PostgreSQL10.0preview功能增強-客戶端ACL(pg_hba.conf動態檢視)
標籤
PostgreSQL , ACL , pg_hba.conf
背景
pg_hba.conf檔案是用於控制客戶端訪問PostgreSQL資料庫的防火牆配置(ACL),以往我們要了解資料庫配置的ACL,必須開啟這個檔案進行檢視。
例如
cat $PGDATA/pg_hba.conf
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the "Client Authentication" section in the PostgreSQL
# documentation for a complete description of this file. A short
# synopsis follows.
#
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
# local DATABASE USER METHOD [OPTIONS]
# host DATABASE USER ADDRESS METHOD [OPTIONS]
# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
#
# (The uppercase items must be replaced by actual values.)
#
# The first field is the connection type: "local" is a Unix-domain
# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
# plain TCP/IP socket.
#
# DATABASE can be "all", "sameuser", "samerole", "replication", a
# database name, or a comma-separated list thereof. The "all"
# keyword does not match "replication". Access to replication
# must be enabled in a separate record (see example below).
#
# USER can be "all", a user name, a group name prefixed with "+", or a
# comma-separated list thereof. In both the DATABASE and USER fields
# you can also write a file name prefixed with "@" to include names
# from a separate file.
#
# ADDRESS specifies the set of hosts the record matches. It can be a
# host name, or it is made up of an IP address and a CIDR mask that is
# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
# specifies the number of significant bits in the mask. A host name
# that starts with a dot (.) matches a suffix of the actual host name.
# Alternatively, you can write an IP address and netmask in separate
# columns to specify the set of hosts. Instead of a CIDR-address, you
# can write "samehost" to match any of the server`s own IP addresses,
# or "samenet" to match any address in any subnet that the server is
# directly connected to.
#
# METHOD can be "trust", "reject", "md5", "password", "gss", "sspi",
# "ident", "peer", "pam", "ldap", "radius" or "cert". Note that
# "password" sends passwords in clear text; "md5" is preferred since
# it sends encrypted passwords.
#
# OPTIONS are a set of options for the authentication in the format
# NAME=VALUE. The available options depend on the different
# authentication methods -- refer to the "Client Authentication"
# section in the documentation for a list of which options are
# available for which authentication methods.
#
# Database and user names containing spaces, commas, quotes and other
# special characters must be quoted. Quoting one of the keywords
# "all", "sameuser", "samerole" or "replication" makes the name lose
# its special character, and just match a database or username with
# that name.
#
# This file is read on server startup and when the postmaster receives
# a SIGHUP signal. If you edit the file on a running system, you have
# to SIGHUP the postmaster for the changes to take effect. You can
# use "pg_ctl reload" to do that.
# Put your actual configuration here
# ----------------------------------
#
# If you want to allow non-local connections, you need to add more
# "host" records. In that case you will also need to make PostgreSQL
# listen on a non-local interface via the listen_addresses
# configuration parameter, or via the -i or -h command line switches.
# CAUTION: Configuring the system for local "trust" authentication
# allows any local user to connect as any PostgreSQL user, including
# the database superuser. If you do not trust all your local users,
# use another authentication method.
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication postgres trust
host replication postgres 127.0.0.1/32 trust
host replication postgres ::1/128 trust
host all all 0.0.0.0/0 trust
PostgreSQL 10.0增加了一個檢視pg_hba.conf的檢視,允許超級使用者查詢。
方便DBA的排錯工作。
Table 51.70. pg_hba_file_rules Columns
| Name | Type | Description |
|---|---|---|
| line_number | integer | Line number of this rule in pg_hba.conf |
| type | text | Type of connection |
| database | text[] | List of database name(s) to which this rule applies |
| user_name | text[] | List of user and group name(s) to which this rule applies |
| address | text | Host name or IP address, or one of all, samehost, or samenet, or null for local connections |
| netmask | text | IP address mask, or null if not applicable |
| auth_method | text | Authentication method |
| options | text[] | Options specified for authentication method, if any |
| error | text | If not null, an error message indicating why this line could not be processed |
詳見
Hi All,
While working on pg_hba_lookup function that can be used to lookup for an client
authentication that can be matched for given input parameters, Tom raised some
concrete use case issues in the following mail [1]. In this same
thread, he raised
some advantages of having a view similar like pg_file_settings view
for pg_hba.conf
also.
