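Document purpose
One of the new features in Enterprise Edition V6.0.2 is that identity authentication is now controlled by a plugin (passwordcheck). This document describes how the identity-authentication features change in V6.0.2 when the passwordcheck plugin is enabled or disabled.
Details
After initialization, the passwordcheck plugin is enabled by default.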
highgo=# \dx
List of installed extensions
Name | Version | Schema | Description
---------------+---------+--------------------+----------------------------------------------------------------------------------------------
alter_pg_func | 1.0 | information_schema | Compatible with oracle function
orafce | 3.13 | pg_catalog | Functions and operators that emulate a subset of functions and packages from the Oracle RDBMS
passwordcheck | 1.0 | information_schema | passwordcheck
plpgsql | 1.0 | pg_catalog | PL/pgSQL procedural language
(4 rows)
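When the passwordcheck plugin is enabled, a new user's password must meet the password complexity requirements, the password validity period is 7 days, and the wrong-password attempt check is 5 attempts.
For the password complexity rules and their configuration, see the support article "Enterprise Edition V6 Password Complexity Configuration".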
highgo=# create user test01 with password 'highgo@123';
ERROR: Password must contain upper and lower case letters, numbers, and special characters:highgo@123.
highgo=# create user test01 with password 'Highgo@123';
ERROR: The password cannot contain highgo keyword.
highgo=# create user test01 with password 'Hello@123';
CREATE ROLE
highgo=# \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------------------+-----------
highgo | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
test01 | Password valid until 2021-07-02 14:06:51.29176+08 | {}
highgo=# \q
[highgo602@host ~]$ psql -U test01 -d highgo
Password for user test01:
psql: error: could not connect to server: FATAL: You still have 4 chances to enter your password before your account get locked.
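After the passwordcheck plugin is dropped, the identity-authentication parameters hgidcheck.pwdlock, hgidcheck.pwdlocktime and hgidcheck.pwdvaliduntil no longer take effect. New users are created with no password complexity requirement and no wrong-password attempt check, and their passwords are valid permanently.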
highgo=# drop extension passwordcheck ;
DROP EXTENSION
highgo=# create user test02 with password 'highgo@123';
CREATE ROLE
highgo=# \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------------------+-----------
highgo | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
test01 | Password valid until 2022-07-02 00:00:00+08 | {}
test02 | | {}
highgo=# \q
[highgo602@host ~]$ psql -U test02 -d highgo
Password for user test02:
psql: error: could not connect to server: FATAL: Password does not match
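An audit query for the state described above, added here as an example and not taken from the original article: it reports whether passwordcheck is installed in the current database and flags login roles whose password has no expiry, as test02 does after the extension is dropped. It assumes HighGo DB exposes the standard PostgreSQL catalogs pg_extension and pg_roles.

```sql
-- Added example, not from the original article.
-- Assumption: the standard PostgreSQL catalogs pg_extension and pg_roles
-- are available. Extensions are registered per database, so run this in
-- every database where \dx is expected to list passwordcheck.
WITH ext AS (
    SELECT EXISTS (
        SELECT 1
        FROM pg_extension
        WHERE extname = 'passwordcheck'
    ) AS passwordcheck_installed
)
SELECT r.rolname,
       r.rolsuper,
       r.rolvaliduntil,
       ext.passwordcheck_installed,
       CASE
           -- An empty "Password valid until" in \du: the password never expires.
           WHEN r.rolvaliduntil IS NULL
             OR r.rolvaliduntil = 'infinity' THEN 'password never expires'
           WHEN r.rolvaliduntil < now()       THEN 'password expired'
           ELSE 'expiry set'
       END AS finding
FROM pg_roles AS r
CROSS JOIN ext
WHERE r.rolcanlogin            -- only roles that can log in
  AND r.rolname !~ '^pg_'      -- skip built-in pg_* roles
ORDER BY finding DESC, r.rolname;
```

A row with passwordcheck_installed = f together with 'password never expires' matches the test02 case shown in the session above.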