PostgreSQL 10.0 preview 功能增强 - 客户端ACL(pg_hba.conf动态视图)

本文涉及的产品
云原生数据库 PolarDB MySQL 版,通用型 2核4GB 50GB
云原生数据库 PolarDB PostgreSQL 版,标准版 2核4GB 50GB
简介:

标签

PostgreSQL , ACL , pg_hba.conf


背景

pg_hba.conf文件是用于控制客户端访问PostgreSQL数据库的防火墙配置(ACL),以往我们要了解数据库配置的ACL,必须打开这个文件进行查看。

例如

cat $PGDATA/pg_hba.conf  
  
# PostgreSQL Client Authentication Configuration File  
# ===================================================  
#  
# Refer to the "Client Authentication" section in the PostgreSQL  
# documentation for a complete description of this file.  A short  
# synopsis follows.  
#  
# This file controls: which hosts are allowed to connect, how clients  
# are authenticated, which PostgreSQL user names they can use, which  
# databases they can access.  Records take one of these forms:  
#  
# local      DATABASE  USER  METHOD  [OPTIONS]  
# host       DATABASE  USER  ADDRESS  METHOD  [OPTIONS]  
# hostssl    DATABASE  USER  ADDRESS  METHOD  [OPTIONS]  
# hostnossl  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]  
#  
# (The uppercase items must be replaced by actual values.)  
#  
# The first field is the connection type: "local" is a Unix-domain  
# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,  
# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a  
# plain TCP/IP socket.  
#  
# DATABASE can be "all", "sameuser", "samerole", "replication", a  
# database name, or a comma-separated list thereof. The "all"  
# keyword does not match "replication". Access to replication  
# must be enabled in a separate record (see example below).  
#  
# USER can be "all", a user name, a group name prefixed with "+", or a  
# comma-separated list thereof.  In both the DATABASE and USER fields  
# you can also write a file name prefixed with "@" to include names  
# from a separate file.  
#  
# ADDRESS specifies the set of hosts the record matches.  It can be a  
# host name, or it is made up of an IP address and a CIDR mask that is  
# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that  
# specifies the number of significant bits in the mask.  A host name  
# that starts with a dot (.) matches a suffix of the actual host name.  
# Alternatively, you can write an IP address and netmask in separate  
# columns to specify the set of hosts.  Instead of a CIDR-address, you  
# can write "samehost" to match any of the server's own IP addresses,  
# or "samenet" to match any address in any subnet that the server is  
# directly connected to.  
#  
# METHOD can be "trust", "reject", "md5", "password", "gss", "sspi",  
# "ident", "peer", "pam", "ldap", "radius" or "cert".  Note that  
# "password" sends passwords in clear text; "md5" is preferred since  
# it sends encrypted passwords.  
#  
# OPTIONS are a set of options for the authentication in the format  
# NAME=VALUE.  The available options depend on the different  
# authentication methods -- refer to the "Client Authentication"  
# section in the documentation for a list of which options are  
# available for which authentication methods.  
#  
# Database and user names containing spaces, commas, quotes and other  
# special characters must be quoted.  Quoting one of the keywords  
# "all", "sameuser", "samerole" or "replication" makes the name lose  
# its special character, and just match a database or username with  
# that name.  
#  
# This file is read on server startup and when the postmaster receives  
# a SIGHUP signal.  If you edit the file on a running system, you have  
# to SIGHUP the postmaster for the changes to take effect.  You can  
# use "pg_ctl reload" to do that.  
  
# Put your actual configuration here  
# ----------------------------------  
#  
# If you want to allow non-local connections, you need to add more  
# "host" records.  In that case you will also need to make PostgreSQL  
# listen on a non-local interface via the listen_addresses  
# configuration parameter, or via the -i or -h command line switches.  
  
# CAUTION: Configuring the system for local "trust" authentication  
# allows any local user to connect as any PostgreSQL user, including  
# the database superuser.  If you do not trust all your local users,  
# use another authentication method.  
  
# TYPE  DATABASE        USER            ADDRESS                 METHOD  
  
# "local" is for Unix domain socket connections only  
local   all             all                                     trust  
# IPv4 local connections:  
host    all             all             127.0.0.1/32            trust  
# IPv6 local connections:  
host    all             all             ::1/128                 trust  
# Allow replication connections from localhost, by a user with the  
# replication privilege.  
local   replication     postgres                                trust  
host    replication     postgres        127.0.0.1/32            trust  
host    replication     postgres        ::1/128                 trust  
host all all 0.0.0.0/0 trust  

PostgreSQL 10.0增加了一个查看pg_hba.conf的视图,允许超级用户查询。

方便DBA的排错工作。

Table 51.70. pg_hba_file_rules Columns

Name Type Description
line_number integer Line number of this rule in pg_hba.conf
type text Type of connection
database text[] List of database name(s) to which this rule applies
user_name text[] List of user and group name(s) to which this rule applies
address text Host name or IP address, or one of all, samehost, or samenet, or null for local connections
netmask text IP address mask, or null if not applicable
auth_method text Authentication method
options text[] Options specified for authentication method, if any
error text If not null, an error message indicating why this line could not be processed

详见

Hi All,  
  
While working on pg_hba_lookup function that can be used to lookup for an client  
authentication that can be matched for given input parameters, Tom raised some  
concrete use case issues in the following mail [1]. In this same  
thread, he raised  
some advantages of having a view similar like pg_file_settings view  
for pg_hba.conf  
also.  
  
