PostgreSQL 8.0.0 ��ĵ��PostgreSQL �й� ��
Prev	Fast Backward		Fast Forward	Next

Chapter 19. �û��֤

Table of Contents

19.1. pg_hba.conf �ļ�

19.2.1. ��֤
19.2.2. ��֤
19.2.3. Kerberos ��֤
19.2.4. �� Ident ��֤
19.2.5. PAM ��֤

��һ��ͻ��Ӧ��ݿ��ʱ��ĸ� PostgreSQL �û��ƽ��ӣ� ��ǵ�¼һ̨ Unix ��һ�� SQL �� ��Ծ��ݿ��û��ݿ��ĸ��ַ��Ȩ�� — ��Chapter 17��ȡ��Ϣ��ˣ� ʵ��Ҫ��Ƶ��û��ӵ��ݿ⡣

��֤ ��ݿ��ͻ��˵ı�ʶ�� Ȼ��ͨ��һЩ�ֶ��ж��Ƿ��˿ͻ��Ӧ�ã��ͻ��Ӧ�õ��û��Ҫ��û��ӵĹ��̡�

PostgreSQL �ṩ��ֲ�ͬ�Ŀͻ��֤��ʽ��֤ĳ��ض��ͻ��ʹ�õķ��ͨ��ڣ��ͻ��ˣ��ַ��ݿ��û��ķ�ʽ��ѡ�� һЩ��֤��ͨ��û��ơ�

PostgreSQL �û��߼��Ǻͷ��еĲ��ϵͳ�û��໥��ġ� ��ĳ��û��̨��Ҳ��ʺţ� ��ô��ݿ��û��ϵͳ�û��ġ�� һ��Զ�̷��ʵķ��п��û�б��ز��ϵͳ�ʺŵ��û�� ݿ��û��Ͳ��ϵͳ�û��֮�䲻��κ��ϵ��

19.1. `pg_hba.conf` �ļ�

�ͻ��֤��һ��ļ��Ƶģ�ͨ��ļ�� pg_hba.conf�� ݿ⼯Ⱥ��Ŀ¼� ��HBA ��˼�� host-based authentication��֤�� initdb��ʼ��Ŀ¼��ʱ��ᰲװһ��ȱʡ��ļ�� Ҳ��԰��֤��ļ��ط�� hba_file ��ò��

�ļ� pg_hba.conf �ĳ��ø�ʽ��һ�׼�¼�� ÿ��һ��հ��б��ԣ��ţ� # ��ͷ��ע��Ҳ��ԡ� һ��¼��ÿո��/�� tab �ָ��ֶ��ɡ� ��ֶ��Ű�Χ��ô��԰��հס��¼��ܿ��д��ڡ�

ÿ��¼��һ��ͣ�һ��ͻ�� IP ��ַ��Χ��صĻ��һ��ݿ��һ��û��֣� �Լ��ƥ��Щ��ʹ�õ��֤�� һ��ƥ��ͣ��ͻ��˵�ַ��ͼ��ݿ��û��ļ�¼��ִ��֤�� û��"��Խ"��"��ͷ"��˵��ѡ��һ��¼��֤ʧ�ܣ� ��ô��Ǻ��ļ�¼��û��ƥ��ļ�¼��ô��ʽ��ܾ��

ÿ��¼��ָ�ʽ֮һ

local      database  user  authentication-method  [authentication-option]
host       database  user  CIDR-address  authentication-method  [authentication-option]
hostssl    database  user  CIDR-address  authentication-method  [authentication-option]
hostnossl  database  user  CIDR-address  authentication-method  [authentication-option]
host       database  user  IP-address  IP-mask  authentication-method  [authentication-option]
hostssl    database  user  IP-address  IP-mask  authentication-method  [authentication-option]
hostnossl  database  user  IP-address  IP-mask  authentication-method  [authentication-option]

