On Installing and Using PostgreSQL (Part 3)
2014-11-24 00:04:36 Views: 73
Tags: about postgresql installation practical
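matches. This is only available for local connections. See Section 19.3.7 for details.

ldap

Authenticate using an LDAP server. See Section 19.3.8 for details.

radius

Authenticate using a RADIUS server.

cert

Authenticate using SSL client certificates. See Section 19.3.10 for details.

pam

Authenticate using the Pluggable Authentication Modules (PAM) service provided by the operating system. See Section 19.3.11 for details.

auth-options

After the auth-method field, options for the authentication method can be given in the form name=value. Details about these options appear below.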

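Files included by @ constructs are read as lists of names, which can be separated by either whitespace or commas. Comments are introduced by #, just as in pg_hba.conf, and nested @ constructs are allowed. Unless the file name following @ is an absolute path, it is taken to be relative to the directory containing the referencing file.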

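Because the pg_hba.conf records are examined sequentially for each connection attempt, the order of the records is significant. Typically, earlier records have tight connection match parameters and weaker authentication methods, while later records have looser match parameters and stronger authentication methods. For example, we generally want to use trust authentication for local TCP/IP connections but require a password for remote TCP/IP connections. In that case the record that applies trust authentication to connections from 127.0.0.1 appears before the record that allows password authentication for a wider range of client IP addresses.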
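The first-match rule described above can be checked offline before a reload. The following Python sketch is an added example, not part of the original article or of PostgreSQL itself; the sample records are constructed and the function names (parse, first_match, shadowed) are hypothetical. It assumes only host records with numeric addresses and plain or comma-separated database and user names.

```python
import ipaddress

# Constructed sample records (not from the article); line 1 is the header comment.
SAMPLE = """\
# TYPE  DATABASE  USER  ADDRESS           METHOD
host    all       all   127.0.0.1/32      trust
host    postgres  all   192.168.12.10/32  md5
host    all       all   192.168.54.1/32   reject
host    all       all   0.0.0.0/0         md5
host    all       all   192.168.0.0/16    ident map=omicron
"""

def parse(text):
    """Return (lineno, database, user, network, method) for each numeric 'host' record."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        f = line.split("#", 1)[0].split()
        if not f or f[0] != "host":
            continue  # local/hostssl/hostnossl records are outside this sketch
        try:
            if "/" in f[3]:
                net, method = ipaddress.ip_network(f[3], strict=False), f[4]
            else:  # separate IP-ADDRESS and IP-MASK columns
                net, method = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False), f[5]
        except (ValueError, IndexError):
            continue  # host names and keywords need resolution; skipped here
        rules.append((n, f[1], f[2], net, method))
    return rules

def _covers(field, value):
    return field == "all" or value in field.split(",")

def first_match(rules, database, user, client_ip):
    """Return (lineno, method) of the first matching record, or None if nothing matches."""
    ip = ipaddress.ip_address(client_ip)
    for n, db, usr, net, method in rules:
        if _covers(db, database) and _covers(usr, user) and ip.version == net.version and ip in net:
            return n, method
    return None  # no matching record: the connection is refused

def shadowed(rules):
    """Line numbers of records that an earlier, broader record makes unreachable."""
    dead = []
    for i, (n, db, usr, net, _) in enumerate(rules):
        for _, pdb, pusr, pnet, _ in rules[:i]:
            if pdb in ("all", db) and pusr in ("all", usr) and pnet.version == net.version and net.subnet_of(pnet):
                dead.append(n)
                break
    return dead
```

On the constructed sample, shadowed() reports the ident record on line 6: the 0.0.0.0/0 record on line 5 matches every IPv4 client first, so the intended ident check never runs.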

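The pg_hba.conf file is read at start-up and whenever the main server process (postmaster) receives a SIGHUP signal. If you edit the file on a running system, you need to signal the postmaster (using pg_ctl reload or kill -HUP) to make it re-read the file.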

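Tip: To connect to a particular database, a user must not only pass the pg_hba.conf checks but must also have the CONNECT privilege for that database. If you want to keep a user from connecting to a database, this is easy to control: granting and revoking CONNECT is simpler than editing the pg_hba.conf file.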

Some examples of pg_hba.conf records are shown in Example 19-1. See the next section for details on the different authentication methods.

Example 19-1. Example pg_hba.conf Entries

# Allow any user on the local system to connect to any database with
# any database user name using Unix-domain sockets (the default for local
# connections).
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     trust

# The same using local loopback TCP/IP connections.
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             127.0.0.1/32            trust

# The same as the previous line, but using a separate netmask column
#
# TYPE  DATABASE        USER            IP-ADDRESS      IP-MASK             METHOD
host    all             all             127.0.0.1       255.255.255.255     trust

# The same over IPv6.
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             ::1/128                 trust

# The same using a host name (would typically cover both IPv4 and IPv6).
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             localhost               trust

# Allow any user from any host with IP address 192.168.93.x to connect
# to database "postgres" as the same user name that ident reports for
# the connection (typically the operating system user name).
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    postgres        all             192.168.93.0/24         ident

# Allow any user from host 192.168.12.10 to connect to database
# "postgres" if the user's password is correctly supplied.
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    postgres        all             192.168.12.10/32        md5

# Allow any user from hosts in the example.com domain to connect to
# any database if the user's password is correctly supplied.
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             .example.com            md5

# In the absence of preceding "host" lines, these two lines will
# reject all connections from 192.168.54.1 (since that entry will be
# matched first), but allow Kerberos 5 connections from anywhere else
# on the Internet.  The zero mask causes no bits of the host IP
# address to be considered, so it matches any host.
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             192.168.54.1/32         reject
host    all             all             0.0.0.0/0               krb5

# Allow users from 192.168.x.x hosts to connect to any database, if
# they pass the ident check.  If, for example, ident says the user is
# "bryanh" and he requests to connect as PostgreSQL user "guest1", the
# connection is allowed if there is an entry in pg_ident.conf for map
# "omicron" that says "bryanh" is allowed to connect as "guest1".
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             192.168.0.0/16          ident map=omicron

# If these are the only three lines for local connections, they will
# allow local users to connect only to their own databases (database
