PostgreSQL pg_hba.conf File

Source: Internet
Author: User

Client authentication is controlled by a configuration file, usually named pg_hba.conf and stored in the data directory of the database cluster. (HBA stands for "host-based authentication".) A default pg_hba.conf file is installed when initdb initializes the data directory. The authentication configuration file can also be placed elsewhere; see the hba_file configuration parameter.

The general format of the pg_hba.conf file is a set of records, one per line. Blank lines are ignored, as is any text after a # comment character. A record is made up of a number of fields separated by spaces and/or tabs. A field can contain white space if its value is enclosed in double quotes. Records cannot be continued across lines.

Each record specifies a connection type, a client IP address range (if relevant for the connection type), a database name, a user name, and the authentication method to be used for connections matching these parameters. The first record whose connection type, client address, requested database, and user name all match the connection request is used to perform the authentication. There is no "fall-through" or "backup": if one record is chosen and the authentication fails, subsequent records are not considered. If no record matches, access is denied.

A record can have one of the following seven formats:

    local      database  user  auth-method  [auth-option]
    host       database  user  CIDR-address  auth-method  [auth-option]
    hostssl    database  user  CIDR-address  auth-method  [auth-option]
    hostnossl  database  user  CIDR-address  auth-method  [auth-option]
    host       database  user  IP-address  IP-mask  auth-method  [auth-option]
    hostssl    database  user  IP-address  IP-mask  auth-method  [auth-option]
    hostnossl  database  user  IP-address  IP-mask  auth-method  [auth-option]

The meaning of each field is as follows:

local

This record matches connection attempts made through Unix-domain sockets. Without a record of this type, Unix-domain socket connections are disallowed.

host

This record matches connection attempts made over TCP/IP. A host record matches both SSL and non-SSL connection attempts.

[Note] Remote TCP/IP connections are not possible unless the server is started with an appropriate value for the listen_addresses configuration parameter, since the default behavior is to listen for TCP/IP connections only on the local loopback address localhost.

hostssl

This record matches connection attempts made over TCP/IP, but only when the connection is made with SSL encryption.

To make use of this option the server must be built with SSL support, and SSL must be enabled by the appropriate configuration option when the server is started (see section 16.7).

hostnossl

This record type has the opposite behavior of hostssl: it only matches connection attempts made over TCP/IP that do not use SSL.

database

Specifies which database name(s) this record matches. The value all specifies that it matches all databases. The value sameuser specifies that the record matches if the requested database has the same name as the requested user. The value samerole specifies that the requested user must be a member of the role with the same name as the requested database (samegroup is an obsolete but still accepted spelling of samerole). Otherwise, this is the name of a specific PostgreSQL database. Multiple database names can be supplied by separating them with commas. A separate file containing database names can be specified by preceding the file name with @.

user

Specifies which database users this record matches. The value all specifies that it matches all users. Otherwise, this is either the name of a specific database user, or a group name preceded by +. (Recall that there is no real distinction between users and groups in PostgreSQL; a + mark really means "match any of the roles that are directly or indirectly members of this role", while a name without a + mark matches only that specific role.) Multiple user names can be supplied by separating them with commas. A separate file containing user names can be specified by preceding the file name with @.

CIDR-address

Specifies the client machine IP address range that this record matches. It contains an IP address in standard dotted-decimal notation (a numeric address only; domain or host names are not allowed) and a CIDR mask length. The mask length indicates the number of high-order bits of the client IP address that must match. Bits to the right of this in the given IP address must be zero. There must not be any white space between the IP address, the /, and the CIDR mask length.

Typical examples of a CIDR-address are 172.20.143.89/32 for a single host, 172.20.143.0/24 for a small network, or 10.6.0.0/16 for a larger one. To specify a single host, use a CIDR mask of 32 for IPv4 or 128 for IPv6. In a network address, do not omit trailing zeroes.

An IP address given in IPv4 format will match IPv6 connections that have the corresponding address, for example 127.0.0.1 will match the IPv6 address ::ffff:127.0.0.1. An entry given in IPv6 format will match only IPv6 connections, even if the represented address is in the IPv4-in-IPv6 range. Note that entries in IPv6 format will be rejected if the system's C library does not have support for IPv6 addresses.

This field only applies to host, hostssl, and hostnossl records.

IP-address
IP-mask

These fields can be used as an alternative to the CIDR-address notation. Instead of specifying the mask length, the actual mask is specified in a separate column. For example, 255.0.0.0 represents an IPv4 CIDR mask length of 8, and 255.255.255.255 represents a CIDR mask length of 32.

These fields only apply to host, hostssl, and hostnossl records.

auth-method

Specifies the authentication method to use when connecting via this record. The possible choices are summarized here; details are in section 20.2.

trust

Allow the connection unconditionally. This method allows anyone that can connect to the PostgreSQL database server to log in as any PostgreSQL user they like, without the need for a password. See section 20.2.1 for details.

reject

Reject the connection unconditionally. This is useful for "filtering out" certain hosts from a group.

md5

Require the client to supply an MD5-encrypted password for authentication. See section 20.2.2 for details.

crypt

[Note] This option is recommended only for communicating with pre-7.2 clients.

Require the client to supply a crypt()-encrypted password for authentication. md5 is now recommended over crypt. See section 20.2.2 for details.

password

Require the client to supply an unencrypted password for authentication. Since the password is sent in clear text over the network, this should not be used on untrusted networks. It also cannot be used with threaded client applications. See section 20.2.2 for details.

krb5

Use Kerberos V5 to authenticate the user. This is only available for TCP/IP connections. See section 20.2.3 for details.

ident

Obtain the operating system user name of the client and check whether that user is allowed to connect as the requested database user by consulting the map specified after the ident key word. For TCP/IP connections the user's identity is determined by contacting the ident server on the client host; for local connections it is obtained from the operating system. See section 20.2.4 for details.

ldap

Authenticate using LDAP. See section 20.2.5 for details.

pam

Authenticate using the Pluggable Authentication Modules (PAM) service provided by the operating system. See section 20.2.6 for details.

auth-option

The meaning of this optional field depends on the chosen authentication method. Details are given below.

Files included by @ constructs are read as lists of names, which can be separated by either white space or commas. Comments are introduced by #, just as in pg_hba.conf, and nested @ constructs are allowed. Unless the file name following @ is an absolute path, it is taken to be relative to the directory containing the referencing file.

Since the pg_hba.conf records are examined sequentially for each connection attempt, the order of the records is significant. Typically, earlier records have tight connection-match parameters and weaker authentication methods, while later records have looser match parameters and stronger authentication methods. For example, one might wish to use trust authentication for local TCP/IP connections but require a password for remote TCP/IP connections. In this case a record specifying trust authentication for connections from 127.0.0.1 would appear before a record specifying password authentication for a wider range of allowed client IP addresses.

The pg_hba.conf file is read on start-up and when the main server process receives a SIGHUP signal. If you edit the file on an active system, you will need to signal the server (using pg_ctl reload or kill -HUP) to make it re-read the file.

Tip: To connect to a particular database, a user must not only pass the pg_hba.conf checks, but must also have the CONNECT privilege for the database. If you wish to restrict which users can connect to which databases, it is usually easier to control this by granting or revoking CONNECT privilege than to put the rules in pg_hba.conf entries.

Some examples of pg_hba.conf entries are shown in Example 20-1. See below for details on the different authentication methods.

Example 20-1. Example pg_hba.conf entries

    # Allow any user on the local system to connect to any database under
    # any database user name using Unix-domain sockets (the default for local
    # connections).
    #
    # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
    local   all         all                               trust

    # The same using local loopback TCP/IP connections.
    #
    # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
    host    all         all         127.0.0.1/32          trust

    # The same as the previous line, but using a separate netmask column.
    #
    # TYPE  DATABASE    USER        IP-ADDRESS    IP-MASK             METHOD
    host    all         all         127.0.0.1     255.255.255.255     trust

    # Allow any user from any host with IP address 192.168.93.x to connect
    # to database "postgres" as the same user name that ident reports for
    # the connection (typically the Unix user name).
    #
    # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
    host    postgres    all         192.168.93.0/24       ident sameuser

    # Allow a user from host 192.168.12.10 to connect to database
    # "postgres" if the user's password is correctly supplied.
    #
    # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
    host    postgres    all         192.168.12.10/32      md5

    # In the absence of preceding "host" lines, these two lines will
    # reject all connections from 192.168.54.1 (since that entry will be
    # matched first), but allow Kerberos 5 connections from anywhere else
    # on the Internet. The zero mask means that no bits of the host IP
    # address are considered, so it matches any host.
    #
    # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
    host    all         all         192.168.54.1/32       reject
    host    all         all         0.0.0.0/0             krb5

    # Allow users from 192.168.x.x hosts to connect to any database, if
    # they pass the ident check. If, for example, ident says the user is
    # "bryanh" and he requests to connect as PostgreSQL user "guest1", the
    # connection is allowed only if there is an entry in pg_ident.conf for
    # map "omicron" that says "bryanh" is allowed to connect as "guest1".
    #
    # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
    host    all         all         192.168.0.0/16        ident omicron

    # If these are the only three lines for local connections, they will
    # allow local users to connect only to their own databases (databases
    # with the same name as their database user name), except for
    # administrators and members of role "support", who can connect to all
    # databases. The file $PGDATA/admins lists the names of the users
    # allowed to connect to all databases. Passwords are required in all cases.
    #
    # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
    local   sameuser    all                               md5
    local   all         @admins                           md5
    local   all         +support                          md5

    # The last two lines above can be combined into a single line:
    local   all         @admins,+support                  md5

    # The database column can also use lists and file names:
    local   db1,db2,@demodbs  all                         md5
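To make the first-match, no-fall-through rule, the ordering advice, the IPv4-in-IPv6 matching and the sameuser/+role expansion concrete, here is a small evaluator for pg_hba.conf records written for this page (it is not PostgreSQL's own code). The sample records and the role membership table are constructed for the illustration; auth-option values and @file includes are not handled.

```python
import ipaddress
# Constructed sample in the spirit of Example 20-1 (not the page's file verbatim).
SAMPLE_HBA = """
# TYPE   DATABASE  USER      CIDR-ADDRESS / IP-ADDRESS IP-MASK   METHOD
host     all       all       127.0.0.1  255.255.255.255          trust
host     postgres  all       192.168.12.10/32                    md5
host     all       all       192.168.54.1/32                     reject
hostssl  all       all       0.0.0.0/0                           krb5
local    sameuser  all                                           md5
local    all       +support                                      md5
"""
ROLES = {"alice": {"support"}}  # constructed: user -> roles it belongs to, directly or indirectly
def parse_hba(text):
    """(type, databases, users, network, method) per record; comments and blank lines skipped."""
    records = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":                      # no address fields
            net, method = None, f[3]
        elif "/" in f[3]:                        # CIDR-address form
            net, method = ipaddress.ip_network(f[3]), f[4]
        else:                                    # IP-address IP-mask form, folded into one network
            net, method = ipaddress.ip_network(f"{f[3]}/{f[4]}"), f[5]
        records.append((f[0], f[1].split(","), f[2].split(","), net, method))
    return records

def addr_matches(net, ip):
    # An IPv4 record also matches the IPv4-mapped IPv6 form of the same address;
    # an IPv6 record matches IPv6 clients only (ipaddress returns False across versions).
    if net.version == 4 and ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip in net

def authenticate(records, conn, db, user, addr=None, ssl=False, roles=ROLES):
    """Method of the first matching record, 'reject' if none: there is no fall-through."""
    member = roles.get(user, set())
    for rtype, dbs, users, net, method in records:
        if (rtype == "local") != (conn == "local"):
            continue
        if (rtype == "hostssl" and not ssl) or (rtype == "hostnossl" and ssl):
            continue
        if net is not None and not addr_matches(net, ipaddress.ip_address(addr)):
            continue
        if not any(d in ("all", db) or (d == "sameuser" and db == user)
                   or (d in ("samerole", "samegroup") and db in member) for d in dbs):
            continue
        if any(u in ("all", user) or (u[:1] == "+" and u[1:] in member) for u in users):
            return method
    return "reject"
```

Note that a connection from 192.168.54.1 is rejected even over SSL, because the reject record is matched before the hostssl record that would otherwise allow it; swapping the two lines would silently undo the filter.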
