@@ -1483,3 +1483,212 @@ The ``replication`` section defines configuration parameters related to :ref:`re
14831483| Default: 1
14841484| Environment variable: TT_REPLICATION_TIMEOUT
14851485
1486+
1487+
1488+ .. _configuration_reference_security :
1489+
1490+ security
1491+ --------
1492+
1493+ .. admonition :: Enterprise Edition
1494+ :class: fact
1495+
1496+ Configuring security parameters is available in the `Enterprise Edition <https://www.tarantool.io/compare/ >`_ only.
1497+
1498+ The ``security `` section defines configuration parameters related to various security settings.
1499+
1500+ - :ref: `security.auth_delay <configuration_reference_security_auth_delay >`
1501+ - :ref: `security.auth_retries <configuration_reference_security_auth_retries >`
1502+ - :ref: `security.auth_type <configuration_reference_security_auth_type >`
1503+ - :ref: `security.disable_guest <configuration_reference_security_disable_guest >`
1504+ - :ref: `security.password_enforce_digits <configuration_reference_security_password_enforce_digits >`
1505+ - :ref: `security.password_enforce_lowercase <configuration_reference_security_password_enforce_lowercase >`
1506+ - :ref: `security.password_enforce_specialchars <configuration_reference_security_password_enforce_specialchars >`
1507+ - :ref: `security.password_enforce_uppercase <configuration_reference_security_password_enforce_uppercase >`
1508+ - :ref: `security.password_history_length <configuration_reference_security_password_history_length >`
1509+ - :ref: `security.password_lifetime_days <configuration_reference_security_password_lifetime_days >`
1510+ - :ref: `security.password_min_length <configuration_reference_security_password_min_length >`
1511+ - :ref: `security.secure_erasing <configuration_reference_security_secure_erasing >`
1512+
1513+
1514+ .. _configuration_reference_security_auth_delay :
1515+
1516+ .. confval :: security.auth_delay
1517+
1518+ Specify a period of time (in seconds) that a specific user should wait for the next attempt after failed authentication.
1519+
1520+ |
1521+ | Type: number
1522+ | Default: 0
1523+ | Environment variable: TT_SECURITY_AUTH_DELAY
1524+
1525+
1526+ .. _configuration_reference_security_auth_retries :
1527+
1528+ .. confval :: security.auth_retries
1529+
1530+ Specify the maximum number of authentication retries allowed before throttling is enabled.
1531+ The default value is 0, which means throttling is enabled after the first failed authentication attempt.
1532+
1533+ With the configuration below, Tarantool lets a client try to authenticate with the same username three times.
1534+ At the fourth attempt, the authentication delay configured with ``security.auth_delay `` is enforced.
1535+
1536+ .. literalinclude :: /code_snippets/snippets/config/instances.enabled/security_auth_restrictions/config.yaml
1537+ :language: yaml
1538+ :start-at: security:
1539+ :end-at: auth_retries: 2
1540+ :dedent:
1541+
1542+ The retry counter is reset after ``security.auth_delay `` seconds since the first failed attempt.
1543+ For example, if a client tries to authenticate fewer than ``security.auth_retries `` times within ``security.auth_delay `` seconds, no authentication delay is enforced.
1544+ The retry counter is also reset after any successful authentication attempt.
1545+
1546+ |
1547+ | Type: integer
1548+ | Default: 0
1549+ | Environment variable: TT_SECURITY_AUTH_RETRIES
1550+
1551+
1552+ .. _configuration_reference_security_auth_type :
1553+
1554+ .. confval :: security.auth_type
1555+
1556+ Specify a protocol used to authenticate users.
1557+ The possible values are:
1558+
1559+ - ``chap-sha1 ``: use the `CHAP <https://en.wikipedia.org/wiki/Challenge-Handshake_Authentication_Protocol >`_ protocol with ``SHA-1 `` hashing applied to :ref: `passwords <authentication-passwords >`.
1560+ - ``pap-sha256 ``: use `PAP <https://en.wikipedia.org/wiki/Password_Authentication_Protocol >`_ authentication with the ``SHA256 `` hashing algorithm.
1561+
1562+ Note that CHAP stores password hashes in the ``_user `` space unsalted.
1563+ If an attacker gains access to the database, they may crack a password, for example, using a `rainbow table <https://en.wikipedia.org/wiki/Rainbow_table >`_.
1564+ For PAP, a password is salted with a user-unique salt before saving it in the database,
1565+ which keeps the database protected from cracking using a rainbow table.
