Authentication

pg_hba.conf: This file controls client authentication. It is located in the database
cluster directory (when PostgreSQL is installed from pre-built packages with apt on Debian and
derivative Linux distributions, it is located in /etc/postgresql/$version/main).

When initdb is executed to create the cluster, a default pg_hba.conf file is
created in the cluster directory.
Its location can be determined with SHOW hba_file;

It is the configuration file in which every connection request is checked against:

  • Which user?
  • Which IP address or addresses?
  • Which database?
  • Which authentication method?

For changes to take effect, SELECT pg_reload_conf(); must be executed.
Each line contains one rule. Blank lines and #comment lines are ignored.

When a connection request comes in, the rules are checked one by one, starting from the first
line.

  • The first rule that matches the connection is applied; the remaining rules are not read.
  • If the first matching rule is a reject rule, access is denied and no further rules are read.
  • In summary, the rules are read from top to bottom and the first matching rule wins.
  • If no rule matches the connection, access is denied as well.
  • Rejected connection attempts are written to the PostgreSQL log file.

# Even local users can't connect, because the reject rule comes first and matches first.
# TYPE DATABASE USER ADDRESS       METHOD
host   all      all  0.0.0.0/0     reject
host   all      all  127.1.0.1/32  trust

Database: The database name. With “all”, every database is covered; otherwise only the
database named here can be accessed.

User: With “all”, every user is covered; otherwise only the named user is allowed.

Address: The IP address or IP address range (in CIDR notation) of the client that will
establish the connection.
192.168.10.10/32: only the client with IP 192.168.10.10 can connect.

192.168.10.0/24: the clients (254 hosts) in the 192.168.10.0 network can connect (see
CIDR subnetting topics for detailed information).
“all” or “0.0.0.0/0” is used to allow connections from all IPs (“0.0.0.0/0” covers IPv4
addresses only).

Method: Specifies the authentication method.

In addition to the methods used in the examples on this page (trust, reject and
scram-sha-256), PostgreSQL also supports the ldap, radius, cert, pam and bsd authentication
methods.

Examples:

# TYPE DATABASE USER ADDRESS        METHOD
# Accepts inbound connections from the 10.71.6.0/24 network to all
# databases for all users, with scram-sha-256 password authentication.
host   all      all  10.71.6.0/24   scram-sha-256
# Accepts inbound connections from IP 10.71.6.22 only, for all
# databases and all users, without password verification.
host   all      all  10.71.6.22/32  trust
# Accepts only connection requests from user MMAM at IP 10.71.5.71
# to the HAdb database, without password verification.
host   HAdb     MMAM 10.71.5.71/32  trust
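To make the top-to-bottom, first-match evaluation concrete, the following is an added Python example; it is not code from this page or from PostgreSQL itself. It parses pg_hba.conf text, reports which rule (by line number) a given connection would hit, and flags rules that can never be reached because an earlier rule already covers them. The two configuration strings are constructed from the rules shown above, kept in separate files so that the reject-everything rule of the first example does not swallow the second set. The parser is deliberately simplified: it understands CIDR addresses and the keyword “all” only, treats the connection type as an exact string, and ignores hostnames, the separate netmask column, +group and @file names, samehost/samenet and authentication options after the method.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed pg_hba.conf contents, using the rules shown on this page. Each set
# sits in its own file so the reject-everything rule does not swallow the second set.
REJECT_FIRST_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
host    all       all   0.0.0.0/0      reject
host    all       all   127.1.0.1/32   trust
"""

EXAMPLES_HBA = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD
host    all       all   10.71.6.0/24    scram-sha-256
host    all       all   10.71.6.22/32   trust
host    HAdb      MMAM  10.71.5.71/32   trust
"""


@dataclass
class Rule:
    conn_type: str        # local, host, hostssl, ...
    databases: List[str]  # comma-separated names, or ["all"]
    users: List[str]      # comma-separated names, or ["all"]
    network: object       # ipaddress network, or None for "all" and local rules
    method: str
    lineno: int


def parse_hba(text: str) -> List[Rule]:
    """Parse pg_hba.conf text into rules in file order. Simplified: only CIDR
    addresses and the keyword "all" are understood (no hostnames, netmask
    column, +group, @file, samehost/samenet or options after the method)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # comments and blank lines are ignored
        if not line:
            continue
        f = line.split()
        if f[0] == "local":  # Unix-socket rules have no ADDRESS column
            database, user, network, method = f[1], f[2], None, f[3]
        else:
            database, user, method = f[1], f[2], f[4]
            network = None if f[3] == "all" else ipaddress.ip_network(f[3], strict=False)
        rules.append(Rule(f[0], database.split(","), user.split(","), network, method, lineno))
    return rules


def _name_matches(allowed: List[str], name: str) -> bool:
    return "all" in allowed or name in allowed


def resolve(rules, conn_type, database, user, client_ip) -> Tuple[str, Optional[int]]:
    """Return (method, lineno) of the first matching rule: first match wins.
    No match means the server rejects the connection, reported as ("reject", None)
    to distinguish it from an explicit reject rule."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if rule.conn_type != conn_type:
            continue
        if not (_name_matches(rule.databases, database) and _name_matches(rule.users, user)):
            continue
        # An IPv4 address is never "in" an IPv6 network and vice versa, so a
        # 0.0.0.0/0 rule does not match IPv6 clients such as ::1.
        if rule.network is not None and ip not in rule.network:
            continue
        return rule.method, rule.lineno
    return "reject", None


def _covers(outer: List[str], inner: List[str]) -> bool:
    return "all" in outer or set(inner) <= set(outer)


def shadowed_rules(rules) -> List[Tuple[int, int]]:
    """Return (shadowed_lineno, shadowing_lineno) pairs: later rules that can never
    apply because an earlier rule already matches every connection they would."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.conn_type != later.conn_type:
                continue
            if not (_covers(earlier.databases, later.databases)
                    and _covers(earlier.users, later.users)):
                continue
            both_cidr = later.network is not None and earlier.network is not None
            if earlier.network is None or (both_cidr
                    and later.network.version == earlier.network.version
                    and later.network.subnet_of(earlier.network)):
                found.append((later.lineno, earlier.lineno))
                break
    return found
```

Running resolve on REJECT_FIRST_HBA for a client at 127.1.0.1 returns ("reject", 2): the 0.0.0.0/0 line is matched first and the trust line is never consulted, which is exactly why the comment above says local users cannot connect. An IPv6 loopback client (::1) instead gets ("reject", None), the implicit rejection for a connection no rule matches. On EXAMPLES_HBA a client at 10.71.6.22 is authenticated with scram-sha-256 rather than trusted, because the 10.71.6.0/24 line precedes the 10.71.6.22/32 line; shadowed_rules reports that third line as unreachable, a check worth running whenever a rule that "should" apply does not.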