client-auth.sgml

来自「PostgreSQL 8.1.4的源码 适用于Linux下的开源数据库系统」· SGML 代码 · 共 973 行 · 第 1/3 页

<!--
$PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.86 2005/11/04 23:13:59 petere Exp $
-->

<chapter id="client-authentication">
 <title>Client Authentication</title>

 <indexterm zone="client-authentication">
  <primary>client authentication</primary>
 </indexterm>

 <para>
  When a client application connects to the database server, it
  specifies which <productname>PostgreSQL</productname> database user name it
  wants to connect as, much the same way one logs into a Unix computer
  as a particular user. Within the SQL environment the active database
  user name determines access privileges to database objects &mdash; see
  <xref linkend="user-manag"> for more information. Therefore, it is
  essential to restrict which database users can connect.
 </para>

 <note>
  <para>
   As explained in <xref linkend="user-manag">,
   <productname>PostgreSQL</productname> actually does privilege
   management in terms of <quote>roles</>.  In this chapter, we
   consistently use <firstterm>database user</> to mean <quote>role with the
   <literal>LOGIN</> privilege</quote>.
  </para>
 </note>

 <para>
  <firstterm>Authentication</firstterm> is the process by which the
  database server establishes the identity of the client, and by
  extension determines whether the client application (or the user
  who runs the client application) is permitted to connect with the
  database user name that was requested.
 </para>

 <para>
  <productname>PostgreSQL</productname> offers a number of different
  client authentication methods. The method used to authenticate a
  particular client connection can be selected on the basis of
  (client) host address, database, and user.
 </para>

 <para>
  <productname>PostgreSQL</productname> database user names are logically
  separate from user names of the operating system in which the server
  runs. If all the users of a particular server also have accounts on
  the server's machine, it makes sense to assign database user names
  that match their operating system user names. However, a server that
  accepts remote connections may have many database users who have no local operating system
  account, and in such cases there need be no connection between
  database user names and OS user names.
 </para>

 <sect1 id="auth-pg-hba-conf">
  <title>The <filename>pg_hba.conf</filename> file</title>

  <indexterm zone="auth-pg-hba-conf">
   <primary>pg_hba.conf</primary>
  </indexterm>

  <para>
   Client authentication is controlled by a configuration file,
   which traditionally is named
   <filename>pg_hba.conf</filename> and is stored in the database
   cluster's data directory.
   (<acronym>HBA</> stands for host-based authentication.) A default
   <filename>pg_hba.conf</filename> file is installed when the data
   directory is initialized by <command>initdb</command>.  It is
   possible to place the authentication configuration file elsewhere,
   however; see the <xref linkend="guc-hba-file"> configuration parameter.
  </para>

  <para>
   The general format of the <filename>pg_hba.conf</filename> file is
   a set of records, one per line. Blank lines are ignored, as is any
   text after the <literal>#</literal> comment character. A record is made
   up of a number of fields which are separated by spaces and/or tabs.
   Fields can contain white space if the field value is quoted. Records
   cannot be continued across lines.
  </para>

  <para>
   Each record specifies a connection type, a client IP address range
   (if relevant for the connection type), a database name, a user name,
   and the authentication method to be used for connections matching
   these parameters. The first record with a matching connection type,
   client address, requested database, and user name is used to perform
   authentication. There is no <quote>fall-through</> or
   <quote>backup</>: if one record is chosen and the authentication
   fails, subsequent records are not considered. If no record matches,
   access is denied.
  </para>

  <para>
   A record may have one of the seven formats
<synopsis>
local      <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>auth-method</replaceable>  <optional><replaceable>auth-option</replaceable></optional>
host       <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>CIDR-address</replaceable>  <replaceable>auth-method</replaceable>  <optional><replaceable>auth-option</replaceable></optional>
hostssl    <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>CIDR-address</replaceable>  <replaceable>auth-method</replaceable>  <optional><replaceable>auth-option</replaceable></optional>
hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>CIDR-address</replaceable>  <replaceable>auth-method</replaceable>  <optional><replaceable>auth-option</replaceable></optional>
host       <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>IP-address</replaceable>  <replaceable>IP-mask</replaceable>  <replaceable>auth-method</replaceable>  <optional><replaceable>auth-option</replaceable></optional>
hostssl    <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>IP-address</replaceable>  <replaceable>IP-mask</replaceable>  <replaceable>auth-method</replaceable>  <optional><replaceable>auth-option</replaceable></optional>
hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>IP-address</replaceable>  <replaceable>IP-mask</replaceable>  <replaceable>auth-method</replaceable>  <optional><replaceable>auth-option</replaceable></optional>
</synopsis>
   The meaning of the fields is as follows:

