CREATE PROFILE - PolarDB - Alibaba Cloud Documentation Center

To secure your database, you may need to manage the lifecycle and complexity of user passwords. This includes forcing users to change passwords regularly, limiting retry attempts to prevent brute-force attacks, and requiring passwords to contain numbers and special characters. PolarDB for PostgreSQL (Compatible with Oracle) provides the PROFILE feature to meet these needs. By creating and applying profiles, you can centrally define and implement a complete set of password security policies, thereby enhancing the overall security posture of your database system..

Overview

A PROFILE is a database object in PolarDB for PostgreSQL (Compatible with Oracle). It contains a set of parameters for managing user password policies. You can create one or more PROFILEs and assign them to different database users.

Each user must be associated with a PROFILE. If you do not specify a profile when you create a user, the system automatically assigns the default profile named DEFAULT. You can use the CREATE PROFILE command to customize password policies. Then, you can manage and assign them with the ALTER PROFILE or ALTER USER commands.

Prerequisites

Your PolarDB for PostgreSQL (Compatible with Oracle) cluster must run minor engine version 2.0.14.17.36.0 or later.

Note

You can view the minor engine version in the console or run the SHOW polardb_version; statement to check the version. If your cluster does not meet the minor engine version requirement, upgrade the minor engine version.

Benefits

Centralized management: Frees password policies from application-level or manual management by allowing the database to enforce them uniformly, ensuring consistency and reliability.
Enhanced security: Effectively defends against common security threats like brute-force attacks and weak passwords through mechanisms such as password expiration, retry lockout, and complexity validation.
High flexibility: Supports the creation of multiple different profiles, allowing you to apply distinct password policies to users with different security levels (e.g., administrators, regular users, application accounts).

Notes

The scope of a PROFILE object is limited to the database where it is created. All operations, such as creating, modifying, querying, and assigning a PROFILE, must be performed in the same database.

Syntax

CREATE PROFILE profile_name LIMIT
    { password_parameter { integer | UNLIMITED | DEFAULT } } [, ...]

Parameters
A PROFILE includes the following parameters for password policies:

Parameter	Default value	Valid values	Description
`FAILED_LOGIN_ATTEMPTS`	UNLIMITED	1 - Unlimited	The maximum number of consecutive failed logon attempts. The account is locked after this limit is reached.
`PASSWORD_LIFE_TIME`	UNLIMITED	1 - Unlimited	The password validity period in days. After this period, the user must change the password at the next logon.
`PASSWORD_REUSE_TIME`	UNLIMITED	1 - Unlimited	The interval in days before a password can be reused. Within this period, a user cannot reuse an old password.
`PASSWORD_REUSE_MAX`	UNLIMITED	1 - Unlimited	The number of password changes required before an old password can be reused.
`PASSWORD_VERIFY_FUNCTION`	NULL	Function name or NULL	The name of the custom PL/SQL function used to verify password complexity.
`PASSWORD_LOCK_TIME`	UNLIMITED	1 - Unlimited	The duration in days that an account is locked due to failed logon attempts.
`PASSWORD_GRACE_TIME`	UNLIMITED	1 - Unlimited	The grace period in days after a password expires. During this period, the user receives a warning but can still log on.

Each parameter can be set to a specific integer value, UNLIMITED, or DEFAULT (uses the default configuration file settings). The PASSWORD_VERIFY_FUNCTION parameter can also be set to NULL to disable password complexity verification.

Examples

The following examples guide you through the process of creating, assigning, and managing a PROFILE.

1. (Optional) Create a password complexity verification function

To enforce password complexity, you first need to create a password verification function. This function is called when a user sets or changes a password. If the password does not meet the specified rules, the function throws an exception to prevent the operation.

-- Create a function named pwd_verify
CREATE OR REPLACE FUNCTION public.pwd_verify(
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2
) RETURN BOOLEAN
AS
BEGIN
  -- Rule 1: The password cannot be empty.
  IF password IS NULL THEN
    RAISE_APPLICATION_ERROR(-20000, 'Password cannot be empty');
  END IF;

  -- Rule 2: The password must be at least 8 characters long.
  IF LENGTH(password) < 8 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 8 characters long');
  END IF;

  -- Rule 3: The password must contain at least one uppercase letter, one lowercase letter, and one special character.
  IF NOT REGEXP_LIKE(password, '[A-Z]') OR 
     NOT REGEXP_LIKE(password, '[a-z]') OR
     NOT REGEXP_LIKE(password, '[^A-Za-z0-9]') THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password must contain an uppercase letter, a lowercase letter, and a special character');
  END IF;

  RETURN TRUE;
END;
/

You can also implement more complex verification logic in the function to meet your security requirements. For example, you can check whether the password contains the username or is too similar to previous passwords.