��ֶεĺ��£�

local

��¼ƥ��ͨ�� Unix ��׽��ֽ��е��ͼ�� û��͵ļ�¼��Ͳ�� Unix ��׽��ֵ��ӡ�

host

��¼ƥ��ͨ�� TCP/IP ��е��ӳ��ԡ� host ��¼ƥ�� SSL �ͷ� SSL ��

ע��: ��Ƿ��ź��ʵ� listen_addresses ��ò��ֵ��򽫲��ܽ��Զ�̵� TCP/IP ��ӣ� ��Ϊȱʡ��Ϊ��ֻ��Ի��ַ localhost ��ӡ�

hostssl

��¼ƥ��ʹ�� TCP/IP �� SSL ��ͼ�� ʹ�� SSL ��ܵ��ӡ�

Ҫʹ��ѡ���ʱ�� SSL ֧�֡��ڷ��ʱ�� SSLѡ��ͨ��ѡ��ssl�򿪡� �� Section 16.7 ��ȡ��Ϣ��

hostnossl

��¼�� hostssl ��෴��߼�� ֻƥ��Щ�� TCP/IP �ϲ�ʹ�� SSL ��

database

��¼��ƥ��ݿ⡣ֵ all ��ü�¼ƥ��ݿ⣬ ֵ sameuser��ʾ��ݿ��û�ͬ��ƥ�䡣 samegroup ��ʾ��û��һ��ݿ�ͬ��еĳ�Ա�� ��һ��ض�� PostgreSQL ��֡� ��ǿ��ͨ��ö��ŷָ��ķ��ݿ⡣ һ��ݿ��ļ��ͨ��Ը��ļ�ǰ׺ @ ��

user

Ϊ��¼��ƥ��PostgreSQL�û��ֵ all ��ƥ��û�� ض� PostgreSQL �û��֡��û��ͨ��ö��ŷָ��ķ��ֿ��ͨ�� + ��ǰ׺�� һ��û��ļ��ͨ��ļ��ǰ��ǰ׺ @ ��ļ�� pg_hba.conf ��ͬһ��Ŀ¼��

CIDR-address

��¼ƥ��Ŀͻ��˻�� IP ��ַ��Χ��һ��׼�ĵ��ʮ��Ƶ� IP ��ַ��һ�� CIDR ��볤�ȡ� ��IP ��ַֻ��ֵ�� 볤�ȱ�ʾ�ͻ�� IP ��ַ��ƥ��ĸ�λ��λ�� ڸ�� IP ��ַ���ȵ��ұߵĶ��λ��Ϊ�㡣 �� IP ��ַ��/�� CIDR ��볤��֮�䲻��пհס�

��͵� CIDR ��ַ�� 172.20.143.89/32��һ�� 172.20.143.0/24 ��ʾһ��硣 Ҫ�� IPv4 ��ַ�� CIDR �� 32�� IPv6 ��ַ�� 128��

�� IPv4 ��ʽ�� IP ��ַ��ƥ��Щӵ�ж�Ӧ��ַ�� IPv6 ��ӣ�� 127.0.0.1 ��ƥ�� IPv6 ��ַ ::ffff:127.0.0.1�� һ�� IPv6 ��ʽ��ļ�¼��ֻƥ�� IPv6 ��ӣ��ʹ��Ӧ�ĵ�ַ�� IPv4-in-IPv6 ��Χ�ڡ��ע��ϵͳ�� C �ⲻ֧�� IPv6 ��ַ��ô IPv6 �ĸ�ʽ��ܾ��

��ֻ�� host��hostssl �� hostnossl ��¼��

IP-address IP-mask

��Щ��Ϊ CIDR-address ��ʾ��油�� ĳ��ȣ��һ��ֶ��ʵ�ʵ��롣 ��磬255.0.0.0 ��ʾ IPv4 CIDR ��볤�� 8�� 255.255.255.255 ��ʾ CIDR ��볤�� 32�� ͬ��ƥ��߼��һ��ֵ� IP-mask��

