Configuration File Reference
Table 1 Parameter description
Parameter | Description | Value Range |
---|
local | Indicates that this record accepts only the Unix-domain-socket connection. If no such type of record exists, Unix-domain-socket connections are not allowed. When gsql is used to initiate a connection from a local server and the -U parameter is not specified, a Unix-domain-socket connection is established. | N/A |
host | Indicates that this record accepts either a common TCP/IP-socket connection or a TCP/IP-socket connection encrypted through SSL. | N/A |
hostssl | Indicates that this record accepts only a TCP/IP socket connection encrypted through SSL. | For the connection encrypted through SSL, you need to apply for a digital certificate and configure related parameters. For details, see Establishing Secure TCP/IP Connections in SSL Mode. |
hostnossl | Indicates that this record accepts only a common TCP/IP socket connection. | N/A |
DATABASE | Database that a record matches and can access | - all: indicates that this record matches all databases.
- sameuser: indicates that the database must have the same name as the user who requests database access.
- samerole: indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- samegroup: is the same as that of samerole and indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database.
- A file containing database names with an at sign (@) added before the file name, or a database list in a file using commas (,) or line feeds to separate databases
- A specific database name or a list of databases separated by commas (,)
NOTE:replication indicates that if a replication link is requested, the records match the link. But this does not mean the record matches any specific database. To use a database named replication, specify it in the database column.
|
USER | Users who match the record and are allowed to access databases | - all: indicates that this record matches all users.
- +User role: indicates that this record matches all members that directly or indirectly belong to the role.
- A file containing usernames, with an at sign (@) added before the file name. Users in the file are separated by commas (,) or line feeds.
- A specific database username or a list of users separated by commas (,)
|
ADDRESS | Range of IP addresses that match the record and can be visited | IPv4 addresses and IPv6 addresses are supported. The IP address range can be expressed in the following two formats: - IP address/mask length Example: 10.10.0.0/24
- IP address Subnet mask Example: 10.10.0.0 255.255.255.0
NOTE:An IPv4 address matches the IPv6 connection with the corresponding address. For example, 127.0.0.1 matches IPv6 address ::ffff:127.0.0.1. |
METHOD | Authentication method used for connection | The following authentication modes are supported. For details, see Table 2. - trust
- reject
- md5 (not recommended and not supported by default. This authentication mode can be configured using the password_encryption_type parameter.)
NOTE:The MD5 encryption algorithm has lower security and poses security risks. Therefore, you are advised to use a more secure encryption algorithm. - sha256
- sm3
- cert
- gss (only for authentication within openGauss)
- peer (only for the local mode)
|
Table 2 Authentication modes
Authentication Mode | Description |
---|
trust | In trust mode, only the connection initiated from the local server using gsql with the -U parameter not specified is trusted. In this case, no password is required. The trust authentication mode applies to local connection of a single-user workstation, but not of a multi-user workstation. To use this authentication mode, you can use the file system permissions to control the access to the Unix-domain socket file on the server. You can use either of the following methods to control the access: NOTICE:Setting the file system permission imposes restrictions on only Unix-domain socket connections, and does not affect local TCP/IP connections. To ensure local TCP/IP security, openGauss does not allow the trust authentication mode for remote connection. |
reject | Rejects connections unconditionally. This authentication mode is usually used for filtering certain hosts. |
md5 | Requires that the client must provide an MD5-encrypted password for authentication. NOTICE:- The MD5 encryption algorithm has lower security and poses security risks. Therefore, you are advised to use a more secure encryption algorithm.
- openGauss retains MD5 authentication and password storage to facilitate use of third-party tools (such as the TPCC test tool).
|
sha256 | Requires that the client must provide a SHA256-encrypted password for authentication. The password is encrypted based on the unidirectional SHA-256 of salt (a random number sent from the server to the client) when being transmitted, enhancing the security. |
sm3 | The client is required to provide an SM3 encryption password for authentication. The password is encrypted using the salt (a random number sent by the server to the client) to enhance security. |
cert | A client certificate is used for authentication. In this mode, the SSL connection must be configured and the client must provide a valid SSL certificate. The user password is not required. NOTICE:This authentication mode supports only hostssl rules. |
gss | Uses the GSSAPI-based Kerberos authentication. NOTICE:- This authentication mode depends on components such as the Kerberos server. It supports only authentication for communication within openGauss. In the current version, Kerberos authentication cannot be used to connect to external clients.
- Enabling Kerberos authentication within openGauss slows down the connection setup among nodes. The performance of SQL operations during the setup is affected, but later operations are not.
|
peer | Obtains the username of the OS where the client is located and checks whether the username is the same as the initial username of the database. In this mode, only the initial database user can connect to the database in local mode. You can configure pg_ident.conf to establish the mapping between the OS user and the initial database user. Assume that the OS username is omm, the initial database user is dbAdmin, and the local mode is set to peer authentication in pg_hba.conf. local all all peer map=mymap In the preceding information, map=mymap specifies the username mapping, and the mapping name mymap is added to pg_ident.conf. The following shows the mapping. # MAPNAME SYSTEM-USERNAME PG-USERNAME
mymap omm dbAdmin NOTE:You can run the gs_guc reload command to modify pg_hba.conf for the modification to take effect immediately without restarting the database. After pg_ident.conf is modified, the modification automatically takes effect upon the next connection. You do not need to restart the database. |
openGauss 2024-10-13 00:54:14