This page describes how you can set and manage password policies for AlloyDB Omni.
About password policies
If your application's database users authenticate with AlloyDB Omni using the built-in, password-based method, then you can make authentication more secure by enforcing strong passwords. You can define and enable password enforcement by setting an AlloyDB Omni password policy.
Limitations of password policies
AlloyDB Omni password policies have the following limitations:
Password policies apply only to passwords created after you set the policies. Existing user passwords aren't affected by a change in password policy.
Password policies apply only to passwords entered as plain text. Password policies don't apply to passwords entered as encrypted strings.
Set an AlloyDB Omni password policy
You set a password policy by updating Grand Unified Configuration (GUC) password parameters in your postgresql.conf configuration file. To learn how to set a GUC parameter, see Configure AlloyDB Omni database flags.
A password policy for AlloyDB Omni can include the following options:
Disallow username: prevent the username from being used in the password.
Password complexity: check if the password contains the allowed number of lowercase, uppercase, numeric, and non-alphanumeric characters. Also check if the password length is valid.
Password expiry: make sure that passwords are rotated periodically.
For a list of the password policy flags that AlloyDB Omni supports, see Password policy flags.
Preload the password validation library
For a password policy to take effect in AlloyDB Omni, the alloydb_password_validation library must be loaded. To load this library, do the following:
1. Locate the postgresql.conf configuration file for your installation of AlloyDB Omni and open it in a text editor.
2. Locate the shared_preload_libraries line and check whether it includes alloydb_password_validation. If it doesn't, add it. When finished, your shared_preload_libraries line looks similar to the following:
shared_preload_libraries='google_columnar_engine,google_job_scheduler,google_storage,alloydb_password_validation'
Enforce password complexity
To enforce a password-complexity policy, do the following:
1. Verify that your postgresql.conf file preloads the password validation library.
2. Set the password.enforce_complexity flag to ON.
3. Use password policy flags to define your password policy.
For example, to enforce a password policy that states a password must contain at least one uppercase letter, one number, and be at least 10 characters long, you set the following in your postgresql.conf file:
password.enforce_complexity = ON
password.min_uppercase_letters = 1
password.min_numerical_chars = 1
password.min_pass_length = 10
After these flags are set, an attempt to set a database user password that doesn't comply with this password policy fails. For example, with this policy set, the following psql client command fails because the password foo is less than 10 characters and doesn't contain a number or an uppercase character.
CREATE USER USERNAME WITH PASSWORD 'foo';
Enforce password expiration
To enforce the password expiration policy, do the following:
1. Verify that your postgresql.conf file preloads the password validation library.
2. Set the password.enforce_expiration flag to ON.
3. Set the password.expiration_in_days flag to the number of days after a password is set that it expires.
4. Set the password.notify_expiration_in_days flag to the number of days before a password expires that a user starts receiving password expiration notifications.
For example, to enforce a password policy that states passwords expire after 30 days and that users are notified 15 days before their password expires, you must set the following in your postgresql.conf file:
password.enforce_expiration = ON
password.expiration_in_days = 30
password.notify_expiration_in_days = 15
If the password of a user expires, that user can't connect to AlloyDB Omni. To reset the password of a user, do the following:
1. Connect to AlloyDB Omni using psql. For example, if you installed AlloyDB Omni using Docker, run the following command:
docker exec -it CONTAINER-NAME psql -h localhost -U postgres
2. At the postgres=# prompt, run the following command:
ALTER USER USERNAME WITH PASSWORD 'NEW-PASSWORD';
For more information about changing a user's password, see ALTER ROLE in the PostgreSQL documentation.
Don't allow usernames in passwords
To enforce the policy that prevents a password from containing a username, do the following:
1. Verify that your postgresql.conf file preloads the password validation library.
2. Set the password.enforce_password_does_not_contain_username flag to ON.
For example, to ensure that a password doesn't contain a username as a substring, you set the following in your postgresql.conf file:
password.enforce_password_does_not_contain_username = ON
If this flag is set, then the following operation fails because the password
alex-secret
contains the username alex
:
CREATE USER alex WITH PASSWORD 'alex-secret';
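As an added example that is not part of the AlloyDB Omni documentation or product, the following Python mirrors the complexity, expiration, and username flags used on this page, so that a provisioning script can reject a password before sending it to the server and can report which users are in the notification window. The md5 and SCRAM-SHA-256$ prefixes used to detect pre-hashed strings, the plain substring test for the username, and the treatment of the expiry boundary day are assumptions, not documented server behavior.

```python
import re
from datetime import date, timedelta
# Constructed sample: the postgresql.conf flags this page sets, combined in one file.
SAMPLE_CONF = """
password.enforce_complexity = ON
password.min_uppercase_letters = 1
password.min_numerical_chars = 1
password.min_pass_length = 10
password.enforce_expiration = ON
password.expiration_in_days = 30
password.notify_expiration_in_days = 15
password.enforce_password_does_not_contain_username = ON
"""

def parse_policy(conf_text):
    """Collect password.* GUC lines: ON/OFF become bools, integers become ints."""
    policy = {}
    for key, val in re.findall(r"^\s*(password\.\w+)\s*=\s*'?(\w+)'?", conf_text, re.M):
        val = val.upper()
        policy[key] = val == "ON" if val in ("ON", "OFF") else int(val)
    return policy

def check_password(username, password, policy):
    """Return the violations the server would reject this plaintext password for."""
    # Assumption: md5/SCRAM verifier prefixes are the "encrypted strings" the page says the server policy skips.
    if password.startswith(("md5", "SCRAM-SHA-256$")):
        return ["pre-hashed password: server policy is not applied"]
    problems = []
    if policy.get("password.enforce_complexity"):
        if sum(c.isupper() for c in password) < policy.get("password.min_uppercase_letters", 0):
            problems.append("too few uppercase letters")
        if sum(c.isdigit() for c in password) < policy.get("password.min_numerical_chars", 0):
            problems.append("too few numeric characters")
        if len(password) < policy.get("password.min_pass_length", 0):
            problems.append("too short")
    if policy.get("password.enforce_password_does_not_contain_username") and username in password:
        problems.append("contains username")  # plain substring test, as on this page
    return problems

def expiry_status(set_on_iso, today_iso, policy):
    """Classify a password as 'ok', 'notify' or 'expired' from the expiration flags."""
    if not policy.get("password.enforce_expiration"):
        return "ok"
    set_on, today = date.fromisoformat(set_on_iso), date.fromisoformat(today_iso)
    expires = set_on + timedelta(days=policy["password.expiration_in_days"])
    if today >= expires:  # assumption: counted as expired on the boundary day itself
        return "expired"
    if today >= expires - timedelta(days=policy["password.notify_expiration_in_days"]):
        return "notify"
    return "ok"
```

With the sample flags, check_password("alex", "alex-secret", policy) reports the username violation from this page, and expiry_status reports "notify" from day 15 before the 30-day expiry onward.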