Client Authentication

When a client application connects to the database server, it specifies which PostgreSQL database user name it wants to connect as, much as one logs in to a Unix computer as a particular user. Within the SQL environment, the active database user name determines access privileges to database objects.

Authentication is the process by which the database server establishes the identity of the client and, by extension, determines whether the client application (or the user who runs the client application) is permitted to connect with the database user name that was requested.

PostgreSQL offers a number of different client authentication methods. The method used to authenticate a particular client connection can be selected on the basis of the (client) host address, the database, and the user.

PostgreSQL database user names are logically separate from the user names of the operating system on which the server runs. If all the users of a particular server also have accounts on the server's machine, it makes sense to assign database user names that match their operating system user names. However, a server that accepts remote connections might have many database users who have no local operating system account, and in such cases there need be no connection between database user names and operating system user names.

The pg_hba.conf File

Client authentication is controlled by a configuration file, which is traditionally named pg_hba.conf and stored in the database cluster's data directory. (HBA stands for host-based authentication.) A default pg_hba.conf file is installed when the data directory is initialized by initdb. The authentication configuration file can, however, be placed elsewhere;

The general format of the pg_hba.conf file is a set of records, one per line. Blank lines are ignored, as is any text after the # comment character. Records cannot be continued across lines. A record is made up of a number of fields separated by spaces and/or tabs. A field can contain white space if its value is double-quoted. Quoting one of the keywords in a database, user, or address field (for example, all or replication) makes the word lose its special meaning, so that it only matches a database, user, or host with that name.

Each record specifies a connection type, a client IP address range (if relevant for the connection type), a database name, a user name, and the authentication method to be used for connections matching these parameters. The first record with a matching connection type, client address, requested database, and user name is used to perform authentication. There is no "fall-through" or "backup": if one record is chosen and the authentication fails, subsequent records are not considered. If no record matches, access is denied.

A record can have one of the following seven formats:

local      database  user  auth-method  [auth-options]
host       database  user  address  auth-method  [auth-options]
hostssl    database  user  address  auth-method  [auth-options]
hostnossl  database  user  address  auth-method  [auth-options]
host       database  user  IP-address  IP-mask  auth-method  [auth-options]
hostssl    database  user  IP-address  IP-mask  auth-method  [auth-options]
hostnossl  database  user  IP-address  IP-mask  auth-method  [auth-options]

Tip: To connect to a particular database, a user must not only pass the pg_hba.conf checks but must also hold the CONNECT privilege for that database. If you wish to restrict which users can connect to which databases, it is usually easier to control this by granting/revoking the CONNECT privilege than by putting the rules into pg_hba.conf entries.

auth-method

trust       Allow the connection unconditionally.

reject      Reject the connection unconditionally.

md5         Require the client to supply a double-MD5-hashed password for authentication.

password    Require the client to supply an unencrypted password for authentication.

ident       Obtain the operating system user name of the client by contacting the ident server on the client host and check whether it matches the requested database user name. Ident authentication can only be used on TCP/IP connections. When specified for local connections, peer authentication is used instead.
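To make the matching rules above concrete (first matching record wins, no fall-through, the all, sameuser and +role keywords, CIDR versus separate IP-mask address columns, and hostssl/hostnossl versus plain host), here is an added Python model of the lookup the server performs. It is not PostgreSQL's own code; the pg_hba.conf excerpt, the ROLE_MEMBERS table standing in for the server's role-membership lookup, and the restriction to numeric addresses are assumptions made for the example.

```python
import ipaddress
HBA_TEXT = """
# Constructed pg_hba.conf excerpt (assumed content, not taken from any real server).
# TYPE  DATABASE  USER      ADDRESS           METHOD
local   sameuser  all                         md5
local   all       +support                    md5
host    postgres  all       192.168.12.10/32  md5
host    all       all       192.168.54.1/32   reject
hostssl all       all       192.168.0.0/16    ident map=omicron
host    all       all       0.0.0.0/0         gss
"""
ROLE_MEMBERS = {"support": {"alice"}}  # assumed role membership; stands in for the catalog lookup of "+role"

def parse_hba(text):
    """One record per line; blank lines and text after '#' are ignored. Numeric addresses only."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()  # drop the comment, split on spaces/tabs
        if not f:
            continue
        if f[0] == "local":
            net, rest = None, f[3:]
        elif "/" in f[3]:  # CIDR form: address/prefix-length
            net, rest = ipaddress.ip_network(f[3], strict=False), f[4:]
        else:              # separate IP-address and IP-mask columns
            net, rest = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False), f[5:]
        rules.append({"type": f[0], "db": f[1], "user": f[2], "net": net,
                      "method": rest[0], "opts": rest[1:]})
    return rules

def field_matches(field, conn, is_user):
    """Comma lists, 'all', 'sameuser' (database column) and '+role' (user column)."""
    want = conn["user"] if is_user else conn["db"]
    return any(item in ("all", want)
               or (is_user and item.startswith("+") and want in ROLE_MEMBERS.get(item[1:], ()))
               or (not is_user and item == "sameuser" and conn["db"] == conn["user"])
               for item in field.split(","))

def find_rule(rules, conn):
    """First record matching type, address, database and user decides; there is no fall-through."""
    for r in rules:
        if (r["type"] == "local") != (conn["addr"] is None):
            continue
        if r["net"] is not None:
            ssl_ok = r["type"] == "host" or (r["type"] == "hostssl") == conn["ssl"]
            if not ssl_ok or ipaddress.ip_address(conn["addr"]) not in r["net"]:
                continue
        if field_matches(r["db"], conn, False) and field_matches(r["user"], conn, True):
            return r
    return None  # no matching record: the server refuses the connection
```

Note that 192.168.54.1 is inside 192.168.0.0/16, yet it is always rejected because the reject record precedes the ident record, and a non-SSL client from 192.168.x.x skips the hostssl record and lands on the catch-all gss line.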

Example pg_hba.conf Entries

# Allow any user on the local system to connect to any database with
# any database user name using Unix-domain sockets (the default for local
# connections).
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     trust

# The same using local loopback TCP/IP connections.
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             127.0.0.1/32            trust

# The same as the previous line, but using a separate netmask column
#
# TYPE  DATABASE        USER            IP-ADDRESS      IP-MASK             METHOD
host    all             all             127.0.0.1       255.255.255.255     trust

# The same over IPv6.
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             ::1/128                 trust

# The same using a host name (would typically cover both IPv4 and IPv6).
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             localhost               trust

# Allow any user from any host with IP address 192.168.93.x to connect
# to database "postgres" as the same user name that ident reports for
# the connection (typically the operating system user name).
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    postgres        all             192.168.93.0/24         ident

# Allow any user from host 192.168.12.10 to connect to database
# "postgres" if the user's password is correctly supplied.
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    postgres        all             192.168.12.10/32        md5

# Allow any user from hosts in the example.com domain to connect to
# any database if the user's password is correctly supplied.
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             .example.com            md5

# In the absence of preceding "host" lines, these two lines will
# reject all connections from 192.168.54.1 (since that entry will be
# matched first), but allow GSSAPI connections from anywhere else
# on the Internet.  The zero mask causes no bits of the host IP
# address to be considered, so it matches any host.
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             192.168.54.1/32         reject
host    all             all             0.0.0.0/0               gss

# Allow users from 192.168.x.x hosts to connect to any database, if
# they pass the ident check.  If, for example, ident says the user is
# "bryanh" and he requests to connect as PostgreSQL user "guest1", the
# connection is allowed if there is an entry in pg_ident.conf for map
# "omicron" that says "bryanh" is allowed to connect as "guest1".
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             192.168.0.0/16          ident map=omicron

# If these are the only three lines for local connections, they will
# allow local users to connect only to their own databases (databases
# with the same name as their database user name) except for administrators
# and members of role "support", who can connect to all databases.  The file
# $PGDATA/admins contains a list of names of administrators.  Passwords
# are required in all cases.
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   sameuser        all                                     md5
local   all             @admins                                 md5
local   all             +support                                md5

# The last two lines above can be combined into a single line:
local   all             @admins,+support                        md5

# The database column can also use lists and file names:
local   db1,db2,@demodbs  all                                   md5


posted @ 2024-05-27 12:35  wongchaofan