PostgreSQL client authentication configuration


PostgreSQL client authentication is controlled by the configuration file pg_hba.conf, which is stored in the data directory by default.
The pg_hba.conf file has the following format:

TYPE       DATABASE  USER  ADDRESS    METHOD
local      database  user  auth-method  [auth-options]
host       database  user  address  auth-method  [auth-options]
hostssl    database  user  address  auth-method  [auth-options]
hostnossl  database  user  address  auth-method  [auth-options]
host       database  user  IP-address  IP-mask  auth-method  [auth-options]
hostssl    database  user  IP-address  IP-mask  auth-method  [auth-options]
hostnossl  database  user  IP-address  IP-mask  auth-method  [auth-options]

The fields of a pg_hba.conf record fall into the following five categories:

  • Connection type
  • Client IP address (range)
  • Database name
  • Username
  • Authentication method

1.1 Connection type TYPE

Specifies how the client connects:

  • local
    connects over a local Unix-domain socket
  • host
    connects over TCP/IP (SSL or non-SSL); host records match both IPv4 and IPv6 addresses
  • hostssl
    matches only SSL-encrypted TCP/IP connections
  • hostnossl
    matches only TCP/IP connections that do not use SSL

1.2 Database name DATABASE

Specifies which database names the record matches:

  • all means the record matches all databases.
  • sameuser means the record matches if the requested database has the same name as the requested user.
  • samerole means the requested user must be a member of a role with the same name as the requested database.
  • replication means the record matches if a replication connection is requested.
  • Otherwise, this is the name of a specific PostgreSQL database. Several databases can be listed separated by commas, or a file containing database names can be referenced by prefixing its name with @.

1.3 Username USER

Specifies which database users the record matches:

  • all means the record matches all users.
  • Otherwise, the name of a specific database user.

1.4 IP address and mask ADDRESS

Specifies the client machine address; this field applies only to records whose connection type is host, hostssl or hostnossl.

  • all matches any IP address; samehost matches any IP address of the server itself; samenet matches any address in any subnet to which the server is directly connected.
  • A host name, which is compared with the result of reverse name resolution of the client's IP address.
  • An IP address range, written as the range's starting address in standard numeric notation, followed by a slash (/) and a CIDR mask length.

1.5 Authentication method METHOD

  The commonly used METHOD values are trust, md5, password, ident, peer and reject. The ident and peer methods apply only to Linux, Unix and Mac, not to Windows.

  • trust: the client can connect to the database without a password, which is not secure
  • md5: the client must send the password hashed with the MD5 algorithm
  • password: a plain-text password is used for authentication, which is not secure and is not recommended
  • ident: the operating system user of the connecting client is mapped to an internal PostgreSQL database user, and the client logs in with the privileges of that internal user without supplying a login password. The mapping between operating system users and database users is recorded in the pg_ident.conf file.
  • peer: the operating system user name of the connecting client is used for authentication. Limited to Linux, BSD, Mac OS X and Solaris, and only usable for local connections.
  • reject: all matching connection requests are rejected.
  • gss: authenticate users with GSSAPI
  • sspi: authenticate users with SSPI
  • ldap: authenticate against an LDAP server
  • radius: authenticate against a RADIUS server
  • cert: authenticate with an SSL client certificate
  • pam: authenticate through the Pluggable Authentication Modules (PAM) service provided by the operating system
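The ident and peer entries above both depend on pg_ident.conf, whose records have the form MAPNAME SYSTEM-USERNAME PG-USERNAME (a SYSTEM-USERNAME starting with / is a regular expression, and \1 in PG-USERNAME is replaced by its first capture group; a pg_hba.conf line selects the map with the map= option, and without a map the operating system user name must equal the requested database user name). The following Python is an added example, not code from the original post: it parses a constructed pg_ident.conf and answers the question the server asks at login, "may this OS account become this database role under this map?".

```python
import re

# Constructed sample pg_ident.conf (not from the original post). \\1 and \\. are
# doubled only because this is a Python string; the file itself contains \1 and \.
SAMPLE_PG_IDENT = """\
# MAPNAME   SYSTEM-USERNAME          PG-USERNAME
ops         root                     postgres
ops         alice                    alice
ops         alice                    readonly
# Regex entry: any OS account in the EXAMPLE.COM realm may log in as the bare user name
corp        /^(.*)@EXAMPLE\\.COM$    \\1
"""


def parse_pg_ident(text):
    """Return (mapname, system_user, pg_user) triples in file order, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mapname, sysuser, pguser = line.split()[:3]
        entries.append((mapname, sysuser, pguser))
    return entries


def map_allows(entries, mapname, system_user, pg_user):
    """True if map `mapname` lets OS account `system_user` log in as database role `pg_user`.

    An OS account may appear on several lines, so membership is "any line matches",
    exactly as the server evaluates the map. Lines belonging to other maps are ignored.
    """
    for name, sysuser, pguser in entries:
        if name != mapname:
            continue
        if sysuser.startswith("/"):                      # regular-expression entry
            m = re.search(sysuser[1:], system_user)
            if not m:
                continue
            target = pguser
            if "\\1" in pguser and m.groups():           # substitute the first capture group
                target = pguser.replace("\\1", m.group(1))
            if target == pg_user:
                return True
        elif sysuser == system_user and pguser == pg_user:
            return True
    return False


if __name__ == "__main__":
    entries = parse_pg_ident(SAMPLE_PG_IDENT)
    for args in (("ops", "alice", "readonly"), ("ops", "alice", "postgres"),
                 ("corp", "bob@EXAMPLE.COM", "bob"), ("corp", "bob@EVIL.COM", "bob")):
        print(args, "->", map_allows(entries, *args))
```

The regex entry is the one to review most carefully when auditing a real pg_ident.conf: an unanchored pattern or an over-broad capture group turns a single line into a grant for every OS account that happens to match.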
An example pg_hba.conf (records are matched top to bottom and the first match wins, so order matters):

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                  md5
# IPv4 connections from any address (0.0.0.0/0 is not limited to the local host):
host    all             all             0.0.0.0/0            md5
# IPv6 local connections:
host    all             all             ::1/128                 trust
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     trust
host    replication     all             127.0.0.1/32            trust
host    replication     all             ::1/128                 trust
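To see which record a given connection would hit, and which records a reviewer should question, the following Python is an added example (not code from the original post). It embeds the example pg_hba.conf above as a constructed sample, parses the TYPE, DATABASE, USER, ADDRESS and METHOD fields described in sections 1.1 to 1.5, applies PostgreSQL's first-match rule for a hypothetical connection, and flags trust and password methods plus address ranges that admit every host. It handles all, sameuser and replication in the DATABASE field and both the CIDR and IP-address/IP-mask address forms; samehost, samenet, host names, samerole, @file lists and +group users need server, DNS or catalog state and are deliberately not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the example pg_hba.conf from the text, embedded so this runs offline.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                  md5
host    all             all             0.0.0.0/0            md5
host    all             all             ::1/128                 trust
local   replication     all                                     trust
host    replication     all             127.0.0.1/32            trust
host    replication     all             ::1/128                 trust
"""


@dataclass
class HbaRule:
    line_no: int
    conn_type: str      # local, host, hostssl, hostnossl
    databases: list     # DATABASE field split on commas
    users: list         # USER field split on commas
    network: object     # ip_network, the string "all", or None for local records
    method: str


def parse_pg_hba(text):
    """Parse pg_hba.conf text into rules, preserving file order (order is significant)."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        conn_type, databases, users = f[0], f[1].split(","), f[2].split(",")
        if conn_type == "local":
            network, method = None, f[3]
        elif conn_type in ("host", "hostssl", "hostnossl"):
            if f[3] == "all":
                network, method = "all", f[4]
            elif "/" in f[3]:                         # address/CIDR-length form
                network, method = ipaddress.ip_network(f[3], strict=False), f[4]
            else:                                     # IP-address IP-mask form
                network, method = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False), f[5]
        else:
            raise ValueError(f"line {line_no}: unknown connection type {conn_type!r}")
        rules.append(HbaRule(line_no, conn_type, databases, users, network, method))
    return rules


def _db_matches(rule_dbs, database, user, replication):
    for d in rule_dbs:
        if replication:      # physical replication matches only the "replication" keyword, not "all"
            if d == "replication":
                return True
            continue
        if d == "all" or d == database or (d == "sameuser" and database == user):
            return True
    return False


def find_rule(rules, conn_type, user, database=None, address=None, ssl=False, replication=False):
    """Return the first matching rule, as PostgreSQL does; None means the connection is refused."""
    client_ip = ipaddress.ip_address(address) if address else None
    for r in rules:
        if conn_type == "local":
            if r.conn_type != "local":
                continue
        else:
            if r.conn_type == "local":
                continue
            if (r.conn_type == "hostssl" and not ssl) or (r.conn_type == "hostnossl" and ssl):
                continue
            if r.network != "all" and (client_ip.version != r.network.version
                                       or client_ip not in r.network):
                continue
        if not _db_matches(r.databases, database, user, replication):
            continue
        if "all" not in r.users and user not in r.users:
            continue
        return r
    return None


def audit(rules):
    """Flag rules a reviewer would question: trust/password methods and ranges open to any host."""
    findings = []
    for r in rules:
        if r.network == "all" or (r.network is not None and r.network.prefixlen == 0):
            findings.append((r.line_no, "address range admits every host on the Internet"))
        if r.method == "trust":
            findings.append((r.line_no, "trust: no password required"))
        elif r.method == "password":
            findings.append((r.line_no, "password: cleartext password on the wire"))
    return findings


if __name__ == "__main__":
    rules = parse_pg_hba(SAMPLE_PG_HBA)
    for line_no, msg in audit(rules):
        print(f"line {line_no}: {msg}")
    hit = find_rule(rules, "host", "alice", database="app", address="::1")
    print("IPv6 loopback client gets method:", hit.method)
```

Run against the sample, the audit reports the 0.0.0.0/0 record and every trust record, and the lookup shows that a client on the IPv6 loopback reaches the trust record rather than the md5 one, because the md5 record is IPv4-only.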


Source: https://blog.csdn.net/qq_42979842/article/details/108457557