Connection and Authentication Category Parameters

This document describes the relevant parameters for the connection and authentication categories in the system configuration parameters.

Note
To ensure the stability and security of the system, be sure to modify the relevant parameters manually.


Connection Settings

bonjour


Whether to enable Bonjour in the database.

| Data Type | Default | Set Category |
| --- | --- | --- |
| boolean | off | segments; system; restart |

bonjour_name


Specify the Bonjour broadcast name.

  • The default is an empty string, which means the computer name is used.
  • Ignore this option if the server does not support the Bonjour service.

| Data Type | Default | Set Category |
| --- | --- | --- |
| string | | segments; system; restart |

gp_connection_send_timeout


Timeout, in seconds, for sending data to an unresponsive YMatrix database client during query processing.

  • A value of 0 will disable the timeout and the YMatrix database will wait for the client indefinitely.
  • The default value is 3600 seconds, i.e. 1 hour.
  • After the timeout is reached, the query is cancelled with the following message: Could not send data to client: Connection timed out.

| Data Type | Default | Set Category |
| --- | --- | --- |
| int | 3600 | segments; system; reload |

listen_addresses


Specifies the TCP/IP address(es) on which the server listens for connections from client applications, as a comma-separated list of host names and/or numeric IP addresses.

  • The special entry '*' corresponds to all available IP interfaces. If the list is empty, the server can only be reached through UNIX domain sockets.

| Data Type | Default | Set Category |
| --- | --- | --- |
| string | * | segments; system; restart |

max_connections


The maximum number of concurrent connections to the database server.

  • In the YMatrix database system, user client connections only go through the Master node instance.
  • When a Standby master is in use, this parameter on the Standby must be set equal to or higher than on the Master; otherwise queries will not run on the Standby.
  • The number of connections on the Segment node instances should be set to 5-10 times that of the Master instance.
  • When increasing this parameter, you must also increase max_prepared_transactions.
  • Increasing max_connections may cause YMatrix to request more shared memory. For information about shared memory buffers for YMatrix server instances, see shared_buffers.

| Data Type | Default | Value Range | Set Category |
| --- | --- | --- | --- |
| int | 300 | 10 ~ 262143 | segments; system; restart |

port


The database listening port for node instances in YMatrix.

  • Master and each Segment have their own port.
  • Changes must be synchronized in gp_segment_configuration.
  • This parameter can only be set when the server starts, and you must turn off the YMatrix database system before changing the port number.

| Data Type | Default | Set Category |
| --- | --- | --- |
| int | 5432 | segments; system; restart |

superuser_reserved_connections


The number of connections reserved for superusers in the YMatrix database.

  • At any time, the maximum number of active concurrent connections available to non-superusers is max_connections minus superuser_reserved_connections.

| Data Type | Default | Value Range | Set Category |
| --- | --- | --- | --- |
| int | 10 | 1 ~ 262143 | segments; system; restart |

unix_socket_directories


The UNIX domain socket directory used by the server to listen for connections from client applications.

  • Multiple sockets can be created by listing multiple directories separated by commas.
  • An empty value specifies that no UNIX domain socket is listened on, in which case only TCP/IP sockets can be used to connect to the server.
  • In addition to the socket file itself (named .s.PGSQL.nnnn, where nnnn is the server's port number), an ordinary file named .s.PGSQL.nnnn.lock is created in every unix_socket_directories directory. Do not remove these files manually.
  • This parameter can only be set at server start. It is not supported on Windows.

| Data Type | Default | Set Category |
| --- | --- | --- |
| string | /tmp | segments; system; restart |

unix_socket_group


Sets the group to which the UNIX domain socket belongs.

  • The default is an empty string, which means the default group of the current user is used.
  • This parameter can only be set at server start. It is not supported on Windows.

| Data Type | Default | Value Range | Set Category |
| --- | --- | --- | --- |
| string | | UNIX group name | segments; system; restart |

unix_socket_permissions


Sets access permissions for UNIX domain sockets.

  • UNIX domain sockets use the normal UNIX file system permission set.
  • The value must start with 0 and be written in octal notation.
  • For UNIX domain sockets, only the write permission matters.
  • The default permission is 0777, which means that anyone can connect. Reasonable alternatives are 0770 (accessible only to the owner and members of the socket's group) and 0700 (accessible only to the owner). These are numeric UNIX file permission modes (the form accepted by the chmod system call or the umask command).

| Data Type | Default | Value Range | Set Category |
| --- | --- | --- | --- |
| int | 0777 | 0000 ~ 0777 | segments; system; restart |

tcp_keepalives_count


Specifies the number of TCP Keepalive messages that can be lost before a server-to-client connection is considered interrupted.

  • This parameter is only supported on systems that support the TCP_KEEPCNT or equivalent socket option. On other systems (such as Windows), it must be zero. In a session connected through a UNIX domain socket, this parameter is ignored and always read as zero.
  • This parameter is used for all connections not between Primary and Mirror.
  • The default value is 0, which means the system default value is used.

| Data Type | Default | Value Range | Set Category |
| --- | --- | --- | --- |
| int | 0 | 0 ~ INT_MAX | segments; system; restart |

tcp_keepalives_idle


Specifies the number of seconds of inactivity after which the server sends a TCP Keepalive message to the client.

  • This parameter is only supported on systems that support the TCP_KEEPIDLE or equivalent socket option, and on Windows. On other systems, it must be zero. In a session connected through a UNIX domain socket, this parameter is ignored and always read as zero.
  • On Windows, setting the value of 0 will set this parameter to 2 hours, because Windows does not support reading the system default value.
  • This parameter is used for all connections not between Primary and Mirror.
  • The default value is 0, which means the system default value is used.

| Data Type | Default | Value Range | Set Category |
| --- | --- | --- | --- |
| int | 0 | 0 ~ INT_MAX | segments; system; restart |

tcp_keepalives_interval


Specifies the number of seconds after which a TCP Keepalive message that has not been acknowledged by the client is retransmitted.

  • This parameter is only supported on systems that support the TCP_KEEPINTVL or equivalent socket option, and on Windows. On other systems, it must be zero. In a session connected through a UNIX domain socket, this parameter is ignored and always read as zero.
  • On Windows, setting the value of 0 will set this parameter to 1 second because Windows does not support reading the system default value.
  • This parameter is used for all connections not between Primary and Mirror.
  • The default value is 0, which means the system default value is used.

| Data Type | Default | Value Range | Set Category |
| --- | --- | --- | --- |
| int | 0 | 0 ~ INT_MAX | segments; system; restart |

tcp_user_timeout


Specifies the amount of time, in milliseconds, that transmitted data may remain unacknowledged before the TCP connection is forcibly closed.

  • This parameter is only supported on systems that support TCP_USER_TIMEOUT; on other systems, it must be zero. In a session connected through a UNIX domain socket, this parameter is ignored and always read as zero.
  • This parameter is not supported on Windows and must be zero.
  • The default value is 0, which means the system default value is used.

| Data Type | Default | Value Range | Set Category |
| --- | --- | --- | --- |
| int | 0 | 0 ~ INT_MAX | segments; system; restart |
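The three tcp_keepalives_* parameters above interact: the first probe is sent after tcp_keepalives_idle seconds of silence, each unanswered probe is retried every tcp_keepalives_interval seconds, and after tcp_keepalives_count lost probes the connection is considered interrupted. The following helper, an added example that is not YMatrix's own code, computes the resulting worst-case time to detect a dead client, including the 0 = "system default" case. It assumes Linux kernel defaults (7200 s, 75 s, 9 probes) as the fallback; other platforms ship different values.

```python
"""Added example (not from the YMatrix documentation): estimate how long a
dead client takes to be detected from the tcp_keepalives_* settings.

Assumption, labelled: a value of 0 means 'use the operating-system default',
and the Linux defaults below are used as that fallback.
"""

# Linux kernel defaults for net.ipv4.tcp_keepalive_{time,intvl,probes}
# (assumption: your platform may ship different values).
LINUX_DEFAULTS = {"idle": 7200, "interval": 75, "count": 9}


def effective_keepalive(idle: int, interval: int, count: int,
                        system_defaults: dict = LINUX_DEFAULTS) -> dict:
    """Resolve the three parameters, treating 0 as 'use the system default'."""
    for name, value in (("idle", idle), ("interval", interval), ("count", count)):
        if value < 0:
            raise ValueError(f"tcp_keepalives_{name} must be >= 0, got {value}")
    return {
        "idle": idle or system_defaults["idle"],
        "interval": interval or system_defaults["interval"],
        "count": count or system_defaults["count"],
    }


def dead_peer_detection_seconds(idle: int, interval: int, count: int,
                                system_defaults: dict = LINUX_DEFAULTS) -> int:
    """Worst-case seconds between the last traffic and the server giving up.

    idle seconds of silence before the first probe, then `count` probes
    spaced `interval` seconds apart, none of which is acknowledged.
    """
    eff = effective_keepalive(idle, interval, count, system_defaults)
    return eff["idle"] + eff["interval"] * eff["count"]


if __name__ == "__main__":
    # All zeros: the documented default, resolved to the assumed Linux values.
    print("defaults:", dead_peer_detection_seconds(0, 0, 0), "s")
    # Explicit, tighter settings as a practitioner might choose for a LAN.
    print("60/10/3:", dead_peer_detection_seconds(60, 10, 3), "s")
```

With everything left at 0 on a stock Linux host, a silently vanished client is only noticed after more than two hours; explicit values such as 60/10/3 bring that down to 90 seconds, which is why these parameters matter for connection-slot exhaustion.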


Security and Authentication

authentication_timeout


The maximum time (seconds) to allow client authentication to be completed.

  • If a client does not complete the authentication protocol within this time, the server closes the connection. This prevents a misbehaving client from occupying a connection indefinitely.

| Data Type | Default | Value Range | Set Category |
| --- | --- | --- | --- |
| int | 60 | 1 ~ 600 | segments; system; restart |

db_user_namespace


This parameter enables per-database user names.

  • This parameter is off by default and can only be set in the postgresql.conf file or on the server command line.
  • If this parameter is on, users should be created as username@dbname. When a connecting client sends username, @ and the database name are appended to it, and the server looks up that database-specific user name. Note that when creating a user whose name contains @ in SQL, the user name must be quoted.
  • When this parameter is enabled, ordinary global users can still be created. To specify such a user in the client, append @ to the name, for example joe@. The @ is stripped before the server looks up the user name.
  • db_user_namespace causes the client's and the server's representation of the user name to differ. Authentication checks are always performed against the server's user name, so the authentication method must be configured for the server user name rather than the client user name. Because the md5 method uses the user name as salt on both client and server, md5 cannot be used together with db_user_namespace.
  • This feature is intended as a temporary measure until a complete solution is found; the option will be removed once such a solution exists.

| Data Type | Default | Set Category |
| --- | --- | --- |
| boolean | off | master; system; restart |
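To make the name rewriting described for db_user_namespace concrete, here is an added example (not YMatrix's or PostgreSQL's own code) that reproduces the server-side rule so you can predict which role name CREATE ROLE and the authentication configuration must use. It assumes the rule "a single trailing @ is stripped, anything else gets @dbname appended", which mirrors PostgreSQL's startup-packet handling; the user and database names are constructed for the example.

```python
"""Added example: the user-name rewrite applied by db_user_namespace.

Assumption, labelled: the rewrite rule mirrors PostgreSQL's handling of the
startup packet; names such as 'joe' and 'sales' are constructed samples.
"""


def server_role_name(client_user: str, dbname: str, db_user_namespace: bool = True) -> str:
    """Return the name the server looks up for a client-supplied user name."""
    if not db_user_namespace:
        return client_user
    # Exactly one '@', at the very end, marks a global user: 'joe@' -> 'joe'.
    if client_user.endswith("@") and client_user.count("@") == 1:
        return client_user[:-1]
    # Everything else becomes database-specific: 'joe' -> 'joe@sales'.
    return f"{client_user}@{dbname}"


def create_role_sql(client_user: str, dbname: str) -> str:
    """CREATE ROLE statement for the server-side name.

    The name contains '@', so it must be a quoted identifier; embedded
    double quotes are doubled as SQL requires.
    """
    name = server_role_name(client_user, dbname).replace('"', '""')
    return f'CREATE ROLE "{name}" LOGIN;'


def auth_method_allowed(method: str, db_user_namespace: bool = True) -> bool:
    """md5 salts the password hash with the user name on both sides; since the
    client and server names differ under db_user_namespace, md5 cannot be used."""
    return not (db_user_namespace and method.lower() == "md5")


if __name__ == "__main__":
    for user in ("joe", "joe@"):
        print(f"client sends {user!r:8} -> server looks up "
              f"{server_role_name(user, 'sales')!r}")
    print(create_role_sql("joe", "sales"))
    print("md5 usable:", auth_method_allowed("md5"),
          "| scram-sha-256 usable:", auth_method_allowed("scram-sha-256"))
```

Because authentication is evaluated against the rewritten name, an authentication rule written for "joe" will never match a client that connects as joe to database sales; the rule must name joe@sales.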

krb_caseins_users


Sets whether Kerberos user names are treated case-insensitively.

  • The default is off, i.e. user names are case sensitive.

| Data Type | Default | Set Category |
| --- | --- | --- |
| boolean | off | segments; system; restart |

krb_server_keyfile


Sets the location of the Kerberos server key file.

| Data Type | Default | Set Category |
| --- | --- | --- |
| string | | segments; system; restart |

password_encryption


When a password is specified in CREATE ROLE or ALTER ROLE, this parameter determines the algorithm used to encrypt the password.

| Data Type | Default | Value Range | Set Category |
| --- | --- | --- | --- |
| enum | md5(on) | md5(on) / scram-sha-256 | segments; session; reload |


SSL

ssl


Whether to enable SSL connections.

| Data Type | Default | Set Category |
| --- | --- | --- |
| boolean | off | segments; system; restart |

ssl_ca_file


Specifies the file name that contains the SSL Server Certificate Authority (CA).

  • Relative paths are relative to the data directory.
  • The default value is empty, meaning that no CA file is loaded and client certificate verification is not performed.

| Data Type | Default | Set Category |
| --- | --- | --- |
| string | | segments; system; restart |

ssl_cert_file


Specifies the file name that contains the SSL server certificate.

  • Relative paths are relative to the data directory.

| Data Type | Default | Set Category |
| --- | --- | --- |
| string | server.crt | segments; system; restart |

ssl_ciphers


Specifies the list of SSL cipher suites allowed for secure connections.

| Data Type | Default | Set Category |
| --- | --- | --- |
| string | HIGH:MEDIUM:+3DES:!aNULL | segments; system; restart |

ssl_crl_file


Specifies the file name that contains the SSL server certificate revocation list (CRL).

  • Relative paths are relative to the data directory.
  • The default value is empty, meaning that no CRL file is loaded.

| Data Type | Default | Set Category |
| --- | --- | --- |
| string | | segments; system; restart |

ssl_dh_params_file


Specifies the file name that contains the Diffie-Hellman parameters used for the so-called ephemeral DH family of SSL ciphers.

  • The default value is empty, in which case the built-in default DH parameters are used. Using custom DH parameters reduces the exposure to an attacker who has precomputed attacks against the well-known built-in DH parameters. You can create your own DH parameter file with the command openssl dhparam -out dhparams.pem 2048.

| Data Type | Default | Set Category |
| --- | --- | --- |
| string | | segments; system; restart |

ssl_ecdh_curve


Specifies the curve name used in the ECDH key exchange.

  • The curve must be supported by all connecting clients.
  • It does not need to be the same curve as the one used by the server's elliptic-curve key.
  • This parameter can only be set in the postgresql.conf file or on the server command line.
  • The OpenSSL names of the most common curves are prime256v1 (NIST P-256), secp384r1 (NIST P-384) and secp521r1 (NIST P-521). The command openssl ecparam -list_curves shows the complete list of available curves, but not all of them are usable in TLS.

| Data Type | Default | Set Category |
| --- | --- | --- |
| string | prime256v1 | segments; system; restart |

ssl_key_file


Specifies the file name that contains the SSL server private key.

  • Relative paths are relative to the data directory.

| Data Type | Default | Set Category |
| --- | --- | --- |
| string | server.key | segments; system; restart |

ssl_max_protocol_version


Sets the maximum SSL/TLS protocol version to use.

  • Valid versions are the same as for ssl_min_protocol_version.
  • Setting a maximum protocol version is useful for testing whether a component has problems working with newer protocols.
  • The default value is an empty string, meaning that any version is allowed.

| Data Type | Default | Set Category |
| --- | --- | --- |
| enum | | segments; system; restart; superuser |

ssl_min_protocol_version


Sets the minimum SSL/TLS protocol version to use.

  • The currently available versions are TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3. Older OpenSSL libraries do not support all of these values, and an error is raised if an unsupported setting is selected. Protocol versions before TLS 1.0, that is, SSL versions 2 and 3, are always disabled.
  • The default value is TLSv1, chosen mainly to support old OpenSSL libraries. If all software components support newer protocol versions, you can set it to a higher value.

| Data Type | Default | Set Category |
| --- | --- | --- |
| enum | TLSv1 | segments; system; restart |

ssl_passphrase_command


Sets an external command that is invoked when a passphrase is required to decrypt an SSL file, such as the private key.

  • By default, this parameter is empty, meaning that the built-in prompting mechanism is used.
  • The command must print the passphrase to standard output and exit with code 0. In the parameter value, % is replaced with a prompt string (to obtain a literal %, write %%). Note that the prompt string will likely contain spaces, so quote it appropriately. A single newline at the end of the output is stripped.
  • The command does not actually have to prompt the user for a passphrase. It can read it from a file, obtain it from a keychain, and so on. It is the user's responsibility to ensure that the chosen mechanism is sufficiently secure.

| Data Type | Default | Set Category |
| --- | --- | --- |
| string | | segments; system; restart |

ssl_passphrase_command_supports_reload


This parameter determines whether the passphrase command set by ssl_passphrase_command is also invoked when a key file requires a passphrase during a configuration reload.

  • If this parameter is off (the default), ssl_passphrase_command is ignored during a reload, and if a passphrase is required at that point the SSL configuration is not reloaded.
  • The default is appropriate for commands that prompt via a TTY, which may not be available while the server is running. If the passphrase is obtained from a file, for example, setting this parameter to on may be appropriate.

| Data Type | Default | Set Category |
| --- | --- | --- |
| boolean | off | segments; system; restart |

ssl_prefer_server_ciphers


Specifies whether the server's SSL cipher preferences are used rather than the client's.

  • This setting exists mainly for backward compatibility. Using the server's preferences is usually better, as the server is more likely to be properly configured.

| Data Type | Default | Set Category |
| --- | --- | --- |
| boolean | on | segments; system; restart |
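Several of the defaults documented above (unix_socket_permissions 0777, password_encryption md5, ssl_min_protocol_version TLSv1, the 3DES suites kept by ssl_ciphers, an empty ssl_ca_file) are the values a reviewer would want to see changed on a production cluster. The following added example, which is not part of the YMatrix documentation, parses a postgresql.conf fragment and reports those weak settings next to a hardened counterpart. Both fragments are constructed for the example (the address 10.0.0.5 and the file root.crt are placeholders); the checks encode this page's documented defaults and ranges together with the well-known facts that TLS 1.0/1.1 and 3DES are deprecated.

```python
"""Added example (not from the YMatrix documentation): audit a postgresql.conf
fragment against the connection, authentication and SSL parameters on this page.

Assumptions, labelled: both fragments are constructed; the rules encode the
page's documented defaults plus the deprecation of TLS 1.0/1.1 and 3DES.
"""
import re

# Constructed sample that keeps every default this page documents.
DEFAULT_LIKE_CONF = """\
listen_addresses = '*'
max_connections = 300
superuser_reserved_connections = 10
unix_socket_permissions = 0777
password_encryption = md5
ssl = on
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
ssl_min_protocol_version = 'TLSv1'
ssl_ca_file = ''
authentication_timeout = 60   # seconds
"""

# Constructed hardened counterpart (address and file name are placeholders).
HARDENED_CONF = """\
listen_addresses = '10.0.0.5'
max_connections = 300
superuser_reserved_connections = 10
unix_socket_permissions = 0770
password_encryption = scram-sha-256
ssl = on
ssl_ciphers = 'HIGH:!aNULL:!3DES'
ssl_min_protocol_version = 'TLSv1.2'
ssl_ca_file = 'root.crt'
authentication_timeout = 60
"""

_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_.]*)\s*=\s*(.*?)\s*(?:#.*)?$")
TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_conf(text: str) -> dict:
    """Parse `key = value` lines, stripping surrounding quotes and # comments.
    (Quoted values that themselves contain '#' are not handled.)"""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        settings[key] = value
    return settings


def audit(settings: dict) -> list:
    """Return a list of findings; an empty list means no weak setting was found.
    Missing keys fall back to the defaults documented on this page."""
    f = []
    if settings.get("ssl", "off") != "on":
        f.append("ssl: off, client connections are not encrypted")
    mode = settings.get("unix_socket_permissions", "0777")
    if not re.fullmatch(r"0[0-7]{3}", mode):
        f.append(f"unix_socket_permissions: {mode!r} is not a 0-prefixed octal mode in 0000-0777")
    elif int(mode, 8) & 0o002:  # 'others' write bit: any local user can connect
        f.append(f"unix_socket_permissions: {mode} lets any local user connect")
    if settings.get("password_encryption", "md5") == "md5":
        f.append("password_encryption: md5, prefer scram-sha-256")
    minver = settings.get("ssl_min_protocol_version", "TLSv1")
    if minver in TLS_ORDER and TLS_ORDER.index(minver) < TLS_ORDER.index("TLSv1.2"):
        f.append(f"ssl_min_protocol_version: {minver} still allows deprecated TLS 1.0/1.1")
    ciphers = settings.get("ssl_ciphers", "HIGH:MEDIUM:+3DES:!aNULL")
    if "3DES" in ciphers and "!3DES" not in ciphers:
        f.append("ssl_ciphers: 3DES suites remain enabled ('+3DES' only moves them last)")
    if not settings.get("ssl_ca_file"):
        f.append("ssl_ca_file: empty, client certificates are never verified")
    reserved = int(settings.get("superuser_reserved_connections", 10))
    if reserved >= int(settings.get("max_connections", 300)):
        f.append("superuser_reserved_connections: leaves no connections for ordinary users")
    if settings.get("listen_addresses", "*") == "*":
        f.append("listen_addresses: '*' accepts TCP/IP connections on every interface")
    return f


if __name__ == "__main__":
    for name, text in (("default-like", DEFAULT_LIKE_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for finding in audit(parse_conf(text)) or ["no findings"]:
            print(" -", finding)
```

The listen_addresses finding is informational (a cluster that must accept remote clients needs a non-local address), but the others map directly to the parameter descriptions above and are worth fixing before the cluster is exposed.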