Here I attached a patch that implements the pg_hba_file_settings view
that displays
all the rows in pg_hba.conf. In case if any error exists in the
authentication rule, the
corresponding error is displayed similar like pg_file_settings.
This view can be used to verify whether there exists any problems or
not in the pg_hba.conf
before it reloads into the system. This view cannot be used to check
similar like
pg_hba_lookup function to find out which rule maps to the
corresponding input connection.
comments?
[1] - https://www.postgresql.org/message-id/28434.1468246200%40sss.pgh.pa.us
Regards,
Hari Babu
Fujitsu Australia
參考
https://www.postgresql.org/docs/devel/static/view-pg-hba-file-rules.html
相關文章
- PostgreSQL10.0preview功能增強-動態檢視pg_stat_activity新增資料庫管理程式資訊SQLView資料庫
- PostgreSQL10.0preview功能增強-JSON內容全文檢索SQLViewJSON
- PostgreSQL10.0preview功能增強-國際化功能增強,支援ICU(InternationalComponentsforUnicode)SQLViewUnicode
- PostgreSQL10.0preview功能增強-增加ProcArrayGroupUpdate等待事件SQLView事件
- PostgreSQL10.0preview功能增強-邏輯訂閱端控制引數解說SQLView
- 客戶端動態化系列之——URLRoute客戶端
- 高顏值、多平臺、功能強大的redis客戶端Redis客戶端
- PostgreSQL10.0preview功能增強-OLAP增強向量聚集索引(列儲存擴充套件)SQLView索引套件
- PostgreSQL10.0preview功能增強-CLOGoldestXID跟蹤SQLViewGo
- Dynamics 365(online) V9.0 new features for developers(一:客戶端 API 增強功能)Developer客戶端API
- 使用傳統前端技術增強客戶端快取能力前端客戶端快取
- CloudNotes之桌面客戶端篇:增強的筆記列表Cloud客戶端筆記
- Redis客戶端基本操作以及檢視慢查詢Redis客戶端
- PostgreSQL10.0preview功能增強-後臺執行(pg_background)SQLView
- PostgreSQL10.0preview效能增強-hashindexmetapagecache、高併發增強SQLViewIndex
- PostgreSQL10.0preview功能增強-自由定義統計資訊維度SQLView
- jQuery實現客戶端CheckAll功能jQuery客戶端
- iOS開發之多表檢視滑動切換示例(仿”頭條”客戶端)iOS客戶端
- PostgreSQL10.0preview功能增強-觸發器函式內建中間表SQLView觸發器函式
- PostgreSQL10.0preview功能增強-更強可靠性,過去式事務狀態可查(杜絕unknown事務)SQLView
- 檢測iOS客戶端是否越獄iOS客戶端
- Tower for Mac強大的Git客戶端MacGit客戶端
- Tower for Mac(強大的Git客戶端)MacGit客戶端
- Tower for Mac 強大的Git客戶端MacGit客戶端
- Tower Mac(強大的Git客戶端)MacGit客戶端
- PostgreSQL10.0preview功能增強-兩段式索引(約束欄位+附加欄位)SQLView索引
- PostgreSQL10.0preview效能增強-分割槽表效能增強(plan階段加速)SQLView
- 天貓客戶端元件動態化方案——VirtualView 工具大更新客戶端元件View
- FTP客戶端c程式碼功能實現FTP客戶端C程式
- 看視訊必備:YouTube客戶端客戶端
- 客戶端連線故障檢查流程手段客戶端
- Oracle檢視:常用動態效能檢視Oracle
- PostgreSQL10.0preview功能增強-序列隔離級別預加鎖閾值可控SQLView
- 動態效能檢視
- php與ethereum客戶端互動PHP客戶端
- RMAN之客戶端互動(一)客戶端
- RMAN之客戶端互動(二)客戶端
- iOS開發之多表檢視滑動切換示例(仿”頭條”客戶端)—優化篇iOS客戶端優化