Here I attached a patch that implements the pg_hba_file_settings view  
that displays  
all the rows in pg_hba.conf. In case if any error exists in the  
authentication rule, the  
corresponding error is displayed similar like pg_file_settings.  
  
This view can be used to verify whether there exists any problems or  
not in the pg_hba.conf  
before it reloads into the system. This view cannot be used to check  
similar like  
pg_hba_lookup function to find out which rule maps to the  
corresponding input connection.  
  
comments?  
  
[1] - https://www.postgresql.org/message-id/28434.1468246200%40sss.pgh.pa.us  
  
Regards,  
Hari Babu  
Fujitsu Australia  

参考

https://www.postgresql.org/docs/devel/static/view-pg-hba-file-rules.html

相关实践学习
使用PolarDB和ECS搭建门户网站
本场景主要介绍基于PolarDB和ECS实现搭建门户网站。
阿里云数据库产品家族及特性
阿里云智能数据库产品团队一直致力于不断健全产品体系,提升产品性能,打磨产品功能,从而帮助客户实现更加极致的弹性能力、具备更强的扩展能力、并利用云设施进一步降低企业成本。以云原生+分布式为核心技术抓手,打造以自研的在线事务型(OLTP)数据库Polar DB和在线分析型(OLAP)数据库Analytic DB为代表的新一代企业级云原生数据库产品体系, 结合NoSQL数据库、数据库生态工具、云原生智能化数据库管控平台,为阿里巴巴经济体以及各个行业的企业客户和开发者提供从公共云到混合云再到私有云的完整解决方案,提供基于云基础设施进行数据从处理、到存储、再到计算与分析的一体化解决方案。本节课带你了解阿里云数据库产品家族及特性。
目录
相关文章
|
8月前
|
关系型数据库 分布式数据库 PolarDB
PolarDB for PostgreSQL下载问题之客户端 X-Paxos下载失败如何解决
PolarDB for PostgreSQL是基于PostgreSQL开发的一款云原生关系型数据库服务,它提供了高性能、高可用性和弹性扩展的特性;本合集将围绕PolarDB(pg)的部署、管理和优化提供指导,以及常见问题的排查和解决办法。
|
SQL 关系型数据库 Java
PostgreSQL统计信息的几个重要视图
PostgreSQL统计信息的几个重要视图
302 1
|
存储 网络协议 安全
|
缓存 监控 关系型数据库
[译]PostgreSQL16-新特性-新增IO统计视图:pg_stat_io
[译]PostgreSQL16-新特性-新增IO统计视图:pg_stat_io
250 0
|
SQL 存储 关系型数据库
PostgreSQL 动态表复制(CREATE TABLE AS & CREATE TABLE LIKE)
PostgreSQL 动态表复制(CREATE TABLE AS & CREATE TABLE LIKE)
892 0
|
SQL 存储 弹性计算
2022云栖精选—云数据库RDS重磅功能发布与最佳实践
彭祥 阿里云数据库事业部资深技术专家 RDS产品部负责人 许鸿斌 阿里云数据库事业部高级产品专家
2022云栖精选—云数据库RDS重磅功能发布与最佳实践
|
SQL 关系型数据库 测试技术
PostgreSQL 12 文档: PostgreSQL 客户端工具
PostgreSQL 客户端应用 这部份包含PostgreSQL客户端应用和工具的参考信息。不是所有这些命令都是通用工具,某些需要特殊权限。这些应用的共同特征是它们可以被运行在任何主机上,而不管数据库服务器在哪里。 当在命令行上指定用户和数据库名时,它们的大小写会被保留 — 空格或特殊字符的出现可能需要使用引号。表名和其他标识符的大小写不会被保留并且可能需要使用引号。
220 0
|
SQL 关系型数据库 数据库连接
PostgreSQL 12 文档: 部分 IV. 客户端接口
部分 IV. 客户端接口 这一部分描述和PostgreSQL一起发布的客户端编程接口。这些章中的每一个都能被独立阅读。注意,还有很多用于客户端程序的其他编程接口是被独立发布的并且包含它们自己的文档(附录 H列出了一些很流行的)。这部份的读者应该熟悉使用SQL命令来操纵和查询数据库(见第 II 部分),以及熟悉接口所使用的编程语言。
98 0
|
存储 监控 Kubernetes
【实操系列】 AnalyticDB PostgreSQL发布实例暂停功能,助力成本优化
本文将对AnalyticDB PostgreSQL产品的暂停功能以及其背后的实现机制和最佳实践做详细介绍。
1110 3
【实操系列】 AnalyticDB PostgreSQL发布实例暂停功能,助力成本优化
|
SQL 存储 缓存
23 PostgreSQL 监控4 动态内核跟踪 stap 篇|学习笔记
快速学习23 PostgreSQL 监控4 动态内核跟踪 stap 篇
23 PostgreSQL 监控4 动态内核跟踪 stap 篇|学习笔记