New – Trusted Language Extensions for PostgreSQL on Amazon Aurora and Amazon RDS

PostgreSQL has become the [preferred open-source relational database](https://aws.amazon.com/blogs/aws/amazon-rds-for-postgresql-now-available/) for many enterprises and start-ups with its extensible design for developers. One of the reasons developers use PostgreSQL is that it allows them to add database functionality by building extensions with their preferred programming languages.

You can already install and use PostgreSQL extensions in [Amazon Aurora PostgreSQL-Compatible Edition](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Appendix.PostgreSQL.CommonDBATasks.html) and [Amazon Relational Database Service for PostgreSQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.PostgreSQL.CommonDBATasks.Extensions.html). We support more than [85 PostgreSQL extensions](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraPostgreSQLReleaseNotes/AuroraPostgreSQL.Extensions.html) in [Amazon Aurora](https://aws.amazon.com/cn/rds/aurora/?trk=cndc-detail) and [Amazon RDS](https://aws.amazon.com/cn/rds/?trk=cndc-detail), such as the `pgAudit` [extension](https://aws.amazon.com/premiumsupport/knowledge-center/rds-postgresql-pgaudit/) for logging your database activity. While many workloads use these extensions, we heard our customers asking for flexibility to build and run the extensions of their choosing for their PostgreSQL database instances.

Today, we are announcing the general availability of **[Trusted Language Extensions for PostgreSQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL_trusted_language_extension.html)** (`pg_tle`), a new open-source development kit for building PostgreSQL extensions. With Trusted Language Extensions for PostgreSQL, developers can build high-performance extensions that run safely on PostgreSQL.

Trusted Language Extensions for PostgreSQL provides database administrators control over who can install extensions and a permissions model for running them, letting application developers deliver new functionality as soon as they determine an extension meets their needs.

To start building with Trusted Language Extensions, you can use trusted languages such as JavaScript, Perl, and PL/pgSQL. These trusted languages have safety attributes, including restricting direct access to the file system and preventing unwanted privilege escalations. You can easily install extensions written in a trusted language on Amazon Aurora PostgreSQL-Compatible Edition 14.5 and Amazon RDS for PostgreSQL 14.5 or a newer version.

Trusted Language Extensions for PostgreSQL is an open-source project licensed under Apache License 2.0 on [GitHub](https://github.com/aws/pg_tle). You can comment or suggest items on the Trusted Language Extensions for PostgreSQL roadmap and help us support this project across multiple programming languages, and more. Doing this as a community will help us make it easier for developers to use the best parts of PostgreSQL to build extensions.

Let’s explore how we can use Trusted Language Extensions for PostgreSQL to build a new PostgreSQL extension for Amazon Aurora and Amazon RDS.

### Setting up Trusted Language Extensions for PostgreSQL

To use `pg_tle` with Amazon Aurora or Amazon RDS for PostgreSQL, you need to set up a [parameter group](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithParamGroups.html) that loads `pg_tle` in the PostgreSQL `shared_preload_libraries` setting. Choose **Parameter groups** in the left navigation pane in the Amazon RDS console and **Create parameter group** to make a new parameter group.

Choose **Create** after you select `postgres14` with Amazon RDS for PostgreSQL in the **Parameter group family** and pg_tle in the **Group Name**. You can select `aurora-postgresql14` for an Amazon Aurora PostgreSQL-Compatible cluster.

![image.png](https://dev-media.amazoncloud.cn/145a77bfca5d46aca0430d75775e74ec_image.png)

Choose the created `pgtle` parameter group and **Edit** in the **Parameter group actions** dropdown menu. You can search for `shared_preload_libraries` in the search box and choose **Edit parameter**. You can add your preferred values, including `pg_tle`, and choose **Save changes**.

![image.png](https://dev-media.amazoncloud.cn/57f12b6fc1ed40c794d1f8d5ba40c010_image.png)

You can also do the same job in the AWS Command Line Interface (AWS CLI).

```
$ aws rds create-db-parameter-group \
  --region us-east-1 \
  --db-parameter-group-name pgtle \
  --db-parameter-group-family aurora-postgresql14 \
  --description "pgtle group"

$ aws rds modify-db-parameter-group \
  --region us-east-1 \
  --db-parameter-group-name pgtle \
  --parameters "ParameterName=shared_preload_libraries,ParameterValue=pg_tle,ApplyMethod=pending-reboot"
```

Now, you can add the `pgtle` parameter group to your Amazon Aurora or Amazon RDS for PostgreSQL database. If you have a database instance called `testing-pgtle`, you can add the `pgtle` parameter group to the database instance using the command below. Please note that this will cause an active instance to reboot.

```
$ aws rds modify-db-instance \
  --region us-east-1 \
  --db-instance-identifier testing-pgtle \
  --db-parameter-group-name pgtle \
  --apply-immediately
```

Verify that the `pg_tle` library is available on your Amazon Aurora or Amazon RDS for PostgreSQL instance. Run the following command on your PostgreSQL instance:

```
SHOW shared_preload_libraries;
```

`pg_tle` should appear in the output.

Now, create the `pg_tle` extension in your current database by running the command:

```
CREATE EXTENSION pg_tle;
```

You can now create and install Trusted Language Extensions for PostgreSQL in your current database. To create a new extension, you should grant the `pgtle_admin` role to your primary user (e.g., `postgres`) with the following command:

```
GRANT pgtle_admin TO postgres;
```

Let’s now see how to create our first `pg_tle` extension!

### Building a Trusted Language Extension for PostgreSQL

For this example, we are going to build a `pg_tle` extension to validate that a user is not setting a password that’s found in a common password dictionary. Many teams have rules around the complexity of passwords, particularly for database users. PostgreSQL allows developers to help enforce password complexity using the `check_password_hook`.

```
SELECT pgtle.install_extension (
  'my_password_check_rules',
  '1.0',
  'Do not let users use the 10 most commonly used passwords',
$_pgtle_$
  -- Dedicated schema: PUBLIC may resolve names in it but not create objects.
  CREATE SCHEMA password_check;
  REVOKE ALL ON SCHEMA password_check FROM PUBLIC;
  GRANT USAGE ON SCHEMA password_check TO PUBLIC;

  -- The dictionary of rejected passwords.
  CREATE TABLE password_check.bad_passwords (plaintext) AS
  VALUES
    ('123456'),
    ('password'),
    ('12345678'),
    ('qwerty'),
    ('123456789'),
    ('12345'),
    ('1234'),
    ('111111'),
    ('1234567'),
    ('dragon');
  CREATE UNIQUE INDEX ON password_check.bad_passwords (plaintext);

  CREATE FUNCTION password_check.passcheck_hook(username text, password text, password_type pgtle.password_types, valid_until timestamptz, valid_null boolean)
  RETURNS void AS $$
    DECLARE
      invalid bool := false;
    BEGIN
      IF password_type = 'PASSWORD_TYPE_MD5' THEN
        -- A pre-hashed MD5 value is 'md5' || md5(password || username),
        -- so hash each dictionary word the same way and compare.
        SELECT EXISTS(
          SELECT 1
          FROM password_check.bad_passwords bp
          WHERE ('md5' || md5(bp.plaintext || username)) = password
        ) INTO invalid;
        IF invalid THEN
          RAISE EXCEPTION 'password must not be found on a common password dictionary';
        END IF;
      ELSIF password_type = 'PASSWORD_TYPE_PLAINTEXT' THEN
        -- A plaintext password can be looked up directly.
        SELECT EXISTS(
          SELECT 1
          FROM password_check.bad_passwords bp
          WHERE bp.plaintext = password
        ) INTO invalid;
        IF invalid THEN
          RAISE EXCEPTION 'password must not be found on a common password dictionary';
        END IF;
      END IF;
    END
  $$ LANGUAGE plpgsql SECURITY DEFINER;

  GRANT EXECUTE ON FUNCTION password_check.passcheck_hook TO PUBLIC;

  -- Register the function as the password check hook.
  SELECT pgtle.register_feature('password_check.passcheck_hook', 'passcheck');
$_pgtle_$
);
```

You need to enable the hook through the `pgtle.enable_password_check` configuration parameter. On Amazon Aurora and Amazon RDS for PostgreSQL, you can do so with the following command:

```
$ aws rds modify-db-parameter-group \
  --region us-east-1 \
  --db-parameter-group-name pgtle \
  --parameters "ParameterName=pgtle.enable_password_check,ParameterValue=on,ApplyMethod=immediate"
```

It may take several minutes for these changes to propagate. You can check that the value is set using the `SHOW` command:

```
SHOW pgtle.enable_password_check;
```

If the value is `on`, you will see the following output:

```
 pgtle.enable_password_check
-----------------------------
 on
```

Now you can create this extension in your current database, try setting your password to one of the dictionary passwords, and observe how the hook rejects it:

```
CREATE EXTENSION my_password_check_rules;

CREATE ROLE test_role PASSWORD '123456';
ERROR:  password must not be found on a common password dictionary

CREATE ROLE test_role;
SET SESSION AUTHORIZATION test_role;
SET password_encryption TO 'md5';
\password
-- set to "password"
ERROR:  password must not be found on a common password dictionary
```

To disable the hook, set the value of `pgtle.enable_password_check` to `off`:

```
$ aws rds modify-db-parameter-group \
  --region us-east-1 \
  --db-parameter-group-name pgtle \
  --parameters "ParameterName=pgtle.enable_password_check,ParameterValue=off,ApplyMethod=immediate"
```

You can uninstall this `pg_tle` extension from your database and prevent anyone else from running `CREATE EXTENSION` on `my_password_check_rules` with the following commands:

```
DROP EXTENSION my_password_check_rules;
SELECT pgtle.uninstall_extension('my_password_check_rules');
```

You can find more [sample extensions](https://github.com/aws/pg_tle/tree/main/docs) and give them a try. To build and test your Trusted Language Extensions in your local PostgreSQL database, you can build from our source code after cloning the repository.

### Join Our Community!

The Trusted Language Extensions for PostgreSQL community is open to everyone. Give it a try, and give us feedback on what you would like to see in future releases. We welcome any contributions, such as new features, example extensions, additional documentation, or any bug reports in [GitHub](https://github.com/aws/pg_tle).

To learn more about using Trusted Language Extensions for PostgreSQL in the AWS Cloud, see the [Amazon Aurora PostgreSQL-Compatible Edition](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/PostgreSQL_trusted_language_extension.html) and [Amazon RDS for PostgreSQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL_trusted_language_extension.html) documentation.

Give it a try, and please send feedback to [AWS re:Post for PostgreSQL](https://repost.aws/tags/TAv3jh3M-nSMKw002Ox1ODPQ/postgre-sql) or through your usual AWS support contacts.

– [Channy](https://twitter.com/channyun)

![4cb1206ddc6551fff41080fcf865b37.png](https://dev-media.amazoncloud.cn/5c5e5f27731548f58785c787e74fb6b7_4cb1206ddc6551fff41080fcf865b37.png)

### **[Channy Yun](https://aws.amazon.com/blogs/aws/author/channy-yun/)**

Channy Yun is a Principal Developer Advocate for AWS, and passionate about helping developers to build modern applications on the latest AWS services. A pragmatic developer and blogger at heart, he loves community-driven learning and sharing of technology, which has funneled developers to global AWS Usergroups. His main topics are open-source, container, storage, network & security, and IoT. Follow him on Twitter at @channyun.
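Added example, not from the original post or the pg_tle project: a Python model of the `passcheck_hook` from the "Building a Trusted Language Extension" section. It shows that the hook's MD5 and plaintext branches accept a client-hashed SCRAM-SHA-256 verifier (`PASSWORD_TYPE_SCRAM_SHA_256`) without checking it, and it goes beyond the page by covering that case: the salt and iteration count embedded in the verifier are enough to re-derive the StoredKey for each dictionary word. The function names and the salt are constructed for illustration, and passwords are assumed to be ASCII (no SASLprep normalization).

```python
import base64
import hashlib
import hmac

# The ten entries of the page's password_check.bad_passwords table.
BAD_PASSWORDS = ["123456", "password", "12345678", "qwerty", "123456789",
                 "12345", "1234", "111111", "1234567", "dragon"]
SCRAM_PREFIX = "SCRAM-SHA-256$"


def md5_verifier(password, username):
    """PostgreSQL MD5 format, as in the hook: 'md5' || md5(password || username)."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def scram_stored_key(password, salt, iterations):
    """StoredKey = SHA-256(HMAC(PBKDF2(password, salt, i), "Client Key"))."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    return hashlib.sha256(client_key).digest()


def scram_verifier(password, salt, iterations=4096):
    """Build SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    stored_key = scram_stored_key(password, salt, iterations)
    b64 = lambda raw: base64.b64encode(raw).decode()
    return f"{SCRAM_PREFIX}{iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def password_type(value):
    """Approximate how a submitted value maps onto pgtle.password_types."""
    if (value.startswith(SCRAM_PREFIX)
            and value.count("$") == 2 and value.count(":") == 2):
        return "PASSWORD_TYPE_SCRAM_SHA_256"
    hex_part = value[3:]
    if (value.startswith("md5") and len(hex_part) == 32
            and all(c in "0123456789abcdef" for c in hex_part)):
        return "PASSWORD_TYPE_MD5"
    return "PASSWORD_TYPE_PLAINTEXT"


def page_hook_rejects(username, value):
    """Model of the page's passcheck_hook: MD5 and plaintext branches only."""
    kind = password_type(value)
    if kind == "PASSWORD_TYPE_MD5":
        return any(md5_verifier(word, username) == value for word in BAD_PASSWORDS)
    if kind == "PASSWORD_TYPE_PLAINTEXT":
        return value in BAD_PASSWORDS
    return False  # no SCRAM branch, so the verifier is accepted unchecked


def scram_in_dictionary(verifier):
    """Re-derive StoredKey per dictionary word from the verifier's own salt."""
    params, keys = verifier[len(SCRAM_PREFIX):].split("$")
    iterations, salt_b64 = params.split(":")
    stored_key = base64.b64decode(keys.split(":")[0])
    salt = base64.b64decode(salt_b64)
    return any(
        hmac.compare_digest(scram_stored_key(word, salt, int(iterations)), stored_key)
        for word in BAD_PASSWORDS
    )


def extended_hook_rejects(username, value):
    """The page's two checks plus a branch for PASSWORD_TYPE_SCRAM_SHA_256."""
    if password_type(value) == "PASSWORD_TYPE_SCRAM_SHA_256":
        return scram_in_dictionary(value)
    return page_hook_rejects(username, value)


if __name__ == "__main__":
    salt = bytes(range(16))  # constructed salt, for illustration only
    samples = {
        "plaintext": "123456",
        "md5": md5_verifier("password", "test_role"),
        "scram": scram_verifier("dragon", salt),
    }
    for label, value in samples.items():
        print(label, password_type(value),
              page_hook_rejects("test_role", value),
              extended_hook_rejects("test_role", value))
```

The SCRAM branch costs one PBKDF2 run per dictionary word at the verifier's iteration count, so the work grows with the size of the dictionary.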