Example of a custom password verification function

-- Example of creating a custom password verification function
CREATE OR REPLACE FUNCTION custom_password_verify
(username VARCHAR2, password VARCHAR2, old_password VARCHAR2)
RETURN BOOLEAN IS
BEGIN
    -- Check password length
    IF LENGTH(password) < 8 THEN
        RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 8 characters long');
    END IF;

    -- Check if the password contains a number
    IF NOT REGEXP_LIKE(password, '[0-9]') THEN
        RAISE_APPLICATION_ERROR(-20002, 'Password must contain a number');
    END IF;

    -- Check if the password contains an uppercase letter
    IF NOT REGEXP_LIKE(password, '[A-Z]') THEN
        RAISE_APPLICATION_ERROR(-20003, 'Password must contain an uppercase letter');
    END IF;

    -- Check if the password contains a lowercase letter
    IF NOT REGEXP_LIKE(password, '[a-z]') THEN
        RAISE_APPLICATION_ERROR(-20004, 'Password must contain a lowercase letter');
    END IF;

    -- Check if the password contains a special character
    IF NOT REGEXP_LIKE(password, '[^A-Za-z0-9]') THEN
        RAISE_APPLICATION_ERROR(-20005, 'Password must contain a special character');
    END IF;

    RETURN TRUE;
END;

2. Create a PROFILE

Use the CREATE PROFILE command to create a new profile and specify its security policies.

-- Create a profile named secure_profile
CREATE PROFILE secure_profile LIMIT
    FAILED_LOGIN_ATTEMPTS 3         -- Allow a maximum of 3 failed logon attempts
    PASSWORD_LIFE_TIME 60           -- Password is valid for 60 days
    PASSWORD_REUSE_TIME 30          -- Old passwords cannot be reused within 30 days
    PASSWORD_REUSE_MAX 5            -- Password must be changed 5 times before reuse
    PASSWORD_VERIFY_FUNCTION pwd_verify -- Use the function created in the previous step to verify complexity
    PASSWORD_LOCK_TIME 1            -- Lock the account for 1 day
    PASSWORD_GRACE_TIME 7;          -- 7-day grace period after password expiration

3. View PROFILE information

You can query the dba_profiles view to check the configuration information of the PROFILE.

-- View PROFILE information
SELECT *
FROM dba_profiles
WHERE profile = 'SECURE_PROFILE'
ORDER BY profile, resource_name;

4. Assign the PROFILE to a user

After you create a PROFILE, you must assign it to a user for the policies to take effect.

Assign a profile when you create a new user:

CREATE USER john_doe IDENTIFIED BY "SecurePass123!" PROFILE secure_profile;

Assign a profile to an existing user:

ALTER USER jane_doe PROFILE secure_profile;

5. Manage user account status

If a user account is locked because it triggered a PROFILE policy, such as exceeding the number of failed logon attempts, manually unlock the account.

Unlock a user account:
```
ALTER USER john_doe ACCOUNT UNLOCK;
```
Reset the password and unlock the account:
When you reset a user's password, the account is automatically unlocked.
```
ALTER USER john_doe IDENTIFIED BY "NewSecurePass456!" ACCOUNT UNLOCK;
```

FAQ

What should I do if a user receives an error that their password does not meet complexity requirements?

This error usually occurs because the new password does not meet the requirements of the PASSWORD_VERIFY_FUNCTION function specified in the PROFILE. Check the function's logic to ensure the new password meets all rules, such as length and character types.

Why does a user account get locked frequently?

This can happen for the following reasons:

The FAILED_LOGIN_ATTEMPTS value is too low: A user might be locked out due to normal typos. You can consider increasing this value using the ALTER PROFILE command.
Malicious attacks or application errors: You can check the database logs for brute-force attack attempts from unknown IP addresses. You can also check whether an automated script is continuously trying to connect with incorrect credentials.
The lockout duration is too long: If the PASSWORD_LOCK_TIME value is too high, users must wait for a long time before they can log on again. You can adjust this value as needed or manually unlock the account after you confirm that it is safe.