PostgreSQL pg_hba.conf

As in postgresql.conf, the pg_hba.conf file is composed of a set of records; lines can be commented using the hash sign, and blank lines and extra whitespace are ignored. Records are examined in order, and the first record that matches a connection attempt decides how it is authenticated. The structure of a pg_hba.conf record is as follows:

host_type database user [IP-address | address] [IP-mask] auth-method [auth-options]

The host_type part of the record can be one of the following:

  • local: This is used on Linux and other Unix-like systems to allow users to access PostgreSQL over Unix-domain socket connections
  • host: This allows TCP/IP connections from other hosts, matched either by host name or by IP address, with or without SSL encryption
  • hostssl: This is similar to host, but the connection must be encrypted using SSL in this case
  • hostnossl: This is also similar to host, but the connection must not be encrypted in this case

The database part of the record is the name of the database that the user would like to connect to. For flexibility, one can also use a comma-separated list to specify several databases, or use all to indicate that the user can access all the databases in the database cluster. The sameuser and samerole values can also be used to indicate that the database name must be the same as the user name, or that the user must be a member of a role with the same name as the database.

The user part of the record specifies the database user's name; again, the all value matches all users. The IP address, address, and IP subnet mask identify the host that the user is connecting from. The address can be specified in CIDR (Classless Inter-Domain Routing) notation or as a dotted-decimal address followed by a separate subnet mask. Finally, the authentication method can be trust, md5, reject, and so on.

The following are some typical examples of configuring PostgreSQL authentication:

  • Example 1: Any user on the PostgreSQL cluster can access any database over the Unix-domain socket, as shown in the following record:
#TYPE    DATABASE        USER        ADDRESS     METHOD
local    all             all                     trust
  • Example 2: Any user on the PostgreSQL cluster can access any database using the local loopback IP address (IPv4 and IPv6):
#TYPE    DATABASE        USER        ADDRESS          METHOD
host     all             all         127.0.0.1/32     trust
host     all             all         ::1/128          trust
  • Example 3: All connections that come from 92.168.0.53 are rejected, and the connections that come from the range 192.168.0.1/24 are accepted. Because the first matching record wins, the reject record must come before the broader trust record:
#TYPE    DATABASE        USER        ADDRESS          METHOD
host     all             all         92.168.0.53/32   reject
host     all             all         192.168.0.1/24   trust
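The following Python script is an added illustration of the record format and the first-match evaluation described above; it is not PostgreSQL's own parser and models only what this section covers (the four record types, all/sameuser/samerole, CIDR and separate-mask addresses). Host names, samehost/samenet, include directives and auth-options are left out. It parses a constructed pg_hba.conf, resolves which record a given connection attempt hits, and lists the records that use trust so they can be reviewed:

```python
"""Parse pg_hba.conf records and resolve a connection attempt to the first
matching record, mirroring PostgreSQL's first-match semantics.
Added illustration; not PostgreSQL's own implementation."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

# Constructed sample file for this example (not a real server's pg_hba.conf).
SAMPLE_HBA = """\
# TYPE   DATABASE  USER  ADDRESS          METHOD
local    all       all                    peer
host     all       all   127.0.0.1/32     scram-sha-256
host     all       all   ::1/128          scram-sha-256
host     all       all   192.168.0.53/32  reject
host     all       all   192.168.0.1/24   trust
hostssl  sameuser  all   10.0.0.0/8       scram-sha-256
"""

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Rule:
    line_number: int
    type: str                    # local | host | hostssl | hostnossl
    databases: list              # DATABASE field split on commas
    users: list                  # USER field split on commas
    network: Optional[Network]   # None for local records
    method: str


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_hba(text: str) -> list:
    """Turn pg_hba.conf text into Rule objects, in file order."""
    rules = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:                             # blank lines are ignored
            continue
        f = line.split()
        kind = f[0].lower()
        if kind == "local":
            if len(f) < 4:
                raise ValueError(f"line {number}: local record needs DATABASE USER METHOD")
            network, method = None, f[3]
        elif kind in ("host", "hostssl", "hostnossl"):
            if len(f) < 5:
                raise ValueError(f"line {number}: {kind} record needs ADDRESS and METHOD")
            addr = f[3]
            if "/" not in addr and len(f) >= 6 and _is_ip(f[4]):
                # Separate IP-mask form: the mask's one-bits give the prefix length.
                prefix = bin(int(ipaddress.ip_address(f[4]))).count("1")
                network, method = ipaddress.ip_network(f"{addr}/{prefix}", strict=False), f[5]
            else:
                # CIDR form; strict=False tolerates host bits such as 192.168.0.1/24.
                network, method = ipaddress.ip_network(addr, strict=False), f[4]
        else:
            raise ValueError(f"line {number}: unknown record type {f[0]!r}")
        rules.append(Rule(number, kind, f[1].split(","), f[2].split(","), network, method.lower()))
    return rules


# Which connection kinds each record type accepts ("ssl"/"nossl" are TCP/IP).
_TYPE_ACCEPTS = {"local": {"local"}, "host": {"ssl", "nossl"},
                 "hostssl": {"ssl"}, "hostnossl": {"nossl"}}


def _db_matches(dbs, database, user, roles) -> bool:
    return any(d == "all" or d == database
               or (d == "sameuser" and database == user)
               or (d == "samerole" and database in roles) for d in dbs)


def _user_matches(users, user, roles) -> bool:
    # '+role' matches members of that role; roles is the caller-supplied membership set.
    return any(u == "all" or u == user or (u.startswith("+") and u[1:] in roles) for u in users)


def match_rule(rules, conn, database, user, address=None, roles=frozenset()) -> Optional[Rule]:
    """Return the first record matching the attempt, or None (PostgreSQL then refuses it)."""
    ip = ipaddress.ip_address(address) if address else None
    for r in rules:
        if conn not in _TYPE_ACCEPTS[r.type]:
            continue
        if not _db_matches(r.databases, database, user, roles):
            continue
        if not _user_matches(r.users, user, roles):
            continue
        # 'in' is False across IP versions, so ::1 never matches an IPv4 network.
        if r.network is not None and (ip is None or ip not in r.network):
            continue
        return r
    return None


def trust_rules(rules) -> list:
    """Audit helper: records that use trust, i.e. no credential check at all."""
    return [r for r in rules if r.method == "trust"]


if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    for conn, db, user, addr in [("nossl", "app", "alice", "192.168.0.53"),
                                 ("nossl", "app", "alice", "192.168.0.77")]:
        hit = match_rule(rules, conn, db, user, addr)
        print(f"{conn} {db}/{user} from {addr}: line {hit.line_number} -> {hit.method}")
    for r in trust_rules(rules):
        print(f"review: line {r.line_number} uses trust for {r.databases} from {r.network}")
```

Running it shows the reject on line 5 catching 192.168.0.53 before the /24 trust record on line 6 can, which is why the order of those two records matters; swapping them would silently let the rejected host in. The trust_rules audit is the check to run on any file before it goes to production, since a trust record grants access to everyone in its address range without a password.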

PostgreSQL provides a very convenient way to view the rules defined in the pg_hba.conf file through a view called pg_hba_file_rules. Note that the view reads the file on disk, not the rules the server currently has loaded, so it also reflects edits that have not yet been applied with a reload; any line that fails to parse is reported in the error column. Querying it looks as follows:

postgres=# SELECT * FROM pg_hba_file_rules limit 1;
 line_number | type  | database | user_name  | address | netmask | auth_method | options | error
-------------+-------+----------+------------+---------+---------+-------------+---------+-------
          85 | local | {all}    | {postgres} |         |         | peer        |         |
(1 row)