PostgreSQL client authentication is controlled by the configuration file pg_hba.conf, which is stored in the data directory by default.
The records in pg_hba.conf have the following format:
TYPE DATABASE USER ADDRESS METHOD
local database user auth-method [auth-options]
host database user address auth-method [auth-options]
hostssl database user address auth-method [auth-options]
hostnossl database user address auth-method [auth-options]
host database user IP-address IP-mask auth-method [auth-options]
hostssl database user IP-address IP-mask auth-method [auth-options]
hostnossl database user IP-address IP-mask auth-method [auth-options]
The fields of a pg_hba.conf record fall into the following five categories:
- Connection type
- Client IP address (range)
- Database name
- Username
- Authentication method
1.1 Connection type TYPE
Specifies how the client connects:
- local, the connection uses a local Unix-domain socket
- host, the connection uses TCP/IP (with or without SSL); a host record matches both IPv4 and IPv6 addresses
- hostssl, only TCP/IP connections made over SSL
- hostnossl, only TCP/IP connections made without SSL
1.2 Database name DATABASE
Specify the database name that the user matches
- all indicates that the record matches all databases
- sameuser means that if the requested database and the requested user have the same name, it matches.
- samerole indicates that the requested user must be a member of a role with the same name as the database.
- replication means that the record matches if a replication connection is requested.
- In other cases, this is a specific PostgreSQL database name. You can declare multiple databases by separating them with commas, or you can declare a file containing the database names by prefixing @.
1.3 Username USER
Specify database user
- all indicates that it matches all users.
- Otherwise, a specific database user name.
1.4 IP address and mask ADDRESS
Specifies the client machine address. This field is only present in records whose connection type is host, hostssl or hostnossl.
- all matches any IP address; samehost matches any IP address of the server itself; samenet matches any address in any subnet to which the server is directly connected.
- A host name is specified, which will be compared with the reverse name resolution result of the client's IP address.
- An IP address range is specified by the standard numeric notation of the starting address of the range, followed by a slash (/) and a CIDR mask length.
1.5 Authentication mode METHOD
METHOD is generally one of the following authentication modes: ident, trust, md5, password, peer, reject. The ident and peer modes are only applicable to Linux, Unix and Mac, not to Windows.
- trust, this mode connects to the database directly without a password, which is not secure
- md5, this mode requires the initiator of the connection to present the password hashed with the MD5 algorithm
- password, this mode sends a plain-text password for authentication, which is not secure and is not recommended
- ident, in this mode the system maps the operating system user of the request initiator to an internal user of the PostgreSQL database and logs in with the privileges of that internal user without asking for a login password. The mapping between operating system users and database users is recorded in the pg_ident.conf file.
- peer, this mode authenticates using the operating system user name of the connection initiator. It is limited to Linux, BSD, Mac OS X and Solaris, and can only be used for connections made locally on the server.
- reject, this mode rejects all matching requests.
- gss, authenticate users with GSSAPI
- sspi, use SSPI to authenticate users
- ldap, use LDAP server authentication
- radius, authenticate with RADIUS server
- cert, use SSL client certificate authentication
- pam, use the pluggable authentication module service (PAM) authentication provided by the operating system
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all md5
# IPv4 connections (0.0.0.0/0 matches every IPv4 address, not only local ones):
host all all 0.0.0.0/0 md5
# IPv6 local connections:
host all all ::1/128 trust
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all trust
host replication all 127.0.0.1/32 trust
host replication all ::1/128 trust
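As an added example that is not part of the original article, the following Python parses records in the format described above (a constructed sample mirroring the listing), finds the record a given connection would hit, and flags the methods the text calls insecure. It assumes the client address is given as a plain IP string; samehost, samenet, hostnames, samerole, @file and +role forms are parsed but never treated as a match, since resolving them needs server or role information.

```python
import ipaddress

SAMPLE_HBA = """
# constructed sample mirroring this page's listing ("#" starts a comment)
local  all          all                 md5
host   all          all   0.0.0.0/0     md5
host   all          all   ::1/128       trust
local  replication  all                 trust
host   replication  all   127.0.0.1/32  trust
"""

def parse_hba(text):  # records as dicts: type, db, user, addr (None for local), method
    rules = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":
            f.insert(3, None)                                # sockets have no address column
        elif len(f) >= 6 and "/" not in f[3] and "." in f[4]:
            f = f[:3] + [f[3] + "/" + f[4]] + f[5:]            # dotted-mask form -> addr/mask
        try:
            f[3] = ipaddress.ip_network(f[3], strict=False)   # CIDR or addr/mask
        except (ValueError, TypeError):
            pass                    # None, all, samehost, samenet or a hostname stays as-is
        rules.append(dict(zip(("type", "db", "user", "addr", "method"), f)))
    return rules

def first_match(rules, conn):
    """First matching (index, method): PostgreSQL scans top to bottom, uses only the first match, rejects if none."""
    ip = None if conn["local"] else ipaddress.ip_address(conn["addr"])
    for i, r in enumerate(rules):
        t, a = r["type"], r["addr"]
        if (t == "local") != conn["local"] or (t == "hostssl" and not conn["ssl"]) or (t == "hostnossl" and conn["ssl"]):
            continue
        if ip is not None and a != "all" and (isinstance(a, str) or ip not in a):
            continue   # samehost / samenet / hostnames need server interfaces or reverse DNS: not resolved here
        if conn["replication"]:
            db_ok = r["db"] == "replication"       # physical replication never matches 'all'
        else:
            db_ok = r["db"] == "all" or (r["db"] == "sameuser" and conn["db"] == conn["user"]) or conn["db"] in r["db"].split(",")
        if db_ok and (r["user"] == "all" or conn["user"] in r["user"].split(",")):
            return i, r["method"]
    return None, "reject"

def audit(rules):  # methods the text calls insecure; trust reachable beyond loopback is the worst case
    def wide(a): return isinstance(a, str) or (a is not None and not a.network_address.is_loopback)
    return [(i, "cleartext password" if r["method"] == "password" else
             "trust from non-loopback addresses" if wide(r["addr"]) else "trust on loopback/socket")
            for i, r in enumerate(rules) if r["method"] in ("trust", "password")]
```

Running audit over the sample shows that its trust records are confined to loopback and the socket, while the md5 record on 0.0.0.0/0 is reachable from any IPv4 address and relies entirely on password strength.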