Manage built-in authentication using password policies

This page describes how you can set and manage password policies for AlloyDB Omni.

About password policies

If your application's database users authenticate with AlloyDB Omni using the built-in, password-based method, then you can make authentication more secure by enforcing strong passwords. You define and enable password enforcement by setting an AlloyDB Omni password policy.

Limitations of password policies

AlloyDB Omni password policies have the following limitations:

  • Password policies apply only to passwords created after you set the policies. Existing user passwords aren't affected by a change in password policy.

  • Password policies apply only to passwords entered as plain text. Password policies don't apply to passwords entered as encrypted strings.

Set an AlloyDB Omni password policy

You set a password policy by updating Grand Unified Configuration (GUC) password parameters in your postgresql.conf configuration file. To learn how to set a GUC parameter, see Configure AlloyDB Omni database flags.

A password policy for AlloyDB Omni can include the following options:

  • Disallow username: prevent the username from being used in the password.

  • Password complexity: check that the password contains the required number of lowercase, uppercase, numeric, and non-alphanumeric characters, and that the password length is valid.

  • Password expiry: make sure that passwords are rotated periodically.

For a list of the password policy flags that AlloyDB Omni supports, see Password policy flags.

Preload the password validation library

For a password policy to take effect in AlloyDB Omni, the alloydb_password_validation library must be loaded. To load this library, do the following:

  1. Locate the postgresql.conf configuration file for your installation of AlloyDB Omni and open it in a text editor.

  2. Locate the shared_preload_libraries line and check if it includes alloydb_password_validation. If it doesn't, then you need to add it. When finished, your shared_preload_libraries line looks similar to the following:

     shared_preload_libraries = 'google_columnar_engine,google_job_scheduler,google_storage,alloydb_password_validation'

Enforce password complexity

To enforce a password-complexity policy, do the following:

  1. Verify that your postgresql.conf file preloads the password validation library.

  2. Set the password.enforce_complexity flag to ON.

  3. Use password policy flags to define your password policy.

For example, to enforce a password policy that states a password must contain at least one uppercase letter, one number, and be at least 10 characters long, you set the following in your postgresql.conf file:

  • password.enforce_complexity = ON
  • password.min_uppercase_letters = 1
  • password.min_numerical_chars = 1
  • password.min_pass_length = 10

After these flags are set, an attempt to set a database user password that doesn't comply with this password policy fails. For example, with this policy set, the following psql client command fails because the password foo is shorter than 10 characters and contains neither a number nor an uppercase character:

  CREATE USER USERNAME WITH PASSWORD 'foo';

Enforce password expiration

To enforce the password expiration policy, do the following:

  1. Verify that your postgresql.conf file preloads the password validation library.

  2. Set the password.enforce_expiration flag to ON.

  3. Set the password.expiration_in_days flag to the number of days after a password is set that it expires.

  4. Set the password.notify_expiration_in_days flag to the number of days before a password expires that a user starts receiving password expiration notifications.

For example, to enforce a password policy that states passwords expire after 30 days and that users are notified 15 days before their password expires, you must set the following in your postgresql.conf file:

  • password.enforce_expiration = ON
  • password.expiration_in_days = 30
  • password.notify_expiration_in_days = 15

If the password of a user expires, that user can't connect to AlloyDB Omni. To reset the password of a user, do the following:

  1. Connect to AlloyDB Omni using psql. For example, if you installed AlloyDB Omni using Docker, run the following command:

     docker exec -it CONTAINER-NAME psql -h localhost -U postgres

  2. At the postgres=# prompt, run the following command:

     ALTER USER USERNAME WITH PASSWORD 'NEW-PASSWORD';

For more information about changing a user's password, see ALTER ROLE in PostgreSQL documentation.

Enforce password based authentication for internal administrator accounts

Password enforcement for administrator accounts automates and centralizes the secure rotation and update of critical system passwords, usually using an external tool like Vault. This feature supports adherence to a zero-trust policy by enforcing password-based authentication for the critical administrator accounts that AlloyDB Omni uses to manage various internal processes.

Password enforcement is supported for the following database accounts:

  • alloydbadmin: the superuser account for the Kubernetes (K8s) controller.
  • alloydbmonitor: a read-only account for gathering database metrics.

To enable enforcement, you configure the database cluster specification to reference Kubernetes secret objects that store the passwords for these accounts. This process enhances security and reduces the manual overhead required to manage the credentials for your database's internal administration accounts.

Enable password enforcement

To enable password enforcement when you're creating a cluster, follow these steps:

  1. Make sure you have a Kubernetes cluster running AlloyDB Omni Kubernetes operator 1.7.0 or later.
  2. Add the systemUserPasswordRefs attribute to the DBCluster specification. This attribute must contain key-value pairs that link each internal system account name (for example, alloydbadmin and alloydbmonitor) to its corresponding Kubernetes secret object name.
  3. Before you create the database, make sure that the referenced Kubernetes secret contains the seed password for the user and that the attribute format follows this structure:

     systemUserPasswordRefs:
       USER_NAME: USER_NAME-PASSWORD-DATABASE_NAME

Manage password rotation securely

After you enable enforcement, use an external tool like Vault to manage ongoing password rotation securely.

  1. Update the database password. The external tool updates the password for the system account directly in AlloyDB Omni.
  2. Update the Kubernetes secret. The external tool then updates the associated Kubernetes secret object with the new password.

    • The secret object's content must be a key-value pair where the key is the database name, and the value is the base64-encoded new password.
    • We recommend using the following convention for the secret name:

       USER_NAME-pw-DATABASE_NAME

    The AlloyDB Omni operator detects the change to the Kubernetes secret and automatically updates the password cache used by the database agent running in the database pod. The agent then uses this new cached password for all future database operations.

Disable password enforcement for a specific user

To disable password enforcement for a specific system account, you must remove that user from the systemUserPasswordRefs list in the DBCluster specification.

  1. Remove the user. In the DBCluster specification, delete the key-value pair corresponding to the user that you want to exclude from password enforcement. For example, if you're disabling it for alloydbadmin, remove alloydbadmin: alloydbadmin-pw-dbcluster-sample.
  2. Apply the modified DBCluster specification using kubectl apply.

    After you apply the updated spec, password enforcement is disabled for that user.
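The rotation and disable steps above amount to keeping three things consistent: the secret name (the recommended USER_NAME-pw-DATABASE_NAME convention), the secret's single key (the database name) with a base64-encoded value, and the systemUserPasswordRefs map that points each system account at its secret. The following added example, which is not part of this page or of the AlloyDB Omni operator, builds those objects as plain Python dicts and checks them before a spec is applied. The cluster name dbcluster-sample and the sample password are constructed for the example; the account names are the two the page lists.

```python
import base64
import json

# Constructed names for this example (not from the page): a DBCluster called
# "dbcluster-sample" and the two system accounts the page lists.
DATABASE_NAME = "dbcluster-sample"
SYSTEM_USERS = ("alloydbadmin", "alloydbmonitor")


def secret_name(user_name: str, database_name: str) -> str:
    """Recommended secret-name convention from the page: USER_NAME-pw-DATABASE_NAME."""
    return f"{user_name}-pw-{database_name}"


def build_password_secret(user_name: str, database_name: str, new_password: str) -> dict:
    """Render the Secret the rotation tool writes after it has already changed
    the password in the database: one key (the database name) whose value is
    the base64-encoded new password, as Kubernetes expects under 'data'."""
    encoded = base64.b64encode(new_password.encode("utf-8")).decode("ascii")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": secret_name(user_name, database_name)},
        "type": "Opaque",
        "data": {database_name: encoded},
    }


def build_system_user_password_refs(database_name: str, users=SYSTEM_USERS) -> dict:
    """The systemUserPasswordRefs block: system account name -> secret object name."""
    return {user: secret_name(user, database_name) for user in users}


def disable_enforcement_for(refs: dict, user_name: str) -> dict:
    """Return a copy of the refs with one account removed, which is how the
    page says enforcement is disabled for that account."""
    return {user: name for user, name in refs.items() if user != user_name}


def password_from_secret(secret: dict, database_name: str) -> str:
    """Decode the value the operator would read back; raises KeyError when the
    key is not the database name (the layout the page requires)."""
    data = secret.get("data", {})
    if database_name not in data:
        raise KeyError(f"secret {secret['metadata']['name']} has no key {database_name!r}")
    return base64.b64decode(data[database_name]).decode("utf-8")


def validate_refs(refs: dict, secrets_by_name: dict, database_name: str) -> list:
    """Pre-apply check: every referenced secret exists and holds a non-empty
    password under the database-name key. Returns a list of problems."""
    problems = []
    for user, name in refs.items():
        secret = secrets_by_name.get(name)
        if secret is None:
            problems.append(f"{user}: secret {name} not found")
            continue
        try:
            if not password_from_secret(secret, database_name):
                problems.append(f"{user}: secret {name} holds an empty password")
        except KeyError as exc:
            problems.append(f"{user}: {exc}")
    return problems


if __name__ == "__main__":
    refs = build_system_user_password_refs(DATABASE_NAME)
    # Constructed sample password; a real rotation tool would generate it.
    admin_secret = build_password_secret("alloydbadmin", DATABASE_NAME, "Example-Passw0rd")
    secrets = {admin_secret["metadata"]["name"]: admin_secret}
    print(json.dumps(refs, indent=2))
    print(json.dumps(admin_secret, indent=2))
    # alloydbmonitor's secret is deliberately missing, so this reports it.
    print(validate_refs(refs, secrets, DATABASE_NAME))
    print(disable_enforcement_for(refs, "alloydbadmin"))
```

Run it with a real cluster by exporting the existing Secret objects (kubectl get secret -o json) into secrets_by_name; the validate step then tells you which referenced secret is missing or keyed wrongly before you apply the DBCluster spec.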

Don't allow usernames in passwords

To enforce the policy that prevents a password from containing a username, do the following:

  1. Verify that your postgresql.conf file preloads the password validation library.

  2. Set the password.enforce_password_does_not_contain_username flag to ON.

For example, to ensure that a password doesn't contain a username as a substring, you set the following in your postgresql.conf file:

  • password.enforce_password_does_not_contain_username = ON

If this flag is set, then the following operation fails because the password alex-secret contains the username alex:

  CREATE USER alex WITH PASSWORD 'alex-secret';
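The complexity, expiration and username rules above are all evaluated by the server when a plaintext password is set, so a failed CREATE USER or ALTER USER is the first time an operator learns the policy was violated. The following added example, which is not part of this page or of the alloydb_password_validation library, reads the password.* flags named on this page out of a postgresql.conf-style text and applies the same three kinds of check locally, so a provisioning script can reject a candidate password before sending it to the database. The conf fragment is constructed from the page's own example values. Two details are assumptions, not behaviour the page states: the username match is case-insensitive (stricter than a literal substring test), and a password counts as expired once expiration_in_days have fully elapsed.

```python
import re
from datetime import date, timedelta

# Constructed postgresql.conf fragment using only the flags this page names,
# with the page's example values.
SAMPLE_CONF = """
password.enforce_complexity = ON
password.min_uppercase_letters = 1
password.min_numerical_chars = 1
password.min_pass_length = 10
password.enforce_expiration = ON
password.expiration_in_days = 30
password.notify_expiration_in_days = 15
password.enforce_password_does_not_contain_username = ON
"""

# One GUC assignment per line; quotes and trailing comments are tolerated.
_LINE = re.compile(r"^\s*(password\.[a-z_]+)\s*=\s*'?([^'#\s]+)'?\s*(?:#.*)?$")


def parse_password_flags(conf_text: str) -> dict:
    """Collect the password.* GUC lines; ON/OFF become bools, numbers become ints."""
    flags = {}
    for line in conf_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2)
        if raw.upper() in ("ON", "OFF", "TRUE", "FALSE"):
            flags[key] = raw.upper() in ("ON", "TRUE")
        else:
            flags[key] = int(raw)
    return flags


def check_password(flags: dict, username: str, password: str) -> list:
    """Set-time checks on a plaintext password. Returns the violated rules in
    the order checked; an empty list means the server-side policy would accept
    it. Like the server, this cannot inspect an already-encrypted password."""
    violations = []
    if flags.get("password.enforce_complexity", False):
        if len(password) < flags.get("password.min_pass_length", 0):
            violations.append("min_pass_length")
        if sum(c.isupper() for c in password) < flags.get("password.min_uppercase_letters", 0):
            violations.append("min_uppercase_letters")
        if sum(c.isdigit() for c in password) < flags.get("password.min_numerical_chars", 0):
            violations.append("min_numerical_chars")
    if flags.get("password.enforce_password_does_not_contain_username", False):
        # Assumption: case-insensitive substring match (stricter than the page states).
        if username.lower() in password.lower():
            violations.append("password_contains_username")
    return violations


def expiration_status(flags: dict, password_set_on: str, today: str) -> tuple:
    """Return (state, days_left) for ISO dates: 'ok', 'notify' (inside the
    notify window), 'expired', or ('disabled', None) when not enforced.
    Assumption: expired once days_left reaches 0."""
    if not flags.get("password.enforce_expiration", False):
        return ("disabled", None)
    set_on = date.fromisoformat(password_set_on)
    expires_on = set_on + timedelta(days=flags["password.expiration_in_days"])
    days_left = (expires_on - date.fromisoformat(today)).days
    if days_left <= 0:
        return ("expired", days_left)
    if days_left <= flags.get("password.notify_expiration_in_days", 0):
        return ("notify", days_left)
    return ("ok", days_left)


if __name__ == "__main__":
    policy = parse_password_flags(SAMPLE_CONF)
    # The page's two failing examples, plus one that passes.
    for user, pw in (("USERNAME", "foo"), ("alex", "alex-secret"), ("alex", "Sup3r-strong!")):
        print(user, repr(pw), check_password(policy, user, pw) or "accepted")
    print(expiration_status(policy, "2024-01-01", "2024-01-20"))
```

The violation names are the page's flag names without the password. prefix, so a script can map a rejection straight back to the GUC that caused it.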