��Щ�ֶ�ֻ�� host�� hostssl�� hostnossl ��¼��

authentication-method��֤��

��ͨ��¼��ӵ�ʱ��ʹ�õ��֤�� ܵ�ѡ��飬��ϸ�� Section 19.2��

trust: ��ӡ��κο��PostgreSQL ��ݿ��ӵ��û�� PostgreSQL ��ݿ��û��ݽ��ӣ��Ҫ�� �� Section 19.2.1 ��ȡϸ�ڡ�
reject: ��ܾ��ڴ�һ��"��"ĳЩ��
md5: Ҫ��ͻ��ṩһ�� MD5 ��ܵĿ��֤�� Section 19.2.2 ��ȡϸ�ڡ�
crypt: Ҫ��ͻ��ṩһ�� crypt() ��ܵĿ��֤�� 7.2 ��ǰ�Ŀͻ��ֻ��֧�� crypt�� 7.2 �Լ��Ժ�Ŀͻ��ˣ��ǽ��ʹ�� md5�� Section 19.2.2 ��ȡϸ�ڡ�
password: Ҫ��ͻ��ṩһ��δ��ܵĿ��֤�� Ϊ��ʽ��ϴ��ݵģ� ��ǲ�Ӧ��ڲ��ȫ��ʹ��ʽ�� Section 19.2.2 ��ȡϸ�ڡ�
krb4: �� Kerberos V4 ��֤�û��ֻ��ڽ�� TCP/IP ��ӵ�ʱ��á� �� Section 19.2.3 ��ȡϸ�ڡ� ��ע��Kerberos��"�˶��˹"��ϣ��ڤ��˹�Ķ�ͷ��Ź�� Kerberos �� MIT ��Ļ��ԳƼ��㷨��֤Э��/��Կ�� ص��Ҫ��ͬ��;�ķ��һ��֤��ݣ� һ��ͨ��û��Կ��ͬʱ Kerberos ��ʱ��ͬ��Ҫ��Ƚϸߣ��Է�ֹ�طŹ��ͨ�� NTP ��񡣣�
krb5: �� Kerberos V5 ��֤�û��ֻ��ڽ�� TCP/IP ��ӵ�ʱ��á� �� Section 19.2.3 ��ȡϸ�ڡ� ��ע��Kerberos V5 �� V4 �ĸ��Ҫ�ǲ�� DES �㷨�� ͬʱ��һЩ��ԡ��
ident: ��ȡ�ͻ��Ĳ��ϵͳ�� TCP/IP ��ӣ��û��ͨ��ڿͻ��ϵ� ident ��ӽ��жϵģ��ڱ��ӣ��ǴӲ��ϵͳ��ȡ�ġ�� Ȼ��һ�£��û��Ƿ��Ҫ��ݿ��û��ӣ� ��ǲ�� ident �ؼ��ֺ��ӳ�䡣 �� Section 19.2.4 ��ȡϸ�ڡ�
pam: ʹ�ò��ϵͳ�ṩ�Ŀɲ��֤ģ�� Pluggable Authentication Modules�� PAM��֤�� Section 19.2.5 ��ȡϸ�ڡ�

authentication-option

��ѡ��ֶεĺ��ȡ��ѡ��֤��ϸ��档

�� @ ��ļ��ǵ��һ��ֶ�ȡ�ģ� ��Щ��ֿ��ÿհ׻��߶��ŷָ��ע�� # ��룬 �� pg_hba.conf ��Ƕ�� @ ��졣 ��Ǹ�� @ ��ļ��һ��·��򱻵��ļ��Ŀ¼��Ե�·��

��Ϊ��֤ʱϵͳ��Ϊÿ��˳�� pg_hba.conf ��ļ�¼�ģ��Щ��¼��˳��Ƿǳ��ؼ��ġ� ͨ��ǰ�ļ�¼�бȽ��ϵ��ƥ��ͱȽ�� ֤��ļ�¼�бȽ��ɵ�ƥ��ͱȽ��ϵ��֤�� 磬��һ�㶼ϣ��Ա�� TCP/IP ��ʹ�� trust ��֤�� Զ�˵� TCP/IP ��Ҫ����ǽ� trust ��֤�� 127.0.0.1 ��ӣ��¼��㷺�Ŀͻ�� IP ��ַ��ʹ�ÿ��֤�ļ�¼ǰ�档

