCM-SHA384 | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | HIGH | - -> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **NOTE:** -> -> - Currently, only the six encryption algorithm suites listed in the preceding table are supported. -> - The default value of **ssl_ciphers** is **ALL**, indicating that all encryption algorithms listed in the table are supported. The DHE algorithm suite is retained for forward compatibility, i.e., DHE-RSA-AES128-GCM-SHA256 and DHE-RSA-AES256-GCM-SHA384. 
According to the CVE-2002-20001 vulnerability disclosure DHE algorithms have a certain security risk, and their use is not recommended for non-compatible scenarios, which can be configured to support only ECDHE-type algorithm suites by setting the ssl_ciphers parameter can be configured to support only ECDHE type algorithm suites. -> - To specify the preceding cipher suites, set **ssl_ciphers** to the OpenSSL suite names in the preceding table. Use semicolons (;) to separate cipher suites. For example, set **ssl_ciphers** in **postgresql.conf** as follows: ssl_ciphers='ECDHE-RSA-AES128-GCM-SHA256;ECDHE-ECDSA-AES128-GCM-SHA256' -> - SSL authentication increases the time spent for login (creating the SSL environment) and logout processes (clearing the SSL environment), and requires extra time for encrypting the data to be transferred. It affects performance especially in frequent login, logout, and short-time query scenarios. -> - If the certificate validity period is less than seven days, an alarm is generated in the log when a user logs in to the system. - -## Establishing Secure TCP/IP Connections in SSH Tunnel Mode - -**Background** - -To ensure secure communication between the database server and its clients, secure SSH tunnels can be established between the database server and clients. SSH is a reliable security protocol dedicated to remote login session and other network services. - -Regarding the SSH client, the SSH provides the following two security authentication levels: - -- Password-based security authentication: Use an account and a password to log in to a remote host. All transmitted data is encrypted. However, the connected server may not be the target server. Another server may pretend to be the real server and perform the man-in-the-middle attack. -- Key-based security authentication: A user must create a pair of keys and put the public key on the target server. This mode prevents man-in-the-middle attacks while encrypting all transmitted data. 
However, the entire login process may last 10s. - -**Prerequisites** - -The SSH service and the database must run on the same server. - -**Procedure** - -OpenSSH is used as an example to describe how to configure SSH tunnels. The process of configuring key-based security authentication is not described here. OpenSSH provides multiple configurations to adapt to different networks. For more details, see documents related to OpenSSH. - -Establish the SSH tunnel from a local host to the database server. - -```bash -ssh -L 63333:localhost:8000 username@hostIP -``` - -> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **NOTE:** -> -> - The first digit string (**63333**) of the **-L** parameter indicates the local port ID of the tunnel and can be randomly selected. -> - The second digit string (**8000**) indicates the remote port ID of the tunnel, which is the port ID on the server. -> - **localhost** is the IP address of the local host, **username** is the username on the database server to be connected, and **hostIP** is the IP address of the database server to be connected. - -## Checking the Number of Database Connections - -**Background** - -If the number of connections reaches its upper limit, new connections cannot be created. Therefore, if a user fails to connect a database, the administrator must check whether the number of connections has reached the upper limit. The following are details about database connections: - -- The maximum number of global connections is specified by the **max_connections** parameter. Its default value is **5000**. -- The number of a user's connections is specified by **CONNECTION LIMIT connlimit** in the **CREATE ROLE** statement and can be changed using **CONNECTION LIMIT connlimit** in the **ALTER ROLE** statement. -- The number of a database's connections is specified by the **CONNECTION LIMIT connlimit** parameter in the **CREATE DATABASE** statement. - -**Procedure** - -1. 
Log in as the OS user **omm** to the primary node of the database. - -2. Run the following command to connect to the database: - - ```bash - gsql -d mogdb -p 8000 - ``` - - **mogdb** is the name of the database to be connected, and **8000** is the port number of the database primary node. - -3. View the upper limit of the number of global connections. - - ```sql - MogDB=# SHOW max_connections; - max_connections - ----------------- - 800 - (1 row) - ``` - - **800** is the maximum number of session connections. - -4. View the number of connections that have been used. - - > ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-notice.gif) **NOTICE:** - > - > Except for database and usernames that are enclosed in double quotation marks (") during creation, uppercase letters are not allowed in the database and usernames in the commands in the following table. - - - View the maximum number of sessions connected to a specific user. - - Run the following commands to view the upper limit of the number of omm's session connections. -1 indicates that no upper limit is set for the number of omm's session connections. - - ```sql - MogDB=# SELECT ROLNAME,ROLCONNLIMIT FROM PG_ROLES WHERE ROLNAME='omm'; - rolname | rolconnlimit - ---------+-------------- - omm | -1 - (1 row) - ``` - - - View the number of session connections that have been used by a user. - - Run the following commands to view the number of session connections that have been used by omm. 1 indicates the number of session connections that have been used by omm. 
- - ```sql - MogDB=# CREATE OR REPLACE VIEW DV_SESSIONS AS - SELECT - sa.sessionid AS SID, - 0::integer AS SERIAL#, - sa.usesysid AS USER#, - ad.rolname AS USERNAME - FROM pg_stat_get_activity(NULL) AS sa - LEFT JOIN pg_authid ad ON(sa.usesysid = ad.oid) - WHERE sa.application_name <> 'JobScheduler'; - MogDB=# SELECT COUNT() FROM DV_SESSIONS WHERE USERNAME='omm'; - count - ------- - 1 - (1 row) - ``` - - - View the maximum number of sessions connected to a specific database - - Run the following commands to view the upper limit of the number of mogdb's session connections. -1 indicates that no upper limit is set for the number of mogdb's session connections. - - ```sql - MogDB=# SELECT DATNAME,DATCONNLIMIT FROM PG_DATABASE WHERE DATNAME='mogdb'; - datname | datconnlimit - ---------+-------------- - mogdb | -1 - (1 row) - ``` - - - View the number of session connections that have been used by a specific database. - - Run the following commands to view the number of session connections that have been used by mogdb. 1 indicates the number of session connections that have been used by mogdb. - - ```sql - MogDB=# SELECT COUNT(*) FROM PG_STAT_ACTIVITY WHERE DATNAME='mogdb'; - count - ------- - 1 - (1 row) - ``` - - - View the number of session connections that have been used by all users. - - Run the following commands to view the number of session connections that have been used by all users: - - ```sql - MogDB=# CREATE OR REPLACE VIEW DV_SESSIONS AS - SELECT - sa.sessionid AS SID, - 0::integer AS SERIAL#, - sa.usesysid AS USER#, - ad.rolname AS USERNAME - FROM pg_stat_get_activity(NULL) AS sa - LEFT JOIN pg_authid ad ON(sa.usesysid = ad.oid) - WHERE sa.application_name <>'JobScheduler'; - MogDB=# SELECT COUNT(*) FROM DV_SESSIONS; - count - ------- - 23 - (1 row) - ``` - -## Managing SSL Certificates - -Security certificates and keys generated using OpenSSL are configured in MogDB by default. 
In addition, MogDB provides certificate replacement interfaces to allow users to replace their certificates. - -### Generating Certificates - -**Scenarios** - -In the test environment, users can use either of the following methods to test digital certificates. In a customer's operating environment, only a digital certificate obtained from a CA can be used. - -**Prerequisites** - -The OpenSSL component has been installed in the Linux environment. - -**Generating an Automatic Authentication Certificate** - -1. Establish a CA environment. - - ``` - # Suppose that user omm exists, and the CA path is test. - # Log in to the Linux environment as user root and switch to user omm: - mkdir test - cd /etc/pki/tls - # Copy the configuration file openssl.cnf to test. - cp openssl.cnf ~/test - cd ~/test - # Establish the CA environment under the test folder. - # Create folder demoCA./demoCA/newcerts./demoCA/private. - mkdir ./demoCA ./demoCA/newcerts ./demoCA/private - chmod 700 ./demoCA/private - # Create the serial file and write it to 01. - echo '01'>./demoCA/serial - # Create the index.txt file. - touch ./demoCA/index.txt - # Modify parameters in the openssl.cnf configuration file. - dir = ./demoCA - default_md = sha256 - # The CA environment has been established. - ``` - -2. Generate a root private key. - - ``` - # Generate a CA private key. - openssl genrsa -aes256 -out demoCA/private/cakey.pem 2048 - Generating RSA private key, 2048 bit long modulus - .................+++ - ..................+++ - e is 65537 (0x10001) - # Set the protection password of the root private key, for example, Test@123. - Enter pass phrase for demoCA/private/cakey.pem: - # Enter the private key password Test@123 again. - Verifying - Enter pass phrase for demoCA/private/cakey.pem: - ``` - -3. Generate a root certificate request file. - - ``` - # Generate a CA root certificate application file named careq.pem. 
- openssl req -config openssl.cnf -new -key demoCA/private/cakey.pem -out demoCA/careq.pem - Enter pass phrase for demoCA/private/cakey.pem: - # Enter the root private key password Test@123. - You are about to be asked to enter information that will be incorporated - into your certificate request. - What you are about to enter is what is called a Distinguished Name or a DN. - There are quite a few fields but you can leave some blank - For some fields there will be a default value, - If you enter '.', the field will be left blank. - ----- - - # Note down the following names and use them when entering information in the generated server certificate and client certificate. - Country Name (2 letter code) [AU]:CN - State or Province Name (full name) [Some-State]:shanxi - Locality Name (eg, city) []:xian - Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abc - Organizational Unit Name (eg, section) []:hello - # Common Name can be randomly set. - Common Name (eg, YOUR name) []:world - # The email address is optional. - Email Address []: - - Please enter the following 'extra' attributes - to be sent with your certificate request - A challenge password []: - An optional company name []: - ``` - -4. Generate a self-signed root certificate. - - ``` - # When generating the root certificate, modify the openssl.cnf file and set basicConstraints to CA:TRUE. - vi openssl.cnf - # Generate a CA self-signed root certificate. - openssl ca -config openssl.cnf -out demoCA/cacert.pem -keyfile demoCA/private/cakey.pem -selfsign -infiles demoCA/careq.pem - Using configuration from openssl.cnf - Enter pass phrase for demoCA/private/cakey.pem: - # Enter the root private key password Test@123. 
- Check that the request matches the signature - Signature ok - Certificate Details: - Serial Number: 1 (0x1) - Validity - Not Before: Feb 28 02:17:11 2017 GMT - Not After : Feb 28 02:17:11 2018 GMT - Subject: - countryName = CN - stateOrProvinceName = shanxi - organizationName = Abc - organizationalUnitName = hello - commonName = world - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Comment: - OpenSSL Generated Certificate - X509v3 Subject Key Identifier: - F9:91:50:B2:42:8C:A8:D3:41:B0:E4:42:CB:C2:BE:8D:B7:8C:17:1F - X509v3 Authority Key Identifier: - keyid:F9:91:50:B2:42:8C:A8:D3:41:B0:E4:42:CB:C2:BE:8D:B7:8C:17:1F - - Certificate is to be certified until Feb 28 02:17:11 2018 GMT (365 days) - Sign the certificate? [y/n]:y - - 1 out of 1 certificate requests certified, commit? [y/n]y - Write out database with 1 new entries - Data Base Updated - # A CA root certificate named demoCA/cacert.pem has been issued. - ``` - -5. Generate a private key for the server certificate. - - ``` - # Generate a private key file named server.key. - openssl genrsa -aes256 -out server.key 2048 - Generating a 2048 bit RSA private key - .......++++++ - ..++++++ - e is 65537 (0x10001) - Enter pass phrase for server.key: - # Password of the server private key, for example, Test@123. - Verifying - Enter pass phrase for server.key: - # Confirm the protection password for the server private key Test@123 again. - ``` - -6. Generate a server certificate request file. - - ``` - # Generate a server certificate request file server.req. - openssl req -config openssl.cnf -new -key server.key -out server.req - Enter pass phrase for server.key: - You are about to be asked to enter information that will be incorporated - into your certificate request. - What you are about to enter is what is called a Distinguished Name or a DN. 
- There are quite a few fields but you can leave some blank - For some fields there will be a default value, - If you enter '.', the field will be left blank. - ----- - - # Set the following information and make sure that it is same as that when CA is created. - Country Name (2 letter code) [AU]:CN - State or Province Name (full name) [Some-State]:shanxi - Locality Name (eg, city) []:xian - Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abc - Organizational Unit Name (eg, section) []:hello - # Common Name can be randomly set. - Common Name (eg, YOUR name) []:world - Email Address []: - # The following information is optional. - Please enter the following 'extra' attributes - to be sent with your certificate request - A challenge password []: - An optional company name []: - ``` - -7. Generate a server certificate. - - ``` - # When generating the server certificate or client certificate, modify the openssl.cnf file and set basicConstraints to CA:FALSE. - vi openssl.cnf - # Change the demoCA/index.txt.attr attribute to no. - vi demoCA/index.txt.attr - - # Issue the generated server certificate request file. After it is issued, an official server certificate server.crt is generated. 
- openssl ca -config openssl.cnf -in server.req -out server.crt -days 3650 -md sha256 - Using configuration from /etc/ssl/openssl.cnf - Enter pass phrase for ./demoCA/private/cakey.pem: - Check that the request matches the signature - Signature ok - Certificate Details: - Serial Number: 2 (0x2) - Validity - Not Before: Feb 27 10:11:12 2017 GMT - Not After : Feb 25 10:11:12 2027 GMT - Subject: - countryName = CN - stateOrProvinceName = shanxi - organizationName = Abc - organizationalUnitName = hello - commonName = world - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Comment: - OpenSSL Generated Certificate - X509v3 Subject Key Identifier: - EB:D9:EE:C0:D2:14:48:AD:EB:BB:AD:B6:29:2C:6C:72:96:5C:38:35 - X509v3 Authority Key Identifier: - keyid:84:F6:A1:65:16:1F:28:8A:B7:0D:CB:7E:19:76:2A:8B:F5:2B:5C:6A - - Certificate is to be certified until Feb 25 10:11:12 2027 GMT (3650 days) - # Enter y to sign and issue the certificate. - Sign the certificate? [y/n]:y - - # Enter y. The certificate singing and issuing is complete. - 1 out of 1 certificate requests certified, commit? [y/n]y - Write out database with 1 new entries - Data Base Updated - ``` - - Disable password protection for the private key. - - ``` - # Disable the password protection for the server private key. - openssl rsa -in server.key -out server.key - # If the password protection for the server private key is not disabled, you need to use the gs_guc tool to encrypt the password. - gs_guc encrypt -M server -D ./ - # Enter the passowrd of the the server private key as prompted. After the password is encrypted, two private key password protection files server.key.cipher and server.key.rand are generated. - ``` - -8. Generate the client certificate and private key. - - Methods and requirements for generating client certificates and private keys are the same as that for server certificates and private keys. - - ``` - # Generate a client private key. 
- openssl genrsa -aes256 -out client.key 2048 - # Generate a certificate request file for a client. - openssl req -config openssl.cnf -new -key client.key -out client.req - # After the generated certificate request file for client is signed and issued, a formal client certificate client.crt is generated. - openssl ca -config openssl.cnf -in client.req -out client.crt -days 3650 -md sha256 - ``` - - Disable password protection for the private key: - - ``` - # Disable the protection for a client private key password. - openssl rsa -in client.key -out client.key - # If password protection for a client private key is not removed, you need to use the gs_guc tool to encrypt the password. - gs_guc encrypt -M client -D ./ - Enter the passowrd of the the client private key as prompted. After the password is encrypted, two private key password protection files client.key.cipher and client.key.rand are generated. - ``` - - Convert the client key to the DER format. - - ```bash - openssl pkcs8 -topk8 -outform DER -in client.key -out client.key.pk8 -nocrypt - ``` - -9. Generate a CRL. - - If the CRL is required, you can generate it by following the following procedure: - - ``` - # Create a crlnumber file. - echo '00'>./demoCA/crlnumber - # Revoke a server certificate. - openssl ca -config openssl.cnf -revoke server.crt - # Generate the CRL sslcrl-file.crl. - openssl ca -config openssl.cnf -gencrl -out sslcrl-file.crl - ``` - -### Replacing Certificates - -**Scenarios** - -Default security certificates and private keys required for SSL connection are configured in MogDB. You can change them as needed. - -**Prerequisites** - -The formal certificates and keys for the server and client have been obtained from the CA. - -**Precautions** - -Currently, MogDB supports only the X509v3 certificate in PEM format. - -**Procedure** - -1. Prepare for a certificate and a key. 
- - Conventions for configuration file names on the server: - - - Certificate name: server.crt - - Key name: server.key - - Key password and encrypted file: server.key.cipher and server.key.rand - - Conventions for configuration file names on the client: - - - Certificate name: client.crt - - Key name: client.key - - Key password and encrypted file: client.key.cipher and client.key.rand - - Certificate name: cacert.pem - - CRL file name: sslcrl-file.crl - -2. Create a compressed package. - - Package name: db-cert-replacement.zip - - Package format: ZIP - - Package file list: server.crt, server.key, server.key.cipher, server.key.rand, client.crt, client.key, client.key.cipher, client.key.rand, cacert.pem If you need to configure the CRL, the list must contain sslcrl-file.crl. - -3. Invoke the certificate replacement interface to replace a certificate. - - a. Upload the prepared package **db-cert-replacement.zip** to any path of an MogDB user. - - For example: /home/**xxxx**/db-cert-replacement.zip - - b. Run the following command to perform the replacement: - - ```bash - gs_om -t cert --cert-file=/home/xxxx/db-cert-replacement.zip - ``` - -4. Restart the MogDB. - - ```bash - gs_om -t stop - gs_om -t start - ``` - - > ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **NOTE:** - > Certificates can be rolled back to the version before the replacement. You can run the **gs_om -t cert -rollback** command to remotely invoke the interface or **gs_om -t cert -rollback -L** to locally invoke the interface. The certificate will be rolled back to the latest version that was successfully replaced. 
+--- +title: Client Access Authentication +summary: Client Access Authentication +author: Guo Huan +date: 2021-04-26 +--- + +# Client Access Authentication + +## Configuring Client Access Authentication + +**Background** + +If a host needs to connect to a database remotely, you need to add information about the host in configuration file of the database system and perform client access authentication. The configuration file (**pg_hba.conf** by default) is stored in the data directory of the database. HBA is short for host-based authentication. + +- The system supports the following three authentication methods, which all require the **pg_hba.conf** file. + + - Host-based authentication: A server checks the configuration file based on the IP address, username, and target database of the client to determine whether the user can be authenticated. + - Password authentication: A password can be an encrypted password for remote connection or a non-encrypted password for local connection. + - SSL encryption: The OpenSSL is used to provide a secure connection between the server and the client. + +- In the **pg_hba.conf** file, each record occupies one row and specifies an authentication rule. An empty row or a row started with a number sign (#) is neglected. + +- Each authentication rule consists of multiple columns separated by spaces and forward slashes (/), or spaces and tab characters. If a field is enclosed with quotation marks ("), it can contain spaces. One record cannot span different rows. + +**Procedure** + +1. Log in as the OS user **omm** to the primary node of the database. + +2. Configure the client authentication mode and enable the client to connect to the host as user **jack**. User **omm** cannot be used for remote connection. + + Assume you are to allow the client whose IP address is **10.10.0.30** to access the current host. 
+ + ```bash + gs_guc reload -N all -I all -h "host all jack 10.10.0.30/32 sha256" + ``` + + > ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **NOTE:** + > + > - Before using user **jack**, connect to the database locally and run the following command in the database to create user **jack**: + > + > ```sql + > CREATE USER jack PASSWORD 'Test@123'; + > ``` + > + > - **-N all** indicates all hosts in MogDB. + > - **-I all** indicates all instances on the host. + > - **-h** specifies statements that need to be added in the **pg_hba.conf** file. + > - **all** indicates that a client can connect to any database. + > - **jack** indicates the user that accesses the database. + > - **10.10.0.30*/*32** indicates that only the client whose IP address is **10.10.0.30** can connect to the host. The specified IP address must be different from those used in MogDB. **32** indicates that there are 32 bits whose value is 1 in the subnet mask. That is, the subnet mask is 255.255.255.255. + > - **sha256** indicates that the password of user **jack** is encrypted using the SHA-256 algorithm. + +This command adds a rule to the **pg_hba.conf** file corresponds to the primary node of the database. The rule is used to authenticate clients that access primary node. + +Each record in the **pg_hba.conf** file can be in one of the following four formats. For parameter description of the four formats, see [Configuration File Reference](#configuration-file-reference). + +```text +local DATABASE USER METHOD [OPTIONS] +host DATABASE USER ADDRESS METHOD [OPTIONS] +hostssl DATABASE USER ADDRESS METHOD [OPTIONS] +hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] +``` + +During authentication, the system checks records in the **pg_hba.conf** file in sequence for connection requests, so the record sequence is vital. 
+ +> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **NOTE:** +> Configure records in the **pg_hba.conf** file from top to bottom based on communication and format requirements in the descending order of priorities. The IP addresses of the MogDB cluster and added hosts are of the highest priority and should be configured prior to those manually configured by users. If the IP addresses manually configured by users and those of added hosts are in the same network segment, delete the manually configured IP addresses before the scale-out and configure them after the scale-out. + +The suggestions on configuring authentication rules are as follows: + +- Records placed at the front have strict connection parameters but weak authentication methods. +- Records placed at the end have weak connection parameters but strict authentication methods. + +> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **NOTE:** +> +> - If a user wants to connect to a specified database, the user must be authenticated by the rules in the **pg_hba.conf** file and have the **CONNECT** permission for the database. If you want to restrict a user from connecting to certain databases, you can grant or revoke the user's **CONNECT** permission, which is easier than setting rules in the **pg_hba.conf** file. +> - The **trust** authentication mode is insecure for a connection between the MogDB and a client outside the cluster. In this case, set the authentication mode to **sha256**. + +**Exception Handling** + +There are many reasons for a user authentication failure. You can view an error message returned from a server to a client to determine the exact cause. [Table 1](#Table-1.1.1) lists common error messages and solutions to these errors. + +**Table 1** Error messages + +| Symptom | Solution | +| :---------------------------------------------- | :-------------------------------------------------- | +| The username or password is incorrect.
`FATAL: invalid username/password,login denied` | Retry the authentication with the correct username and password. | +| The database to connect does not exist.
`FATAL: database "TESTDB" does not exist` | Retry the authentication with the correct database name. | +| No matched client record is found.
`FATAL: no pg_hba.conf entry for host "10.10.0.60", user "ANDYM", database "TESTDB"` | This message indicates that the server is connected but denies the connection request, because it does not find a matched record in **pg_hba.conf**. Contact the database administrator to add user information to the **pg_hba.conf** file. | + +**Example** + +``` +TYPE DATABASE USER ADDRESS METHOD + +#Allow only the user specified by the -U parameter (omm as default) during installation to establish a connection from the local server. +local all omm trust +IPv4 local connections: +#User jack is allowed to connect to any database from the 10.10.0.50 host. The SHA-256 algorithm is used to encrypt the password. +host all jack 10.10.0.50/32 sha256 +#Any user is allowed to connect to any database from a host on the 10.10.0.0/24 network segment. The SHA-256 algorithm is used to encrypt the password and SSL transmission is used. +hostssl all all 10.10.0.0/24 sha256 +#Any user is allowed to connect to any database from a host on the 10.10.0.0/24 network segment. The Kerberos authentication is used. In the current version, Kerberos authentication cannot be used to connect to external clients. +host all all 10.10.0.0/24 gss include_realm=1 krb_realm=HADOOP.COM +``` + +## Configuration File Reference + +**Table 2** Parameter description + +| Parameter | Description | Value Range | +| :---------- | :--------------------------- | :----------------------------------| +| local | Indicates that this record accepts only the Unix-domain-socket connection. If no such type of record exists, Unix-domain-socket connections are not allowed.
When **gsql** is used to initiate a connection from a local server and the **-U** parameter is not specified, a Unix-domain-socket connection is established. | N/A | +| host | Indicates that this record accepts either a common TCP/IP-socket connection or a TCP/IP-socket connection encrypted through SSL. | N/A | +| hostssl | Indicates that this record accepts only a TCP/IP socket connection encrypted through SSL. | For the connection encrypted through SSL, you need to apply for a digital certificate and configure related parameters. For details, see [Establishing Secure TCP/IP Connections in SSL Mode](#establishing-secure-tcpip-connections-in-ssl-mode). | +| hostnossl | Indicates that this record accepts only a common TCP/IP socket connection. | N/A | +| DATABASE | Database that a record matches and can access | - **all**: indicates that this record matches all databases.
- **sameuser**: indicates that the database must have the same name as the user who requests database access.
- **samerole**: indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- **samegroup**: is the same as that of **samerole** and indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- A file containing database names with an at sign (@) added before the file name, or a database list in a file using commas (,) or line feeds to separate databases.
- A specific database name or a list of databases separated by commas (,)
NOTE:
**replication** indicates that if a replication link is requested, the records match the link. But this does not mean the record matches any specific database. To use a database named **replication**, specify it in the database column. | +| USER | Users who match the record and are allowed to access databases | - **all**: indicates that this record matches all users.
- **+User role**: indicates that this record matches all members that directly or indirectly belong to the role.
NOTE:
**+** is a prefix character.
- A file containing usernames, with an at sign (@) added before the file name. Users in the file are separated by commas (,) or line feeds.
- A specific database username or a list of users separated by commas (,) | +| ADDRESS | Range of IP addresses that match the record and can be visited | IPv4 and IPv6 are supported. The IP address range can be expressed in the following two formats:
- **IP address/mask length** Example: 10.10.0.0/24
- **IP address Subnet mask** Example: 10.10.0.0 255.255.255.0
NOTE:
An IPv4 address matches the IPv6 connection with the corresponding address. For example, 127.0.0.1 matches IPv6 address ::ffff:127.0.0.1. | +| METHOD | Authentication method used for connection | The following authentication modes are supported. For details, see [Table 3](#Table 1.2.2).
- **trust**
- **reject**
- **md5** (not recommended and not supported by default. This authentication mode can be configured using the **password_encryption_type** parameter.)
NOTE:
The MD5 encryption algorithm has lower security and poses security risks. Therefore, you are advised to use a more secure encryption algorithm.
- **sha256**
- **sm3**
- **cert**
- **gss** (only for authentication within MogDB)
- **peer** (only for the local mode) | + +**Table 3** Authentication modes + +| Authentication Mode | Remarks | +| :------------------ | :----------------------------------------------------------- | +| trust | In trust mode, only the connection initiated from the local server using **gsql** with the **-U** parameter not specified is trusted. In this case, no password is required.
The trust authentication mode applies to local connection of a single-user workstation, but not of a multi-user workstation. To use the trust authentication, you can use the file system permissions to control the access to the Unix-domain socket file on the server. You can use either of the following methods to control the access:
- Set the **unix_socket_permissions** and **unix_socket_group** parameters.
- Set the **unix_socket_directory** parameter to place Unix-domain socket files into a directory requiring certain access permissions.
NOTICE:
Setting the file system permission imposes restrictions on only Unix-domain socket connections, and does not affect local TCP/IP connections. To ensure local TCP/IP security, MogDB does not allow the trust authentication for remote connection. | +| reject | Rejects connection unconditionally. This authentication mode is usually used for filtering certain hosts. | +| md5 | Requires that the client must provide an MD5-encrypted password for authentication.
NOTICE:
- The MD5 encryption algorithm has lower security and poses security risks. Therefore, you are advised to use a more secure encryption algorithm.
- MogDB retains MD5 authentication and password storage to facilitate use of third-party tools (such as the TPCC test tool). | +| sha256 | Requires that the client must provide a sha256-encrypted password for authentication. The password is encrypted based on the unidirectional sha256 of salt (a random number sent from the server to the client) when being transmitted, enhancing the security. | +| sm3 | The client is required to provide an SM3 encryption password for authentication. The password is encrypted using the salt (a random number sent by the server to the client) to enhance security. | +| cert | Client certificate authentication mode. In this mode, the SSL connection must be configured and the client must provide a valid SSL certificate. The user password is not required.
NOTICE:
This authentication mode supports only hostssl rules. | +| gss | Uses the GSSAPI-based Kerberos authentication.
NOTICE:
- This authentication mode depends on components such as the Kerberos server. It supports only authentication for communication within MogDB. In the current version, Kerberos authentication cannot be used to connect to external clients.
- Enabling Kerberos authentication within MogDB slows down the connection setup among nodes in MogDB. The performance of SQL operations during the setup is affected, but later operations are not. | +| peer | In this mode, only the initial database user can connect to the database in local mode. You can configure **pg_ident.conf** to establish the mapping between the OS user and the initial database user.
Assume that the OS username is **omm**, the initial database user is **dbAdmin**, and the local mode is set to peer authentication in **pg_hba.conf**.
`local all all peer map=mymap`
In the preceding information, **map=mymap** specifies the username mapping, and the mapping name **mymap** is added to **pg_ident.conf**. The following shows the mapping.
`# MAPNAME SYSTEM-USERNAME PG-USERNAME mymap omm dbAdmin`
NOTE:
You can run the **gs_guc reload** command to modify **pg_hba.conf** for the modification to take effect immediately without restarting the database. After **pg_ident.conf** is modified, the modification automatically takes effect upon the next connection. You do not need to restart the database. | + +## Establishing Secure TCP/IP Connections in SSL Mode + +**Background** + +MogDB supports the standard SSL (TLS 1.2). As a highly secure protocol, SSL authenticates bidirectional identification between the server and client using digital signatures and digital certificates to ensure secure data transmission. + +**Prerequisites** + +Obtain formal certificates and keys for servers and clients from the Certificate Authority (CA). Assume the private key and certificate for the server are **server.key** and **server.crt**, the private key and certificate for the client are **client.key** and **client.crt**, and the CA root certificate is **cacert.pem**. + +**Precautions** + +- When a user remotely accesses the primary node of the database, the SHA-256 authentication method is used. +- If internal servers are connected with each other, the trust authentication mode must be used. IP address whitelist authentication is supported. + +**Procedure** + +After a cluster is deployed, MogDB enables the SSL authentication mode by default. The server certificate, key, and root certificates have been configured. You need to set client parameters. + +Set digital certificate parameters related to SSL authentication. For details, see [Table 4](#Table-1.3.1). + +- Configure client parameters. + + The default client certificate, key, root certificate, and key encrypted file have been obtained from the CA authentication center. Assume that the certificate, key, and root certificate are stored in the **/home/omm** directory. 
+ + For bidirectional authentication, set the following parameters: + + ```bash + export PGSSLCERT="/home/omm/client.crt" + export PGSSLKEY="/home/omm/client.key" + export PGSSLMODE="verify-ca" + export PGSSLROOTCERT="/home/omm/cacert.pem" + ``` + + For unidirectional authentication, set the following parameters: + + ```bash + export PGSSLMODE="verify-ca" + export PGSSLROOTCERT="/home/omm/cacert.pem" + ``` + +- Change the client key permission. + + The permission of the client root certificate, key, certificate, and encrypted key file should be 600. Otherwise, the client cannot connect to MogDB through SSL. + + ```bash + chmod 600 client.key + chmod 600 client.crt + chmod 600 client.key.cipher + chmod 600 client.key.rand + chmod 600 cacert.pem + ``` + +> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-notice.gif) **NOTICE:** +> You are advised to use bidirectional authentication for security purposes. +> The environment variables configured for a client must contain the absolute file paths. + +**Table 4** Authentication modes + +| Authentication Mode | Description | Client Environment Variable Setting | Maintenance Suggestion | +| :----------------------------------------- | :------------------------------------ | :-------------------------------------------| :-------------------------------------------- | +| Bidirectional authentication (recommended) | The client verifies the server's certificate and the server verifies the client's certificate. Connection can be set up after the verification is successful. | Set the following environment variables:
- PGSSLCERT
- PGSSLKEY
- PGSSLROOTCERT
- PGSSLMODE | This authentication mode is applicable to scenarios that require high data security. When using this method, you are advised to set the **PGSSLMODE** client variable to **verify-ca** for network data security purposes. | +| Unidirectional authentication | The client verifies the server's certificate, whereas the server does not verify the client's certificate. The server loads the certificate information and sends it to the client. The client verifies the server's certificate according to the root certificate. | Set the following environment variables:
- PGSSLROOTCERT
- PGSSLMODE | To prevent TCP-based link spoofing, you are advised to use the SSL certificate authentication. In addition to configuring client root certificate, you are advised to set the **PGSSLMODE** variable to **verify-ca** on the client. | + +**Reference** + +In the **postgresql.conf** file on the server, set the related parameters. For details, see [Table 5](#Table-1.3.2). + +**Table 5** Server parameters + +| Parameter | Description | Value Range | +| :------------------- | :----------------------------------------------------------- | :----------------------------------------------------------- | +| ssl | Specifies whether to enable the SSL function. | - **on**: indicates that SSL is enabled.
- **off**: indicates that SSL is disabled.
**Default value**: **on** | +| require_ssl | Specifies whether the server requires the SSL connection. This parameter is valid only when **ssl** is set to **on**. | - **on**: The server requires the SSL connection.
- **off**: The server does not require the SSL connection.
**Default value**: **off** | +| ssl_cert_file | Server certificate file, including the server public key. The certificate proves the legal identity of the server and the public key is sent to the peer end for data encryption. | Use the actual certificate name. The relative path is relative to the data directory.
**Default value**: **server.crt** | +| ssl_key_file | Private key file of the server, used to decrypt data encrypted using the public key. | Use the actual private key name of the server. The relative path is relative to the data directory.
**Default value**: **server.key** | +| ssl_ca_file | Root certificate of the CA server. This parameter is optional and needs to be set only when the certificate of a client must be verified. | Use the name of the actual root certificate.
**Default value**: **cacert.pem** | +| ssl_crl_file | Certificate revocation list (CRL). If the certificate of a client is in the list, the certificate is invalid. | Use the actual name of the CRL.
**Default value**: empty, indicating that there is no CRL. | +| ssl_ciphers | Encryption algorithm used for SSL communication. | For details about the supported encryption algorithms, see [Table 7](#Table-1.3.4).
**Default value**: **ALL**, indicating that all supported encryption algorithms, excluding ADH, LOW, EXP, and MD5) can be used for the peer end. | +| ssl_cert_notify_time | Specifies the number of days prior to SSL server certificate expiration that a user will receive a reminder. | Set this parameter based on the site requirements.
**Default value:** 90 | + +Configure environment variables related to SSL authentication on the client. For details, see [Table 6](#table1.3.3). + +> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **NOTE:** +> The path of environment variables is set to **/home/omm** as an example. Replace it with the actual path. + +**Table 6** Client parameters + +| Environment Variable | Description | Value Range | +| :------------------- | :------------------------------------------| :------------------------------------------------| +| PGSSLCERT | Client certificate file, including the client public key. The certificate proves the legal identity of the client and the public key is sent to the peer end for data encryption. | Absolute path of a certificate file, for example:
**`export PGSSLCERT='/home/omm/client.crt'`**
**Default value**: empty | +| PGSSLKEY | Private key file of the client, used to decrypt data encrypted using the public key | Absolute path of a certificate file, for example:
**`export PGSSLKEY='/home/omm/client.key'`**
**Default value**: empty | +| PGSSLMODE | Specifies whether to negotiate with the server about SSL connection and specifies the priority of the SSL connection. | **Values and meanings:**
- **disable**: only tries to setting up a non-SSL connection.
- **allow**: tries setting up a non-SSL connection first, and then an SSL connection if the attempt fails.
- **prefer**: tries setting up an SSL connection first, and then a non-SSL connection if the attempt fails.
- **require**: only tries setting up an SSL connection. If there is a CA file, perform the verification according to the scenario in which the parameter is set to **verify-ca**.
- **verify-ca**: tries setting up an SSL connection, checks whether the server certificate is issued by a trusted CA.
- **verify-full**: tries setting up an SSL connection, checks whether the server certificate is issued by a trusted CA, and checking whether the host name of the server is the same as that in the certificate.**
Default value**: **prefer** | +| PGSSLROOTCERT | Root certificate file for issuing client certificates. The root certificate is used to verify the server certificate. | Absolute path of a certificate file, for example:
**`export PGSSLROOTCERT='/home/omm/certca.pem'`**
**Default value**: empty | +| PGSSLCRL | CRL file for checking whether the server certificate is in the CRL. If it is, the certificate is invalid. | Absolute path of a certificate file, for example:
**`export PGSSLCRL='/home/omm/sslcrl-file.crl'`**
**Default value**: empty | + +The following tables describe the connection results based on the settings of the server parameters **ssl** and **require_ssl** and the client parameter **sslmode**. + +- Server ssl = on + + | sslmode (Client) | require_ssl (Client) | Result | + |:----------------|:--------------------|:-------------------------------------------| + | disable | on | The connection fails, because the server requires SSL but the client has disabled it. | + | disable | off | The connection is not encrypted. | + | allow | on | The connection is encrypted. | + | allow | off | The connection is not encrypted. | + | prefer | on | The connection is encrypted. | + | prefer | off | The connection is encrypted. | + | require | on | The connection is encrypted. | + | require | off | The connection is encrypted. | + | verify-ca | on | The connection is encrypted and the server certificate is verified. | + | verify-ca | off | The connection is encrypted and the server certificate is verified. | + | verify-full | on | The connection is encrypted and the server certificate and host name are verified. | + | verify-full | off | The connection is encrypted and the server certificate and host name are verified. | + +- Server ssl = off + + | sslmode (Client) | require_ssl (Client) | Result | + |:----------------|:--------------------|:-------------------------------------------| + | disable | on | The connection is not encrypted. | + | disable | off | The connection is not encrypted. | + | allow | on | The connection is not encrypted. | + | allow | off | The connection is not encrypted. | + | prefer | on | The connection is not encrypted. | + | prefer | off | The connection is not encrypted. | + | require | on | The connection fails, because the client requires SSL but the server has disabled it. | + | require | off | The connection fails, because the client requires SSL but the server has disabled it. 
| + | verify-ca | on | The connection fails, because the client requires SSL but the server has disabled it. | + | verify-ca | off | The connection fails, because the client requires SSL but the server has disabled it. | + | verify-full | on | The connection fails, because the client requires SSL but the server has disabled it. | + | verify-full | off | The connection fails, because the client requires SSL but the server has disabled it. | + +A series of encryption and authentication algorithms with different strength are supported for SSL transmission. You can modify **ssl_ciphers** in **postgresql.conf** to specify the encryption algorithm used by the database server. [Table 7](#Table-1.3.4) lists the encryption algorithms supported by the SSL. + +**Table 7** Encryption algorithms + +| OpenSSL Suite Name | IANA Suite Name | Security | +| :---------------------------- | :-------------------------------------- | :------- | +| ECDHE-RSA-AES128-GCM-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | HIGH | +| ECDHE-RSA-AES256-GCM-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | HIGH | +| ECDHE-ECDSA-AES128-GCM-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | HIGH | +| ECDHE-ECDSA-AES256-GCM-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | HIGH | +| DHE-RSA-AES128-GCM-SHA256 | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | HIGH | +| DHE-RSA-AES256-GCM-SHA384 | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | HIGH | + +> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **NOTE:** +> +> - Currently, only the six encryption algorithm suites listed in the preceding table are supported. +> - The default value of **ssl_ciphers** is **ALL**, indicating that all encryption algorithms listed in the table are supported. The DHE algorithm suite is retained for forward compatibility, i.e., DHE-RSA-AES128-GCM-SHA256 and DHE-RSA-AES256-GCM-SHA384. 
According to the CVE-2002-20001 vulnerability disclosure DHE algorithms have a certain security risk, and their use is not recommended for non-compatible scenarios, which can be configured to support only ECDHE-type algorithm suites by setting the ssl_ciphers parameter can be configured to support only ECDHE type algorithm suites. +> - To specify the preceding cipher suites, set **ssl_ciphers** to the OpenSSL suite names in the preceding table. Use semicolons (;) to separate cipher suites. For example, set **ssl_ciphers** in **postgresql.conf** as follows: ssl_ciphers='ECDHE-RSA-AES128-GCM-SHA256;ECDHE-ECDSA-AES128-GCM-SHA256' +> - SSL authentication increases the time spent for login (creating the SSL environment) and logout processes (clearing the SSL environment), and requires extra time for encrypting the data to be transferred. It affects performance especially in frequent login, logout, and short-time query scenarios. +> - If the certificate validity period is less than seven days, an alarm is generated in the log when a user logs in to the system. + +## Establishing Secure TCP/IP Connections in SSH Tunnel Mode + +**Background** + +To ensure secure communication between the database server and its clients, secure SSH tunnels can be established between the database server and clients. SSH is a reliable security protocol dedicated to remote login session and other network services. + +Regarding the SSH client, the SSH provides the following two security authentication levels: + +- Password-based security authentication: Use an account and a password to log in to a remote host. All transmitted data is encrypted. However, the connected server may not be the target server. Another server may pretend to be the real server and perform the man-in-the-middle attack. +- Key-based security authentication: A user must create a pair of keys and put the public key on the target server. This mode prevents man-in-the-middle attacks while encrypting all transmitted data. 
However, the entire login process may last 10s. + +**Prerequisites** + +The SSH service and the database must run on the same server. + +**Procedure** + +OpenSSH is used as an example to describe how to configure SSH tunnels. The process of configuring key-based security authentication is not described here. OpenSSH provides multiple configurations to adapt to different networks. For more details, see documents related to OpenSSH. + +Establish the SSH tunnel from a local host to the database server. + +```bash +ssh -L 63333:localhost:8000 username@hostIP +``` + +> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **NOTE:** +> +> - The first digit string (**63333**) of the **-L** parameter indicates the local port ID of the tunnel and can be randomly selected. +> - The second digit string (**8000**) indicates the remote port ID of the tunnel, which is the port ID on the server. +> - **localhost** is the IP address of the local host, **username** is the username on the database server to be connected, and **hostIP** is the IP address of the database server to be connected. + +## Checking the Number of Database Connections + +**Background** + +If the number of connections reaches its upper limit, new connections cannot be created. Therefore, if a user fails to connect a database, the administrator must check whether the number of connections has reached the upper limit. The following are details about database connections: + +- The maximum number of global connections is specified by the **max_connections** parameter. Its default value is **5000**. +- The number of a user's connections is specified by **CONNECTION LIMIT connlimit** in the **CREATE ROLE** statement and can be changed using **CONNECTION LIMIT connlimit** in the **ALTER ROLE** statement. +- The number of a database's connections is specified by the **CONNECTION LIMIT connlimit** parameter in the **CREATE DATABASE** statement. + +**Procedure** + +1. 
Log in as the OS user **omm** to the primary node of the database. + +2. Run the following command to connect to the database: + + ```bash + gsql -d mogdb -p 8000 + ``` + + **mogdb** is the name of the database to be connected, and **8000** is the port number of the database primary node. + +3. View the upper limit of the number of global connections. + + ```sql + MogDB=# SHOW max_connections; + max_connections + ----------------- + 800 + (1 row) + ``` + + **800** is the maximum number of session connections. + +4. View the number of connections that have been used. + + > ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-notice.gif) **NOTICE:** + > + > Except for database and usernames that are enclosed in double quotation marks (") during creation, uppercase letters are not allowed in the database and usernames in the commands in the following table. + + - View the maximum number of sessions connected to a specific user. + + Run the following commands to view the upper limit of the number of omm's session connections. -1 indicates that no upper limit is set for the number of omm's session connections. + + ```sql + MogDB=# SELECT ROLNAME,ROLCONNLIMIT FROM PG_ROLES WHERE ROLNAME='omm'; + rolname | rolconnlimit + ---------+-------------- + omm | -1 + (1 row) + ``` + + - View the number of session connections that have been used by a user. + + Run the following commands to view the number of session connections that have been used by omm. 1 indicates the number of session connections that have been used by omm. 
+ + ```sql + MogDB=# CREATE OR REPLACE VIEW DV_SESSIONS AS + SELECT + sa.sessionid AS SID, + 0::integer AS SERIAL#, + sa.usesysid AS USER#, + ad.rolname AS USERNAME + FROM pg_stat_get_activity(NULL) AS sa + LEFT JOIN pg_authid ad ON(sa.usesysid = ad.oid) + WHERE sa.application_name <> 'JobScheduler'; + MogDB=# SELECT COUNT() FROM DV_SESSIONS WHERE USERNAME='omm'; + count + ------- + 1 + (1 row) + ``` + + - View the maximum number of sessions connected to a specific database + + Run the following commands to view the upper limit of the number of mogdb's session connections. -1 indicates that no upper limit is set for the number of mogdb's session connections. + + ```sql + MogDB=# SELECT DATNAME,DATCONNLIMIT FROM PG_DATABASE WHERE DATNAME='mogdb'; + datname | datconnlimit + ---------+-------------- + mogdb | -1 + (1 row) + ``` + + - View the number of session connections that have been used by a specific database. + + Run the following commands to view the number of session connections that have been used by mogdb. 1 indicates the number of session connections that have been used by mogdb. + + ```sql + MogDB=# SELECT COUNT(*) FROM PG_STAT_ACTIVITY WHERE DATNAME='mogdb'; + count + ------- + 1 + (1 row) + ``` + + - View the number of session connections that have been used by all users. + + Run the following commands to view the number of session connections that have been used by all users: + + ```sql + MogDB=# CREATE OR REPLACE VIEW DV_SESSIONS AS + SELECT + sa.sessionid AS SID, + 0::integer AS SERIAL#, + sa.usesysid AS USER#, + ad.rolname AS USERNAME + FROM pg_stat_get_activity(NULL) AS sa + LEFT JOIN pg_authid ad ON(sa.usesysid = ad.oid) + WHERE sa.application_name <>'JobScheduler'; + MogDB=# SELECT COUNT(*) FROM DV_SESSIONS; + count + ------- + 23 + (1 row) + ``` + +## Managing SSL Certificates + +Security certificates and keys generated using OpenSSL are configured in MogDB by default. 
In addition, MogDB provides certificate replacement interfaces to allow users to replace their certificates. + +### Generating Certificates + +**Scenarios** + +In the test environment, users can use either of the following methods to test digital certificates. In a customer's operating environment, only a digital certificate obtained from a CA can be used. + +**Prerequisites** + +The OpenSSL component has been installed in the Linux environment. + +**Generating an Automatic Authentication Certificate** + +1. Establish a CA environment. + + ``` + # Suppose that user omm exists, and the CA path is test. + # Log in to the Linux environment as user root and switch to user omm: + mkdir test + cd /etc/pki/tls + # Copy the configuration file openssl.cnf to test. + cp openssl.cnf ~/test + cd ~/test + # Establish the CA environment under the test folder. + # Create folder demoCA./demoCA/newcerts./demoCA/private. + mkdir ./demoCA ./demoCA/newcerts ./demoCA/private + chmod 700 ./demoCA/private + # Create the serial file and write it to 01. + echo '01'>./demoCA/serial + # Create the index.txt file. + touch ./demoCA/index.txt + # Modify parameters in the openssl.cnf configuration file. + dir = ./demoCA + default_md = sha256 + # The CA environment has been established. + ``` + +2. Generate a root private key. + + ``` + # Generate a CA private key. + openssl genrsa -aes256 -out demoCA/private/cakey.pem 2048 + Generating RSA private key, 2048 bit long modulus + .................+++ + ..................+++ + e is 65537 (0x10001) + # Set the protection password of the root private key, for example, Test@123. + Enter pass phrase for demoCA/private/cakey.pem: + # Enter the private key password Test@123 again. + Verifying - Enter pass phrase for demoCA/private/cakey.pem: + ``` + +3. Generate a root certificate request file. + + ``` + # Generate a CA root certificate application file named careq.pem. 
+ openssl req -config openssl.cnf -new -key demoCA/private/cakey.pem -out demoCA/careq.pem + Enter pass phrase for demoCA/private/cakey.pem: + # Enter the root private key password Test@123. + You are about to be asked to enter information that will be incorporated + into your certificate request. + What you are about to enter is what is called a Distinguished Name or a DN. + There are quite a few fields but you can leave some blank + For some fields there will be a default value, + If you enter '.', the field will be left blank. + ----- + + # Note down the following names and use them when entering information in the generated server certificate and client certificate. + Country Name (2 letter code) [AU]:CN + State or Province Name (full name) [Some-State]:shanxi + Locality Name (eg, city) []:xian + Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abc + Organizational Unit Name (eg, section) []:hello + # Common Name can be randomly set. + Common Name (eg, YOUR name) []:world + # The email address is optional. + Email Address []: + + Please enter the following 'extra' attributes + to be sent with your certificate request + A challenge password []: + An optional company name []: + ``` + +4. Generate a self-signed root certificate. + + ``` + # When generating the root certificate, modify the openssl.cnf file and set basicConstraints to CA:TRUE. + vi openssl.cnf + # Generate a CA self-signed root certificate. + openssl ca -config openssl.cnf -out demoCA/cacert.pem -keyfile demoCA/private/cakey.pem -selfsign -infiles demoCA/careq.pem + Using configuration from openssl.cnf + Enter pass phrase for demoCA/private/cakey.pem: + # Enter the root private key password Test@123. 
+ Check that the request matches the signature + Signature ok + Certificate Details: + Serial Number: 1 (0x1) + Validity + Not Before: Feb 28 02:17:11 2017 GMT + Not After : Feb 28 02:17:11 2018 GMT + Subject: + countryName = CN + stateOrProvinceName = shanxi + organizationName = Abc + organizationalUnitName = hello + commonName = world + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + F9:91:50:B2:42:8C:A8:D3:41:B0:E4:42:CB:C2:BE:8D:B7:8C:17:1F + X509v3 Authority Key Identifier: + keyid:F9:91:50:B2:42:8C:A8:D3:41:B0:E4:42:CB:C2:BE:8D:B7:8C:17:1F + + Certificate is to be certified until Feb 28 02:17:11 2018 GMT (365 days) + Sign the certificate? [y/n]:y + + 1 out of 1 certificate requests certified, commit? [y/n]y + Write out database with 1 new entries + Data Base Updated + # A CA root certificate named demoCA/cacert.pem has been issued. + ``` + +5. Generate a private key for the server certificate. + + ``` + # Generate a private key file named server.key. + openssl genrsa -aes256 -out server.key 2048 + Generating a 2048 bit RSA private key + .......++++++ + ..++++++ + e is 65537 (0x10001) + Enter pass phrase for server.key: + # Password of the server private key, for example, Test@123. + Verifying - Enter pass phrase for server.key: + # Confirm the protection password for the server private key Test@123 again. + ``` + +6. Generate a server certificate request file. + + ``` + # Generate a server certificate request file server.req. + openssl req -config openssl.cnf -new -key server.key -out server.req + Enter pass phrase for server.key: + You are about to be asked to enter information that will be incorporated + into your certificate request. + What you are about to enter is what is called a Distinguished Name or a DN. 
+ There are quite a few fields but you can leave some blank + For some fields there will be a default value, + If you enter '.', the field will be left blank. + ----- + + # Set the following information and make sure that it is same as that when CA is created. + Country Name (2 letter code) [AU]:CN + State or Province Name (full name) [Some-State]:shanxi + Locality Name (eg, city) []:xian + Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abc + Organizational Unit Name (eg, section) []:hello + # Common Name can be randomly set. + Common Name (eg, YOUR name) []:world + Email Address []: + # The following information is optional. + Please enter the following 'extra' attributes + to be sent with your certificate request + A challenge password []: + An optional company name []: + ``` + +7. Generate a server certificate. + + ``` + # When generating the server certificate or client certificate, modify the openssl.cnf file and set basicConstraints to CA:FALSE. + vi openssl.cnf + # Change the demoCA/index.txt.attr attribute to no. + vi demoCA/index.txt.attr + + # Issue the generated server certificate request file. After it is issued, an official server certificate server.crt is generated. 
+ openssl ca -config openssl.cnf -in server.req -out server.crt -days 3650 -md sha256 + Using configuration from /etc/ssl/openssl.cnf + Enter pass phrase for ./demoCA/private/cakey.pem: + Check that the request matches the signature + Signature ok + Certificate Details: + Serial Number: 2 (0x2) + Validity + Not Before: Feb 27 10:11:12 2017 GMT + Not After : Feb 25 10:11:12 2027 GMT + Subject: + countryName = CN + stateOrProvinceName = shanxi + organizationName = Abc + organizationalUnitName = hello + commonName = world + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + EB:D9:EE:C0:D2:14:48:AD:EB:BB:AD:B6:29:2C:6C:72:96:5C:38:35 + X509v3 Authority Key Identifier: + keyid:84:F6:A1:65:16:1F:28:8A:B7:0D:CB:7E:19:76:2A:8B:F5:2B:5C:6A + + Certificate is to be certified until Feb 25 10:11:12 2027 GMT (3650 days) + # Enter y to sign and issue the certificate. + Sign the certificate? [y/n]:y + + # Enter y. The certificate singing and issuing is complete. + 1 out of 1 certificate requests certified, commit? [y/n]y + Write out database with 1 new entries + Data Base Updated + ``` + + Disable password protection for the private key. + + ``` + # Disable the password protection for the server private key. + openssl rsa -in server.key -out server.key + # If the password protection for the server private key is not disabled, you need to use the gs_guc tool to encrypt the password. + gs_guc encrypt -M server -D ./ + # Enter the passowrd of the the server private key as prompted. After the password is encrypted, two private key password protection files server.key.cipher and server.key.rand are generated. + ``` + +8. Generate the client certificate and private key. + + Methods and requirements for generating client certificates and private keys are the same as that for server certificates and private keys. + + ``` + # Generate a client private key. 
+ openssl genrsa -aes256 -out client.key 2048 + # Generate a certificate request file for a client. + openssl req -config openssl.cnf -new -key client.key -out client.req + # After the generated certificate request file for client is signed and issued, a formal client certificate client.crt is generated. + openssl ca -config openssl.cnf -in client.req -out client.crt -days 3650 -md sha256 + ``` + + Disable password protection for the private key: + + ``` + # Disable the protection for a client private key password. + openssl rsa -in client.key -out client.key + # If password protection for a client private key is not removed, you need to use the gs_guc tool to encrypt the password. + gs_guc encrypt -M client -D ./ + Enter the passowrd of the the client private key as prompted. After the password is encrypted, two private key password protection files client.key.cipher and client.key.rand are generated. + ``` + + Convert the client key to the DER format. + + ```bash + openssl pkcs8 -topk8 -outform DER -in client.key -out client.key.pk8 -nocrypt + ``` + +9. Generate a CRL. + + If the CRL is required, you can generate it by following the following procedure: + + ``` + # Create a crlnumber file. + echo '00'>./demoCA/crlnumber + # Revoke a server certificate. + openssl ca -config openssl.cnf -revoke server.crt + # Generate the CRL sslcrl-file.crl. + openssl ca -config openssl.cnf -gencrl -out sslcrl-file.crl + ``` + +### Replacing Certificates + +**Scenarios** + +Default security certificates and private keys required for SSL connection are configured in MogDB. You can change them as needed. + +**Prerequisites** + +The formal certificates and keys for the server and client have been obtained from the CA. + +**Precautions** + +Currently, MogDB supports only the X509v3 certificate in PEM format. + +**Procedure** + +1. Prepare for a certificate and a key. 
+ + Conventions for configuration file names on the server: + + - Certificate name: server.crt + - Key name: server.key + - Key password and encrypted file: server.key.cipher and server.key.rand + + Conventions for configuration file names on the client: + + - Certificate name: client.crt + - Key name: client.key + - Key password and encrypted file: client.key.cipher and client.key.rand + - Certificate name: cacert.pem + - CRL file name: sslcrl-file.crl + +2. Create a compressed package. + + Package name: db-cert-replacement.zip + + Package format: ZIP + + Package file list: server.crt, server.key, server.key.cipher, server.key.rand, client.crt, client.key, client.key.cipher, client.key.rand, cacert.pem If you need to configure the CRL, the list must contain sslcrl-file.crl. + +3. Invoke the certificate replacement interface to replace a certificate. + + a. Upload the prepared package **db-cert-replacement.zip** to any path of an MogDB user. + + For example: /home/**xxxx**/db-cert-replacement.zip + + b. Run the following command to perform the replacement: + + ```bash + gs_om -t cert --cert-file=/home/xxxx/db-cert-replacement.zip + ``` + +4. Restart the MogDB. + + ```bash + gs_om -t stop + gs_om -t start + ``` + + > ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **NOTE:** + > Certificates can be rolled back to the version before the replacement. You can run the **gs_om -t cert -rollback** command to remotely invoke the interface or **gs_om -t cert -rollback -L** to locally invoke the interface. The certificate will be rolled back to the latest version that was successfully replaced. 
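Review bot: In step 4 of "Generating an Automatic Authentication Certificate", the comment tells the reader to set basicConstraints to CA:TRUE before signing the root certificate, yet the sample output that follows shows `X509v3 Basic Constraints: CA:FALSE`; OpenSSL chain verification will not accept an issuer whose basicConstraints says CA:FALSE, so a client set to verify-ca would fail against server certificates issued by this root, and the sample output should be regenerated after the openssl.cnf edit so that instruction and output agree. Further points in the same addition: the two connection-result tables head a column `require_ssl (Client)`, but Table 5 defines require_ssl as a server parameter in postgresql.conf, so the header should read `require_ssl (Server)`; Table 6 gives `export PGSSLROOTCERT='/home/omm/certca.pem'` while the prerequisites, the export block and Table 5 all call the root certificate cacert.pem; `SELECT COUNT() FROM DV_SESSIONS WHERE USERNAME='omm';` is missing the `*` that the later `SELECT COUNT(*) FROM DV_SESSIONS;` query has; Table 4 recommends verify-ca for both modes even though the PGSSLMODE row defines verify-full as the mode that additionally checks that the server host name matches the certificate, so verify-full is the stronger recommendation wherever the server certificate carries the host name; in the SSH tunnel note, `localhost` in `-L 63333:localhost:8000` is resolved on the SSH server side, i.e. it names the database host as seen from that server (which is why the prerequisite requires SSH and the database on the same machine), not the IP address of the local host; the DHE sentence in the ssl_ciphers note repeats its second half ("which can be configured to support only ECDHE-type algorithm suites by setting the ssl_ciphers parameter can be configured to support only ECDHE type algorithm suites"); Table 5's ssl_ciphers default has an unbalanced closing parenthesis after MD5; the PGSSLMODE row splits its bold markup across "certificate.**" and "Default value**" and says "only tries to setting up"; and "passowrd of the the" appears in both step 7 and step 8.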
diff --git a/product/en/docs-mogdb/v5.1/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md b/product/en/docs-mogdb/v5.1/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md index 22d3b6061aa2b483363d9281c1e3780cd81dc85f..e70caf790378931025d789ca1a28f71f122c9ee1 100644 --- a/product/en/docs-mogdb/v5.1/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md +++ b/product/en/docs-mogdb/v5.1/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md @@ -288,22 +288,6 @@ date: 2021-04-20 (1 row) ``` -- pg_backend_pid() - - Description: Process ID of the server process attached to the current session - - Return type: int - - Example: - - ``` - MogDB=# SELECT pg_backend_pid(); - pg_backend_pid - ----------------- - 140229352617744 - (1 row) - ``` - - pg_conf_load_time() Description: Configures load time. **pg_conf_load_time** returns the timestamp with time zone when the server configuration files were last loaded. diff --git a/product/en/docs-mogdb/v5.1/reference-guide/tool-reference/cluster-management/manual-configuration-of-vip.md b/product/en/docs-mogdb/v5.1/reference-guide/tool-reference/cluster-management/manual-configuration-of-vip.md index 2826dd3d59cb10f39183ce3df68bacb9c51155ac..4e4e621369020062226aa121c81111a6fb625837 100644 --- a/product/en/docs-mogdb/v5.1/reference-guide/tool-reference/cluster-management/manual-configuration-of-vip.md +++ b/product/en/docs-mogdb/v5.1/reference-guide/tool-reference/cluster-management/manual-configuration-of-vip.md 
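Review bot: Removing the pg_backend_pid() entry from session-information-functions.md (hunk @@ -288,22 +288,6 @@) deletes the description of that function without saying whether the function itself was removed or only its documentation; if the function still exists, the entry should stay, possibly with a note that the example value `140229352617744` looks like a thread identifier rather than an OS process id, and if the function was removed from the server the entry should be marked as removed or deprecated so readers of the v5.1 reference know why it is gone.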
@@ -9,7 +9,11 @@ date: 2023-07-03 ## Objectives -PTK does not support VIP-related configurations (supported in MogDB 5.1), therefore this section introduces how to manually configure or enable VIP function in a database cluster where CM cluster management software has been deployed. +This section introduces how to manually configure or enable VIP function in a database cluster where CM cluster management software has been deployed. + +> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) Note: +> +> MogDB 5.0.4 and later versions support automatic VIP mounting via PTK (v1.2.0+), see [PTK documentation](https://docs.mogdb.io/en/ptk/v1.1/ptk-cluster-load-cm-vip#--action-string) for details. Additionally, this section uses a cluster with one primary node and two standby nodes as an example. diff --git a/product/en/docs-mogdb/v5.1/security-guide/security/1-client-access-authentication.md b/product/en/docs-mogdb/v5.1/security-guide/security/1-client-access-authentication.md index 0411fb138d29272393c5ae128b1401be4a8201d1..b41540229ac681b718b313e078b007175d71f127 100644 --- a/product/en/docs-mogdb/v5.1/security-guide/security/1-client-access-authentication.md +++ b/product/en/docs-mogdb/v5.1/security-guide/security/1-client-access-authentication.md @@ -32,7 +32,7 @@ If a host needs to connect to a database remotely, you need to add information a Assume you are to allow the client whose IP address is **10.10.0.30** to access the current host. ```bash - gs_guc set -N all -I all -h "host all jack 10.10.0.30/32 sha256" + gs_guc reload -N all -I all -h "host all jack 10.10.0.30/32 sha256" ``` > ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **NOTE:** 
@@ -115,7 +115,7 @@ host all all 10.10.0.0/24 gss incl | host | Indicates that this record accepts either a common TCP/IP-socket connection or a TCP/IP-socket connection encrypted through SSL. | N/A | | hostssl | Indicates that this record accepts only a TCP/IP socket connection encrypted through SSL. | For the connection encrypted through SSL, you need to apply for a digital certificate and configure related parameters. For details, see [Establishing Secure TCP/IP Connections in SSL Mode](#establishing-secure-tcpip-connections-in-ssl-mode). | | hostnossl | Indicates that this record accepts only a common TCP/IP socket connection. | N/A | -| DATABASEGUC | Database that a record matches and can access | - **all**: indicates that this record matches all databases.
- **sameuser**: indicates that the database must have the same name as the user who requests database access.
- **samerole**: indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- **samegroup**: is the same as that of **samerole** and indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- A file containing database names with an at sign (@) added before the file name, or a database list in a file using commas (,) or line feeds to separate databases.
- A specific database name or a list of databases separated by commas (,)
NOTE:
**replication** indicates that if a replication link is requested, the records match the link. But this does not mean the record matches any specific database. To use a database named **replication**, specify it in the database column. | +| DATABASE | Database that a record matches and can access | - **all**: indicates that this record matches all databases.
- **sameuser**: indicates that the database must have the same name as the user who requests database access.
- **samerole**: indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- **samegroup**: is the same as that of **samerole** and indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- A file containing database names with an at sign (@) added before the file name, or a database list in a file using commas (,) or line feeds to separate databases.
- A specific database name or a list of databases separated by commas (,)
NOTE:
**replication** indicates that if a replication link is requested, the records match the link. But this does not mean the record matches any specific database. To use a database named **replication**, specify it in the database column. | | USER | Users who match the record and are allowed to access databases | - **all**: indicates that this record matches all users.
- **+User role**: indicates that this record matches all members that directly or indirectly belong to the role.
NOTE:
**+** is a prefix character.
- A file containing usernames, with an at sign (@) added before the file name. Users in the file are separated by commas (,) or line feeds.
- A specific database username or a list of users separated by commas (,) | | ADDRESS | Range of IP addresses that match the record and can be visited | IPv4 and IPv6 are supported. The IP address range can be expressed in the following two formats:
- **IP address/mask length** Example: 10.10.0.0/24
- **IP address Subnet mask** Example: 10.10.0.0 255.255.255.0
NOTE:
An IPv4 address matches the IPv6 connection with the corresponding address. For example, 127.0.0.1 matches IPv6 address ::ffff:127.0.0.1. | | METHOD | Authentication method used for connection | The following authentication modes are supported. For details, see [Table 3](#Table 1.2.2).
- **trust**
- **reject**
- **md5** (not recommended and not supported by default. This authentication mode can be configured using the **password_encryption_type** parameter.)
NOTE:
The MD5 encryption algorithm has lower security and poses security risks. Therefore, you are advised to use a more secure encryption algorithm.
- **sha256**
- **sm3**
- **cert**
- **gss** (only for authentication within MogDB)
- **peer** (only for the local mode) | diff --git a/product/zh/docs-mogdb/v1.1/quick-start/using-the-gsql-client-for-connection.md b/product/zh/docs-mogdb/v1.1/quick-start/using-the-gsql-client-for-connection.md index 4cf4196199a050d84ca6f5cb1690820caf3129ba..d4f140cfd1f95d952ca31a34aa9675be48e027f3 100644 --- a/product/zh/docs-mogdb/v1.1/quick-start/using-the-gsql-client-for-connection.md +++ b/product/zh/docs-mogdb/v1.1/quick-start/using-the-gsql-client-for-connection.md @@ -138,7 +138,7 @@ gsql是MogDB提供的在命令行下运行的数据库连接工具。此工具 例如,下面示例中配置允许IP地址为10.10.0.30的客户端访问本机。 ```bash - gs_guc set -N all -I all -h "host all jack 10.10.0.30/32 sha256" + gs_guc reload -N all -I all -h "host all jack 10.10.0.30/32 sha256" ``` ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **说明:** diff --git a/product/zh/docs-mogdb/v1.1/reference-guide/functions-and-operators/23-system-information-functions.md b/product/zh/docs-mogdb/v1.1/reference-guide/functions-and-operators/23-system-information-functions.md index de46c5d6a863465656b50f237dd6acf7df9c7c85..4d211e5ad6b7e0c04a32c84d7a30f942c194bdf2 100644 --- a/product/zh/docs-mogdb/v1.1/reference-guide/functions-and-operators/23-system-information-functions.md +++ b/product/zh/docs-mogdb/v1.1/reference-guide/functions-and-operators/23-system-information-functions.md @@ -273,22 +273,6 @@ date: 2021-04-20 (1 row) ``` -- pg_backend_pid() - - 描述: 当前会话连接的服务进程的进程ID。 - - 返回值类型: int - - 示例: - - ```sql - mogdb=# SELECT pg_backend_pid(); - pg_backend_pid - ----------------- - 140229352617744 - (1 row) - ``` - - pg_conf_load_time() 描述: 配置加载时间。pg_conf_load_time返回最后加载服务器配置文件的时间戳。 diff --git a/product/zh/docs-mogdb/v1.1/reference-guide/functions-and-operators/7-mathematical-functions-and-operators.md b/product/zh/docs-mogdb/v1.1/reference-guide/functions-and-operators/7-mathematical-functions-and-operators.md index 317022f3d4e535b5f2fd8c00345a00eb5c617562..85986855d1f787a9388f9941514d2a644c82d940 100644 
--- a/product/zh/docs-mogdb/v1.1/reference-guide/functions-and-operators/7-mathematical-functions-and-operators.md +++ b/product/zh/docs-mogdb/v1.1/reference-guide/functions-and-operators/7-mathematical-functions-and-operators.md @@ -871,7 +871,7 @@ date: 2021-04-20 - trunc(v numeric, s int) - 描述: 截断为s位小数。 + 描述: 截断为s位小数(trunc只支持截断不超过int4类型最大值的位数)。。 返回值类型: numeric diff --git a/product/zh/docs-mogdb/v1.1/security-guide/security/1-client-access-authentication.md b/product/zh/docs-mogdb/v1.1/security-guide/security/1-client-access-authentication.md index 68df85926490352bb6ea5612338781c23a581211..ddc723fb7e4c0f9279ba491e2f7aac29e60759c2 100644 --- a/product/zh/docs-mogdb/v1.1/security-guide/security/1-client-access-authentication.md +++ b/product/zh/docs-mogdb/v1.1/security-guide/security/1-client-access-authentication.md @@ -33,7 +33,7 @@ date: 2021-03-04 例如,下面示例中配置允许IP地址为10.10.0.30的客户端访问本机。 ```bash -gs_guc set -N all -I all -h "host all jack 10.10.0.30/32 sha256" +gs_guc reload -N all -I all -h "host all jack 10.10.0.30/32 sha256" ``` > ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **说明:** @@ -122,7 +122,7 @@ host all all 10.10.0.0/24 gss incl | host | 表示这条记录既接受一个普通的TCP/IP套接字连接,也接受一个经过SSL加密的TCP/IP套接字连接。 | - | | hostssl | 表示这条记录只接受一个经过SSL加密的TCP/IP套接字连接。 | 用SSL进行安全的连接,需要配置申请数字证书并配置相关参数,详细信息请参见[用SSL进行安全的TCP/IP连接](#用SSL进行安全的TCP/IP连接)。 | | hostnossl | 表示这条记录只接受一个普通的TCP/IP套接字连接。 | - | -| DATABASEGUC | 声明记录所匹配且允许访问的数据库。 | - all: 表示该记录匹配所有数据库。
- sameuser: 表示如果请求访问的数据库和请求的用户同名,则匹配。
- samerole: 表示请求的用户必须是与数据库同名角色中的成员。
- samegroup: 与samerole作用完全一致,表示请求的用户必须是与数据库同名角色中的成员。
- 一个包含数据库名的文件或者文件中的数据库列表: 文件可以通过在文件名前面加前缀@来声明。文件中的数据库列表以逗号或者换行符分隔。
- 特定的数据库名称或者用逗号分隔的数据库列表。
说明:
值replication表示如果请求一个复制链接,则匹配,但复制链接不表示任何特定的数据库。如需使用名为replication的数据库,需在database列使用记录"replication"作为数据库名。 | +| DATABASE | 声明记录所匹配且允许访问的数据库。 | - all: 表示该记录匹配所有数据库。
- sameuser: 表示如果请求访问的数据库和请求的用户同名,则匹配。
- samerole: 表示请求的用户必须是与数据库同名角色中的成员。
- samegroup: 与samerole作用完全一致,表示请求的用户必须是与数据库同名角色中的成员。
- 一个包含数据库名的文件或者文件中的数据库列表: 文件可以通过在文件名前面加前缀@来声明。文件中的数据库列表以逗号或者换行符分隔。
- 特定的数据库名称或者用逗号分隔的数据库列表。
说明:
值replication表示如果请求一个复制链接,则匹配,但复制链接不表示任何特定的数据库。如需使用名为replication的数据库,需在database列使用记录"replication"作为数据库名。 | | USER | 声明记录所匹配且允许访问的数据库用户。 | - all: 表明该记录匹配所有用户。
- +用户角色: 表示匹配任何直接或者间接属于这个角色的成员。
说明:
+表示前缀符号。
- 一个包含用户名的文件或者文件中的用户列表: 文件可以通过在文件名前面加前缀@来声明。文件中的用户列表以逗号或者换行符分隔。
- 特定的数据库用户名或者用逗号分隔的用户列表。 | | ADDRESS | 指定与记录匹配且允许访问的IP地址范围。 | 支持IPv4和IPv6,可以使用如下两种形式来表示:
- IP地址/掩码长度。例如,10.10.0.0/24
- IP地址子网掩码。例如,10.10.0.0 255.255.255.0
说明:
以IPv4格式给出的IP地址会匹配那些拥有对应地址的IPv6连接,比如127.0.0.1将匹配IPv6地址 ::ffff:127.0.0.1 | | METHOD | 声明连接时使用的认证方法。 | 本产品支持如下几种认证方式,详细解释请参见[表2](#表1.2.2):
- trust
- reject
- md5(不推荐使用,默认不支持,可通过password_encryption_type参数配置)
- sha256
- cert
- gss(仅用于MogDB内部节点间认证) | diff --git a/product/zh/docs-mogdb/v2.0/reference-guide/functions-and-operators/23-system-information-functions.md b/product/zh/docs-mogdb/v2.0/reference-guide/functions-and-operators/23-system-information-functions.md index 5817e1ed899122a91846a6aafcc132e61612ce9e..3f637a637d87a32e489c27b4ba84e1c53748c154 100644 --- a/product/zh/docs-mogdb/v2.0/reference-guide/functions-and-operators/23-system-information-functions.md +++ b/product/zh/docs-mogdb/v2.0/reference-guide/functions-and-operators/23-system-information-functions.md @@ -273,22 +273,6 @@ date: 2021-04-20 (1 row) ``` -- pg_backend_pid() - - 描述: 当前会话连接的服务进程的进程ID。 - - 返回值类型: int - - 示例: - - ```sql - mogdb=# SELECT pg_backend_pid(); - pg_backend_pid - ----------------- - 140229352617744 - (1 row) - ``` - - pg_conf_load_time() 描述: 配置加载时间。pg_conf_load_time返回最后加载服务器配置文件的时间戳。 diff --git a/product/zh/docs-mogdb/v2.0/reference-guide/functions-and-operators/7-mathematical-functions-and-operators.md b/product/zh/docs-mogdb/v2.0/reference-guide/functions-and-operators/7-mathematical-functions-and-operators.md index c74b0df28de35e8602fa665006debf355ab15dbd..27e8060f19778065541738b9a4c1d01d7d8391cf 100644 --- a/product/zh/docs-mogdb/v2.0/reference-guide/functions-and-operators/7-mathematical-functions-and-operators.md +++ b/product/zh/docs-mogdb/v2.0/reference-guide/functions-and-operators/7-mathematical-functions-and-operators.md @@ -871,7 +871,7 @@ date: 2021-04-20 - trunc(v numeric, s int) - 描述: 截断为s位小数。 + 描述: 截断为s位小数(trunc只支持截断不超过int4类型最大值的位数)。。 返回值类型: numeric diff --git a/product/zh/docs-mogdb/v2.0/security-guide/security/1-client-access-authentication.md b/product/zh/docs-mogdb/v2.0/security-guide/security/1-client-access-authentication.md index 75b7023a1e1ac4c0fdf8b1f6f944fb1790211ed1..3a3af47cd296355561b2e17550357038a221e24e 100644 --- a/product/zh/docs-mogdb/v2.0/security-guide/security/1-client-access-authentication.md 
+++ b/product/zh/docs-mogdb/v2.0/security-guide/security/1-client-access-authentication.md @@ -33,7 +33,7 @@ date: 2021-03-04 例如,下面示例中配置允许IP地址为10.10.0.30的客户端访问本机。 ```bash -gs_guc set -N all -I all -h "host all jack 10.10.0.30/32 sha256" +gs_guc reload -N all -I all -h "host all jack 10.10.0.30/32 sha256" ``` > ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **说明:** @@ -122,7 +122,7 @@ host all all 10.10.0.0/24 gss include_realm=1 | host | 表示这条记录既接受一个普通的TCP/IP套接字连接,也接受一个经过SSL加密的TCP/IP套接字连接。 | - | | hostssl | 表示这条记录只接受一个经过SSL加密的TCP/IP套接字连接。 | 用SSL进行安全的连接,需要配置申请数字证书并配置相关参数,详细信息请参见[用SSL进行安全的TCP/IP连接](#用SSL进行安全的TCP/IP连接)。 | | hostnossl | 表示这条记录只接受一个普通的TCP/IP套接字连接。 | - | -| DATABASEGUC | 声明记录所匹配且允许访问的数据库。 | - all: 表示该记录匹配所有数据库。
- sameuser: 表示如果请求访问的数据库和请求的用户同名,则匹配。
- samerole: 表示请求的用户必须是与数据库同名角色中的成员。
- samegroup: 与samerole作用完全一致,表示请求的用户必须是与数据库同名角色中的成员。
- 一个包含数据库名的文件或者文件中的数据库列表: 文件可以通过在文件名前面加前缀@来声明。文件中的数据库列表以逗号或者换行符分隔。
- 特定的数据库名称或者用逗号分隔的数据库列表。
说明:
值replication表示如果请求一个复制链接,则匹配,但复制链接不表示任何特定的数据库。如需使用名为replication的数据库,需在database列使用记录"replication"作为数据库名。 | +| DATABASE | 声明记录所匹配且允许访问的数据库。 | - all: 表示该记录匹配所有数据库。
- sameuser: 表示如果请求访问的数据库和请求的用户同名,则匹配。
- samerole: 表示请求的用户必须是与数据库同名角色中的成员。
- samegroup: 与samerole作用完全一致,表示请求的用户必须是与数据库同名角色中的成员。
- 一个包含数据库名的文件或者文件中的数据库列表: 文件可以通过在文件名前面加前缀@来声明。文件中的数据库列表以逗号或者换行符分隔。
- 特定的数据库名称或者用逗号分隔的数据库列表。
说明:
值replication表示如果请求一个复制链接,则匹配,但复制链接不表示任何特定的数据库。如需使用名为replication的数据库,需在database列使用记录"replication"作为数据库名。 | | USER | 声明记录所匹配且允许访问的数据库用户。 | - all: 表明该记录匹配所有用户。
- +用户角色: 表示匹配任何直接或者间接属于这个角色的成员。
说明:
+表示前缀符号。
- 一个包含用户名的文件或者文件中的用户列表: 文件可以通过在文件名前面加前缀@来声明。文件中的用户列表以逗号或者换行符分隔。
- 特定的数据库用户名或者用逗号分隔的用户列表。 | | ADDRESS | 指定与记录匹配且允许访问的IP地址范围。 | 支持IPv4和IPv6,可以使用如下两种形式来表示:
- IP地址/掩码长度。例如,10.10.0.0/24
- IP地址子网掩码。例如,10.10.0.0 255.255.255.0
说明:
以IPv4格式给出的IP地址会匹配那些拥有对应地址的IPv6连接,比如127.0.0.1将匹配IPv6地址 ::ffff:127.0.0.1 | | METHOD | 声明连接时使用的认证方法。 | 本产品支持如下几种认证方式,详细解释请参见[表2](#表1.2.2):
- trust
- reject
- md5(不推荐使用,默认不支持,可通过password_encryption_type参数配置)
- sha256
- cert
- gss(仅用于MogDB内部节点间认证) | diff --git a/product/zh/docs-mogdb/v2.1/reference-guide/functions-and-operators/23-system-information-functions.md b/product/zh/docs-mogdb/v2.1/reference-guide/functions-and-operators/23-system-information-functions.md index 493eae679cc4f503ca4d9b2afae2285b91b7d4ca..1ed73bd560b4358df15c0db94c3969548030de4a 100644 --- a/product/zh/docs-mogdb/v2.1/reference-guide/functions-and-operators/23-system-information-functions.md +++ b/product/zh/docs-mogdb/v2.1/reference-guide/functions-and-operators/23-system-information-functions.md @@ -290,22 +290,6 @@ date: 2021-04-20 (1 row) ``` -- pg_backend_pid() - - 描述:当前会话连接的服务进程的进程ID。 - - 返回值类型:int - - 示例: - - ```sql - mogdb=# SELECT pg_backend_pid(); - pg_backend_pid - ----------------- - 140229352617744 - (1 row) - ``` - - pg_conf_load_time() 描述:配置加载时间。pg_conf_load_time返回最后加载服务器配置文件的时间戳。 diff --git a/product/zh/docs-mogdb/v2.1/reference-guide/functions-and-operators/7-mathematical-functions-and-operators.md b/product/zh/docs-mogdb/v2.1/reference-guide/functions-and-operators/7-mathematical-functions-and-operators.md index eadfaa158291a831217826e27402da9c46190f58..b34cdef215104f0b8840c8dc2c8bfc39c42e43c5 100644 --- a/product/zh/docs-mogdb/v2.1/reference-guide/functions-and-operators/7-mathematical-functions-and-operators.md +++ b/product/zh/docs-mogdb/v2.1/reference-guide/functions-and-operators/7-mathematical-functions-and-operators.md @@ -871,7 +871,7 @@ date: 2021-04-20 - trunc(v numeric, s int) - 描述:截断为s位小数。 + 描述:截断为s位小数(trunc只支持截断不超过int4类型最大值的位数)。。 返回值类型:numeric diff --git a/product/zh/docs-mogdb/v2.1/security-guide/security/1-client-access-authentication.md b/product/zh/docs-mogdb/v2.1/security-guide/security/1-client-access-authentication.md index 0d03fd39a824a0aa1c524481f37503ec64c34aa9..c8d0489f29dc7fa4923b4177d4920dc653a1056a 100644 --- a/product/zh/docs-mogdb/v2.1/security-guide/security/1-client-access-authentication.md 
+++ b/product/zh/docs-mogdb/v2.1/security-guide/security/1-client-access-authentication.md @@ -33,7 +33,7 @@ date: 2021-03-04 例如,下面示例中配置允许IP地址为10.10.0.30的客户端访问本机。 ```bash - gs_guc set -N all -I all -h "host all jack 10.10.0.30/32 sha256" + gs_guc reload -N all -I all -h "host all jack 10.10.0.30/32 sha256" ``` > ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **说明:** @@ -122,7 +122,7 @@ host all all 10.10.0.0/24 gss incl | host | 表示这条记录既接受一个普通的TCP/IP套接字连接,也接受一个经过SSL加密的TCP/IP套接字连接。 | - | | hostssl | 表示这条记录只接受一个经过SSL加密的TCP/IP套接字连接。 | 用SSL进行安全的连接,需要配置申请数字证书并配置相关参数,详细信息请参见[用SSL进行安全的TCP/IP连接](#用SSL进行安全的TCP/IP连接)。| | hostnossl | 表示这条记录只接受一个普通的TCP/IP套接字连接。 | - | -| DATABASEGUC | 声明记录所匹配且允许访问的数据库。 | - all: 表示该记录匹配所有数据库。
- sameuser: 表示如果请求访问的数据库和请求的用户同名,则匹配。
- samerole: 表示请求的用户必须是与数据库同名角色中的成员。
- samegroup: 与samerole作用完全一致,表示请求的用户必须是与数据库同名角色中的成员。
- 一个包含数据库名的文件或者文件中的数据库列表: 文件可以通过在文件名前面加前缀@来声明。文件中的数据库列表以逗号或者换行符分隔。
- 特定的数据库名称或者用逗号分隔的数据库列表。
说明:
值replication表示如果请求一个复制链接,则匹配,但复制链接不表示任何特定的数据库。如需使用名为replication的数据库,需在database列使用记录"replication"作为数据库名。 | +| DATABASE | 声明记录所匹配且允许访问的数据库。 | - all: 表示该记录匹配所有数据库。
- sameuser: 表示如果请求访问的数据库和请求的用户同名,则匹配。
- samerole: 表示请求的用户必须是与数据库同名角色中的成员。
- samegroup: 与samerole作用完全一致,表示请求的用户必须是与数据库同名角色中的成员。
- 一个包含数据库名的文件或者文件中的数据库列表: 文件可以通过在文件名前面加前缀@来声明。文件中的数据库列表以逗号或者换行符分隔。
- 特定的数据库名称或者用逗号分隔的数据库列表。
说明:
值replication表示如果请求一个复制链接,则匹配,但复制链接不表示任何特定的数据库。如需使用名为replication的数据库,需在database列使用记录"replication"作为数据库名。 | | USER | 声明记录所匹配且允许访问的数据库用户。 | - all: 表明该记录匹配所有用户。
- +用户角色: 表示匹配任何直接或者间接属于这个角色的成员。
说明:
+表示前缀符号。
- 一个包含用户名的文件或者文件中的用户列表: 文件可以通过在文件名前面加前缀@来声明。文件中的用户列表以逗号或者换行符分隔。
- 特定的数据库用户名或者用逗号分隔的用户列表。 | | ADDRESS | 指定与记录匹配且允许访问的IP地址范围。 | 支持IPv4和IPv6,可以使用如下两种形式来表示:
- IP地址/掩码长度。例如,10.10.0.0/24
- IP地址子网掩码。例如,10.10.0.0 255.255.255.0
说明:
以IPv4格式给出的IP地址会匹配那些拥有对应地址的IPv6连接,比如127.0.0.1将匹配IPv6地址 ::ffff:127.0.0.1 | | METHOD | 声明连接时使用的认证方法。 | 本产品支持如下几种认证方式,详细解释请参见[表3](#表1.2.2):
- trust
- reject
- md5(不推荐使用,默认不支持,可通过password_encryption_type参数配置)
说明:
MD5加密算法安全性低,存在安全风险,建议使用更安全的加密算法。
- sha256
- sm3
- cert
- gss(仅用于MogDB内部节点间认证)
- peer (仅用于local模式) | diff --git a/product/zh/docs-mogdb/v3.0/reference-guide/functions-and-operators/23-system-information-functions.md b/product/zh/docs-mogdb/v3.0/reference-guide/functions-and-operators/23-system-information-functions.md index 5ead85d77fa50f321610e5bc43f8d5fc4f09bd78..05c5eac94baa2f5ee655494221c0277e772e1230 100644 --- a/product/zh/docs-mogdb/v3.0/reference-guide/functions-and-operators/23-system-information-functions.md +++ b/product/zh/docs-mogdb/v3.0/reference-guide/functions-and-operators/23-system-information-functions.md @@ -290,22 +290,6 @@ date: 2021-04-20 (1 row) ``` -- pg_backend_pid() - - 描述:当前会话连接的服务进程的进程ID。 - - 返回值类型:int - - 示例: - - ```sql - MogDB=# SELECT pg_backend_pid(); - pg_backend_pid - ----------------- - 140229352617744 - (1 row) - ``` - - pg_conf_load_time() 描述:配置加载时间。pg_conf_load_time返回最后加载服务器配置文件的时间戳。 diff --git a/product/zh/docs-mogdb/v3.0/reference-guide/functions-and-operators/7-mathematical-functions-and-operators.md b/product/zh/docs-mogdb/v3.0/reference-guide/functions-and-operators/7-mathematical-functions-and-operators.md index 6c419ec1d88b67697e51c8a91362a4ba2ff98fcd..e4a8f7fb42a5ee09dc3261ce0bbf28597f237b3c 100644 --- a/product/zh/docs-mogdb/v3.0/reference-guide/functions-and-operators/7-mathematical-functions-and-operators.md +++ b/product/zh/docs-mogdb/v3.0/reference-guide/functions-and-operators/7-mathematical-functions-and-operators.md @@ -829,22 +829,6 @@ date: 2021-04-20 (1 row) ``` -- remainder(n2 numeric,n1 numeric) - - 描述:返回n2 除以 n1 的余数。 - - 返回值类型:numeric - - 示例: - - ```sql - MogDB=# select REMAINDER(11,3); - remainder - ----------- - -1 - (1 row) - ``` - - round(x) 描述:离输入参数最近的整数。 @@ -981,7 +965,7 @@ date: 2021-04-20 - trunc(v numeric, s int) - 描述:截断为s位小数。 + 描述:截断为s位小数(trunc只支持截断不超过int4类型最大值的位数)。。 返回值类型:numeric 
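Review bot: the added 描述 line in every `trunc(v numeric, s int)` hunk (zh v1.1, v2.0, v2.1, v3.0 above, and the v3.1 and v5.0 hunks further down) ends with a doubled full stop, `...位数)。。`; drop one so the line reads `描述:截断为s位小数(trunc只支持截断不超过int4类型最大值的位数)。`. It would also help readers to say explicitly that the limit applies to the `s` argument, since "位数" on its own could be read as the number of digits in `v`.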
diff --git a/product/zh/docs-mogdb/v3.0/reference-guide/guc-parameters/7-ha-replication/1-sending-server.md b/product/zh/docs-mogdb/v3.0/reference-guide/guc-parameters/7-ha-replication/1-sending-server.md index 7e95ef6ccc36640d393f80e60f187693fd0f7bd0..568a97d9fb311ca48fc1229d91cd577fb2cb23dd 100644 --- a/product/zh/docs-mogdb/v3.0/reference-guide/guc-parameters/7-ha-replication/1-sending-server.md +++ b/product/zh/docs-mogdb/v3.0/reference-guide/guc-parameters/7-ha-replication/1-sending-server.md @@ -156,6 +156,20 @@ date: 2021-04-20 **默认值**: 空字符串 +## enable_availablezone + +**参数说明**: 设置本端级联备节点能否连接跨available_zone的备机。 + +该参数属于POSTMASTER类型参数,请参考[GUC参数分类](../30-appendix.md)中对应设置方法进行设置。 + +**取值范围**:布尔型 + +- on表示级联备只能连接相同available_zone中的备机。 + +- off表示级联备可以连接不同available_zone中的备机。 + +**默认值**:off + ## pgxc_node_name **参数说明**: 指定节点名称。 diff --git a/product/zh/docs-mogdb/v3.0/reference-guide/guc-parameters/guc-parameter-list.md b/product/zh/docs-mogdb/v3.0/reference-guide/guc-parameters/guc-parameter-list.md index 2e6a04c8a9aaad65533b5fad2ef79acf01e4682a..08b10fd6b5d92b8cb303b679b213817cdd715f31 100644 --- a/product/zh/docs-mogdb/v3.0/reference-guide/guc-parameters/guc-parameter-list.md +++ b/product/zh/docs-mogdb/v3.0/reference-guide/guc-parameters/guc-parameter-list.md 
@@ -200,6 +200,7 @@ date: 2022-05-26 | [enable_asp](27-system-performance-snapshot.md#enable_asp) | | [enable_auto_clean_unique_sql](26-query.md#enable_auto_clean_unique_sql) | | [enable_auto_explain](../../reference-guide/guc-parameters/9-query-planning/4-other-optimizer-options.md#enable_auto_explain) | +| [enable_availablezone](../../reference-guide/guc-parameters/7-ha-replication/1-sending-server.md#enable_availablezone) | | [enable_bbox_dump](13-load-management.md#enable_bbox_dump) | | [enable_beta_features](../../reference-guide/guc-parameters/17-version-and-platform-compatibility/1-compatibility-with-earlier-versions.md#enable_beta_features) | | [enable_beta_opfusion](21-developer-options.md#enable_beta_opfusion) | diff --git a/product/zh/docs-mogdb/v3.0/reference-guide/tool-reference/tools-used-in-the-internal-system/13-gs_expansion.md b/product/zh/docs-mogdb/v3.0/reference-guide/tool-reference/tools-used-in-the-internal-system/13-gs_expansion.md index d5d64f5243fc5145bc40b7d78dd423890604a874..f12952952a156c7a23e10947c6140af127231233 100644 --- a/product/zh/docs-mogdb/v3.0/reference-guide/tool-reference/tools-used-in-the-internal-system/13-gs_expansion.md +++ b/product/zh/docs-mogdb/v3.0/reference-guide/tool-reference/tools-used-in-the-internal-system/13-gs_expansion.md @@ -14,7 +14,7 @@ MogDB提供了gs_expansion工具对数据库的备机进行扩容。支持从单 ## 注意事项 - 扩容后不会自动更新synchronous_standby_names参数。如果需要为该参数增加扩容的机器,请在扩容完成后手动更新。 -- 扩容级联备之前要确保原集群中有处于同一AZ(Available Zone)且状态正常的备机,或扩容级联备的同时也扩容了处于同AZ的备机。 +- 当待扩容的级联备GUC参数enable_availablezone开启时,扩容级联备之前要确保原集群中有处于同一AZ(Available Zone)且状态正常的备机,或扩容级联备的同时也扩容了处于同AZ的备机。 - 对数据库集群进行扩容前,需要关注主机及新扩容节点CPU、IO、网络等情况,不建议在硬件压力较大时执行扩容,否则可能导致扩容耗时较长甚至扩容失败。 - 当原集群数据量较大时,在进行扩容操作前应当在主机上先执行checkpoint,否则可能导致扩容耗时较长甚至扩容失败。 - 在单节点扩容时,如果节点hot_standby被关闭过,则需要在每个备节点上也按照如下流程修改: 
diff --git a/product/zh/docs-mogdb/v3.0/security-guide/security/1-client-access-authentication.md b/product/zh/docs-mogdb/v3.0/security-guide/security/1-client-access-authentication.md index 47f0812716fef2bf725afce67b6cc2ca14cece96..43815ced9865a8a0eb6a662e95dd7faae68c0653 100644 --- a/product/zh/docs-mogdb/v3.0/security-guide/security/1-client-access-authentication.md +++ b/product/zh/docs-mogdb/v3.0/security-guide/security/1-client-access-authentication.md @@ -33,7 +33,7 @@ date: 2021-03-04 例如,下面示例中配置允许IP地址为10.10.0.30的客户端访问本机。 ```bash - gs_guc set -N all -I all -h "host all jack 10.10.0.30/32 sha256" + gs_guc reload -N all -I all -h "host all jack 10.10.0.30/32 sha256" ``` > ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **说明:** @@ -122,7 +122,7 @@ host all all 10.10.0.0/24 gss incl | host | 表示这条记录既接受一个普通的TCP/IP套接字连接,也接受一个经过SSL加密的TCP/IP套接字连接。 | - | | hostssl | 表示这条记录只接受一个经过SSL加密的TCP/IP套接字连接。 | 用SSL进行安全的连接,需要配置申请数字证书并配置相关参数,详细信息请参见[用SSL进行安全的TCP/IP连接](#用SSL进行安全的TCP/IP连接)。| | hostnossl | 表示这条记录只接受一个普通的TCP/IP套接字连接。 | - | -| DATABASEGUC | 声明记录所匹配且允许访问的数据库。 | - all: 表示该记录匹配所有数据库。
- sameuser: 表示如果请求访问的数据库和请求的用户同名,则匹配。
- samerole: 表示请求的用户必须是与数据库同名角色中的成员。
- samegroup: 与samerole作用完全一致,表示请求的用户必须是与数据库同名角色中的成员。
- 一个包含数据库名的文件或者文件中的数据库列表: 文件可以通过在文件名前面加前缀@来声明。文件中的数据库列表以逗号或者换行符分隔。
- 特定的数据库名称或者用逗号分隔的数据库列表。
说明:
值replication表示如果请求一个复制链接,则匹配,但复制链接不表示任何特定的数据库。如需使用名为replication的数据库,需在database列使用记录"replication"作为数据库名。 | +| DATABASE | 声明记录所匹配且允许访问的数据库。 | - all: 表示该记录匹配所有数据库。
- sameuser: 表示如果请求访问的数据库和请求的用户同名,则匹配。
- samerole: 表示请求的用户必须是与数据库同名角色中的成员。
- samegroup: 与samerole作用完全一致,表示请求的用户必须是与数据库同名角色中的成员。
- 一个包含数据库名的文件或者文件中的数据库列表: 文件可以通过在文件名前面加前缀@来声明。文件中的数据库列表以逗号或者换行符分隔。
- 特定的数据库名称或者用逗号分隔的数据库列表。
说明:
值replication表示如果请求一个复制链接,则匹配,但复制链接不表示任何特定的数据库。如需使用名为replication的数据库,需在database列使用记录"replication"作为数据库名。 | | USER | 声明记录所匹配且允许访问的数据库用户。 | - all: 表明该记录匹配所有用户。
- +用户角色: 表示匹配任何直接或者间接属于这个角色的成员。
说明:
+表示前缀符号。
- 一个包含用户名的文件或者文件中的用户列表: 文件可以通过在文件名前面加前缀@来声明。文件中的用户列表以逗号或者换行符分隔。
- 特定的数据库用户名或者用逗号分隔的用户列表。 | | ADDRESS | 指定与记录匹配且允许访问的IP地址范围。 | 支持IPv4和IPv6,可以使用如下两种形式来表示:
- IP地址/掩码长度。例如,10.10.0.0/24
- IP地址子网掩码。例如,10.10.0.0 255.255.255.0
说明:
以IPv4格式给出的IP地址会匹配那些拥有对应地址的IPv6连接,比如127.0.0.1将匹配IPv6地址 ::ffff:127.0.0.1 | | METHOD | 声明连接时使用的认证方法。 | 本产品支持如下几种认证方式,详细解释请参见[表3](#表1.2.2):
- trust
- reject
- md5(不推荐使用,默认不支持,可通过password_encryption_type参数配置)
说明:
MD5加密算法安全性低,存在安全风险,建议使用更安全的加密算法。
- sha256
- sm3
- cert
- gss(仅用于MogDB内部节点间认证)
- peer (仅用于local模式) | diff --git a/product/zh/docs-mogdb/v3.1/reference-guide/functions-and-operators/7-mathematical-functions-and-operators.md b/product/zh/docs-mogdb/v3.1/reference-guide/functions-and-operators/7-mathematical-functions-and-operators.md index abb485d8fae75bbaf626cb9afa7e198d31e1afcc..787b8165fb0ab318c3496f67a5a6b49e02a3df5d 100644 --- a/product/zh/docs-mogdb/v3.1/reference-guide/functions-and-operators/7-mathematical-functions-and-operators.md +++ b/product/zh/docs-mogdb/v3.1/reference-guide/functions-and-operators/7-mathematical-functions-and-operators.md @@ -815,22 +815,6 @@ date: 2021-04-20 (1 row) ``` -- remainder(n2 numeric,n1 numeric) - - 描述:返回n2 除以 n1 的余数。 - - 返回值类型:numeric - - 示例: - - ```sql - MogDB=# select REMAINDER(11,3); - remainder - ----------- - -1 - (1 row) - ``` - - round(x) 描述:离输入参数最近的整数。 @@ -967,7 +951,7 @@ date: 2021-04-20 - trunc(v numeric, s int) - 描述:截断为s位小数。 + 描述:截断为s位小数(trunc只支持截断不超过int4类型最大值的位数)。。 返回值类型:numeric diff --git a/product/zh/docs-mogdb/v3.1/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md b/product/zh/docs-mogdb/v3.1/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md index 8dbeaf42cb7d0a7efd525bed215d215bd5442d4a..b6084c57b075e500faaad52fd0a270820c5dbbb4 100644 --- a/product/zh/docs-mogdb/v3.1/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md +++ b/product/zh/docs-mogdb/v3.1/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md @@ -288,22 +288,6 @@ date: 2021-04-20 (1 row) ``` -- pg_backend_pid() - - 描述:当前会话连接的服务进程的进程ID。 - - 返回值类型:int - - 示例: - - ```sql - MogDB=# SELECT pg_backend_pid(); - pg_backend_pid - ----------------- - 140229352617744 - (1 row) - ``` - - pg_conf_load_time() 描述:配置加载时间。pg_conf_load_time返回最后加载服务器配置文件的时间戳。 
diff --git a/product/zh/docs-mogdb/v3.1/reference-guide/guc-parameters/7-ha-replication/1-sending-server.md b/product/zh/docs-mogdb/v3.1/reference-guide/guc-parameters/7-ha-replication/1-sending-server.md index 80c4aae7fd3697f9678f822a6e397fd5574cd8b0..f79364e8a1a017b33d29c61670b3328d3b5f78df 100644 --- a/product/zh/docs-mogdb/v3.1/reference-guide/guc-parameters/7-ha-replication/1-sending-server.md +++ b/product/zh/docs-mogdb/v3.1/reference-guide/guc-parameters/7-ha-replication/1-sending-server.md @@ -153,3 +153,17 @@ date: 2021-04-20 **取值范围**: 字符串。其中空字符串表示没有配置节点信息。 **默认值**: 空字符串 + +## enable_availablezone + +**参数说明**: 设置本端级联备节点能否连接跨available_zone的备机。 + +该参数属于POSTMASTER类型参数,请参考[GUC参数分类](../30-appendix.md)中对应设置方法进行设置。 + +**取值范围**:布尔型 + +- on表示级联备只能连接相同available_zone中的备机。 + +- off表示级联备可以连接不同available_zone中的备机。 + +**默认值**:off \ No newline at end of file diff --git a/product/zh/docs-mogdb/v3.1/reference-guide/guc-parameters/guc-parameter-list.md b/product/zh/docs-mogdb/v3.1/reference-guide/guc-parameters/guc-parameter-list.md index 5a07c7f126347a26659cd9464d97c1e909e14e35..f998e7468ca576300f5cab56987ce3fa736727b0 100644 --- a/product/zh/docs-mogdb/v3.1/reference-guide/guc-parameters/guc-parameter-list.md +++ b/product/zh/docs-mogdb/v3.1/reference-guide/guc-parameters/guc-parameter-list.md 
@@ -237,6 +237,7 @@ date: 2022-05-26 | [enable_asp](27-system-performance-snapshot.md#enable_asp) | | [enable_auto_clean_unique_sql](26-query.md#enable_auto_clean_unique_sql) | | [enable_auto_explain](../../reference-guide/guc-parameters/9-query-planning/4-other-optimizer-options.md#enable_auto_explain) | +| [enable_availablezone](../../reference-guide/guc-parameters/7-ha-replication/1-sending-server.md#enable_availablezone) | | [enable_az_auto_switchover](../../reference-guide/guc-parameters/cm-parameters/cm_server.md#enable_az_auto_switchover) | | [enable_bbox_dump](13-load-management.md#enable_bbox_dump) | | [enable_beta_features](../../reference-guide/guc-parameters/17-version-and-platform-compatibility/1-compatibility-with-earlier-versions.md#enable_beta_features) | diff --git a/product/zh/docs-mogdb/v3.1/reference-guide/tool-reference/tools-used-in-the-internal-system/13-gs_expansion.md b/product/zh/docs-mogdb/v3.1/reference-guide/tool-reference/tools-used-in-the-internal-system/13-gs_expansion.md index f393e9266d2e55a3fbf7fded654bdeaff2b9265b..1983156f656e75739cdb638cbbfbdf0bef9a17ed 100644 --- a/product/zh/docs-mogdb/v3.1/reference-guide/tool-reference/tools-used-in-the-internal-system/13-gs_expansion.md +++ b/product/zh/docs-mogdb/v3.1/reference-guide/tool-reference/tools-used-in-the-internal-system/13-gs_expansion.md @@ -14,7 +14,7 @@ MogDB提供了gs_expansion工具对数据库的备机进行扩容。支持从单 ## 注意事项 - 扩容后不会自动更新synchronous_standby_names参数。如果需要为该参数增加扩容的机器,请在扩容完成后手动更新。 -- 扩容级联备之前要确保原集群中有处于同一AZ(Available Zone)且状态正常的备机,或扩容级联备的同时也扩容了处于同AZ的备机。 +- 当待扩容的级联备GUC参数enable_availablezone开启时,扩容级联备之前要确保原集群中有处于同一AZ(Available Zone)且状态正常的备机,或扩容级联备的同时也扩容了处于同AZ的备机。 - 对数据库集群进行扩容前,需要关注主机及新扩容节点CPU、IO、网络等情况,不建议在硬件压力较大时执行扩容,否则可能导致扩容耗时较长甚至扩容失败。 - 当原集群数据量较大时,在进行扩容操作前应当在主机上先执行checkpoint,否则可能导致扩容耗时较长甚至扩容失败。 - 在单节点扩容时,如果节点hot_standby被关闭过,则需要在每个备节点上也按照如下流程修改: 
diff --git a/product/zh/docs-mogdb/v3.1/security-guide/security/1-client-access-authentication.md b/product/zh/docs-mogdb/v3.1/security-guide/security/1-client-access-authentication.md index aa0ae1d4111f8513c5d3fb510a6690ac2d4d796e..8f78035a0bb0715663def1ed0edf66a12f4c5a2a 100644 --- a/product/zh/docs-mogdb/v3.1/security-guide/security/1-client-access-authentication.md +++ b/product/zh/docs-mogdb/v3.1/security-guide/security/1-client-access-authentication.md @@ -33,7 +33,7 @@ date: 2021-03-04 例如,下面示例中配置允许IP地址为10.10.0.30的客户端访问本机。 ```bash - gs_guc set -N all -I all -h "host all jack 10.10.0.30/32 sha256" + gs_guc reload -N all -I all -h "host all jack 10.10.0.30/32 sha256" ``` > ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **说明:** @@ -125,7 +125,7 @@ host all all 10.10.0.1/32 reject | host | 表示这条记录既接受一个普通的TCP/IP套接字连接,也接受一个经过SSL加密的TCP/IP套接字连接。 | - | | hostssl | 表示这条记录只接受一个经过SSL加密的TCP/IP套接字连接。 | 用SSL进行安全的连接,需要配置申请数字证书并配置相关参数,详细信息请参见[用SSL进行安全的TCP/IP连接](#用ssl进行安全的tcpip连接)。 | | hostnossl | 表示这条记录只接受一个普通的TCP/IP套接字连接。 | - | -| DATABASEGUC | 声明记录所匹配且允许访问的数据库。 | - all: 表示该记录匹配所有数据库。
- sameuser: 表示如果请求访问的数据库和请求的用户同名,则匹配。
- samerole: 表示请求的用户必须是与数据库同名角色中的成员。
- samegroup: 与samerole作用完全一致,表示请求的用户必须是与数据库同名角色中的成员。
- 一个包含数据库名的文件或者文件中的数据库列表: 文件可以通过在文件名前面加前缀@来声明。文件中的数据库列表以逗号或者换行符分隔。
- 特定的数据库名称或者用逗号分隔的数据库列表。
说明:
值replication表示如果请求一个复制链接,则匹配,但复制链接不表示任何特定的数据库。如需使用名为replication的数据库,需在database列使用记录"replication"作为数据库名。 | +| DATABASE | 声明记录所匹配且允许访问的数据库。 | - all: 表示该记录匹配所有数据库。
- sameuser: 表示如果请求访问的数据库和请求的用户同名,则匹配。
- samerole: 表示请求的用户必须是与数据库同名角色中的成员。
- samegroup: 与samerole作用完全一致,表示请求的用户必须是与数据库同名角色中的成员。
- 一个包含数据库名的文件或者文件中的数据库列表: 文件可以通过在文件名前面加前缀@来声明。文件中的数据库列表以逗号或者换行符分隔。
- 特定的数据库名称或者用逗号分隔的数据库列表。
说明:
值replication表示如果请求一个复制链接,则匹配,但复制链接不表示任何特定的数据库。如需使用名为replication的数据库,需在database列使用记录"replication"作为数据库名。 | | USER | 声明记录所匹配且允许访问的数据库用户。 | - all: 表明该记录匹配所有用户。
- +用户角色: 表示匹配任何直接或者间接属于这个角色的成员。
说明:
+表示前缀符号。
- 一个包含用户名的文件或者文件中的用户列表: 文件可以通过在文件名前面加前缀@来声明。文件中的用户列表以逗号或者换行符分隔。
- 特定的数据库用户名或者用逗号分隔的用户列表。 | | ADDRESS | 指定与记录匹配且允许访问的IP地址范围。 | 支持IPv4和IPv6,可以使用如下两种形式来表示:
- IP地址/掩码长度。例如,10.10.0.0/24
- IP地址子网掩码。例如,10.10.0.0 255.255.255.0
说明:
以IPv4格式给出的IP地址会匹配那些拥有对应地址的IPv6连接,比如127.0.0.1将匹配IPv6地址 ::ffff:127.0.0.1 | | METHOD | 声明连接时使用的认证方法。 | 本产品支持如下几种认证方式,详细解释请参见[表3](#表1.2.2):
- trust
- reject
- md5(不推荐使用,默认不支持,可通过password_encryption_type参数配置)
说明:
MD5加密算法安全性低,存在安全风险,建议使用更安全的加密算法。
- sha256
- sm3
- cert
- gss(仅用于MogDB内部节点间认证)
- peer (仅用于local模式) | diff --git a/product/zh/docs-mogdb/v5.0/about-mogdb/mogdb-new-feature/5.0.6.md b/product/zh/docs-mogdb/v5.0/about-mogdb/mogdb-new-feature/5.0.6.md index 2cf58d9aab375f7cb15572cd7451ca294ba607a7..40f061b4945557408e04ce6544bd2e184045f166 100644 --- a/product/zh/docs-mogdb/v5.0/about-mogdb/mogdb-new-feature/5.0.6.md +++ b/product/zh/docs-mogdb/v5.0/about-mogdb/mogdb-new-feature/5.0.6.md @@ -79,7 +79,7 @@ MogDB对读写请求的处理全部放在事务机制下,这与Oracle读不启 **相关页面**:[支持在建表后修改表日志属性](../../characteristic-description/compatibility/modify-table-log-property.md) -3. 优化like'xxx'和like'xxx%'语句,提升执行性能 +3. 支持通过SET [sql_beta_feature](../../reference-guide/guc-parameters/query-planning/other-optimizer-options.md#sql_beta_feature) = index_like_prefix_opt; 优化like'xxx'和like'xxx%'语句,提升执行性能 4. 支持在query的子查询中对于无用的order by子句的消除,提升执行性能 diff --git a/product/zh/docs-mogdb/v5.0/reference-guide/functions-and-operators/mathematical-functions-and-operators.md b/product/zh/docs-mogdb/v5.0/reference-guide/functions-and-operators/mathematical-functions-and-operators.md index dc90198f7840ad85fa0748c1a9ba1f59ef224a7b..163b0a22ed9a3c536e8924069832a9eb0eef99d9 100644 --- a/product/zh/docs-mogdb/v5.0/reference-guide/functions-and-operators/mathematical-functions-and-operators.md +++ b/product/zh/docs-mogdb/v5.0/reference-guide/functions-and-operators/mathematical-functions-and-operators.md @@ -815,22 +815,6 @@ date: 2021-04-20 (1 row) ``` -- remainder(n2 numeric,n1 numeric) - - 描述:返回n2 除以 n1 的余数。 - - 返回值类型:numeric - - 示例: - - ```sql - MogDB=# select REMAINDER(11,3); - remainder - ----------- - -1 - (1 row) - ``` - - round(x) 描述:离输入参数最近的整数。 @@ -967,7 +951,7 @@ date: 2021-04-20 - trunc(v numeric, s int) - 描述:截断为s位小数。 + 描述:截断为s位小数(trunc只支持截断不超过int4类型最大值的位数)。。 返回值类型:numeric 
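Review bot: in the 5.0.6.md hunk the SQL statement is spliced into the sentence as `SET [sql_beta_feature](...) = index_like_prefix_opt; 优化like'xxx'...`, so a markdown link sits inside a SQL statement and the trailing semicolon runs straight into the prose; put the statement in inline code and keep the link outside it, for example `支持通过 SET sql_beta_feature = index_like_prefix_opt; 优化like'xxx'和like'xxx%'语句` with the parameter name linked separately to `sql_beta_feature`.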
diff --git a/product/zh/docs-mogdb/v5.0/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md b/product/zh/docs-mogdb/v5.0/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md index fb9158750cf0a430aed59766dedd135f780eb3c1..d68952565faf944421627757b680d144585e09b7 100644 --- a/product/zh/docs-mogdb/v5.0/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md +++ b/product/zh/docs-mogdb/v5.0/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md @@ -306,22 +306,6 @@ date: 2021-04-20 (1 row) ``` -- pg_backend_pid() - - 描述:当前会话连接的服务进程的进程ID。 - - 返回值类型:bigint - - 示例: - - ```sql - MogDB=# SELECT pg_backend_pid(); - pg_backend_pid - ----------------- - 140229352617744 - (1 row) - ``` - - pg_conf_load_time() 描述:配置加载时间。pg_conf_load_time返回最后加载服务器配置文件的时间戳。 diff --git a/product/zh/docs-mogdb/v5.0/reference-guide/guc-parameters/guc-parameter-list.md b/product/zh/docs-mogdb/v5.0/reference-guide/guc-parameters/guc-parameter-list.md index 53aac7e421237bab8e0cffd5f688d189e169e341..90192bcd89854baa748a2e7933c012cb30e4207d 100644 --- a/product/zh/docs-mogdb/v5.0/reference-guide/guc-parameters/guc-parameter-list.md +++ b/product/zh/docs-mogdb/v5.0/reference-guide/guc-parameters/guc-parameter-list.md @@ -228,6 +228,7 @@ date: 2023-04-07 | [enable_asp](system-performance-snapshot.md#enable_asp) | | [enable_auto_clean_unique_sql](query.md#enable_auto_clean_unique_sql) | | [enable_auto_explain](query-planning/other-optimizer-options.md#enable_auto_explain) | +| [enable_availablezone](./ha-replication/sending-server.md#enable_availablezone) | | [enable_batch_dispatch](write-ahead-log/log-replay.md#enable_batch_dispatch) | | [enable_bbox_dump](load-management.md#enable_bbox_dump) | | [enable_beta_features](version-and-platform-compatibility/compatibility-with-earlier-versions.md#enable_beta_features) | 
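Review bot: the hunk in session-information-functions.md deletes the pg_backend_pid() entry (description, return type and example) with nothing in its place, and the change does not say whether the function itself was withdrawn; if it still exists it is now undocumented, and if it was removed on purpose a one-line deprecation note there would tell readers why.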
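Review bot: the new entry in guc-parameter-list.md, `+| [enable_availablezone](./ha-replication/sending-server.md#enable_availablezone) |`, uses a `./` prefix while its neighbours (`write-ahead-log/log-replay.md#enable_batch_dispatch`, `load-management.md#enable_bbox_dump`) use bare relative paths; drop the `./` for consistency. The anchor does match the `## enable_availablezone` heading added to sending-server.md in this same change.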
diff --git a/product/zh/docs-mogdb/v5.0/reference-guide/guc-parameters/ha-replication/sending-server.md b/product/zh/docs-mogdb/v5.0/reference-guide/guc-parameters/ha-replication/sending-server.md index f34f70ef018b7a4f60674cac7b5b4a347981e688..0e2655990909d833ac1196392943649938a91f3d 100644 --- a/product/zh/docs-mogdb/v5.0/reference-guide/guc-parameters/ha-replication/sending-server.md +++ b/product/zh/docs-mogdb/v5.0/reference-guide/guc-parameters/ha-replication/sending-server.md @@ -206,6 +206,20 @@ date: 2021-04-20 **默认值**: 空字符串 +## enable_availablezone + +**参数说明**: 设置本端级联备节点能否连接跨available_zone的备机。 + +该参数属于POSTMASTER类型参数,请参考[GUC参数分类](../../../reference-guide/guc-parameters/appendix.md)中对应设置方法进行设置。 + +**取值范围**:布尔型 + +- on表示级联备只能连接相同available_zone中的备机。 + +- off表示级联备可以连接不同available_zone中的备机。 + +**默认值**:off + ## max_keep_log_seg **参数说明**:流控参数,逻辑复制在DN本地会解析物理日志转换成逻辑日志,当未被解析的物理日志文件数量大于该参数时会触发限流。此参数为0表示关闭限流功能。 diff --git a/product/zh/docs-mogdb/v5.0/reference-guide/guc-parameters/query-planning/optimizer-cost-constants.md b/product/zh/docs-mogdb/v5.0/reference-guide/guc-parameters/query-planning/optimizer-cost-constants.md index b20254a870b356b69a3e3cc2671dc672cbf23fa2..67d2862841771c7fa42381f863819e7659111501 100644 --- a/product/zh/docs-mogdb/v5.0/reference-guide/guc-parameters/query-planning/optimizer-cost-constants.md +++ b/product/zh/docs-mogdb/v5.0/reference-guide/guc-parameters/query-planning/optimizer-cost-constants.md @@ -98,7 +98,7 @@ date: 2021-04-20 **参数说明**:表示算子在并行执行的时候和单一线程以及其余线程之间通信同步的代价。将该值调低可以促使优化器优先选择并行。 -该参数属于session级别参数,请参考[GUC参数设置方式](../../../reference-guide/guc-parameters/appendix.md)中对应设置方法进行设置。 +该参数属于USERSET类型参数,请参考[GUC参数设置方式](../../../reference-guide/guc-parameters/appendix.md)中对应设置方法进行设置。 **取值范围**:整型,0~1000 
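Review bot: the new enable_availablezone section in sending-server.md does not state what a cascaded standby does when the switch is on and no healthy standby exists in its own available_zone, which is exactly the case the gs_expansion.md note in this same change guards against (it requires a healthy same-AZ standby, or adding one, before expanding a cascaded standby while the parameter is on); add that sentence and a link to gs_expansion.md here. Since the parameter is classed as POSTMASTER, also say plainly that changing it requires a restart, so an isolated cascaded standby cannot be reconnected with a reload alone.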
diff --git a/product/zh/docs-mogdb/v5.0/reference-guide/guc-parameters/query-planning/other-optimizer-options.md b/product/zh/docs-mogdb/v5.0/reference-guide/guc-parameters/query-planning/other-optimizer-options.md index 04f3384f35328b3d893374acec57e173df9fe29f..b6380acdc8d8d4b6d45aa7cddc5f501b7833d900 100644 --- a/product/zh/docs-mogdb/v5.0/reference-guide/guc-parameters/query-planning/other-optimizer-options.md +++ b/product/zh/docs-mogdb/v5.0/reference-guide/guc-parameters/query-planning/other-optimizer-options.md @@ -354,6 +354,7 @@ set sql_beta_feature=none; - predpush_same_level:开启predpush hint控制同层参数化路径的功能。 - disable_bitmap_cost_with_lossy_pages:关闭bitmap路径代价中对lossy pages代价的计算。 - extract_pushdown_or_clause:开启支持or表达式的提取下推。 +- index_like_prefix_opt:优化like'xxx'和like'xxx%'语句,消除多余的Filter操作,提升like查询的性能。 **默认值**: none diff --git a/product/zh/docs-mogdb/v5.0/reference-guide/guc-parameters/write-ahead-log/log-replay.md b/product/zh/docs-mogdb/v5.0/reference-guide/guc-parameters/write-ahead-log/log-replay.md index 8eda584f469921ca081c54f411a243db5f4b929c..25b21e671caa8be0d8b73354016b3627e9b5c701 100644 --- a/product/zh/docs-mogdb/v5.0/reference-guide/guc-parameters/write-ahead-log/log-replay.md +++ b/product/zh/docs-mogdb/v5.0/reference-guide/guc-parameters/write-ahead-log/log-replay.md @@ -11,9 +11,9 @@ date: 2021-04-20 **参数说明**: 开启“批量优化+负载均衡优化”开关。 -该参数属于SIGHUP类型参数,请参考表[GUC参数分类](../../../reference-guide/guc-parameters/appendix.md)中对应设置方法进行设置。 +该参数属于POSTMASTER类型参数,请参考表[GUC参数分类](../../../reference-guide/guc-parameters/appendix.md)中对应设置方法进行设置。 -**取值范围**: boolean, on/off +**取值范围**: 布尔型 **默认值**: on 
@@ -21,17 +21,17 @@ date: 2021-04-20 **参数说明**: 是否统计redo_time_detail()所需的信息。 -该参数属于SIGHUP类型参数,请参考表[GUC参数分类](../../../reference-guide/guc-parameters/appendix.md)中对应设置方法进行设置。 +该参数属于POSTMASTER类型参数,请参考表[GUC参数分类](../../../reference-guide/guc-parameters/appendix.md)中对应设置方法进行设置。 -**取值范围**: boolean,true/false +**取值范围**: 布尔型 -**默认值**: false +**默认值**: off ## parallel_recovery_batch **参数说明**: 在页级别并行恢复时,startup线程暂存wal记录的数量。 -该参数属于SIGHUP类型参数,请参考表[GUC参数分类](../../../reference-guide/guc-parameters/appendix.md)中对应设置方法进行设置。 +该参数属于POSTMASTER类型参数,请参考表[GUC参数分类](../../../reference-guide/guc-parameters/appendix.md)中对应设置方法进行设置。 **取值范围**: integer,1~100000 @@ -41,7 +41,7 @@ date: 2021-04-20 **参数说明**: 页级别并行恢复情况下,在一段时间内没有新wal到达时,立即分发目前在startup暂存的WAL记录。 -该参数属于SIGHUP类型参数,请参考表[GUC参数分类](../../../reference-guide/guc-parameters/appendix.md)中对应设置方法进行设置。 +该参数属于POSTMASTER类型参数,请参考表[GUC参数分类](../../../reference-guide/guc-parameters/appendix.md)中对应设置方法进行设置。 **取值范围**: integer,1~1000 @@ -158,3 +158,18 @@ date: 2021-04-20 - 'cpubind: 0-30':利用0-30号CPU core进行绑核。 **默认值**: 'nobind' + +**表 1** 不同CPU、内存和部署模式下的参数设置参考 + +| 编号 | CPU个数 | 内存(GB) | 是否混合部署 | recovery_parse_workers | recovery_redo_workers | 回放线程总数 | 备注 | +| :--- | :------ | :-------- | :----------- | :--------------------- | :-------------------- | :----------- | :----------------------- | +| 1 | 4 | - | - | 1 | 1 | - | 不推荐开 | +| 2 | 8 | - | 是 | 1 | 1 | - | 不推荐开 | +| 3 | 8 | 64 | 否 | 1 | 1 | - | 不推荐开 | +| 4 | 16 | 128 | 是 | 1 | 1 | - | 不推荐开 | +| 5 | 16 | 128 | 否 | 2 | 3 | 15 | - | +| 6 | 32 | 256 | 是 | 2 | 2 | 13 | - | +| 7 | 32 | 256 | 否 | 2 | 8 | 25 | - | +| 8 | 64 | 512 | 是 | 2 | 4 | 17 | - | +| 9 | 64 | 512 | 否 | 2 | 8 | 25 | 大于此规格的均按照此参数 | +| 10 | 96 | 768 | - | 2 | 8 | 25 | 大于此规格的均按照此参数 | 
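Review bot: the `@@ -21,17 +21,17 @@` hunk of log-replay.md replaces `boolean,true/false` with `布尔型` and the default `false` with `off`, but leaves `**取值范围**: integer,1~100000` (parallel_recovery_batch) and, in the following hunk, `integer,1~1000` untouched; change them to `整型,1~100000` and `整型,1~1000` so the file follows one convention. The SIGHUP to POSTMASTER reclassification applied across these hunks means each parameter now needs a restart instead of a reload; if that reflects a real change in the server rather than a correction of the docs, it also belongs in the release notes.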
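Review bot: the `**表 1**` block appended in the `@@ -158,3 +158,18 @@` hunk of log-replay.md has no introductory sentence and is not referenced from any text in the hunk, so readers of the parameters it tabulates (recovery_parse_workers, recovery_redo_workers) will not find it; add a pointer to 表 1 from those parameters. Rows 1 to 4 say `不推荐开` yet still list `1 | 1` for the two worker counts and `-` for the thread total, so state explicitly that the recommendation is to leave parallel recovery off for those configurations rather than to set those values.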
diff --git a/product/zh/docs-mogdb/v5.0/reference-guide/sql-reference/transaction/transaction-auto-commit.md b/product/zh/docs-mogdb/v5.0/reference-guide/sql-reference/transaction/transaction-auto-commit.md index 695be86fc0acc76027984ad7ffe934e84bd40b38..c36467b739b600aa14f2596d1c4622bbc5c8492e 100644 --- a/product/zh/docs-mogdb/v5.0/reference-guide/sql-reference/transaction/transaction-auto-commit.md +++ b/product/zh/docs-mogdb/v5.0/reference-guide/sql-reference/transaction/transaction-auto-commit.md 
@@ -73,95 +73,93 @@ GUC参数[behavior_compat_options](../../guc-parameters/version-and-platform-com ## 各种SQL在不同场景下的行为描述 -目前统计到有150种stmt命令,下表列出了实际验证的86种stmt,其中86条SQL在单语句场景全部验证通过,31条SQL在事务块/函数/存储过程(含子事务)下的场景验证通过(标记粗体的为没有在相应场景验证,但是说明了预期行为)。其他stmt在各种场景下的行为表现可参见表格中已经验证过的相似stmt的情况(后续会补充完善)。 - -| 数据库对象 | 对象操作 | 单条语句 | 语句放在事务块 | 语句在函数/存储过程里面 | -| ----------------------- | ------------------------- | ------------------------------------------------------------ | ------------------------- | ------------------------------------------------------------ | -| TABLE | SELECT | 自动提交 | 显式提交 | 函数内部只有 select 读命令,执行完函数自动提交 | -| | SELECT FOR UPDATE | 显式提交 | 显式提交 | 显式提交 | -| | SELECT FOR SHARE | 显式提交 | 显式提交 | 显式提交 | -| | SELECT FOR KEY SHARE | 显式提交 | 显式提交 | 显式提交 | -| | SELECT FOR NO KEY UPDATE | 显式提交 | 显式提交 | 显式提交 | -| | INSERT | 显式提交 | 显式提交 | 显式提交 | -| | UPDATE | 显式提交 | 显式提交 | 显式提交 | -| | DELETE | 显式提交 | 显式提交 | 显式提交 | -| | MERGE INTO | 显式提交 | 显式提交 | 显式提交 | -| DECLARE CURSOR | DECLARE CURSOR | 显式提交 | 显式提交 | 函数内部只有游标操作,没有写命令的话,执行完函数自动提交 | -| CLOSE CURSOR | CLOSE CURSOR | 显式提交 | 显式提交 | 函数内部只有游标操作,没有写命令的话,执行完函数自动提交 | -| MOVE/FETCH | MOVE/FETCH | 显式提交 | 显式提交 | 函数内部只有游标操作,没有写命令的话,执行完函数自动提交 | -| TABLESPACE | CREATE TABLESPACE | 自动提交 | **显式提交** | **显式提交** | -| | ALTER TABLESPACE | 自动提交 | **显式提交** | **显式提交** | -| | DROP TABLESPACE | 自动提交 | **显式提交** | **显式提交** | -| DATABASE | CREATE DATABASE | 自动提交 | **显式提交** | **显式提交** | -| | ALTER DATABASE | 自动提交 | **显式提交** | **显式提交** | -| | DROP DATABASE | 自动提交 | **显式提交** | **显式提交** | -| TABLE | CREATE TABLE | 自动提交 | 显式提交 | 显式提交 | -| | ALTER TABLE | 自动提交 | 显式提交 | 显式提交 | -| | TRUNCATE TABLE | 自动提交 | 显式提交 | 显式提交 | -| | DROP TABLE | 自动提交 | 显式提交 | 显式提交 | -| SCHEMA | CREATE SCHEMA | 自动提交 | **显式提交** | **显式提交** | -| | ALTER SCHEMA | 自动提交 | **显式提交** | **显式提交** | -| | DROP SCHEMA | 自动提交 | **显式提交** | **显式提交** | -| VIEW | CREATE VIEW | 自动提交 | **显式提交** | **显式提交** | -| | ALTER VIEW | 自动提交 | **显式提交** | **显式提交** | -| | DROP VIEW | 自动提交 | **显式提交** | **显式提交** | -| PACKAGE | 
CERATE PACKAGE | 自动提交 | **显式提交** | **显式提交** | -| | CERATE PACKAGE BODY | 自动提交 | **显式提交** | **显式提交** | -| | ALTER PACKAGE | 自动提交 | **显式提交** | **显式提交** | -| | DROP PACKAGE | 自动提交 | **显式提交** | **显式提交** | -| TRIGGER | CREATE TRIGGER | 自动提交 | **显式提交** | **显式提交** | -| | ALTER TRIGGER | 自动提交 | **显式提交** | **显式提交** | -| | DROP TRIGGER | 自动提交 | **显式提交** | **显式提交** | -| FUNCTION | CREATE FUNCTION | 自动提交 | **显式提交** | **显式提交** | -| | ALTER FUNCTION | 自动提交 | **显式提交** | **显式提交** | -| | DROP FUNCTION | 自动提交 | **显式提交** | **显式提交** | -| ROLE | CREATE ROLE | 自动提交 | **显式提交** | **显式提交** | -| | ALTER ROLE | 自动提交 | **显式提交** | **显式提交** | -| | DROP ROLE | 自动提交 | **显式提交** | **显式提交** | -| INDEX | CREATE INDEX | 自动提交 | **显式提交** | **显式提交** | -| | ALTER INDEX | 自动提交 | **显式提交** | **显式提交** | -| | REINDEX | 自动提交 | **显式提交** | **显式提交** | -| | DROP INDEX | 自动提交 | **显式提交** | **显式提交** | -| SEQUENCE | CREATE SEQUENCE | 自动提交 | **显式提交** | **显式提交** | -| | ALTER SEQUENCE | 自动提交 | **显式提交** | **显式提交** | -| | DROP SEQUENCE | 自动提交 | **显式提交** | **显式提交** | -| USER | CREATE USER | 自动提交 | **显式提交** | **显式提交** | -| | ALTER USER | 自动提交 | **显式提交** | **显式提交** | -| | DROP USER | 自动提交 | **显式提交** | **显式提交** | -| COMMENT | COMMENT | 自动提交 | 显式提交 | 显式提交 | -| VACUUM | VACUUM | 自动提交 | vacuum 不能放到事务块里面 | vacuum 不能放到函数里面 | -| EXPLAIN | EXPLAIN | 如果explain 语句存在写行为, 比如:explain analyze insert into tb1 values(1); 需要显式提交,否则自动提交 | 显式提交 | 如果explain 语句存在写行为, 比如:explain analyze insert into tb1 values(1); 需要显式提交,否则执行完函数自动提交 | -| SHOW | SHOW | 自动提交 | 显式提交 | 执行完函数之后,自动提交 | -| ALTER SYSTEM SET | ALTER SYSTEM SET | 自动提交 | **显式提交** | **执行完函数之后,自动提交** | -| SET | SET | 自动提交 | 显式提交 | 执行完函数之后,自动提交 | -| SHUTDOWN | SHUTDOWN | 自动提交 | **显式提交** | **执行完函数之后,自动提交** | -| ANONYMOUS BLOCK EXECUTE | ANONYMOUS BLOCK EXECUTE | 如果匿名块语句存在写行为, 比如: begin insert into tb1 values(1); end; / 需要显式提交,否则自动提交 | **显式提交** | **如果匿名块语句存在写行为, 比如: begin insert into tb1 values(1); end; / 需要显式提交,否则执行完函数自动提交** | -| LOCK TABLE | LOCK TABLE | 显式提交 | 显式提交 | 显式提交 | -| SET CONSTRAINTS | 
SET CONSTRAINTS | 自动提交 | 显式提交 | 执行完函数之后,自动提交 | -| CHECKPOINT | CHECKPOINT | 自动提交 | 显式提交 | 执行完函数之后,自动提交 | -| SHRINK | SHRINK | 自动提交 | 显式提交 | 显式提交 | -| CREATE RULE | CREATE RULE | 自动提交 | **显式提交** | **显式提交** | -| TYPE | CREATE TYPE | 自动提交 | **显式提交** | **显式提交** | -| | ALTER TYPE | 自动提交 | **显式提交** | **显式提交** | -| EVENT TRIGGER | CREATE EVENT TRIGGER | 自动提交 | **显式提交** | **显式提交** | -| | ALTER EVENT TRIGGER | 自动提交 | **显式提交** | **显式提交** | -| | DROP EVENT TRIGGER | 自动提交 | **显式提交** | **显式提交** | -| PURGE | PURGE TABLE | 自动提交 | 显式提交 | 显式提交 | -| | PURGE INDEX | 自动提交 | 显式提交 | 显式提交 | -| | PURGE RECYCLEBIN | 自动提交 | 显式提交 | 显式提交 | -| TimeCapsule Table | TimeCapsule Table | 自动提交 | 显式提交 | 显式提交 | -| PREPARE | PREPARE | 自动提交 | 显式提交 | 执行完函数之后,自动提交 | -| EXECUTE | EXECUTE | 如果execute 语句存在写行为, 比如:execute (insert into tb1 values(1)); 需要显式提交,否则自动提交 | 显式提交 | 如果execute 语句存在写行为, 比如:execute (insert into tb1 values(1)); 需要显式提交,否则执行完函数自动提交 | -| COPY | COPY | 自动提交 | 显式提交 | 显式提交 | -| LOAD | LOAD | 自动提交 | 显式提交 | 显式提交 | -| DEALLOCATE | DEALLOCATE | 自动提交 | **显式提交** | **执行完函数之后,自动提交** | -| | GRANT | 自动提交 | **显式提交** | **显式提交** | -| | REVOKE | 自动提交 | **显式提交** | **显式提交** | -| GRANT ROLE | GRANT ROLE | 自动提交 | **显式提交** | **显式提交** | -| REVOKE ROLE | REVOKE ROLE | 自动提交 | **显式提交** | **显式提交** | -| EVENT | CREATE EVENT | 自动提交 | **显式提交** | **显式提交** | -| | ALTER EVENT | 自动提交 | **显式提交** | **显式提交** | -| | DROP EVENT | 自动提交 | **显式提交** | **显式提交** | -| OWNED | DROP OWNED | 自动提交 | **显式提交** | **显式提交** | -| DEFAULT PRIVILEGES | ALTER DEFAULT PRIVILEGES | 自动提交 | **显式提交** | **显式提交** | -| MATERIALIZED VIEW | REFRESH MATERIALIZED VIEW | 自动提交 | 显式提交 | 显式提交 | \ No newline at end of file +| 数据库对象 | 对象操作 | 单条语句 | 语句放在事务块 | 语句在函数/存储过程里面 | +| ----------------------- | ------------------------- | ------------------------------------------------------------ | --------------------------------------- | ------------------------------------------------------------ | +| TABLE | SELECT | 自动提交 | 显式提交 | 函数内部只有 select 读命令,执行完函数自动提交 | +| | SELECT 
FOR UPDATE | 显式提交 | 显式提交 | 显式提交 | +| | SELECT FOR SHARE | 显式提交 | 显式提交 | 显式提交 | +| | SELECT FOR KEY SHARE | 显式提交 | 显式提交 | 显式提交 | +| | SELECT FOR NO KEY UPDATE | 显式提交 | 显式提交 | 显式提交 | +| | INSERT | 显式提交 | 显式提交 | 显式提交 | +| | UPDATE | 显式提交 | 显式提交 | 显式提交 | +| | DELETE | 显式提交 | 显式提交 | 显式提交 | +| | MERGE INTO | 显式提交 | 显式提交 | 显式提交 | +| DECLARE CURSOR | DECLARE CURSOR | 显式提交 | 显式提交 | 函数内部只有游标操作,没有写命令的话,执行完函数自动提交 | +| CLOSE CURSOR | CLOSE CURSOR | 显式提交 | 显式提交 | 函数内部只有游标操作,没有写命令的话,执行完函数自动提交 | +| MOVE/FETCH | MOVE/FETCH | 显式提交 | 显式提交 | 函数内部只有游标操作,没有写命令的话,执行完函数自动提交 | +| TABLESPACE | CREATE TABLESPACE | 自动提交 | 语句不支持在事务块中执行 | 语句不支持在函数/存储过程中执行 | +| | ALTER TABLESPACE | 自动提交 | 显式提交 | 显式提交 | +| | DROP TABLESPACE | 自动提交 | 语句不支持在事务块中执行 | 语句不支持在函数/存储过程中执行 | +| DATABASE | CREATE DATABASE | 自动提交 | 语句不支持在事务块中执行 | 语句不支持在函数/存储过程中执行 | +| | ALTER DATABASE | 自动提交 | 显式提交 | 显式提交 | +| | DROP DATABASE | 自动提交 | 语句不支持在事务块中执行 | 语句不支持在函数/存储过程中执行 | +| TABLE | CREATE TABLE | 自动提交 | 显式提交 | 显式提交 | +| | ALTER TABLE | 自动提交 | 显式提交 | 显式提交 | +| | TRUNCATE TABLE | 自动提交 | 显式提交 | 显式提交 | +| | DROP TABLE | 自动提交 | 显式提交 | 显式提交 | +| SCHEMA | CREATE SCHEMA | 自动提交 | 显式提交 | 显式提交 | +| | ALTER SCHEMA | 自动提交 | 显式提交 | 显式提交 | +| | DROP SCHEMA | 自动提交 | 显式提交 | 显式提交 | +| VIEW | CREATE VIEW | 自动提交 | 显式提交 | 显式提交 | +| | ALTER VIEW | 自动提交 | 显式提交 | 显式提交 | +| | DROP VIEW | 自动提交 | 显式提交 | 显式提交 | +| PACKAGE | CERATE PACKAGE | 自动提交 | 不支持 | 不支持 | +| | CERATE PACKAGE BODY | 自动提交 | 不支持 | 不支持 | +| | ALTER PACKAGE | 自动提交 | 显式提交 | 显式提交 | +| | DROP PACKAGE | 自动提交 | 显式提交 | 显式提交 | +| TRIGGER | CREATE TRIGGER | 自动提交 | 显式提交 | 显式提交 | +| | ALTER TRIGGER | 自动提交 | 显式提交 | 显式提交 | +| | DROP TRIGGER | 自动提交 | 显式提交 | 显式提交 | +| FUNCTION | CREATE FUNCTION | 自动提交 | 不支持 | 不支持 | +| | ALTER FUNCTION | 自动提交 | 显式提交 | 显式提交 | +| | DROP FUNCTION | 自动提交 | 显式提交 | 显式提交 | +| ROLE | CREATE ROLE | 自动提交 | 显式提交 | 显式提交 | +| | ALTER ROLE | 自动提交 | 显式提交 | 显式提交 | +| | DROP ROLE | 自动提交 | 显式提交 | 显式提交 | +| INDEX | CREATE INDEX | 自动提交 | 显式提交 | 显式提交 | +| | ALTER INDEX | 自动提交 | 显式提交 | 显式提交 
| +| | REINDEX | 自动提交 | 显式提交 | 显式提交 | +| | DROP INDEX | 自动提交 | 显式提交 | 显式提交 | +| SEQUENCE | CREATE SEQUENCE | 自动提交 | 显式提交 | 显式提交 | +| | ALTER SEQUENCE | 自动提交 | 语句不支持在事务块中执行 | 语句不支持在函数/存储过程中执行 | +| | DROP SEQUENCE | 自动提交 | 显式提交 | 显式提交 | +| USER | CREATE USER | 自动提交 | 显式提交 | 显式提交 | +| | ALTER USER | 自动提交 | 显式提交 | 显式提交 | +| | DROP USER | 自动提交 | 显式提交 | 显式提交 | +| COMMENT | COMMENT | 自动提交 | 显式提交 | 显式提交 | +| VACUUM | VACUUM | 自动提交 | vacuum 不能放到事务块里面 | vacuum 不能放到函数里面 | +| EXPLAIN | EXPLAIN | 如果explain 语句存在写行为, 比如:explain analyze insert into tb1 values(1); 需要显式提交,否则自动提交 | 显式提交 | 如果explain 语句存在写行为, 比如:explain analyze insert into tb1 values(1); 需要显式提交,否则执行完函数自动提交 | +| SHOW | SHOW | 自动提交 | 显式提交 | 执行完函数之后,自动提交 | +| ALTER SYSTEM SET | ALTER SYSTEM SET | 自动提交 | 语句不支持在事务块中执行 | 语句不支持在函数/存储过程中执行 | +| SET | SET | 自动提交 | 显式提交 | 执行完函数之后,自动提交 | +| SHUTDOWN | SHUTDOWN | 自动提交 | 会在提交前执行,提交后当前session会关闭 | 会在提交前执行,提交后当前session会关闭 | +| ANONYMOUS BLOCK EXECUTE | ANONYMOUS BLOCK EXECUTE | 如果匿名块语句存在写行为, 比如: begin insert into tb1 values(1); end; / 需要显式提交,否则自动提交 | 显式提交 | 如果匿名块语句存在写行为, 比如: begin insert into tb1 values(1); end; / 需要显式提交,否则执行完函数自动提交 | +| LOCK TABLE | LOCK TABLE | 显式提交 | 显式提交 | 显式提交 | +| SET CONSTRAINTS | SET CONSTRAINTS | 自动提交 | 显式提交 | 执行完函数之后,自动提交 | +| CHECKPOINT | CHECKPOINT | 自动提交 | 显式提交 | 执行完函数之后,自动提交 | +| SHRINK | SHRINK | 自动提交 | 显式提交 | 显式提交 | +| CREATE RULE | CREATE RULE | 自动提交 | 显式提交 | 显式提交 | +| TYPE | CREATE TYPE | 自动提交 | 显式提交 | 显式提交 | +| | ALTER TYPE | 自动提交 | 显式提交 | 显式提交 | +| EVENT TRIGGER | CREATE EVENT TRIGGER | 自动提交 | 显式提交 | 显式提交 | +| | ALTER EVENT TRIGGER | 自动提交 | 显式提交 | 显式提交 | +| | DROP EVENT TRIGGER | 自动提交 | 显式提交 | 显式提交 | +| PURGE | PURGE TABLE | 自动提交 | 显式提交 | 显式提交 | +| | PURGE INDEX | 自动提交 | 显式提交 | 显式提交 | +| | PURGE RECYCLEBIN | 自动提交 | 显式提交 | 显式提交 | +| TimeCapsule Table | TimeCapsule Table | 自动提交 | 显式提交 | 显式提交 | +| PREPARE | PREPARE | 自动提交 | 显式提交 | 执行完函数之后,自动提交 | +| EXECUTE | EXECUTE | 如果execute 语句存在写行为, 比如:execute (insert into tb1 values(1)); 需要显式提交,否则自动提交 | 显式提交 | 
如果execute 语句存在写行为, 比如:execute (insert into tb1 values(1)); 需要显式提交,否则执行完函数自动提交 | +| COPY | COPY | 自动提交 | 显式提交 | 显式提交 | +| LOAD | LOAD | 自动提交 | 显式提交 | 显式提交 | +| DEALLOCATE | DEALLOCATE | 自动提交 | 显式提交 | 执行完函数之后,自动提交 | +| | GRANT | 自动提交 | 显式提交 | 显式提交 | +| | REVOKE | 自动提交 | 显式提交 | 显式提交 | +| GRANT ROLE | GRANT ROLE | 自动提交 | 显式提交 | 显式提交 | +| REVOKE ROLE | REVOKE ROLE | 自动提交 | 显式提交 | 显式提交 | +| EVENT | CREATE EVENT | 自动提交 | 显式提交 | 显式提交 | +| | ALTER EVENT | 自动提交 | 显式提交 | 显式提交 | +| | DROP EVENT | 自动提交 | 显式提交 | 显式提交 | +| OWNED | DROP OWNED | 自动提交 | 显式提交 | 显式提交 | +| DEFAULT PRIVILEGES | ALTER DEFAULT PRIVILEGES | 自动提交 | 显式提交 | 显式提交 | +| MATERIALIZED VIEW | REFRESH MATERIALIZED VIEW | 自动提交 | 显式提交 | 显式提交 | \ No newline at end of file diff --git a/product/zh/docs-mogdb/v5.0/reference-guide/tool-reference/client-tool/gsql/gsql-release-notes.md b/product/zh/docs-mogdb/v5.0/reference-guide/tool-reference/client-tool/gsql/gsql-release-notes.md index 997c6920618cc50894aebf232ef87e04db1e4ef3..676c6781061b5e4d6b42fa189a5118df016b8755 100644 --- a/product/zh/docs-mogdb/v5.0/reference-guide/tool-reference/client-tool/gsql/gsql-release-notes.md +++ b/product/zh/docs-mogdb/v5.0/reference-guide/tool-reference/client-tool/gsql/gsql-release-notes.md @@ -1,6 +1,6 @@ --- -title: libpq release note -summary: libpq release note +title: gsql release note +summary: gsql release note author: 齐永江 郭欢 date: 2024-04-02 --- diff --git a/product/zh/docs-mogdb/v5.0/reference-guide/tool-reference/cluster-management/manual-configuration-of-vip.md b/product/zh/docs-mogdb/v5.0/reference-guide/tool-reference/cluster-management/manual-configuration-of-vip.md index 2ec7a4ddda0445099c2534270ef0fbcfe4989dec..85587e518bd42f46922c3704a0ce6fcb327f0934 100644 --- a/product/zh/docs-mogdb/v5.0/reference-guide/tool-reference/cluster-management/manual-configuration-of-vip.md +++ b/product/zh/docs-mogdb/v5.0/reference-guide/tool-reference/cluster-management/manual-configuration-of-vip.md 
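Review bot: the rewritten table in transaction-auto-commit.md keeps the misspelling `CERATE PACKAGE` / `CERATE PACKAGE BODY` (should be CREATE) and the file still ends without a trailing newline (`\ No newline at end of file` on both sides). The hunk also drops the whole introductory paragraph (`目前统计到有150种stmt命令...`), so the table now sits directly under `## 各种SQL在不同场景下的行为描述` with no explanation of how the cells were verified; keep a one-sentence lead-in. Finally, unify the wording for the same condition: CREATE PACKAGE, CREATE PACKAGE BODY and CREATE FUNCTION say `不支持`, while CREATE TABLESPACE, CREATE DATABASE, DROP DATABASE, ALTER SEQUENCE and ALTER SYSTEM SET say `语句不支持在事务块中执行` / `语句不支持在函数/存储过程中执行`.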
@@ -9,7 +9,11 @@ date: 2023-07-03 ## 目标 -因PTK安装部署时暂未支持VIP相关配置(预计5.1版本会支持),故本文重点讲解如何基于已经安装部署成功的带有CM集群管理软件的数据库集群手动配置/启用VIP功能。 +本文讲解如何基于已经安装部署成功的带有CM集群管理软件的数据库集群手动配置/启用VIP功能。 + +> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) 说明: +> +> MogDB 5.0.4及以上版本支持通过PTK(V1.2.0+)自动挂载VIP,具体操作参见[PTK文档](https://docs.mogdb.io/zh/ptk/v1.1/ptk-cluster-load-cm-vip#--action-string)。 此外,本文示例集群为单AZ一主两备集群。 diff --git a/product/zh/docs-mogdb/v5.0/reference-guide/tool-reference/tools-used-in-the-internal-system/gs_expansion.md b/product/zh/docs-mogdb/v5.0/reference-guide/tool-reference/tools-used-in-the-internal-system/gs_expansion.md index eb0b0b3241711c96003904b9a2247a827ad7368c..72a2ae4407ec0ee0c838032fb9819343cfc46cb7 100644 --- a/product/zh/docs-mogdb/v5.0/reference-guide/tool-reference/tools-used-in-the-internal-system/gs_expansion.md +++ b/product/zh/docs-mogdb/v5.0/reference-guide/tool-reference/tools-used-in-the-internal-system/gs_expansion.md @@ -14,7 +14,7 @@ MogDB提供了gs_expansion工具对数据库的备机进行扩容。支持从单 ## 注意事项 - 扩容后不会自动更新synchronous_standby_names参数。如果需要为该参数增加扩容的机器,请在扩容完成后手动更新。 -- 扩容级联备之前要确保原集群中有处于同一AZ(Available Zone)且状态正常的备机,或扩容级联备的同时也扩容了处于同AZ的备机。 +- 当待扩容的级联备GUC参数enable_availablezone开启时,扩容级联备之前要确保原集群中有处于同一AZ(Available Zone)且状态正常的备机,或扩容级联备的同时也扩容了处于同AZ的备机。 - 对数据库集群进行扩容前,需要关注主机及新扩容节点CPU、IO、网络等情况,不建议在硬件压力较大时执行扩容,否则可能导致扩容耗时较长甚至扩容失败。 - 当原集群数据量较大时,在进行扩容操作前应当在主机上先执行checkpoint,否则可能导致扩容耗时较长甚至扩容失败。 - 在单节点扩容时,如果节点hot_standby被关闭过,则需要在每个备节点上也按照如下流程修改: diff --git a/product/zh/docs-mogdb/v5.0/security-guide/security/1-client-access-authentication.md b/product/zh/docs-mogdb/v5.0/security-guide/security/1-client-access-authentication.md index 3a23c284669c304c43458256d6bd830972e85f52..659cdc3d75bce5ccac0da3bda6d587fece39b75a 100644 --- a/product/zh/docs-mogdb/v5.0/security-guide/security/1-client-access-authentication.md +++ b/product/zh/docs-mogdb/v5.0/security-guide/security/1-client-access-authentication.md 
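Review bot: the note added in the manual-configuration-of-vip.md hunk says automatic VIP mounting needs PTK V1.2.0+ but links to the v1.1 PTK docs (`https://docs.mogdb.io/zh/ptk/v1.1/ptk-cluster-load-cm-vip#--action-string`); point the link at the PTK version that actually carries the feature, or drop the version segment from the path so it does not go stale.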
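Review bot: the reworded caution in gs_expansion.md now hinges on `enable_availablezone` being on but does not link to the parameter, which this same change documents in sending-server.md; add the link, and spell out the complementary case (with the parameter off, as its documented default, a standby in another AZ is acceptable for the cascaded standby), since the old unconditional sentence has only been scoped, not explained.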
@@ -1,820 +1,820 @@ ---- -title: 客户端接入认证 -summary: 客户端接入认证 -author: Guo Huan -date: 2021-03-04 ---- - -# 客户端接入认证 - -
- -## 配置客户端接入认证 - -**背景信息** - -如果主机需要远程连接数据库,必须在数据库系统的配置文件中增加此主机的信息,并且进行客户端接入认证。配置文件(默认名称为pg_hba.conf)存放在数据库的数据目录里。hba(host-based authentication)表示是基于主机的认证。 - -- 本产品支持如下三种认证方式,这三种方式都需要配置"pg_hba.conf"文件。 - - 基于主机的认证: 服务端根据客户端的IP地址、用户名及要访问的数据库来查看配置文件从而判断用户是否通过认证。 - - 口令认证: 包括远程连接的加密口令认证和本地连接的非加密口令认证。 - - SSL加密: 使用OpenSSL(开源安全通信库)提供服务端和客户端安全连接的环境。 -- "pg_hba.conf"文件的格式是一行写一条信息,表示一个认证规则,空白和注释(以#开头)被忽略。 -- 每个认证规则是由若干空格和/,空格和制表符分隔的字段组成。如果字段用引号包围,则它可以包含空白。一条记录不能跨行存在。 - -
- -**操作步骤** - -1. 以操作系统用户omm登录数据库主节点。 - -2. 配置客户端认证方式,允许客户端以"jack"用户连接到本机,此处远程连接禁止使用"omm"用户(即数据库初始化用户)。 - - 例如,下面示例中配置允许IP地址为10.10.0.30的客户端访问本机。 - - ```bash - gs_guc set -N all -I all -h "host all jack 10.10.0.30/32 sha256" - ``` - -> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **说明:** -> -> - 使用"jack"用户前,需先本地连接数据库,并在数据库中使用如下语句建立"jack"用户: -> -> ```sql -> MogDB=# CREATE USER jack PASSWORD 'Test@123'; -> ``` -> -> - -N all表示MogDB的所有主机。 -> - -I all表示主机的所有实例。 -> - -h表示指定需要在"pg_hba.conf"增加的语句。 -> - all表示允许客户端连接到任意的数据库。 -> - jack表示连接数据库的用户。 -> - 10.10.0.30/32表示只允许IP地址为10.10.0.30的主机连接。此处的IP地址不能为MogDB内的IP,在使用过程中,请根据用户的网络进行配置修改。32表示子网掩码为1的位数,即255.255.255.255。 -> - sha256表示连接时jack用户的密码使用sha256算法加密。 - -这条命令在数据库主节点实例对应的"pg_hba.conf"文件中添加了一条规则,用于对连接数据库主节点的客户端进行鉴定。 - -"pg_hba.conf"文件中的每条记录可以是下面四种格式之一,四种格式的参数说明请参见[配置文件参考](#配置文件参考)。 - -```text -local DATABASE USER METHOD [OPTIONS] -host DATABASE USER ADDRESS METHOD [OPTIONS] -hostssl DATABASE USER ADDRESS METHOD [OPTIONS] -hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] -``` - -因为认证时系统是为每个连接请求顺序检查"pg_hba.conf"里的记录的,所以这些记录的顺序是非常关键的。 - -> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **说明:** -> 在配置"pg_hba.conf"文件时,请依据通讯需求按照格式内容从上至下配置记录,优先级高的需求需要配置在前面。MogDB和扩容配置的IP优先级最高,用户手动配置的IP请放在这二者之后,如果已经进行的客户配置和扩容节点的IP在同一网段,请在扩容前删除,扩容成功后再进行配置。 - -因此对于认证规则的配置建议如下: - -- 靠前的记录有比较严格的连接参数和比较弱的认证方法。 -- 靠后的记录有比较宽松的连接参数和比较强的认证方法。 - -> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **说明:** -> -> - 一个用户要想成功连接到特定的数据库,不仅需要通过pg_hba.conf中的规则检查,还必须要有该数据库上的CONNECT权限。如果希望控制某些用户只能连接到指定数据库,赋予/撤销CONNECT权限通常比在pg_hba.conf中设置规则更为简单。 -> - 对应MogDB外部客户端连接,trust为不安全的认证方式,请将认证方式设置为sha256。 - -
- -**异常处理** - -用户认证失败有很多原因,通过服务端返回给客户端的提示信息,可以看到用户认证失败的原因。常见的错误提示请参见[表1](#表1.1.1)。 - -**表 1** 错误提示 - -| 问题现象 | 解决方法 | -| :------------------------- | :------------------------------- | -| 用户名或密码错误:
`FATAL: invalid username/password,login denied` | 这条信息说明用户名或者密码错误,请检查输入是否有误。 | -| 连接的数据库不存在:
`FATAL: database "TESTDB" does not exist` | 这条信息说明尝试连接的数据库不存在,请检查连接的数据库名输入是否有误。 | -| 未找到客户端匹配记录:
`FATAL: no pg_hba.conf entry for host "10.10.0.60", user "ANDYM", database "TESTDB"` | 这条信息说明已经连接了服务器,但服务器拒绝了连接请求,因为没有在它的pg_hba.conf配置文件里找到匹配的记录。请联系数据库管理员在pg_hba.conf配置文件加入用户的信息。 | -| 未找到客户端匹配记录:
`failed to connect 10.10.0.1:12000.` | 这条信息说明无法连接到指定IP和端口的服务器,请联系数据库管理员检查pg_hba.conf配置文件里是否有配置对应IP白名单。 | -| 连接时的用户名不可以包含@字符
`@ can't be allowed in username` | 这条报错说明客户端在连接数据库时使用了包含@的用户名,这是不允许的。 | - -
- -**示例** - -``` -TYPE DATABASE USER ADDRESS METHOD - -"local" is for Unix domain socket connections only -#表示只允许以安装时-U参数指定的用户从服务器本机进行连接。 -local all all trust -IPv4 local connections: -#表示允许jack用户从10.10.0.50主机上连接到任意数据库,使用sha256算法对密码进行加密。 -host all jack 10.10.0.50/32 sha256 -#表示允许任何用户从10.10.0.0/24网段的主机上连接到任意数据库,使用sha256算法对密码进行加密,并且经过SSL加密传输。 -hostssl all all 10.10.0.0/24 sha256 -#表示禁止任何用户从10.10.0.1/32网段的主机上连接到任意数据库。 -host all all 10.10.0.1/32 reject -``` - -
- -## 配置文件参考 - -**表 2** 参数说明 - -| 参数名称 | 描述 | 取值范围 | -| :---------- | :------------------- | :------------------| -| local | 表示这条记录只接受通过Unix域套接字进行的连接。没有这种类型的记录,就不允许Unix域套接字的连接。
只有在从服务器本机使用gsql连接且在不指定-h参数的情况下,才是通过Unix域套接字连接。 | - | -| host | 表示这条记录既接受一个普通的TCP/IP套接字连接,也接受一个经过SSL加密的TCP/IP套接字连接。 | - | -| hostssl | 表示这条记录只接受一个经过SSL加密的TCP/IP套接字连接。 | 用SSL进行安全的连接,需要配置申请数字证书并配置相关参数,详细信息请参见[用SSL进行安全的TCP/IP连接](#用ssl进行安全的tcpip连接)。 | -| hostnossl | 表示这条记录只接受一个普通的TCP/IP套接字连接。 | - | -| DATABASEGUC | 声明记录所匹配且允许访问的数据库。 | - all: 表示该记录匹配所有数据库。
- sameuser: 表示如果请求访问的数据库和请求的用户同名,则匹配。
- samerole: 表示请求的用户必须是与数据库同名角色中的成员。
- samegroup: 与samerole作用完全一致,表示请求的用户必须是与数据库同名角色中的成员。
- 一个包含数据库名的文件或者文件中的数据库列表: 文件可以通过在文件名前面加前缀@来声明。文件中的数据库列表以逗号或者换行符分隔。
- 特定的数据库名称或者用逗号分隔的数据库列表。
说明:
值replication表示如果请求一个复制链接,则匹配,但复制链接不表示任何特定的数据库。如需使用名为replication的数据库,需在database列使用记录"replication"作为数据库名。 | -| USER | 声明记录所匹配且允许访问的数据库用户。 | - all: 表明该记录匹配所有用户。
- +用户角色: 表示匹配任何直接或者间接属于这个角色的成员。
说明:
+表示前缀符号。
- 一个包含用户名的文件或者文件中的用户列表: 文件可以通过在文件名前面加前缀@来声明。文件中的用户列表以逗号或者换行符分隔。
- 特定的数据库用户名或者用逗号分隔的用户列表。 | -| ADDRESS | 指定与记录匹配且允许访问的IP地址范围。 | 支持IPv4和IPv6,可以使用如下两种形式来表示:
- IP地址/掩码长度。例如,10.10.0.0/24
- IP地址子网掩码。例如,10.10.0.0 255.255.255.0
说明:
以IPv4格式给出的IP地址会匹配那些拥有对应地址的IPv6连接,比如127.0.0.1将匹配IPv6地址 ::ffff:127.0.0.1 | -| METHOD | 声明连接时使用的认证方法。 | 本产品支持如下几种认证方式,详细解释请参见[表3](#表1.2.2):
- trust
- reject
- md5(不推荐使用,默认不支持,可通过password_encryption_type参数配置)
说明:
MD5加密算法安全性低,存在安全风险,建议使用更安全的加密算法。
- sha256
- sm3
- cert
- gss(仅用于MogDB内部节点间认证)
- peer (仅用于local模式) | - -
- -**表 3** 认证方式 - -| 认证方式 | 说明 | -| :------------ | :----------------------------------------------- | -| trust | 采用这种认证模式时,本产品只完全信任从服务器本机使用gsql且不指定-U参数的连接,此时不需要口令。
trust认证对于单用户工作站的本地连接是非常合适和方便的,通常不适用于多用户环境。如果想使用这种认证方法,可利用文件系统权限限制对服务器的Unix域套接字文件的访问。要使用这种限制有两个方法:
- 设置参数unix_socket_permissions和unix_socket_group。
- 设置参数unix_socket_directory,将Unix域套接字文件放在一个经过恰当限制的目录里。
须知: 设置文件系统权限只能Unix域套接字连接,它不会限制本地TCP/IP连接。为保证本地TCP/IP安全,MogDB不允许远程连接使用trust认证方法。 | -| reject | 无条件地拒绝连接。常用于过滤某些主机。 | -| md5 | 要求客户端提供一个md5加密的口令进行认证。
须知:
- MD5加密算法安全性低,存在安全风险,建议使用更安全的加密算法。
- MogDB保留md5认证和密码存储,是为了便于第三方工具的使用(比如TPCC评测工具)。 | -| sha256 | 要求客户端提供一个sha256算法加密的口令进行认证,该口令在传送过程中结合salt(服务器发送给客户端的随机数)的单向sha256加密,增强了安全性。 | -| sm3 | 要求客户端提供一个sm3算法加密口令进行认证,该口令在传送过程中结合salt(服务器发送给客户端的随机数)的单项sm3的加密,增加了安全性。 | -| cert | 客户端证书认证模式,此模式需进行SSL连接配置且需要客户端提供有效的SSL证书,不需要提供用户密码。
须知:
该认证方式只支持hostssl类型的规则。 | -| gss | 使用基于gssapi的kerberos认证。
须知:
- 该认证方式依赖kerberos server等组件,仅支持MogDB内部通信认证。当前版本暂不支持外部客户端通过kerberos认证连接。
- 开启MogDB内部kerberos认证会使增加内部节点建连时间,即影响首次涉及内部建连的SQL操作性能,内部连接建立好后, 后续操作不受影响。 | -| peer | 获取客户端所在操作系统用户名,并检查与数据库初始用户名是否一致。此方式只支持local模式本地连接,并支持通过配置pg_ident.conf建立操作系统用户与数据库用户映射关系。
假设操作系统用户名为omm,数据库初始用户为dbAdmin,在pg_hba.conf中配置local模式为peer认证:
`local all all peer map=mymap`
其中map=mymap指定使用的用户名映射,并在pg_ident.conf中添加映射名称为mymap的用户名映射如下:
`# MAPNAME SYSTEM-USERNAME PG-USERNAME mymap omm dbAdmin`
说明:
通过gs_guc reload方式修改pg_hba.conf配置可以立即生效无需重启数据库。直接编辑修改pg_ident.conf配置后下次连接时自动生效无需重启数据库。 | - -
- -## 用SSL进行安全的TCP/IP连接 - -**背景信息** - -MogDB支持SSL标准协议(TLS 1.2),SSL协议是安全性更高的协议标准,它们加入了数字签名和数字证书来实现客户端和服务器的双向身份验证,保证了通信双方更加安全的数据传输。 - -
- -**前提条件** - -从CA认证中心申请到正式的服务器、客户端的证书和密钥。(假设服务器的私钥为server.key,证书为server.crt,客户端的私钥为client.key,证书为client.crt,CA根证书名称为cacert.pem。) - -
- -**注意事项** - -- 当用户远程连接到数据库主节点时,需要使用sha256的认证方式。 -- 当内部服务器之间连接时,需要使用trust的认证方式,支持IP白名单认证。 - -
- -**操作步骤** - -MogDB在服务器部署完成后,默认已开启SSL认证模式。服务器端证书,私钥以及根证书已经默认配置完成。用户需要配置客户端的相关参数。 - -配置SSL认证相关的数字证书参数,具体要求请参见[表4](#表1.3.1)。 - -- 配置客户端参数。 - - 已从CA认证中心申请到客户端默认证书,私钥,根证书以及私钥密码加密文件。假设证书、私钥和根证书都放在"/home/omm"目录。 - - 双向认证需配置如下参数: - - ```bash - export PGSSLCERT="/home/omm/client.crt" - export PGSSLKEY="/home/omm/client.key" - export PGSSLMODE="verify-ca" - export PGSSLROOTCERT="/home/omm/cacert.pem" - ``` - - 单向认证需要配置如下参数: - - ```bash - export PGSSLMODE="verify-ca" - export PGSSLROOTCERT="/home/omm/cacert.pem" - ``` - -- 修改客户端密钥的权限。 - - 客户端根证书,密钥,证书以及密钥密码加密文件的权限,需保证权限为600。如果权限不满足要求,则客户端无法以SSL连接到MogDB。 - - ```bash - chmod 600 client.key - chmod 600 client.crt - chmod 600 client.key.cipher - chmod 600 client.key.rand - chmod 600 cacert.pem - ``` - -> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-notice.gif) **须知:** -> 从安全性考虑,建议使用双向认证方式。 -> 配置客户端环境变量,必须包含文件的绝对路径。 - -**表 4** 认证方式 - -| 认证方式 | 含义 | 配置客户端环境变量 | 维护建议 | -| :---------------------- | :----------------------------| :------------------------------- |:------------------------------- | -| 双向认证(推荐) | 客户端验证服务器证书的有效性,同时服务器端也要验证客户端证书的有效性,只有认证成功,连接才能建立。 | 设置如下环境变量:
- PGSSLCERT
- PGSSLKEY
- PGSSLROOTCERT
- PGSSLMODE | 该方式应用于安全性要求较高的场景。使用此方式时,建议设置客户端的PGSSLMODE变量为verify-ca。确保了网络数据的安全性。 | -| 单向认证 | 客户端只验证服务器证书的有效性,而服务器端不验证客户端证书的有效性。服务器加载证书信息并发送给客户端,客户端使用根证书来验证服务器端证书的有效性。 | 设置如下环境变量:
- PGSSLROOTCERT
- PGSSLMODE | 为防止基于TCP链接的欺骗,建议使用SSL证书认证功能。除配置客户端根证书外,建议客户端使用PGSSLMODE变量为verify-ca方式连接。 | - -
- -**相关参考** - -在服务器端的postgresql.conf文件中配置相关参数,详细信息请参见[表5](#表1.3.2)。 - -**表 5** 服务器参数 - -| 参数 | 描述 | 取值范围 | -| :------------ | :-------------------- | :-------------------| -| ssl | 表示是否启动SSL功能。 | - on: 开启SSL功能。
- off: 关闭SSL功能。
**默认值** : on | -| require_ssl | 设置服务器端是否强制要求SSL连接。该参数只有当参数ssl为on时才有效。 | - on: 服务器端强制要求SSL连接。
- off: 服务器端对是否通过SSL连接不作强制要求。
**默认值** : off | -| ssl_cert_file | 指定服务器证书文件,包含服务器端的公钥。服务器证书用以表明服务器身份的合法性,公钥将发送给对端用来对数据进行加密。 | 请以实际的证书名为准,其相对路径是相对于数据目录的。
**默认值** : server.crt | -| ssl_key_file | 指定服务器私钥文件,用以对公钥加密的数据进行解密。 | 请以实际的服务器私钥名称为准,其相对路径是相对于数据目录的。
**默认值** : server.key | -| ssl_ca_file | CA服务器的根证书。此参数可选择配置,需要验证客户端证书的合法性时才需要配置。 | 请以实际的CA服务器根证书名称为准。
**默认值** : cacert.pem | -| ssl_crl_file | 证书吊销列表,如果客户端证书在该列表中,则当前客户端证书被视为无效证书。 | 请以实际的证书吊销列表名称为准。
**默认值** : 空,表示没有吊销列表。 | -| ssl_ciphers | SSL通讯使用的加密算法。 | 本产品支持的加密算法的详细信息请参见[表7](#表1.3.4)。
**默认值**: ALL,表示允许对端使用产品支持的所有加密算法,但不包含ADH、LOW、EXP、MD5算法。 | -| ssl_cert_notify_time | SSL服务器证书到期前提醒的天数。 | 请按照需求配置证书过期前提醒天数。
**默认值**: 90 | - -在客户端配置SSL认证相关的环境变量,详细信息请参见[表6](#表1.3.3)。 - -> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **说明:** -> 客户端环境变量的路径以“\_/home/omm\_”为例,在实际操作中请使用实际路径进行替换。 - -**表 6** 客户端参数 - -| 环境变量 | 描述 | 取值范围 | -| :------------ | :--------------------------- | :-------------------------- | -| PGSSLCERT | 指定客户端证书文件,包含客户端的公钥。客户端证书用以表明客户端身份的合法性,公钥将发送给对端用来对数据进行加密。 | 必须包含文件的绝对路径,如:
`export PGSSLCERT='/home/omm/client.crt'`
**默认值**: 空 | -| PGSSLKEY | 指定客户端私钥文件,用以对公钥加密的数据进行解密。 | 必须包含文件的绝对路径,如:
`export PGSSLKEY='/home/omm/client.key'`
**默认值**: 空 | -| PGSSLMODE | 设置是否和服务器进行SSL连接协商,以及指定SSL连接的优先级。 | **取值及含义**:
- disable:只尝试非SSL连接。
- allow:首先尝试非SSL连接,如果连接失败,再尝试SSL连接。
- prefer:首先尝试SSL连接,如果连接失败,将尝试非SSL连接。
- require:只尝试SSL连接。如果存在CA文件,则按设置成verify-ca的方式验证。
- verify-ca:只尝试SSL连接,并且验证服务器是否具有由可信任的证书机构签发的证书。
- verify-full:只尝试SSL连接,并且验证服务器是否具有由可信任的证书机构签发的证书,以及验证服务器主机名是否与证书中的一致。
**默认值**:prefer | -| PGSSLROOTCERT | 指定为客户端颁发证书的根证书文件,根证书用于验证服务器证书的有效性。 | 必须包含文件的绝对路径,如:
`export PGSSLROOTCERT='/home/omm/certca.pem'`
**默认值**:空 | -| PGSSLCRL | 指定证书吊销列表文件,用于验证服务器证书是否在废弃证书列表中,如果在,则服务器证书将会被视为无效证书。 | 必须包含文件的绝对路径,如:
`export PGSSLCRL='/home/omm/sslcrl-file.crl'`
**默认值**:空 | - -服务器端参数ssl、require_ssl与客户端参数sslmode配置组合结果如下: - -- 服务器 ssl = on - - | sslmode(客户端) | require_ssl(服务器) | 结果 | - | :------- | :------- | :------- | - | disable | on | 由于服务器端要求使用SSL,但客户端连接禁用了SSL,无法建立连接。 | - | disable | off | 连接未加密。 | - | allow | on | 连接经过加密。 | - | allow | off | 连接未加密。 | - | prefer | on | 连接经过加密。 | - | prefer | off | 连接经过加密。 | - | require | on | 连接经过加密。 | - | require | off | 连接经过加密。 | - | verify-ca | on | 连接经过加密,且验证了服务器证书。 | - | verify-ca | off | 连接经过加密,且验证了服务器证书。 | - | verify-full | on | 连接经过加密,且验证了服务器证书和主机名。 | - | verify-full | off | 连接经过加密,且验证了服务器证书和主机名。 | - -- 服务器 ssl = off - - | sslmode(客户端) | require_ssl(服务器) | 结果 | - | :------- | :------- | :------- | - | disable | on | 连接未加密。 | - | disable | off | 连接未加密。 | - | allow | on | 连接未加密。 | - | allow | off | 连接未加密。 | - | prefer | on | 连接未加密。 | - | prefer | off | 连接未加密。 | - | require | on | 由于客户端要求使用SSL,但服务器端禁用了SSL,因此无法建立连接。 | - | require | off | 由于客户端要求使用SSL,但服务器端禁用了SSL,因此无法建立连接。 | - | verify-ca | on | 由于客户端要求使用SSL,但服务器端禁用了SSL,因此无法建立连接。 | - | verify-ca | off | 由于客户端要求使用SSL,但服务器端禁用了SSL,因此无法建立连接。 | - | verify-full | on | 由于客户端要求使用SSL,但服务器端禁用了SSL,因此无法建立连接。 | - | verify-full | off | 由于客户端要求使用SSL,但服务器端禁用了SSL,因此无法建立连接。 | - -SSL传输支持一系列不同强度的加密和认证算法。用户可以通过修改postgresql.conf中的ssl_ciphers参数指定数据库服务器使用的加密算法。目前本产品SSL支持的加密算法如[表7](#表1.3.4)所示。 - -**表 7** 加密算法套件 - -| OpenSSL套件名 | **IANA套件名** | 安全程度 | -| :---------------------------- | :-------------------------------------- | :------- | -| ECDHE-RSA-AES128-GCM-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | HIGH | -| ECDHE-RSA-AES256-GCM-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | HIGH | -| ECDHE-ECDSA-AES128-GCM-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | HIGH | -| ECDHE-ECDSA-AES256-GCM-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | HIGH | -| DHE-RSA-AES128-GCM-SHA256 | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | HIGH | -| DHE-RSA-AES256-GCM-SHA384 | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | HIGH | - -> 
![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **说明:** -> -> - 目前只支持上表中的6种加密算法套件。 -> -> - 配置参数ssl_ciphers的默认值为ALL,表示支持上表中的所有加密算法。为保持前向兼容保留了DHE算法套件,即DHE-RSA-AES128-GCM-SHA256和DHE-RSA-AES256-GCM-SHA384,根据CVE-2002-20001漏洞披露DHE算法存在一定安全风险,非兼容场景不建议使用,可将ssl_ciphers参数配置为仅支持ECDHE类型算法套件。 -> -> - 如需指定以上加密算法套件,可以设置ssl_ciphers为上表中OpenSSL套件名称,加密算法套件之间需要使用分号分割,如在postgresql.conf设置: ssl_ciphers='ECDHE-RSA-AES128-GCM-SHA256;ECDHE-ECDSA-AES128-GCM-SHA256'。 -> -> - SSL连接认证不仅增加了登录(创建SSL环境)及退出过程(清理SSL环境)的时间消耗,同时需要消耗额外的时间用于加解密所需传输的内容,因此对性能有一定影响。特别的,对于频繁的登录登出,短时查询等场景有较大的影响。 -> -> - 在证书有效期小于7天的时候,连接登录会在日志中产生告警提醒。 -> - -
- -## 用SSH隧道进行安全的TCP/IP连接 - -**背景信息** - -为了保证服务器和客户端之间的安全通讯,可以在服务器和客户端之间构建安全的SSH隧道。SSH是目前较可靠,专为远程登录会话和其他网络服务提供安全性的协议。 - -从SSH客户端来看,SSH提供了两种级别的安全验证: - -- 基于口令的安全验证:使用帐号和口令登录到远程主机。所有传输的数据都会被加密,但是不能保证正在连接的服务器就是需要连接的服务器。可能会有其他服务器冒充真正的服务器,也就是受到"中间人"方式的攻击。 -- 基于密钥的安全验证: 用户必须为自己创建一对密钥,并把公用密钥放在需要访问的服务器上。这种级别的认证不仅加密所有传送的数据,而且避免"中间人"攻击方式。但是整个登录的过程可能需要10秒。 - -
- -**前提条件** - -SSH服务和数据库运行在同一台服务器上。 - -
- -**操作步骤** - -以OpenSSH为例介绍配置SSH隧道,对于如何配置基于密钥的安全验证不作赘述,OpenSSH提供了多种配置适应网络的各种限制,更多详细信息请参考OpenSSH的相关文档。 - -从本地主机建立到服务器的SSH隧道。 - -```bash -ssh -L 63333:localhost:8000 username@hostIP -``` - -> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **说明:** -> -> - -L参数的第一串数字(63333)是通道本端的端口号,可以自由选择。 -> - 第二串数字(8000)是通道远端的端口号,也就是服务器使用的端口号。 -> - localhost是本机IP地址,username是要连接的服务器上的用户名,hostIP是要连接的主机IP地址。 - -
- -## 查看数据库连接数 - -**背景信息** - -当用户连接数达到上限后,无法建立新的连接。因此,当数据库管理员发现某用户无法连接到数据库时,需要查看是否连接数达到了上限。控制数据库连接的主要以下几种选项。 - -- 全局的最大连接数:由运行参数max_connections指定,默认值为5000。 -- 某用户的连接数:在创建用户时由CREATE ROLE命令的CONNECTION LIMIT connlimit子句直接设定,也可以在设定以后用ALTER ROLE的CONNECTION LIMIT connlimit子句修改。 -- 某数据库的连接数:在创建数据库时,由CREATE DATABASE的CONNECTION LIMIT connlimit参数指定。 - -
- -**操作步骤** - -1. 以操作系统用户omm登录数据库主节点。 - -2. 使用如下命令连接数据库。 - - ```bash - gsql -d mogdb -p 8000 - ``` - - mogdb为需要连接的数据库名称,8000为数据库主节点的端口号。 - -3. 查看全局会话连接数限制。 - - ```sql - MogDB=# SHOW max_connections; - max_connections - ----------------- - 800 - (1 row) - ``` - - 其中800是最大会话连接数。 - -4. 查看已使用的会话连接数。 - - > ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-notice.gif) **须知:** - > 除了创建的时候用双引号引起的数据库和用户名称外,以下命令中用到的数据库名称和用户名称,其中包含的英文字母必须使用小写。 - - + 查看指定用户的会话连接数上限 - - 执行如下命令查看连接到指定用户omm的会话连接数上限。其中-1表示没有对用户omm设置连接数的限制。 - - ```sql - MogDB=# SELECT ROLNAME,ROLCONNLIMIT FROM PG_ROLES WHERE ROLNAME='omm'; - rolname | rolconnlimit - ---------+-------------- - omm | -1 - (1 row) - ``` - - + 查看指定用户已使用的会话连接数 - - 执行如下命令查看指定用户omm已使用的会话连接数。其中,1表示omm已使用的会话连接数。 - - ```sql - MogDB=# CREATE OR REPLACE VIEW DV_SESSIONS AS - SELECT - sa.sessionid AS SID, - 0::integer AS SERIAL#, - sa.usesysid AS USER#, - ad.rolname AS USERNAME - FROM pg_stat_get_activity(NULL) AS sa - LEFT JOIN pg_authid ad ON(sa.usesysid = ad.oid) - WHERE sa.application_name <> 'JobScheduler'; - MogDB=# SELECT COUNT(*) FROM DV_SESSIONS WHERE USERNAME='omm'; - count - ------- - 1 - (1 row) - ``` - - + 查看指定数据库的会话连接数上限 - - 执行如下命令查看连接到指定数据库mogdb的会话连接数上限。其中-1表示没有对数据库mogdb设置连接数的限制。 - - ```sql - MogDB=# SELECT DATNAME,DATCONNLIMIT FROM PG_DATABASE WHERE DATNAME='mogdb'; - datname | datconnlimit - ---------+-------------- - mogdb | -1 - (1 row) - ``` - - + 查看指定数据库已使用的会话连接数 - - 执行如下命令查看指定数据库mogdb上已使用的会话连接数。其中,1表示数据库mogdb上已使用的会话连接数。 - - ```sql - MogDB=# SELECT COUNT() FROM PG_STAT_ACTIVITY WHERE DATNAME='mogdb'; - count - ------- - 1 - (1 row) - ``` - - + 查看所有用户已使用会话连接数 - - 执行如下命令查看所有用户已使用的会话连接数。 - - ```sql - MogDB=# CREATE OR REPLACE VIEW DV_SESSIONS AS - SELECT - sa.sessionid AS SID, - 0::integer AS SERIAL#, - sa.usesysid AS USER#, - ad.rolname AS USERNAME - FROM pg_stat_get_activity(NULL) AS sa - LEFT JOIN pg_authid ad ON(sa.usesysid = ad.oid) - WHERE sa.application_name <> 'JobScheduler'; - MogDB=# SELECT COUNT(*) FROM 
DV_SESSIONS; - count - ------- - 23 - (1 row) - ``` - -## SSL证书管理 - -MogDB默认配置了通过openssl生成的安全证书、私钥。并且提供证书替换的接口,方便用户进行证书的替换。 - -
- -### 证书生成 - -**操作场景** - -在测试环境下,用户可以用通过以下方式进行数字证书测试。在客户的运行环境中,请使用从CA认证中心申请的数字证书。 - -
- -**前提条件** - -Linux环境安装了openssl组件。 - -
- -**自认证证书生成过程** - -1. 搭建CA环境。 - - ```bash - # 假设用户为omm已存在,搭建CA的路径为test - # 以root用户身份登录Linux环境,切换到用户omm - mkdir test - cd /etc/pki/tls - # copy 配置文件openssl.cnf到test下 - cp openssl.cnf ~/test - cd ~/test - # 到test文件夹下,开始搭建CA环境 - # 创建文件夹demoCA./demoCA/newcerts./demoCA/private - mkdir ./demoCA ./demoCA/newcerts ./demoCA/private - chmod 700 ./demoCA/private - # 创建serial文件,写入01 - echo '01'>./demoCA/serial - # 创建文件index.txt - touch ./demoCA/index.txt - # 修改openssl.cnf配置文件中的参数 - dir = ./demoCA - default_md = sha256 - # 至此CA环境搭建完成 - ``` - -2. 生成根私钥。 - - ```bash - # 生成CA私钥 - openssl genrsa -aes256 -out demoCA/private/cakey.pem 2048 - Generating RSA private key, 2048 bit long modulus - .................+++ - ..................+++ - e is 65537 (0x10001) - # 设置根私钥的保护密码,假设为Test@123 - Enter pass phrase for demoCA/private/cakey.pem: - # 再次输入私钥密码 Test@123 - Verifying - Enter pass phrase for demoCA/private/cakey.pem: - ``` - -3. 生成根证书请求文件。 - - ```bash - # 生成CA根证书申请文件careq.pem - openssl req -config openssl.cnf -new -key demoCA/private/cakey.pem -out demoCA/careq.pem - Enter pass phrase for demoCA/private/cakey.pem: - # 输入根私钥密码 Test@123 - You are about to be asked to enter information that will be incorporated - into your certificate request. - What you are about to enter is what is called a Distinguished Name or a DN. - There are quite a few fields but you can leave some blank - For some fields there will be a default value, - If you enter '.', the field will be left blank. 
- ----- - - # 以下名称请牢记,生成服务端证书和客户端证书时填写的信息需要与此处的一致 - Country Name (2 letter code) [AU]:CN - State or Province Name (full name) [Some-State]:shanxi - Locality Name (eg, city) []:xian - Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abc - Organizational Unit Name (eg, section) []:hello - # Common Name可以随意命名 - Common Name (eg, YOUR name) []:world - # Email可以选择性填写 - Email Address []: - - Please enter the following 'extra' attributes - to be sent with your certificate request - A challenge password []: - An optional company name []: - ``` - -4. 生成自签发根证书。 - - ```bash - # 生成根证书时,需要修改openssl.cnf文件,设置basicConstraints=CA:TRUE - vi openssl.cnf - # 生成CA自签发根证书 - openssl ca -config openssl.cnf -out demoCA/cacert.pem -keyfile demoCA/private/cakey.pem -selfsign -infiles demoCA/careq.pem - Using configuration from openssl.cnf - Enter pass phrase for demoCA/private/cakey.pem: - # 输入根私钥密码 Test@123 - Check that the request matches the signature - Signature ok - Certificate Details: - Serial Number: 1 (0x1) - Validity - Not Before: Feb 28 02:17:11 2017 GMT - Not After : Feb 28 02:17:11 2018 GMT - Subject: - countryName = CN - stateOrProvinceName = shanxi - organizationName = Abc - organizationalUnitName = hello - commonName = world - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Comment: - OpenSSL Generated Certificate - X509v3 Subject Key Identifier: - F9:91:50:B2:42:8C:A8:D3:41:B0:E4:42:CB:C2:BE:8D:B7:8C:17:1F - X509v3 Authority Key Identifier: - keyid:F9:91:50:B2:42:8C:A8:D3:41:B0:E4:42:CB:C2:BE:8D:B7:8C:17:1F - - Certificate is to be certified until Feb 28 02:17:11 2018 GMT (365 days) - Sign the certificate? [y/n]:y - - 1 out of 1 certificate requests certified, commit? [y/n]y - Write out database with 1 new entries - Data Base Updated - # 至此CA根证书自签发完成,根证书demoCA/cacert.pem。 - ``` - -5. 
生成服务端证书私钥。 - - ```bash - # 生成服务端私钥文件server.key - openssl genrsa -aes256 -out server.key 2048 - Generating a 2048 bit RSA private key - .......++++++ - ..++++++ - e is 65537 (0x10001) - Enter pass phrase for server.key: - # 服务端私钥的保护密码,假设为Test@123 - Verifying - Enter pass phrase for server.key: - # 再次确认服务端私钥的保护密码,即为Test@123 - ``` - -6. 生成服务端证书请求文件。 - - ```bash - # 生成服务端证书请求文件server.req - openssl req -config openssl.cnf -new -key server.key -out server.req - Enter pass phrase for server.key: - You are about to be asked to enter information that will be incorporated - into your certificate request. - What you are about to enter is what is called a Distinguished Name or a DN. - There are quite a few fields but you can leave some blank - For some fields there will be a default value, - If you enter '.', the field will be left blank. - ----- - - # 以下填写的信息与创建CA时的信息一致 - Country Name (2 letter code) [AU]:CN - State or Province Name (full name) [Some-State]:shanxi - Locality Name (eg, city) []:xian - Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abc - Organizational Unit Name (eg, section) []:hello - # Common Name可以随意命名 - Common Name (eg, YOUR name) []:world - Email Address []: - # 以下信息可以选择性填写 - Please enter the following 'extra' attributes - to be sent with your certificate request - A challenge password []: - An optional company name []: - ``` - -7. 
生成服务端证书。 - - ```bash - # 生成服务端/客户端证书时,修改openssl.cnf文件,设置basicConstraints=CA:FALSE - vi openssl.cnf - # 修改demoCA/index.txt.attr中属性为no。 - vi demoCA/index.txt.attr - - # 对生成的服务端证书请求文件进行签发,签发后将生成正式的服务端证书server.crt - openssl ca -config openssl.cnf -in server.req -out server.crt -days 3650 -md sha256 - Using configuration from /etc/ssl/openssl.cnf - Enter pass phrase for ./demoCA/private/cakey.pem: - Check that the request matches the signature - Signature ok - Certificate Details: - Serial Number: 2 (0x2) - Validity - Not Before: Feb 27 10:11:12 2017 GMT - Not After : Feb 25 10:11:12 2027 GMT - Subject: - countryName = CN - stateOrProvinceName = shanxi - organizationName = Abc - organizationalUnitName = hello - commonName = world - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Comment: - OpenSSL Generated Certificate - X509v3 Subject Key Identifier: - EB:D9:EE:C0:D2:14:48:AD:EB:BB:AD:B6:29:2C:6C:72:96:5C:38:35 - X509v3 Authority Key Identifier: - keyid:84:F6:A1:65:16:1F:28:8A:B7:0D:CB:7E:19:76:2A:8B:F5:2B:5C:6A - - Certificate is to be certified until Feb 25 10:11:12 2027 GMT (3650 days) - # 选择y对证书进行签发 - Sign the certificate? [y/n]:y - - # 选择y,证书签发结束 - 1 out of 1 certificate requests certified, commit? [y/n]y - Write out database with 1 new entries - Data Base Updated - ``` - - 去掉私钥密码保护,方法如下: - - ```bash - # 去掉服务端私钥的密码保护 - openssl rsa -in server.key -out server.key - # 如果不去掉服务端私钥的密码保护需要使用gs_guc工具对存储密码进行加密保护 - gs_guc encrypt -M server -D ./ - # 根据提示输入服务端私钥的密码,加密后会生成server.key.cipher,server.key.rand两个私钥密码保护文件 - ``` - -8. 
客户端证书,私钥的生成。 - - 生成客户端证书和客户端私钥的方法和要求与服务端相同。 - - ```bash - # 生成客户端私钥 - openssl genrsa -aes256 -out client.key 2048 - # 生成客户端证书请求文件 - openssl req -config openssl.cnf -new -key client.key -out client.req - # 对生成的客户端证书请求文件进行签发,签发后将生成正式的客户端证书client.crt - openssl ca -config openssl.cnf -in client.req -out client.crt -days 3650 -md sha256 - ``` - - 去掉私钥密码保护,方法如下: - - ```bash - # 去掉客户端私钥的密码保护 - openssl rsa -in client.key -out client.key - # 如果不去掉客户端私钥的密码保护需要使用gs_guc工具对存储密码进行加密保护 - gs_guc encrypt -M client -D ./ - 根据提示输入服务端私钥的密码,加密后会生成client.key.cipher,client.key.rand两个私钥密码保护文件。 - ``` - - 将客户端密钥转化为DER格式,方法如下: - - ```bash - openssl pkcs8 -topk8 -outform DER -in client.key -out client.key.pk8 -nocrypt - ``` - -9. 吊销证书列表的生成。 - - 如果需要吊销列表,可按照如下方法生成: - - ``` - # 首先创建crlnumber文件 - echo '00'>./demoCA/crlnumber - # 吊销服务端证书 - openssl ca -config openssl.cnf -revoke server.crt - # 生成证书吊销列表sslcrl-file.crl - openssl ca -config openssl.cnf -gencrl -out sslcrl-file.crl - ``` - -
- -### 证书替换 - -**操作场景** - -MogDB默认配置了SSL连接所需要的安全的证书、私钥,用户如果需要替换为自己的证书、私钥则可按照此方法进行替换。 - -
- -**前提条件** - -用户需要从CA认证中心申请到正式的服务器、客户端的证书和密钥。 - -
- -**注意事项** - -MogDB目前只支持X509v3的PEM格式证书。 - -
- -**操作步骤** - -1. 准备证书、私钥。 - - 服务端各个配置文件名称约定: - - - 证书名称约定: server.crt。 - - - 私钥名称约定: server.key。 - - 私钥密码加密文件约定: server.key.cipher、server.key.rand。 - - 客户端各个配置文件名称约定: - - - 证书名称约定: client.crt。 - - 私钥名称约定: client.key。 - - 私钥密码加密文件约定: client.key.cipher、client.key.rand。 - - 根证书名称约定: cacert.pem。 - - 吊销证书列表文件名称约定: sslcrl-file.crl。 - -2. 制作压缩包。 - - 压缩包名称约定: db-cert-replacement.zip。 - - 压缩包格式约定: ZIP。 - - 压缩包文件列表约定: server.crt、server.key、server.key.cipher、server.key.rand、client.crt、client.key、client.key.cipher、client.key. rand、cacert.pem。如果需要配置吊销证书列表,则列表中包含sslcrl-file.crl。 - -3. 调用接口,执行替换。 - - a. 将制作好的压缩包db-cert-replacement.zip上传到MogDB用户下的任意路径。 - - 例如: /home/xxxx/db-cert-replacement.zip。 - - b. 调用如下命令进行替换。 - - ```bash - gs_om -t cert --cert-file=/home/xxxx/db-cert-replacement.zip - ``` - -4. 重启MogDB。 - - ```bash - gs_om -t stop - gs_om -t start - ``` - - > ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **说明:** - > 证书具有rollback功能,可以把上一次执行证书替换之前的证书,进行回退。可以使用gs_om -t cert -rollback进行远程调用该接口;使用gs_om -t cert -rollback -L进行本地调用该接口。以上一次成功执行证书替换后,被替换的证书版本为基础进行回退。 +--- +title: 客户端接入认证 +summary: 客户端接入认证 +author: Guo Huan +date: 2021-03-04 +--- + +# 客户端接入认证 + +
+ +## 配置客户端接入认证 + +**背景信息** + +如果主机需要远程连接数据库,必须在数据库系统的配置文件中增加此主机的信息,并且进行客户端接入认证。配置文件(默认名称为pg_hba.conf)存放在数据库的数据目录里。hba(host-based authentication)表示是基于主机的认证。 + +- 本产品支持如下三种认证方式,这三种方式都需要配置"pg_hba.conf"文件。 + - 基于主机的认证: 服务端根据客户端的IP地址、用户名及要访问的数据库来查看配置文件从而判断用户是否通过认证。 + - 口令认证: 包括远程连接的加密口令认证和本地连接的非加密口令认证。 + - SSL加密: 使用OpenSSL(开源安全通信库)提供服务端和客户端安全连接的环境。 +- "pg_hba.conf"文件的格式是一行写一条信息,表示一个认证规则,空白和注释(以#开头)被忽略。 +- 每个认证规则是由若干空格和/,空格和制表符分隔的字段组成。如果字段用引号包围,则它可以包含空白。一条记录不能跨行存在。 + +
+ +**操作步骤** + +1. 以操作系统用户omm登录数据库主节点。 + +2. 配置客户端认证方式,允许客户端以"jack"用户连接到本机,此处远程连接禁止使用"omm"用户(即数据库初始化用户)。 + + 例如,下面示例中配置允许IP地址为10.10.0.30的客户端访问本机。 + + ```bash + gs_guc reload -N all -I all -h "host all jack 10.10.0.30/32 sha256" + ``` + +> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **说明:** +> +> - 使用"jack"用户前,需先本地连接数据库,并在数据库中使用如下语句建立"jack"用户: +> +> ```sql +> MogDB=# CREATE USER jack PASSWORD 'Test@123'; +> ``` +> +> - -N all表示MogDB的所有主机。 +> - -I all表示主机的所有实例。 +> - -h表示指定需要在"pg_hba.conf"增加的语句。 +> - all表示允许客户端连接到任意的数据库。 +> - jack表示连接数据库的用户。 +> - 10.10.0.30/32表示只允许IP地址为10.10.0.30的主机连接。此处的IP地址不能为MogDB内的IP,在使用过程中,请根据用户的网络进行配置修改。32表示子网掩码为1的位数,即255.255.255.255。 +> - sha256表示连接时jack用户的密码使用sha256算法加密。 + +这条命令在数据库主节点实例对应的"pg_hba.conf"文件中添加了一条规则,用于对连接数据库主节点的客户端进行鉴定。 + +"pg_hba.conf"文件中的每条记录可以是下面四种格式之一,四种格式的参数说明请参见[配置文件参考](#配置文件参考)。 + +```text +local DATABASE USER METHOD [OPTIONS] +host DATABASE USER ADDRESS METHOD [OPTIONS] +hostssl DATABASE USER ADDRESS METHOD [OPTIONS] +hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] +``` + +因为认证时系统是为每个连接请求顺序检查"pg_hba.conf"里的记录的,所以这些记录的顺序是非常关键的。 + +> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **说明:** +> 在配置"pg_hba.conf"文件时,请依据通讯需求按照格式内容从上至下配置记录,优先级高的需求需要配置在前面。MogDB和扩容配置的IP优先级最高,用户手动配置的IP请放在这二者之后,如果已经进行的客户配置和扩容节点的IP在同一网段,请在扩容前删除,扩容成功后再进行配置。 + +因此对于认证规则的配置建议如下: + +- 靠前的记录有比较严格的连接参数和比较弱的认证方法。 +- 靠后的记录有比较宽松的连接参数和比较强的认证方法。 + +> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **说明:** +> +> - 一个用户要想成功连接到特定的数据库,不仅需要通过pg_hba.conf中的规则检查,还必须要有该数据库上的CONNECT权限。如果希望控制某些用户只能连接到指定数据库,赋予/撤销CONNECT权限通常比在pg_hba.conf中设置规则更为简单。 +> - 对应MogDB外部客户端连接,trust为不安全的认证方式,请将认证方式设置为sha256。 + +
+ +**异常处理** + +用户认证失败有很多原因,通过服务端返回给客户端的提示信息,可以看到用户认证失败的原因。常见的错误提示请参见[表1](#表1.1.1)。 + +**表 1** 错误提示 + +| 问题现象 | 解决方法 | +| :------------------------- | :------------------------------- | +| 用户名或密码错误:
`FATAL: invalid username/password,login denied` | 这条信息说明用户名或者密码错误,请检查输入是否有误。 | +| 连接的数据库不存在:
`FATAL: database "TESTDB" does not exist` | 这条信息说明尝试连接的数据库不存在,请检查连接的数据库名输入是否有误。 | +| 未找到客户端匹配记录:
`FATAL: no pg_hba.conf entry for host "10.10.0.60", user "ANDYM", database "TESTDB"` | 这条信息说明已经连接了服务器,但服务器拒绝了连接请求,因为没有在它的pg_hba.conf配置文件里找到匹配的记录。请联系数据库管理员在pg_hba.conf配置文件加入用户的信息。 | +| 未找到客户端匹配记录:
`failed to connect 10.10.0.1:12000.` | 这条信息说明无法连接到指定IP和端口的服务器,请联系数据库管理员检查pg_hba.conf配置文件里是否有配置对应IP白名单。 | +| 连接时的用户名不可以包含@字符
`@ can't be allowed in username` | 这条报错说明客户端在连接数据库时使用了包含@的用户名,这是不允许的。 | + +
+ +**示例** + +``` +TYPE DATABASE USER ADDRESS METHOD + +"local" is for Unix domain socket connections only +#表示只允许以安装时-U参数指定的用户从服务器本机进行连接。 +local all all trust +IPv4 local connections: +#表示允许jack用户从10.10.0.50主机上连接到任意数据库,使用sha256算法对密码进行加密。 +host all jack 10.10.0.50/32 sha256 +#表示允许任何用户从10.10.0.0/24网段的主机上连接到任意数据库,使用sha256算法对密码进行加密,并且经过SSL加密传输。 +hostssl all all 10.10.0.0/24 sha256 +#表示禁止任何用户从10.10.0.1/32网段的主机上连接到任意数据库。 +host all all 10.10.0.1/32 reject +``` + +
+ +## 配置文件参考 + +**表 2** 参数说明 + +| 参数名称 | 描述 | 取值范围 | +| :---------- | :------------------- | :------------------| +| local | 表示这条记录只接受通过Unix域套接字进行的连接。没有这种类型的记录,就不允许Unix域套接字的连接。
只有在从服务器本机使用gsql连接且在不指定-h参数的情况下,才是通过Unix域套接字连接。 | - | +| host | 表示这条记录既接受一个普通的TCP/IP套接字连接,也接受一个经过SSL加密的TCP/IP套接字连接。 | - | +| hostssl | 表示这条记录只接受一个经过SSL加密的TCP/IP套接字连接。 | 用SSL进行安全的连接,需要配置申请数字证书并配置相关参数,详细信息请参见[用SSL进行安全的TCP/IP连接](#用ssl进行安全的tcpip连接)。 | +| hostnossl | 表示这条记录只接受一个普通的TCP/IP套接字连接。 | - | +| DATABASE | 声明记录所匹配且允许访问的数据库。 | - all: 表示该记录匹配所有数据库。
- sameuser: 表示如果请求访问的数据库和请求的用户同名,则匹配。
- samerole: 表示请求的用户必须是与数据库同名角色中的成员。
- samegroup: 与samerole作用完全一致,表示请求的用户必须是与数据库同名角色中的成员。
- 一个包含数据库名的文件或者文件中的数据库列表: 文件可以通过在文件名前面加前缀@来声明。文件中的数据库列表以逗号或者换行符分隔。
- 特定的数据库名称或者用逗号分隔的数据库列表。
说明:
值replication表示如果请求一个复制链接,则匹配,但复制链接不表示任何特定的数据库。如需使用名为replication的数据库,需在database列使用记录"replication"作为数据库名。 | +| USER | 声明记录所匹配且允许访问的数据库用户。 | - all: 表明该记录匹配所有用户。
- +用户角色: 表示匹配任何直接或者间接属于这个角色的成员。
说明:
+表示前缀符号。
- 一个包含用户名的文件或者文件中的用户列表: 文件可以通过在文件名前面加前缀@来声明。文件中的用户列表以逗号或者换行符分隔。
- 特定的数据库用户名或者用逗号分隔的用户列表。 | +| ADDRESS | 指定与记录匹配且允许访问的IP地址范围。 | 支持IPv4和IPv6,可以使用如下两种形式来表示:
- IP地址/掩码长度。例如,10.10.0.0/24
- IP地址子网掩码。例如,10.10.0.0 255.255.255.0
说明:
以IPv4格式给出的IP地址会匹配那些拥有对应地址的IPv6连接,比如127.0.0.1将匹配IPv6地址 ::ffff:127.0.0.1 | +| METHOD | 声明连接时使用的认证方法。 | 本产品支持如下几种认证方式,详细解释请参见[表3](#表1.2.2):
- trust
- reject
- md5(不推荐使用,默认不支持,可通过password_encryption_type参数配置)
说明:
MD5加密算法安全性低,存在安全风险,建议使用更安全的加密算法。
- sha256
- sm3
- cert
- gss(仅用于MogDB内部节点间认证)
- peer (仅用于local模式) | + +
+ +**表 3** 认证方式 + +| 认证方式 | 说明 | +| :------------ | :----------------------------------------------- | +| trust | 采用这种认证模式时,本产品只完全信任从服务器本机使用gsql且不指定-U参数的连接,此时不需要口令。
trust认证对于单用户工作站的本地连接是非常合适和方便的,通常不适用于多用户环境。如果想使用这种认证方法,可利用文件系统权限限制对服务器的Unix域套接字文件的访问。要使用这种限制有两个方法:
- 设置参数unix_socket_permissions和unix_socket_group。
- 设置参数unix_socket_directory,将Unix域套接字文件放在一个经过恰当限制的目录里。
须知: 设置文件系统权限只能Unix域套接字连接,它不会限制本地TCP/IP连接。为保证本地TCP/IP安全,MogDB不允许远程连接使用trust认证方法。 | +| reject | 无条件地拒绝连接。常用于过滤某些主机。 | +| md5 | 要求客户端提供一个md5加密的口令进行认证。
须知:
- MD5加密算法安全性低,存在安全风险,建议使用更安全的加密算法。
- MogDB保留md5认证和密码存储,是为了便于第三方工具的使用(比如TPCC评测工具)。 | +| sha256 | 要求客户端提供一个sha256算法加密的口令进行认证,该口令在传送过程中结合salt(服务器发送给客户端的随机数)的单向sha256加密,增强了安全性。 | +| sm3 | 要求客户端提供一个sm3算法加密口令进行认证,该口令在传送过程中结合salt(服务器发送给客户端的随机数)的单项sm3的加密,增加了安全性。 | +| cert | 客户端证书认证模式,此模式需进行SSL连接配置且需要客户端提供有效的SSL证书,不需要提供用户密码。
须知:
该认证方式只支持hostssl类型的规则。 | +| gss | 使用基于gssapi的kerberos认证。
须知:
- 该认证方式依赖kerberos server等组件,仅支持MogDB内部通信认证。当前版本暂不支持外部客户端通过kerberos认证连接。
- 开启MogDB内部kerberos认证会使增加内部节点建连时间,即影响首次涉及内部建连的SQL操作性能,内部连接建立好后, 后续操作不受影响。 | +| peer | 获取客户端所在操作系统用户名,并检查与数据库初始用户名是否一致。此方式只支持local模式本地连接,并支持通过配置pg_ident.conf建立操作系统用户与数据库用户映射关系。
假设操作系统用户名为omm,数据库初始用户为dbAdmin,在pg_hba.conf中配置local模式为peer认证:
`local all all peer map=mymap`
其中map=mymap指定使用的用户名映射,并在pg_ident.conf中添加映射名称为mymap的用户名映射如下:
`# MAPNAME SYSTEM-USERNAME PG-USERNAME mymap omm dbAdmin`
说明:
通过gs_guc reload方式修改pg_hba.conf配置可以立即生效无需重启数据库。直接编辑修改pg_ident.conf配置后下次连接时自动生效无需重启数据库。 | + +
+ +## 用SSL进行安全的TCP/IP连接 + +**背景信息** + +MogDB支持SSL标准协议(TLS 1.2),SSL协议是安全性更高的协议标准,它们加入了数字签名和数字证书来实现客户端和服务器的双向身份验证,保证了通信双方更加安全的数据传输。 + +
+ +**前提条件** + +从CA认证中心申请到正式的服务器、客户端的证书和密钥。(假设服务器的私钥为server.key,证书为server.crt,客户端的私钥为client.key,证书为client.crt,CA根证书名称为cacert.pem。) + +
+ +**注意事项** + +- 当用户远程连接到数据库主节点时,需要使用sha256的认证方式。 +- 当内部服务器之间连接时,需要使用trust的认证方式,支持IP白名单认证。 + +
+ +**操作步骤** + +MogDB在服务器部署完成后,默认已开启SSL认证模式。服务器端证书,私钥以及根证书已经默认配置完成。用户需要配置客户端的相关参数。 + +配置SSL认证相关的数字证书参数,具体要求请参见[表4](#表1.3.1)。 + +- 配置客户端参数。 + + 已从CA认证中心申请到客户端默认证书,私钥,根证书以及私钥密码加密文件。假设证书、私钥和根证书都放在"/home/omm"目录。 + + 双向认证需配置如下参数: + + ```bash + export PGSSLCERT="/home/omm/client.crt" + export PGSSLKEY="/home/omm/client.key" + export PGSSLMODE="verify-ca" + export PGSSLROOTCERT="/home/omm/cacert.pem" + ``` + + 单向认证需要配置如下参数: + + ```bash + export PGSSLMODE="verify-ca" + export PGSSLROOTCERT="/home/omm/cacert.pem" + ``` + +- 修改客户端密钥的权限。 + + 客户端根证书,密钥,证书以及密钥密码加密文件的权限,需保证权限为600。如果权限不满足要求,则客户端无法以SSL连接到MogDB。 + + ```bash + chmod 600 client.key + chmod 600 client.crt + chmod 600 client.key.cipher + chmod 600 client.key.rand + chmod 600 cacert.pem + ``` + +> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-notice.gif) **须知:** +> 从安全性考虑,建议使用双向认证方式。 +> 配置客户端环境变量,必须包含文件的绝对路径。 + +**表 4** 认证方式 + +| 认证方式 | 含义 | 配置客户端环境变量 | 维护建议 | +| :---------------------- | :----------------------------| :------------------------------- |:------------------------------- | +| 双向认证(推荐) | 客户端验证服务器证书的有效性,同时服务器端也要验证客户端证书的有效性,只有认证成功,连接才能建立。 | 设置如下环境变量:
- PGSSLCERT
- PGSSLKEY
- PGSSLROOTCERT
- PGSSLMODE | 该方式应用于安全性要求较高的场景。使用此方式时,建议设置客户端的PGSSLMODE变量为verify-ca。确保了网络数据的安全性。 | +| 单向认证 | 客户端只验证服务器证书的有效性,而服务器端不验证客户端证书的有效性。服务器加载证书信息并发送给客户端,客户端使用根证书来验证服务器端证书的有效性。 | 设置如下环境变量:
- PGSSLROOTCERT
- PGSSLMODE | 为防止基于TCP链接的欺骗,建议使用SSL证书认证功能。除配置客户端根证书外,建议客户端使用PGSSLMODE变量为verify-ca方式连接。 | + +
+ +**相关参考** + +在服务器端的postgresql.conf文件中配置相关参数,详细信息请参见[表5](#表1.3.2)。 + +**表 5** 服务器参数 + +| 参数 | 描述 | 取值范围 | +| :------------ | :-------------------- | :-------------------| +| ssl | 表示是否启动SSL功能。 | - on: 开启SSL功能。
- off: 关闭SSL功能。
**默认值** : on | +| require_ssl | 设置服务器端是否强制要求SSL连接。该参数只有当参数ssl为on时才有效。 | - on: 服务器端强制要求SSL连接。
- off: 服务器端对是否通过SSL连接不作强制要求。
**默认值** : off | +| ssl_cert_file | 指定服务器证书文件,包含服务器端的公钥。服务器证书用以表明服务器身份的合法性,公钥将发送给对端用来对数据进行加密。 | 请以实际的证书名为准,其相对路径是相对于数据目录的。
**默认值** : server.crt | +| ssl_key_file | 指定服务器私钥文件,用以对公钥加密的数据进行解密。 | 请以实际的服务器私钥名称为准,其相对路径是相对于数据目录的。
**默认值** : server.key | +| ssl_ca_file | CA服务器的根证书。此参数可选择配置,需要验证客户端证书的合法性时才需要配置。 | 请以实际的CA服务器根证书名称为准。
**默认值** : cacert.pem | +| ssl_crl_file | 证书吊销列表,如果客户端证书在该列表中,则当前客户端证书被视为无效证书。 | 请以实际的证书吊销列表名称为准。
**默认值** : 空,表示没有吊销列表。 | +| ssl_ciphers | SSL通讯使用的加密算法。 | 本产品支持的加密算法的详细信息请参见[表7](#表1.3.4)。
**默认值**: ALL,表示允许对端使用产品支持的所有加密算法,但不包含ADH、LOW、EXP、MD5算法。 | +| ssl_cert_notify_time | SSL服务器证书到期前提醒的天数。 | 请按照需求配置证书过期前提醒天数。
**默认值**: 90 | + +在客户端配置SSL认证相关的环境变量,详细信息请参见[表6](#表1.3.3)。 + +> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **说明:** +> 客户端环境变量的路径以“\_/home/omm\_”为例,在实际操作中请使用实际路径进行替换。 + +**表 6** 客户端参数 + +| 环境变量 | 描述 | 取值范围 | +| :------------ | :--------------------------- | :-------------------------- | +| PGSSLCERT | 指定客户端证书文件,包含客户端的公钥。客户端证书用以表明客户端身份的合法性,公钥将发送给对端用来对数据进行加密。 | 必须包含文件的绝对路径,如:
`export PGSSLCERT='/home/omm/client.crt'`
**默认值**: 空 | +| PGSSLKEY | 指定客户端私钥文件,用以对公钥加密的数据进行解密。 | 必须包含文件的绝对路径,如:
`export PGSSLKEY='/home/omm/client.key'`
**默认值**: 空 | +| PGSSLMODE | 设置是否和服务器进行SSL连接协商,以及指定SSL连接的优先级。 | **取值及含义**:
- disable:只尝试非SSL连接。
- allow:首先尝试非SSL连接,如果连接失败,再尝试SSL连接。
- prefer:首先尝试SSL连接,如果连接失败,将尝试非SSL连接。
- require:只尝试SSL连接。如果存在CA文件,则按设置成verify-ca的方式验证。
- verify-ca:只尝试SSL连接,并且验证服务器是否具有由可信任的证书机构签发的证书。
- verify-full:只尝试SSL连接,并且验证服务器是否具有由可信任的证书机构签发的证书,以及验证服务器主机名是否与证书中的一致。
**默认值**:prefer | +| PGSSLROOTCERT | 指定为客户端颁发证书的根证书文件,根证书用于验证服务器证书的有效性。 | 必须包含文件的绝对路径,如:
`export PGSSLROOTCERT='/home/omm/certca.pem'`
**默认值**:空 | +| PGSSLCRL | 指定证书吊销列表文件,用于验证服务器证书是否在废弃证书列表中,如果在,则服务器证书将会被视为无效证书。 | 必须包含文件的绝对路径,如:
`export PGSSLCRL='/home/omm/sslcrl-file.crl'`
**默认值**:空 | + +服务器端参数ssl、require_ssl与客户端参数sslmode配置组合结果如下: + +- 服务器 ssl = on + + | sslmode(客户端) | require_ssl(服务器) | 结果 | + | :------- | :------- | :------- | + | disable | on | 由于服务器端要求使用SSL,但客户端连接禁用了SSL,无法建立连接。 | + | disable | off | 连接未加密。 | + | allow | on | 连接经过加密。 | + | allow | off | 连接未加密。 | + | prefer | on | 连接经过加密。 | + | prefer | off | 连接经过加密。 | + | require | on | 连接经过加密。 | + | require | off | 连接经过加密。 | + | verify-ca | on | 连接经过加密,且验证了服务器证书。 | + | verify-ca | off | 连接经过加密,且验证了服务器证书。 | + | verify-full | on | 连接经过加密,且验证了服务器证书和主机名。 | + | verify-full | off | 连接经过加密,且验证了服务器证书和主机名。 | + +- 服务器 ssl = off + + | sslmode(客户端) | require_ssl(服务器) | 结果 | + | :------- | :------- | :------- | + | disable | on | 连接未加密。 | + | disable | off | 连接未加密。 | + | allow | on | 连接未加密。 | + | allow | off | 连接未加密。 | + | prefer | on | 连接未加密。 | + | prefer | off | 连接未加密。 | + | require | on | 由于客户端要求使用SSL,但服务器端禁用了SSL,因此无法建立连接。 | + | require | off | 由于客户端要求使用SSL,但服务器端禁用了SSL,因此无法建立连接。 | + | verify-ca | on | 由于客户端要求使用SSL,但服务器端禁用了SSL,因此无法建立连接。 | + | verify-ca | off | 由于客户端要求使用SSL,但服务器端禁用了SSL,因此无法建立连接。 | + | verify-full | on | 由于客户端要求使用SSL,但服务器端禁用了SSL,因此无法建立连接。 | + | verify-full | off | 由于客户端要求使用SSL,但服务器端禁用了SSL,因此无法建立连接。 | + +SSL传输支持一系列不同强度的加密和认证算法。用户可以通过修改postgresql.conf中的ssl_ciphers参数指定数据库服务器使用的加密算法。目前本产品SSL支持的加密算法如[表7](#表1.3.4)所示。 + +**表 7** 加密算法套件 + +| OpenSSL套件名 | **IANA套件名** | 安全程度 | +| :---------------------------- | :-------------------------------------- | :------- | +| ECDHE-RSA-AES128-GCM-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | HIGH | +| ECDHE-RSA-AES256-GCM-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | HIGH | +| ECDHE-ECDSA-AES128-GCM-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | HIGH | +| ECDHE-ECDSA-AES256-GCM-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | HIGH | +| DHE-RSA-AES128-GCM-SHA256 | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | HIGH | +| DHE-RSA-AES256-GCM-SHA384 | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | HIGH | + +> 
![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **说明:** +> +> - 目前只支持上表中的6种加密算法套件。 +> +> - 配置参数ssl_ciphers的默认值为ALL,表示支持上表中的所有加密算法。为保持前向兼容保留了DHE算法套件,即DHE-RSA-AES128-GCM-SHA256和DHE-RSA-AES256-GCM-SHA384,根据CVE-2002-20001漏洞披露DHE算法存在一定安全风险,非兼容场景不建议使用,可将ssl_ciphers参数配置为仅支持ECDHE类型算法套件。 +> +> - 如需指定以上加密算法套件,可以设置ssl_ciphers为上表中OpenSSL套件名称,加密算法套件之间需要使用分号分割,如在postgresql.conf设置: ssl_ciphers='ECDHE-RSA-AES128-GCM-SHA256;ECDHE-ECDSA-AES128-GCM-SHA256'。 +> +> - SSL连接认证不仅增加了登录(创建SSL环境)及退出过程(清理SSL环境)的时间消耗,同时需要消耗额外的时间用于加解密所需传输的内容,因此对性能有一定影响。特别的,对于频繁的登录登出,短时查询等场景有较大的影响。 +> +> - 在证书有效期小于7天的时候,连接登录会在日志中产生告警提醒。 +> + +
+ +## 用SSH隧道进行安全的TCP/IP连接 + +**背景信息** + +为了保证服务器和客户端之间的安全通讯,可以在服务器和客户端之间构建安全的SSH隧道。SSH是目前较可靠,专为远程登录会话和其他网络服务提供安全性的协议。 + +从SSH客户端来看,SSH提供了两种级别的安全验证: + +- 基于口令的安全验证:使用帐号和口令登录到远程主机。所有传输的数据都会被加密,但是不能保证正在连接的服务器就是需要连接的服务器。可能会有其他服务器冒充真正的服务器,也就是受到"中间人"方式的攻击。 +- 基于密钥的安全验证: 用户必须为自己创建一对密钥,并把公用密钥放在需要访问的服务器上。这种级别的认证不仅加密所有传送的数据,而且避免"中间人"攻击方式。但是整个登录的过程可能需要10秒。 + +
+ +**前提条件** + +SSH服务和数据库运行在同一台服务器上。 + +
+ +**操作步骤** + +以OpenSSH为例介绍配置SSH隧道,对于如何配置基于密钥的安全验证不作赘述,OpenSSH提供了多种配置适应网络的各种限制,更多详细信息请参考OpenSSH的相关文档。 + +从本地主机建立到服务器的SSH隧道。 + +```bash +ssh -L 63333:localhost:8000 username@hostIP +``` + +> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **说明:** +> +> - -L参数的第一串数字(63333)是通道本端的端口号,可以自由选择。 +> - 第二串数字(8000)是通道远端的端口号,也就是服务器使用的端口号。 +> - localhost是本机IP地址,username是要连接的服务器上的用户名,hostIP是要连接的主机IP地址。 + +
+ +## 查看数据库连接数 + +**背景信息** + +当用户连接数达到上限后,无法建立新的连接。因此,当数据库管理员发现某用户无法连接到数据库时,需要查看是否连接数达到了上限。控制数据库连接的主要以下几种选项。 + +- 全局的最大连接数:由运行参数max_connections指定,默认值为5000。 +- 某用户的连接数:在创建用户时由CREATE ROLE命令的CONNECTION LIMIT connlimit子句直接设定,也可以在设定以后用ALTER ROLE的CONNECTION LIMIT connlimit子句修改。 +- 某数据库的连接数:在创建数据库时,由CREATE DATABASE的CONNECTION LIMIT connlimit参数指定。 + +
+ +**操作步骤** + +1. 以操作系统用户omm登录数据库主节点。 + +2. 使用如下命令连接数据库。 + + ```bash + gsql -d mogdb -p 8000 + ``` + + mogdb为需要连接的数据库名称,8000为数据库主节点的端口号。 + +3. 查看全局会话连接数限制。 + + ```sql + MogDB=# SHOW max_connections; + max_connections + ----------------- + 800 + (1 row) + ``` + + 其中800是最大会话连接数。 + +4. 查看已使用的会话连接数。 + + > ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-notice.gif) **须知:** + > 除了创建的时候用双引号引起的数据库和用户名称外,以下命令中用到的数据库名称和用户名称,其中包含的英文字母必须使用小写。 + + + 查看指定用户的会话连接数上限 + + 执行如下命令查看连接到指定用户omm的会话连接数上限。其中-1表示没有对用户omm设置连接数的限制。 + + ```sql + MogDB=# SELECT ROLNAME,ROLCONNLIMIT FROM PG_ROLES WHERE ROLNAME='omm'; + rolname | rolconnlimit + ---------+-------------- + omm | -1 + (1 row) + ``` + + + 查看指定用户已使用的会话连接数 + + 执行如下命令查看指定用户omm已使用的会话连接数。其中,1表示omm已使用的会话连接数。 + + ```sql + MogDB=# CREATE OR REPLACE VIEW DV_SESSIONS AS + SELECT + sa.sessionid AS SID, + 0::integer AS SERIAL#, + sa.usesysid AS USER#, + ad.rolname AS USERNAME + FROM pg_stat_get_activity(NULL) AS sa + LEFT JOIN pg_authid ad ON(sa.usesysid = ad.oid) + WHERE sa.application_name <> 'JobScheduler'; + MogDB=# SELECT COUNT(*) FROM DV_SESSIONS WHERE USERNAME='omm'; + count + ------- + 1 + (1 row) + ``` + + + 查看指定数据库的会话连接数上限 + + 执行如下命令查看连接到指定数据库mogdb的会话连接数上限。其中-1表示没有对数据库mogdb设置连接数的限制。 + + ```sql + MogDB=# SELECT DATNAME,DATCONNLIMIT FROM PG_DATABASE WHERE DATNAME='mogdb'; + datname | datconnlimit + ---------+-------------- + mogdb | -1 + (1 row) + ``` + + + 查看指定数据库已使用的会话连接数 + + 执行如下命令查看指定数据库mogdb上已使用的会话连接数。其中,1表示数据库mogdb上已使用的会话连接数。 + + ```sql + MogDB=# SELECT COUNT() FROM PG_STAT_ACTIVITY WHERE DATNAME='mogdb'; + count + ------- + 1 + (1 row) + ``` + + + 查看所有用户已使用会话连接数 + + 执行如下命令查看所有用户已使用的会话连接数。 + + ```sql + MogDB=# CREATE OR REPLACE VIEW DV_SESSIONS AS + SELECT + sa.sessionid AS SID, + 0::integer AS SERIAL#, + sa.usesysid AS USER#, + ad.rolname AS USERNAME + FROM pg_stat_get_activity(NULL) AS sa + LEFT JOIN pg_authid ad ON(sa.usesysid = ad.oid) + WHERE sa.application_name <> 'JobScheduler'; + MogDB=# SELECT COUNT(*) FROM 
DV_SESSIONS; + count + ------- + 23 + (1 row) + ``` + +## SSL证书管理 + +MogDB默认配置了通过openssl生成的安全证书、私钥。并且提供证书替换的接口,方便用户进行证书的替换。 + +
+ +### 证书生成 + +**操作场景** + +在测试环境下,用户可以用通过以下方式进行数字证书测试。在客户的运行环境中,请使用从CA认证中心申请的数字证书。 + +
+ +**前提条件** + +Linux环境安装了openssl组件。 + +
+ +**自认证证书生成过程** + +1. 搭建CA环境。 + + ```bash + # 假设用户为omm已存在,搭建CA的路径为test + # 以root用户身份登录Linux环境,切换到用户omm + mkdir test + cd /etc/pki/tls + # copy 配置文件openssl.cnf到test下 + cp openssl.cnf ~/test + cd ~/test + # 到test文件夹下,开始搭建CA环境 + # 创建文件夹demoCA./demoCA/newcerts./demoCA/private + mkdir ./demoCA ./demoCA/newcerts ./demoCA/private + chmod 700 ./demoCA/private + # 创建serial文件,写入01 + echo '01'>./demoCA/serial + # 创建文件index.txt + touch ./demoCA/index.txt + # 修改openssl.cnf配置文件中的参数 + dir = ./demoCA + default_md = sha256 + # 至此CA环境搭建完成 + ``` + +2. 生成根私钥。 + + ```bash + # 生成CA私钥 + openssl genrsa -aes256 -out demoCA/private/cakey.pem 2048 + Generating RSA private key, 2048 bit long modulus + .................+++ + ..................+++ + e is 65537 (0x10001) + # 设置根私钥的保护密码,假设为Test@123 + Enter pass phrase for demoCA/private/cakey.pem: + # 再次输入私钥密码 Test@123 + Verifying - Enter pass phrase for demoCA/private/cakey.pem: + ``` + +3. 生成根证书请求文件。 + + ```bash + # 生成CA根证书申请文件careq.pem + openssl req -config openssl.cnf -new -key demoCA/private/cakey.pem -out demoCA/careq.pem + Enter pass phrase for demoCA/private/cakey.pem: + # 输入根私钥密码 Test@123 + You are about to be asked to enter information that will be incorporated + into your certificate request. + What you are about to enter is what is called a Distinguished Name or a DN. + There are quite a few fields but you can leave some blank + For some fields there will be a default value, + If you enter '.', the field will be left blank. 
+ ----- + + # 以下名称请牢记,生成服务端证书和客户端证书时填写的信息需要与此处的一致 + Country Name (2 letter code) [AU]:CN + State or Province Name (full name) [Some-State]:shanxi + Locality Name (eg, city) []:xian + Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abc + Organizational Unit Name (eg, section) []:hello + # Common Name可以随意命名 + Common Name (eg, YOUR name) []:world + # Email可以选择性填写 + Email Address []: + + Please enter the following 'extra' attributes + to be sent with your certificate request + A challenge password []: + An optional company name []: + ``` + +4. 生成自签发根证书。 + + ```bash + # 生成根证书时,需要修改openssl.cnf文件,设置basicConstraints=CA:TRUE + vi openssl.cnf + # 生成CA自签发根证书 + openssl ca -config openssl.cnf -out demoCA/cacert.pem -keyfile demoCA/private/cakey.pem -selfsign -infiles demoCA/careq.pem + Using configuration from openssl.cnf + Enter pass phrase for demoCA/private/cakey.pem: + # 输入根私钥密码 Test@123 + Check that the request matches the signature + Signature ok + Certificate Details: + Serial Number: 1 (0x1) + Validity + Not Before: Feb 28 02:17:11 2017 GMT + Not After : Feb 28 02:17:11 2018 GMT + Subject: + countryName = CN + stateOrProvinceName = shanxi + organizationName = Abc + organizationalUnitName = hello + commonName = world + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + F9:91:50:B2:42:8C:A8:D3:41:B0:E4:42:CB:C2:BE:8D:B7:8C:17:1F + X509v3 Authority Key Identifier: + keyid:F9:91:50:B2:42:8C:A8:D3:41:B0:E4:42:CB:C2:BE:8D:B7:8C:17:1F + + Certificate is to be certified until Feb 28 02:17:11 2018 GMT (365 days) + Sign the certificate? [y/n]:y + + 1 out of 1 certificate requests certified, commit? [y/n]y + Write out database with 1 new entries + Data Base Updated + # 至此CA根证书自签发完成,根证书demoCA/cacert.pem。 + ``` + +5. 
生成服务端证书私钥。 + + ```bash + # 生成服务端私钥文件server.key + openssl genrsa -aes256 -out server.key 2048 + Generating a 2048 bit RSA private key + .......++++++ + ..++++++ + e is 65537 (0x10001) + Enter pass phrase for server.key: + # 服务端私钥的保护密码,假设为Test@123 + Verifying - Enter pass phrase for server.key: + # 再次确认服务端私钥的保护密码,即为Test@123 + ``` + +6. 生成服务端证书请求文件。 + + ```bash + # 生成服务端证书请求文件server.req + openssl req -config openssl.cnf -new -key server.key -out server.req + Enter pass phrase for server.key: + You are about to be asked to enter information that will be incorporated + into your certificate request. + What you are about to enter is what is called a Distinguished Name or a DN. + There are quite a few fields but you can leave some blank + For some fields there will be a default value, + If you enter '.', the field will be left blank. + ----- + + # 以下填写的信息与创建CA时的信息一致 + Country Name (2 letter code) [AU]:CN + State or Province Name (full name) [Some-State]:shanxi + Locality Name (eg, city) []:xian + Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abc + Organizational Unit Name (eg, section) []:hello + # Common Name可以随意命名 + Common Name (eg, YOUR name) []:world + Email Address []: + # 以下信息可以选择性填写 + Please enter the following 'extra' attributes + to be sent with your certificate request + A challenge password []: + An optional company name []: + ``` + +7. 
生成服务端证书。 + + ```bash + # 生成服务端/客户端证书时,修改openssl.cnf文件,设置basicConstraints=CA:FALSE + vi openssl.cnf + # 修改demoCA/index.txt.attr中属性为no。 + vi demoCA/index.txt.attr + + # 对生成的服务端证书请求文件进行签发,签发后将生成正式的服务端证书server.crt + openssl ca -config openssl.cnf -in server.req -out server.crt -days 3650 -md sha256 + Using configuration from /etc/ssl/openssl.cnf + Enter pass phrase for ./demoCA/private/cakey.pem: + Check that the request matches the signature + Signature ok + Certificate Details: + Serial Number: 2 (0x2) + Validity + Not Before: Feb 27 10:11:12 2017 GMT + Not After : Feb 25 10:11:12 2027 GMT + Subject: + countryName = CN + stateOrProvinceName = shanxi + organizationName = Abc + organizationalUnitName = hello + commonName = world + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + EB:D9:EE:C0:D2:14:48:AD:EB:BB:AD:B6:29:2C:6C:72:96:5C:38:35 + X509v3 Authority Key Identifier: + keyid:84:F6:A1:65:16:1F:28:8A:B7:0D:CB:7E:19:76:2A:8B:F5:2B:5C:6A + + Certificate is to be certified until Feb 25 10:11:12 2027 GMT (3650 days) + # 选择y对证书进行签发 + Sign the certificate? [y/n]:y + + # 选择y,证书签发结束 + 1 out of 1 certificate requests certified, commit? [y/n]y + Write out database with 1 new entries + Data Base Updated + ``` + + 去掉私钥密码保护,方法如下: + + ```bash + # 去掉服务端私钥的密码保护 + openssl rsa -in server.key -out server.key + # 如果不去掉服务端私钥的密码保护需要使用gs_guc工具对存储密码进行加密保护 + gs_guc encrypt -M server -D ./ + # 根据提示输入服务端私钥的密码,加密后会生成server.key.cipher,server.key.rand两个私钥密码保护文件 + ``` + +8. 
客户端证书,私钥的生成。 + + 生成客户端证书和客户端私钥的方法和要求与服务端相同。 + + ```bash + # 生成客户端私钥 + openssl genrsa -aes256 -out client.key 2048 + # 生成客户端证书请求文件 + openssl req -config openssl.cnf -new -key client.key -out client.req + # 对生成的客户端证书请求文件进行签发,签发后将生成正式的客户端证书client.crt + openssl ca -config openssl.cnf -in client.req -out client.crt -days 3650 -md sha256 + ``` + + 去掉私钥密码保护,方法如下: + + ```bash + # 去掉客户端私钥的密码保护 + openssl rsa -in client.key -out client.key + # 如果不去掉客户端私钥的密码保护需要使用gs_guc工具对存储密码进行加密保护 + gs_guc encrypt -M client -D ./ + 根据提示输入服务端私钥的密码,加密后会生成client.key.cipher,client.key.rand两个私钥密码保护文件。 + ``` + + 将客户端密钥转化为DER格式,方法如下: + + ```bash + openssl pkcs8 -topk8 -outform DER -in client.key -out client.key.pk8 -nocrypt + ``` + +9. 吊销证书列表的生成。 + + 如果需要吊销列表,可按照如下方法生成: + + ``` + # 首先创建crlnumber文件 + echo '00'>./demoCA/crlnumber + # 吊销服务端证书 + openssl ca -config openssl.cnf -revoke server.crt + # 生成证书吊销列表sslcrl-file.crl + openssl ca -config openssl.cnf -gencrl -out sslcrl-file.crl + ``` + +
+ +### 证书替换 + +**操作场景** + +MogDB默认配置了SSL连接所需要的安全的证书、私钥,用户如果需要替换为自己的证书、私钥则可按照此方法进行替换。 + +
+ +**前提条件** + +用户需要从CA认证中心申请到正式的服务器、客户端的证书和密钥。 + +
+ +**注意事项** + +MogDB目前只支持X509v3的PEM格式证书。 + +
+ +**操作步骤** + +1. 准备证书、私钥。 + + 服务端各个配置文件名称约定: + + - 证书名称约定: server.crt。 + + - 私钥名称约定: server.key。 + - 私钥密码加密文件约定: server.key.cipher、server.key.rand。 + + 客户端各个配置文件名称约定: + + - 证书名称约定: client.crt。 + - 私钥名称约定: client.key。 + - 私钥密码加密文件约定: client.key.cipher、client.key.rand。 + - 根证书名称约定: cacert.pem。 + - 吊销证书列表文件名称约定: sslcrl-file.crl。 + +2. 制作压缩包。 + + 压缩包名称约定: db-cert-replacement.zip。 + + 压缩包格式约定: ZIP。 + + 压缩包文件列表约定: server.crt、server.key、server.key.cipher、server.key.rand、client.crt、client.key、client.key.cipher、client.key. rand、cacert.pem。如果需要配置吊销证书列表,则列表中包含sslcrl-file.crl。 + +3. 调用接口,执行替换。 + + a. 将制作好的压缩包db-cert-replacement.zip上传到MogDB用户下的任意路径。 + + 例如: /home/xxxx/db-cert-replacement.zip。 + + b. 调用如下命令进行替换。 + + ```bash + gs_om -t cert --cert-file=/home/xxxx/db-cert-replacement.zip + ``` + +4. 重启MogDB。 + + ```bash + gs_om -t stop + gs_om -t start + ``` + + > ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **说明:** + > 证书具有rollback功能,可以把上一次执行证书替换之前的证书,进行回退。可以使用gs_om -t cert -rollback进行远程调用该接口;使用gs_om -t cert -rollback -L进行本地调用该接口。以上一次成功执行证书替换后,被替换的证书版本为基础进行回退。 diff --git a/product/zh/docs-mogdb/v5.1/reference-guide/functions-and-operators/mathematical-functions-and-operators.md b/product/zh/docs-mogdb/v5.1/reference-guide/functions-and-operators/mathematical-functions-and-operators.md index 1ce69187cb81bce150e67402b6c1c6c9f1da4006..e75630ab21e4f9394f9cbf97d123621f1304362a 100644 --- a/product/zh/docs-mogdb/v5.1/reference-guide/functions-and-operators/mathematical-functions-and-operators.md +++ b/product/zh/docs-mogdb/v5.1/reference-guide/functions-and-operators/mathematical-functions-and-operators.md @@ -815,22 +815,6 @@ date: 2021-04-20 (1 row) ``` -- remainder(n2 numeric,n1 numeric) - - 描述:返回n2 除以 n1 的余数。 - - 返回值类型:numeric - - 示例: - - ```sql - MogDB=# select REMAINDER(11,3); - remainder - ----------- - -1 - (1 row) - ``` - - round(x) 描述:离输入参数最近的整数。 
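Review bot: in step 4 of the self-signed certificate procedure the comment tells the reader to set `basicConstraints=CA:TRUE` before signing the root request, yet the pasted `openssl ca` output for that same root certificate shows `X509v3 Basic Constraints: CA:FALSE`; one of the two is wrong, so either correct the instruction or regenerate the sample output after the CA:TRUE edit so the root certificate shown really is a CA certificate. Smaller problems in the same hunk: the step 7 output says `Using configuration from /etc/ssl/openssl.cnf` although the command passes `-config openssl.cnf` from the working directory; in step 8 the line `根据提示输入服务端私钥的密码,加密后会生成client.key.cipher,client.key.rand两个私钥密码保护文件。` inside the client code block is missing the leading `#` and says "服务端私钥" where the client key is meant; the step 9 code fence has no `bash` tag while every other block in the section has one; and the file list in step 2 of 证书替换 reads `client.key. rand` with a stray space. Because `openssl rsa -in server.key -out server.key` and the matching client command overwrite the key files in unencrypted form, the text should also tell the reader to keep those files readable only by the database user.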
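Review bot: the hunk deletes the entire `remainder(n2 numeric,n1 numeric)` entry from mathematical-functions-and-operators.md and nothing in the hunk says why; if the function is no longer available this should be stated where the change is described, and if it is still available the entry (including the `REMAINDER(11,3)` example returning `-1`) should stay.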
@@ -967,7 +951,7 @@ date: 2021-04-20 - trunc(v numeric, s int) - 描述:截断为s位小数。 + 描述:截断为s位小数(trunc只支持截断不超过int4类型最大值的位数)。。 返回值类型:numeric diff --git a/product/zh/docs-mogdb/v5.1/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md b/product/zh/docs-mogdb/v5.1/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md index fb9158750cf0a430aed59766dedd135f780eb3c1..d68952565faf944421627757b680d144585e09b7 100644 --- a/product/zh/docs-mogdb/v5.1/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md +++ b/product/zh/docs-mogdb/v5.1/reference-guide/functions-and-operators/system-information-functions/session-information-functions.md @@ -306,22 +306,6 @@ date: 2021-04-20 (1 row) ``` -- pg_backend_pid() - - 描述:当前会话连接的服务进程的进程ID。 - - 返回值类型:bigint - - 示例: - - ```sql - MogDB=# SELECT pg_backend_pid(); - pg_backend_pid - ----------------- - 140229352617744 - (1 row) - ``` - - pg_conf_load_time() 描述:配置加载时间。pg_conf_load_time返回最后加载服务器配置文件的时间戳。 diff --git a/product/zh/docs-mogdb/v5.1/reference-guide/guc-parameters/guc-parameter-list.md b/product/zh/docs-mogdb/v5.1/reference-guide/guc-parameters/guc-parameter-list.md index 82da35a5f9857f8de1a074906cf3be03749269ca..90567932c86a483a6040abe9938489b692a1c65b 100644 --- a/product/zh/docs-mogdb/v5.1/reference-guide/guc-parameters/guc-parameter-list.md +++ b/product/zh/docs-mogdb/v5.1/reference-guide/guc-parameters/guc-parameter-list.md 
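Review bot: the new description line for `trunc(v numeric, s int)` ends with a doubled full stop (`...最大值的位数)。。`); drop one. The added parenthetical also leaves the reader guessing what happens when `s` exceeds the int4 maximum (an error or a silent clamp), which is worth one sentence.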
@@ -213,6 +213,7 @@ date: 2023-04-07 | [enable_asp](system-performance-snapshot.md#enable_asp) | | [enable_auto_clean_unique_sql](query.md#enable_auto_clean_unique_sql) | | [enable_auto_explain](./query-planning/other-optimizer-options.md#enable_auto_explain) | +| [enable_availablezone](./ha-replication/sending-server.md#enable_availablezone) | | [enable_batch_dispatch](./write-ahead-log/log-replay.md#enable_batch_dispatch) | | [enable_bbox_dump](load-management.md#enable_bbox_dump) | | [enable_beta_features](./version-and-platform-compatibility/compatibility-with-earlier-versions.md#enable_beta_features) | diff --git a/product/zh/docs-mogdb/v5.1/reference-guide/guc-parameters/ha-replication/sending-server.md b/product/zh/docs-mogdb/v5.1/reference-guide/guc-parameters/ha-replication/sending-server.md index eef32b0ba69933811ebfff44d36d41c8a6c013f9..ca23f2243f2bc3cf5710a47e175cfb9268432224 100644 --- a/product/zh/docs-mogdb/v5.1/reference-guide/guc-parameters/ha-replication/sending-server.md +++ b/product/zh/docs-mogdb/v5.1/reference-guide/guc-parameters/ha-replication/sending-server.md @@ -166,6 +166,20 @@ date: 2021-04-20 **默认值**: 空字符串 +## enable_availablezone + +**参数说明**: 设置本端级联备节点能否连接跨available_zone的备机。 + +该参数属于POSTMASTER类型参数,请参考[GUC参数分类](../../../reference-guide/guc-parameters/appendix.md)中对应设置方法进行设置。 + +**取值范围**:布尔型 + +- on表示级联备只能连接相同available_zone中的备机。 + +- off表示级联备可以连接不同available_zone中的备机。 + +**默认值**:off + ## max_keep_log_seg **参数说明**:流控参数,逻辑复制在DN本地会解析物理日志转换成逻辑日志,当未被解析的物理日志文件数量大于该参数时会触发限流。此参数为0表示关闭限流功能。 diff --git a/product/zh/docs-mogdb/v5.1/reference-guide/guc-parameters/query-planning/optimizer-cost-constants.md b/product/zh/docs-mogdb/v5.1/reference-guide/guc-parameters/query-planning/optimizer-cost-constants.md index b20254a870b356b69a3e3cc2671dc672cbf23fa2..67d2862841771c7fa42381f863819e7659111501 100644 --- a/product/zh/docs-mogdb/v5.1/reference-guide/guc-parameters/query-planning/optimizer-cost-constants.md 
+++ b/product/zh/docs-mogdb/v5.1/reference-guide/guc-parameters/query-planning/optimizer-cost-constants.md @@ -98,7 +98,7 @@ date: 2021-04-20 **参数说明**:表示算子在并行执行的时候和单一线程以及其余线程之间通信同步的代价。将该值调低可以促使优化器优先选择并行。 -该参数属于session级别参数,请参考[GUC参数设置方式](../../../reference-guide/guc-parameters/appendix.md)中对应设置方法进行设置。 +该参数属于USERSET类型参数,请参考[GUC参数设置方式](../../../reference-guide/guc-parameters/appendix.md)中对应设置方法进行设置。 **取值范围**:整型,0~1000 diff --git a/product/zh/docs-mogdb/v5.1/reference-guide/guc-parameters/write-ahead-log/log-replay.md b/product/zh/docs-mogdb/v5.1/reference-guide/guc-parameters/write-ahead-log/log-replay.md index 05466615070f104757bc4dfe72003d24857a1a2c..ebdf410fedf4846679031b3c671ec6c0ab493663 100644 --- a/product/zh/docs-mogdb/v5.1/reference-guide/guc-parameters/write-ahead-log/log-replay.md +++ b/product/zh/docs-mogdb/v5.1/reference-guide/guc-parameters/write-ahead-log/log-replay.md @@ -111,7 +111,9 @@ date: 2021-04-20 ## enable_time_report -**参数说明**:用于控制回放时是否记录回放统计信息。该参数属于PGC_POSTMASTER类型参数,请参考[GUC参数分类](../../../reference-guide/guc-parameters/appendix.md)中对应设置方法进行设置。 +**参数说明**:用于控制回放时是否记录回放统计信息。 + +该参数属于POSTMASTER类型参数,请参考[GUC参数分类](../../../reference-guide/guc-parameters/appendix.md)中对应设置方法进行设置。 **取值范围**:布尔型 @@ -119,7 +121,9 @@ date: 2021-04-20 ## enable_batch_dispatch -**参数说明**:表级并行回放时,由startup线程读取wal日志并决定每一个wal记录的实际redo线程,然后再将读取到的wal记录分发给具体的redo线程。此参数用于控制表级并行回放时,是否启用批量分发的功能,即允许积攒一定数量的wal记录,再分发给各个redo线程。该参数属于PGC_POSTMASTER类型参数,请参考[GUC参数分类](../../../reference-guide/guc-parameters/appendix.md)中对应设置方法进行设置。 +**参数说明**:表级并行回放时,由startup线程读取wal日志并决定每一个wal记录的实际redo线程,然后再将读取到的wal记录分发给具体的redo线程。此参数用于控制表级并行回放时,是否启用批量分发的功能,即允许积攒一定数量的wal记录,再分发给各个redo线程。 + +该参数属于POSTMASTER类型参数,请参考[GUC参数分类](../../../reference-guide/guc-parameters/appendix.md)中对应设置方法进行设置。 **取值范围**:布尔型 
@@ -129,6 +133,8 @@ date: 2021-04-20 **参数说明**:参照enable_batch_dispatch参数对批量分发功能的描述,此参数控制表级并行回放时startup线程暂存wal记录的数量。 +该参数属于POSTMASTER类型参数,请参考表[GUC参数分类](../../../reference-guide/guc-parameters/appendix.md)中对应设置方法进行设置。 + **取值范围**:整型,1~100000,意义为wal记录的个数 **默认值**: 1000 @@ -137,6 +143,8 @@ date: 2021-04-20 **参数说明**:在表级别并行回放时,如果当在一段时间内没有积攒够parallel_recovery_batch数量,则应该立即分发当前已经暂存的wal记录。此参数用于控制wal分发的timeout时间。 +该参数属于POSTMASTER类型参数,请参考表[GUC参数分类](../../../reference-guide/guc-parameters/appendix.md)中对应设置方法进行设置。 + **取值范围**:整型,1~1000,单位为毫秒 **默认值**: 300 @@ -153,7 +161,7 @@ date: 2021-04-20 **表 1** 不同CPU、内存和部署模式下的参数设置参考 -| 编号 | CPU个数 | 内存(GB) | 是否混合部署 | recovery_parse_workers | recovery_redo_workers | 回放线程总数 | 备注 | +| 编号 | CPU个数 | 内存(GB) | 是否混合部署 | recovery_parse_workers | recovery_redo_workers | 回放线程总数 | 备注 | | :--- | :------ | :-------- | :----------- | :--------------------- | :-------------------- | :----------- | :----------------------- | | 1 | 4 | - | - | 1 | 1 | - | 不推荐开 | | 2 | 8 | - | 是 | 1 | 1 | - | 不推荐开 | diff --git a/product/zh/docs-mogdb/v5.1/reference-guide/tool-reference/cluster-management/manual-configuration-of-vip.md b/product/zh/docs-mogdb/v5.1/reference-guide/tool-reference/cluster-management/manual-configuration-of-vip.md index 2ec7a4ddda0445099c2534270ef0fbcfe4989dec..85587e518bd42f46922c3704a0ce6fcb327f0934 100644 --- a/product/zh/docs-mogdb/v5.1/reference-guide/tool-reference/cluster-management/manual-configuration-of-vip.md +++ b/product/zh/docs-mogdb/v5.1/reference-guide/tool-reference/cluster-management/manual-configuration-of-vip.md @@ -9,7 +9,11 @@ date: 2023-07-03 ## 目标 -因PTK安装部署时暂未支持VIP相关配置(预计5.1版本会支持),故本文重点讲解如何基于已经安装部署成功的带有CM集群管理软件的数据库集群手动配置/启用VIP功能。 +本文讲解如何基于已经安装部署成功的带有CM集群管理软件的数据库集群手动配置/启用VIP功能。 + +> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) 说明: +> +> MogDB 5.0.4及以上版本支持通过PTK(V1.2.0+)自动挂载VIP,具体操作参见[PTK文档](https://docs.mogdb.io/zh/ptk/v1.1/ptk-cluster-load-cm-vip#--action-string)。 此外,本文示例集群为单AZ一主两备集群。 
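Review bot: in the hunks `@@ -129,6 +133,8 @@` (parallel_recovery_batch) and `@@ -137,6 +143,8 @@` (the timeout parameter that follows it), the added line reads `请参考表[GUC参数分类](...)` with a stray `表` before the link, whereas the same sentence added for enable_time_report and enable_batch_dispatch earlier in the file reads `请参考[GUC参数分类](...)`; remove the `表` so all four entries match.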
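Review bot: the new note in manual-configuration-of-vip.md says automatic VIP mounting needs PTK V1.2.0 or later, but the link it gives points at the PTK v1.1 documentation (`https://docs.mogdb.io/zh/ptk/v1.1/ptk-cluster-load-cm-vip#--action-string`); point the link at the PTK version that actually documents the option, and check that the `#--action-string` anchor resolves.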
diff --git a/product/zh/docs-mogdb/v5.1/reference-guide/tool-reference/tools-used-in-the-internal-system/gs_expansion.md b/product/zh/docs-mogdb/v5.1/reference-guide/tool-reference/tools-used-in-the-internal-system/gs_expansion.md index eb0b0b3241711c96003904b9a2247a827ad7368c..72a2ae4407ec0ee0c838032fb9819343cfc46cb7 100644 --- a/product/zh/docs-mogdb/v5.1/reference-guide/tool-reference/tools-used-in-the-internal-system/gs_expansion.md +++ b/product/zh/docs-mogdb/v5.1/reference-guide/tool-reference/tools-used-in-the-internal-system/gs_expansion.md @@ -14,7 +14,7 @@ MogDB提供了gs_expansion工具对数据库的备机进行扩容。支持从单 ## 注意事项 - 扩容后不会自动更新synchronous_standby_names参数。如果需要为该参数增加扩容的机器,请在扩容完成后手动更新。 -- 扩容级联备之前要确保原集群中有处于同一AZ(Available Zone)且状态正常的备机,或扩容级联备的同时也扩容了处于同AZ的备机。 +- 当待扩容的级联备GUC参数enable_availablezone开启时,扩容级联备之前要确保原集群中有处于同一AZ(Available Zone)且状态正常的备机,或扩容级联备的同时也扩容了处于同AZ的备机。 - 对数据库集群进行扩容前,需要关注主机及新扩容节点CPU、IO、网络等情况,不建议在硬件压力较大时执行扩容,否则可能导致扩容耗时较长甚至扩容失败。 - 当原集群数据量较大时,在进行扩容操作前应当在主机上先执行checkpoint,否则可能导致扩容耗时较长甚至扩容失败。 - 在单节点扩容时,如果节点hot_standby被关闭过,则需要在每个备节点上也按照如下流程修改: diff --git a/product/zh/docs-mogdb/v5.1/security-guide/security/1-client-access-authentication.md b/product/zh/docs-mogdb/v5.1/security-guide/security/1-client-access-authentication.md index 1eaab57040f96b0577e422a5fb0a72e112f35d55..659cdc3d75bce5ccac0da3bda6d587fece39b75a 100644 --- a/product/zh/docs-mogdb/v5.1/security-guide/security/1-client-access-authentication.md +++ b/product/zh/docs-mogdb/v5.1/security-guide/security/1-client-access-authentication.md @@ -33,7 +33,7 @@ date: 2021-03-04 例如,下面示例中配置允许IP地址为10.10.0.30的客户端访问本机。 ```bash - gs_guc set -N all -I all -h "host all jack 10.10.0.30/32 sha256" + gs_guc reload -N all -I all -h "host all jack 10.10.0.30/32 sha256" ``` > ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **说明:** 
@@ -125,7 +125,7 @@ host all all 10.10.0.1/32 reject | host | 表示这条记录既接受一个普通的TCP/IP套接字连接,也接受一个经过SSL加密的TCP/IP套接字连接。 | - | | hostssl | 表示这条记录只接受一个经过SSL加密的TCP/IP套接字连接。 | 用SSL进行安全的连接,需要配置申请数字证书并配置相关参数,详细信息请参见[用SSL进行安全的TCP/IP连接](#用ssl进行安全的tcpip连接)。 | | hostnossl | 表示这条记录只接受一个普通的TCP/IP套接字连接。 | - | -| DATABASEGUC | 声明记录所匹配且允许访问的数据库。 | - all: 表示该记录匹配所有数据库。
- sameuser: 表示如果请求访问的数据库和请求的用户同名,则匹配。
- samerole: 表示请求的用户必须是与数据库同名角色中的成员。
- samegroup: 与samerole作用完全一致,表示请求的用户必须是与数据库同名角色中的成员。
- 一个包含数据库名的文件或者文件中的数据库列表: 文件可以通过在文件名前面加前缀@来声明。文件中的数据库列表以逗号或者换行符分隔。
- 特定的数据库名称或者用逗号分隔的数据库列表。
说明:
值replication表示如果请求一个复制链接,则匹配,但复制链接不表示任何特定的数据库。如需使用名为replication的数据库,需在database列使用记录"replication"作为数据库名。 | +| DATABASE | 声明记录所匹配且允许访问的数据库。 | - all: 表示该记录匹配所有数据库。
- sameuser: 表示如果请求访问的数据库和请求的用户同名,则匹配。
- samerole: 表示请求的用户必须是与数据库同名角色中的成员。
- samegroup: 与samerole作用完全一致,表示请求的用户必须是与数据库同名角色中的成员。
- 一个包含数据库名的文件或者文件中的数据库列表: 文件可以通过在文件名前面加前缀@来声明。文件中的数据库列表以逗号或者换行符分隔。
- 特定的数据库名称或者用逗号分隔的数据库列表。
说明:
值replication表示如果请求一个复制链接,则匹配,但复制链接不表示任何特定的数据库。如需使用名为replication的数据库,需在database列使用记录"replication"作为数据库名。 | | USER | 声明记录所匹配且允许访问的数据库用户。 | - all: 表明该记录匹配所有用户。
- +用户角色: 表示匹配任何直接或者间接属于这个角色的成员。
说明:
+表示前缀符号。
- 一个包含用户名的文件或者文件中的用户列表: 文件可以通过在文件名前面加前缀@来声明。文件中的用户列表以逗号或者换行符分隔。
- 特定的数据库用户名或者用逗号分隔的用户列表。 | | ADDRESS | 指定与记录匹配且允许访问的IP地址范围。 | 支持IPv4和IPv6,可以使用如下两种形式来表示:
- IP地址/掩码长度。例如,10.10.0.0/24
- IP地址子网掩码。例如,10.10.0.0 255.255.255.0
说明:
以IPv4格式给出的IP地址会匹配那些拥有对应地址的IPv6连接,比如127.0.0.1将匹配IPv6地址 ::ffff:127.0.0.1 | | METHOD | 声明连接时使用的认证方法。 | 本产品支持如下几种认证方式,详细解释请参见[表3](#表1.2.2):
- trust
- reject
- md5(不推荐使用,默认不支持,可通过password_encryption_type参数配置)
说明:
MD5加密算法安全性低,存在安全风险,建议使用更安全的加密算法。
- sha256
- sm3
- cert
- gss(仅用于MogDB内部节点间认证)
- peer (仅用于local模式) |