1566+
1567+ To enable PAP, specify the ``security.auth_type `` option as follows:
1568+
1569+ .. literalinclude :: /code_snippets/snippets/config/instances.enabled/security_auth_protocol/config.yaml
1570+ :language: yaml
1571+ :start-at: security:
1572+ :end-at: 'pap-sha256'
1573+ :dedent:
1574+
1575+ |
1576+ | Type: string
1577+ | Default: 'chap-sha1'
1578+ | Environment variable: TT_SECURITY_AUTH_TYPE
1579+
1580+
1581+ .. _configuration_reference_security_disable_guest :
1582+
1583+ .. confval :: security.disable_guest
1584+
1585+ If **true **, turn off access over remote connections from unauthenticated or :ref: `guest access <authentication-passwords >` users.
1586+ This option affects connections between cluster members and :doc: `net.box </reference/reference_lua/net_box >` connections.
1587+
1588+ |
1589+ | Type: boolean
1590+ | Default: false
1591+ | Environment variable: TT_SECURITY_DISABLE_GUEST
1592+
1593+
1594+ .. _configuration_reference_security_password_enforce_digits :
1595+
1596+ .. confval :: security.password_enforce_digits
1597+
1598+ If **true **, a password should contain digits (0-9).
1599+
1600+ |
1601+ | Type: boolean
1602+ | Default: false
1603+ | Environment variable: TT_SECURITY_PASSWORD_ENFORCE_DIGITS
1604+
1605+
1606+ .. _configuration_reference_security_password_enforce_lowercase :
1607+
1608+ .. confval :: security.password_enforce_lowercase
1609+
1610+ If **true **, a password should contain lowercase letters (a-z).
1611+
1612+ |
1613+ | Type: boolean
1614+ | Default: false
1615+ | Environment variable: TT_SECURITY_PASSWORD_ENFORCE_LOWERCASE
1616+
1617+
1618+ .. _configuration_reference_security_password_enforce_specialchars :
1619+
1620+ .. confval :: security.password_enforce_specialchars
1621+
1622+ If **true **, a password should contain at least one special character (such as ``&|?!@$ ``).
1623+
1624+ |
1625+ | Type: boolean
1626+ | Default: false
1627+ | Environment variable: TT_SECURITY_PASSWORD_ENFORCE_SPECIALCHARS
1628+
1629+
1630+ .. _configuration_reference_security_password_enforce_uppercase :
1631+
1632+ .. confval :: security.password_enforce_uppercase
1633+
1634+ If **true **, a password should contain uppercase letters (A-Z).
1635+
1636+ |
1637+ | Type: boolean
1638+ | Default: false
1639+ | Environment variable: TT_SECURITY_PASSWORD_ENFORCE_UPPERCASE
1640+
1641+
1642+ .. _configuration_reference_security_password_history_length :
1643+
1644+ .. confval :: security.password_history_length
1645+
1646+ Specify the number of unique new user passwords before an old password can be reused.
1647+
1648+ |
1649+ | Type: integer
1650+ | Default: 0
1651+ | Environment variable: TT_SECURITY_PASSWORD_HISTORY_LENGTH
1652+
1653+
1654+ .. _configuration_reference_security_password_lifetime_days :
1655+
1656+ .. confval :: security.password_lifetime_days
1657+
1658+ Specify the maximum period of time (in days) a user can use the same password.
1659+ When this period ends, a user gets the "Password expired" error on a login attempt.
1660+ To restore access for such users, use :doc: `box.schema.user.passwd </reference/reference_lua/box_schema/user_passwd >`.
1661+
1662+ .. note ::
1663+
1664+ The default 0 value means that a password never expires.
1665+
1666+ |
1667+ | Type: integer
1668+ | Default: 0
1669+ | Environment variable: TT_SECURITY_PASSWORD_LIFETIME_DAYS
1670+
1671+
1672+ .. _configuration_reference_security_password_min_length :
1673+
1674+ .. confval :: security.password_min_length
1675+
1676+ Specify the minimum number of characters for a password.
1677+
1678+ |
1679+ | Type: integer
1680+ | Default: 0
1681+ | Environment variable: TT_SECURITY_PASSWORD_MIN_LENGTH
1682+
1683+
1684+ .. _configuration_reference_security_secure_erasing :
1685+
1686+ .. confval :: security.secure_erasing
1687+
1688+ If **true **, forces Tarantool to overwrite a data file a few times before deletion to render recovery of a deleted file impossible.
1689+ The option applies to both ``.xlog `` and ``.snap `` files as well as Vinyl data files.
1690+
1691+ |
1692+ | Type: boolean
1693+ | Default: false
1694+ | Environment variable: TT_SECURITY_SECURE_ERASING
0 commit comments