PostgreSQL 13.7 pg_hba.conf configuration file explained

pg_hba.conf is one of the main access-control configuration files of PostgreSQL. It controls which users may access the database and how they are authenticated. Each entry in pg_hba.conf is a rule that defines the host address, the database name, the user role, and the authentication method to use.

Below is an example pg_hba.conf that illustrates the meaning of each field:

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     peer

# IPv4 local connections:
host    all             all             127.0.0.1/32            md5

# IPv6 local connections:
host    all             all             ::1/128                 md5

# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            md5
host    replication     all             ::1/128                 md5

Each line is one access-control rule made up of the following fields:

  • TYPE: the connection type, such as local (a Unix domain socket connection), host (a TCP/IP connection, IPv4 or IPv6, with or without SSL) and hostssl (an SSL-encrypted TCP/IP connection).

  • DATABASE: the database name the rule applies to; all means every database.

  • USER: the user role the rule applies to; all means every user.

  • ADDRESS: the client IP address or host name, which may be written in CIDR notation; for example 127.0.0.1/32 allows only IPv4 connections from the local host.

  • METHOD: the authentication method; trust means no authentication is required, while md5 means password authentication with MD5 hashing.

Besides the fields above, other fields can also be used to control access: the OPTIONS field supplies optional parameters, for example an LDAPURL option that specifies the address of the LDAP server.


Below is the PostgreSQL 13.7 pg_hba.conf configuration file with its explanatory comments:

# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the "Client Authentication" section in the PostgreSQL
# documentation for a complete description of this file.  A short
# synopsis follows.
#
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access.  Records take one of these forms:

# local         DATABASE  USER  METHOD  [OPTIONS]
# host          DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
# hostssl       DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
# hostnossl     DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
# hostgssenc    DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
# hostnogssenc  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
#
# (The uppercase items must be replaced by actual values.)
#
# The first field is the connection type: "local" is a Unix-domain
# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
# non-SSL TCP/IP socket.  Similarly, "hostgssenc" uses a
# GSSAPI-encrypted TCP/IP socket, while "hostnogssenc" uses a
# non-GSSAPI socket.
#
# DATABASE can be "all", "sameuser", "samerole", "replication", a
# database name, or a comma-separated list thereof. The "all"
# keyword does not match "replication". Access to replication
# must be enabled in a separate record (see example below).

# USER can be "all", a user name, a group name prefixed with "+", or a
# comma-separated list thereof.  In both the DATABASE and USER fields
# you can also write a file name prefixed with "@" to include names
# from a separate file.
#
# ADDRESS specifies the set of hosts the record matches.  It can be a
# host name, or it is made up of an IP address and a CIDR mask that is
# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
# specifies the number of significant bits in the mask.  A host name
# that starts with a dot (.) matches a suffix of the actual host name.
# Alternatively, you can write an IP address and netmask in separate
# columns to specify the set of hosts.  Instead of a CIDR-address, you
# can write "samehost" to match any of the server's own IP addresses,
# or "samenet" to match any address in any subnet that the server is
# directly connected to.
#
# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
# Note that "password" sends passwords in clear text; "md5" or
# "scram-sha-256" are preferred since they send encrypted passwords.
#
# OPTIONS are a set of options for the authentication in the format
# NAME=VALUE.  The available options depend on the different
# authentication methods -- refer to the "Client Authentication"
# section in the documentation for a list of which options are
# available for which authentication methods.
#
# Database and user names containing spaces, commas, quotes and other
# special characters must be quoted.  Quoting one of the keywords
# "all", "sameuser", "samerole" or "replication" makes the name lose
# its special character, and just match a database or username with
# that name.
#
# This file is read on server startup and when the server receives a
# SIGHUP signal.  If you edit the file on a running system, you have to
# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
# or execute "SELECT pg_reload_conf()".

# Put your actual configuration here
# ----------------------------------
#
# If you want to allow non-local connections, you need to add more
# "host" records.  In that case you will also need to make PostgreSQL
# listen on a non-local interface via the listen_addresses
# configuration parameter, or via the -i or -h command line switches.


# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     peer
# IPv4 local connections:
host    all             all             127.0.0.1/32            scram-sha-256
host    all             all             0.0.0.0/0                 md5
# IPv6 local connections:
host    all             all             ::1/128                 scram-sha-256
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            scram-sha-256
host    replication     all             ::1/128                 scram-sha-256
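To show how the server evaluates the records above (the first matching record wins, and all does not match replication), here is an added Python evaluator; it is not part of the original post or of PostgreSQL itself. It supports only the record shapes used in this file (local/host/hostssl/hostnossl, all/replication/database names, CIDR addresses) and assumes samehost, samenet, host names, +group and @file do not occur; the embedded records are a constructed copy of the file above.

```python
import ipaddress

# Constructed sample mirroring the records shown above (comments stripped).
SAMPLE_HBA = """
local   all          all                     peer
host    all          all   127.0.0.1/32      scram-sha-256
host    all          all   0.0.0.0/0         md5
host    all          all   ::1/128           scram-sha-256
local   replication  all                     peer
host    replication  all   127.0.0.1/32      scram-sha-256
host    replication  all   ::1/128           scram-sha-256
"""

def parse_hba(text):
    """Parse records into (type, db list, user list, network or None, method)."""
    records = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":  # local records carry no ADDRESS column
            ctype, dbs, users, method, net = f[0], f[1], f[2], f[3], None
        else:
            ctype, dbs, users, method = f[0], f[1], f[2], f[4]
            net = ipaddress.ip_network(f[3], strict=False)
        records.append((ctype, dbs.split(","), users.split(","), net, method))
    return records

def _db_matches(patterns, database):
    # "all" deliberately does not match replication connections
    return any(p == database or (p == "all" and database != "replication")
               for p in patterns)

def find_method(records, conn_type, database, user, address=None):
    """conn_type: 'local', 'hostssl' (TLS) or 'hostnossl' (plain TCP).
    Returns the METHOD of the first matching record; no match means reject."""
    for rtype, dbs, users, net, method in records:
        if conn_type == "local":
            if rtype != "local":
                continue
        # a "host" record matches TLS and plain TCP; hostssl/hostnossl are strict
        elif rtype == "local" or (rtype != "host" and rtype != conn_type):
            continue
        elif ipaddress.ip_address(address) not in net:
            continue
        if _db_matches(dbs, database) and ("all" in users or user in users):
            return method
    return "reject"

RECORDS = parse_hba(SAMPLE_HBA)
```

Run against the file above, a plain-TCP connection from any non-loopback IPv4 address to any database falls through to the 0.0.0.0/0 md5 record, which is the line to review before pointing listen_addresses at a network interface; a replication connection from the same address matches nothing and is rejected.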