��̣� postmaster ��յ�SIGHUP �źŵ�ʱ�� ϵͳ��װ�� pg_hba.conf �ļ�� ڻ�Ծ��ϵͳ�ϱ༭�˸��ļ��Ҫ�� kill �� postmaster ��һ�� SIGHUP�źţ��¶�ȡ��ļ��

�� Example 19-1 �� pg_hba.conf ��¼��һЩ��ӡ� �Ķ��ⲻͬ��֤��ϸ�ڡ�

Example 19-1. pg_hba.conf ��¼��

# �����ڱ����ϵ��κ��û�ʹ�� Unix ���׽��֣��������ӵ�ȱʡ��
# ���κ���������κ����ݿ�
# 
#
# TYPE  DATABASE    USER        CIDR-ADDRESS           METHOD
local   all         all                                trust


# ��������ͬ������ʹ�õ����Ի��ģ�loopback��TCP/IP ����
# 
# TYPE  DATABASE    USER        CIDR-ADDRESS           METHOD
host         all    all         127.0.0.1/32           trust

# ������һ����ͬ�������õ��Ƕ����������ֶ�
#
# TYPE  DATABASE    USER        IP-ADDRESS          METHOD
host    all         all         127.0.0.1     255.255.255.255     trust


# ���� IP ��ַΪ 192.168.93.x ���κ����������ݿ�
# "template1" �����������������Լ�����������ͬ ident ���û�����ʶ���Լ�
# ��ͨ�������� Unix �û�����
# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
host    template1   all         192.168.93.0/24       ident sameuser


# ������������ 192.168.12.10 ���û��� "template1" ���ݿ����ӣ�
# ֻҪ���û��ṩ������ȷ�Ŀ��
# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
host    template1   all         192.168.12.10/32      md5


# ���ǰ��û������ "host" �У���ô�������н��ܾ���������
# 192.168.54.1 ���������� (��Ϊǰ��ļ�¼��ƥ��),
# �����������Ի������������κεط�����Ч�� Kerberos 5 ��֤������
# �������ʾ���������� IP ���κ�λ�������ƥ���κ�������
# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
host    all         all         192.168.54.1/32       reject
host    all         all         0.0.0.0/0             krb5

# �������� 192.168.x.x ���κ��û����������ݿ����ӣ�ֻҪ����ͨ�� ident ���
# ����� ident ˵���û��� "bryanh" ����Ҫ���� PostgreSQL �û� "guest1" ���ӣ�
# ��ôֻ���� `pg_ident.conf' ���� "omicron" ��ӳ�䣬˵ "bryanh" ������
#  "guest1" ��������ʱ���������Խ������ӡ�
#
# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
host    all         all         192.168.0.0/16        ident omicron

# ������������ڱ������ӵĽ��е����У���ô���ǽ��������û�
# ֻ�������Լ������ݿ�����(���ݿ������û���ͬ��)��
# ֻ�й���Ա����"support"��ĳ�Ա���⣬���ǿ������ӵ��κ����ݿ⡣
# �ļ� $PGDATA/admins �г�����Щ�������������ݿ����ӵ��û�����
# ����������¶���Ҫ���
#
# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
local   sameuser    all                               md5
local   all         @admins                           md5
local   all         +support                          md5

# ����������п��Ժ�����д��һ��
local   all         @admins,+support                  md5

# ���ݿ��ֶ�Ҳ����ʹ���б���ļ��������鲻�У�
local   db1,db2,@demodbs  all                         md5

Chapter 19. �û���֤

19.1. pg_hba.conf �ļ�

Chapter 19. �û��֤

19.1. `pg_hba.conf` �ļ