Configuration File Reference

Table 1 Parameter description

Parameter

Description

Value Range

local

Indicates that this record accepts only the Unix-domain-socket connection. If no such type of record exists, Unix-domain-socket connections are not allowed.

When gsql is used to initiate a connection from a local server and the -U parameter is not specified, a Unix-domain-socket connection is established.

N/A

host

Indicates that this record accepts either a common TCP/IP-socket connection or a TCP/IP-socket connection encrypted through SSL.

N/A

hostssl

Indicates that this record accepts only a TCP/IP socket connection encrypted through SSL.

For the connection encrypted through SSL, you need to apply for a digital certificate and configure related parameters. For details, see Establishing Secure TCP/IP Connections in SSL Mode.

hostnossl

Indicates that this record accepts only a common TCP/IP socket connection.

N/A

DATABASE

Database that a record matches and can access

  • all: indicates that this record matches all databases.
  • sameuser: indicates that the database must have the same name as the user who requests database access.
  • samerole: indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
  • samegroup: is the same as that of samerole and indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
  • A file containing database names with an at sign (@) added before the file name, or a database list in a file using commas (,) or line feeds to separate databases
  • A specific database name or a list of databases separated by commas (,)
    NOTE:

    replication indicates that if a replication link is requested, the records match the link. But this does not mean the record matches any specific database. To use a database named replication, specify it in the database column.

USER

Users who match the record and are allowed to access databases

  • all: indicates that this record matches all users.
  • +User role: indicates that this record matches all members that directly or indirectly belong to the role.
    NOTE:

    + is a prefix character.

  • A file containing usernames, with an at sign (@) added before the file name. Users in the file are separated by commas (,) or line feeds.
  • A specific database username or a list of users separated by commas (,)

ADDRESS

Range of IP addresses that match the record and can be visited

IPv4 addresses and IPv6 addresses are supported. The IP address range can be expressed in the following two formats:

  • IP address/mask length Example: 10.10.0.0/24
  • IP address Subnet mask Example: 10.10.0.0 255.255.255.0
NOTE:

An IPv4 address matches the IPv6 connection with the corresponding address. For example, 127.0.0.1 matches IPv6 address ::ffff:127.0.0.1.

METHOD

Authentication method used for connection

The following authentication modes are supported. For details, see Table 2.

  • trust
  • reject
  • md5 (not recommended and not supported by default. This authentication mode can be configured using the password_encryption_type parameter.)
    NOTE:

    The MD5 encryption algorithm has lower security and poses security risks. Therefore, you are advised to use a more secure encryption algorithm.

  • sha256
  • sm3
  • cert
  • gss (only for authentication within openGauss)
  • peer (only for the local mode)

Table 2 Authentication modes

Authentication Mode

Description

trust

In trust mode, only the connection initiated from the local server using gsql with the -U parameter not specified is trusted. In this case, no password is required.

The trust authentication mode applies to local connection of a single-user workstation, but not of a multi-user workstation. To use this authentication mode, you can use the file system permissions to control the access to the Unix-domain socket file on the server. You can use either of the following methods to control the access:

NOTICE:

Setting the file system permission imposes restrictions on only Unix-domain socket connections, and does not affect local TCP/IP connections. To ensure local TCP/IP security, openGauss does not allow the trust authentication mode for remote connection.

reject

Rejects connections unconditionally. This authentication mode is usually used for filtering certain hosts.

md5

Requires that the client must provide an MD5-encrypted password for authentication.

NOTICE:
  • The MD5 encryption algorithm has lower security and poses security risks. Therefore, you are advised to use a more secure encryption algorithm.
  • openGauss retains MD5 authentication and password storage to facilitate use of third-party tools (such as the TPCC test tool).

sha256

Requires that the client must provide a SHA256-encrypted password for authentication. The password is encrypted based on the unidirectional SHA-256 of salt (a random number sent from the server to the client) when being transmitted, enhancing the security.

sm3

The client is required to provide an SM3 encryption password for authentication. The password is encrypted using the salt (a random number sent by the server to the client) to enhance security.

cert

A client certificate is used for authentication. In this mode, the SSL connection must be configured and the client must provide a valid SSL certificate. The user password is not required.

NOTICE:

This authentication mode supports only hostssl rules.

gss

Uses the GSSAPI-based Kerberos authentication.

NOTICE:
  • This authentication mode depends on components such as the Kerberos server. It supports only authentication for communication within openGauss. In the current version, Kerberos authentication cannot be used to connect to external clients.
  • Enabling Kerberos authentication within openGauss slows down the connection setup among nodes. The performance of SQL operations during the setup is affected, but later operations are not.

peer

Obtains the username of the OS where the client is located and checks whether the username is the same as the initial username of the database. In this mode, only the initial database user can connect to the database in local mode. You can configure pg_ident.conf to establish the mapping between the OS user and the initial database user.

Assume that the OS username is omm, the initial database user is dbAdmin, and the local mode is set to peer authentication in pg_hba.conf.

local   all    all        peer    map=mymap

In the preceding information, map=mymap specifies the username mapping, and the mapping name mymap is added to pg_ident.conf. The following shows the mapping.

# MAPNAME       SYSTEM-USERNAME         PG-USERNAME
mymap                omm                                  dbAdmin
NOTE:

You can run the gs_guc reload command to modify pg_hba.conf for the modification to take effect immediately without restarting the database. After pg_ident.conf is modified, the modification automatically takes effect upon the next connection. You do not need to restart the database.

Feedback
编组 3备份
    openGauss 2024-10-13 00:54:14
    cancel