   <variablelist>
    <varlistentry>
     <term><literal>local</literal></term>
     <listitem>
      <para>
       This record matches connection attempts using Unix-domain
       sockets.  Without a record of this type, Unix-domain socket
       connections are disallowed.
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>host</literal></term>
     <listitem>
      <para>
       This record matches connection attempts made using TCP/IP.
       <literal>host</literal> records match either
       <acronym>SSL</acronym> or non-<acronym>SSL</acronym> connection
       attempts.
      </para>
     <note>
      <para>
       Remote TCP/IP connections will not be possible unless
       the server is started with an appropriate value for the
       <xref linkend="guc-listen-addresses"> configuration parameter,
       since the default behavior is to listen for TCP/IP connections
       only on the local loopback address <literal>localhost</>.
      </para>
     </note>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>hostssl</literal></term>
     <listitem>
      <para>
       This record matches connection attempts made using TCP/IP,
       but only when the connection is made with <acronym>SSL</acronym>
       encryption.
      </para>

      <para>
       To make use of this option the server must be built with
       <acronym>SSL</acronym> support. Furthermore,
       <acronym>SSL</acronym> must be enabled at server start time
       by setting the <xref linkend="guc-ssl"> configuration parameter (see
       <xref linkend="ssl-tcp"> for more information).
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>hostnossl</literal></term>
     <listitem>
      <para>
       This record type has the opposite logic to <literal>hostssl</>:
       it only matches connection attempts made over
       TCP/IP that do not use <acronym>SSL</acronym>.
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><replaceable>database</replaceable></term>
     <listitem>
      <para>
       Specifies which database names this record matches.  The value
       <literal>all</literal> specifies that it matches all databases.
       The value <literal>sameuser</> specifies that the record
       matches if the requested database has the same name as the
       requested user.  The value <literal>samerole</> specifies that
       the requested user must be a member of the role with the same
       name as the requested database.  (<literal>samegroup</> is an
       obsolete but still accepted spelling of <literal>samerole</>.)
       Otherwise, this is the name of
       a specific <productname>PostgreSQL</productname> database.
       Multiple database names can be supplied by separating them with
       commas.  A separate file containing database names can be specified by
       preceding the file name with <literal>@</>.
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><replaceable>user</replaceable></term>
     <listitem>
      <para>
       Specifies which database user names this record
       matches. The value <literal>all</literal> specifies that it
       matches all users.  Otherwise, this is either the name of a specific
       database user, or a group name preceded by <literal>+</>.
       (Recall that there is no real distinction between users and groups
       in <productname>PostgreSQL</>; a <literal>+</> mark really means
       <quote>match any of the roles that are directly or indirectly members
       of this role</>, while a name without a <literal>+</> mark matches
       only that specific role.)
       Multiple user names can be supplied by separating them with commas.
       A separate file containing user names can be specified by preceding the
       file name with <literal>@</>.
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><replaceable>CIDR-address</replaceable></term>
     <listitem>
      <para>
       Specifies the client machine IP address range that this record
       matches. It contains an IP address in standard dotted decimal
       notation and a CIDR mask length. (IP addresses can only be
       specified numerically, not as domain or host names.)  The mask
       length indicates the number of high-order bits of the client
       IP address that must match.  Bits to the right of this must
       be zero in the given IP address.
       There must not be any white space between the IP address, the
       <literal>/</literal>, and the CIDR mask length.
      </para>

      <para>
       A typical <replaceable>CIDR-address</replaceable> is
       <literal>172.20.143.89/32</literal> for a single host, or
       <literal>172.20.143.0/24</literal> for a network.
       To specify a single host, use a CIDR mask of 32 for IPv4 or
       128 for IPv6.
      </para>

      <para>
       An IP address given in IPv4 format will match IPv6 connections that
       have the corresponding address, for example <literal>127.0.0.1</>
       will match the IPv6 address <literal>::ffff:127.0.0.1</>.  An entry
       given in IPv6 format will match only IPv6 connections, even if the
       represented address is in the IPv4-in-IPv6 range.  Note that entries
       in IPv6 format will be rejected if the system's C library does not have
       support for IPv6 addresses.
      </para>

      <para>
       This field only applies to <literal>host</literal>,
       <literal>hostssl</literal>, and <literal>hostnossl</> records.
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><replaceable>IP-address</replaceable></term>
     <term><replaceable>IP-mask</replaceable></term>
     <listitem>
      <para>
       These fields may be used as an alternative to the
       <replaceable>CIDR-address</replaceable> notation. Instead of
       specifying the mask length, the actual mask is specified in a
       separate column. For example, <literal>255.0.0.0</> represents an IPv4
       CIDR mask length of 8, and <literal>255.255.255.255</> represents a
       CIDR mask length of 32.
      </para>

      <para>
       These fields only apply to <literal>host</literal>,
       <literal>hostssl</literal>, and <literal>hostnossl</> records.
      </para>
     </listitem>
    </varlistentry>  

    <varlistentry>
     <term><replaceable>auth-method</replaceable></term>
     <listitem>
      <para>
       Specifies the authentication method to use when connecting via
       this record. The possible choices are summarized here; details
       are in <xref linkend="auth-methods">.

       <variablelist>
        <varlistentry>
         <term><literal>trust</></term>
         <listitem>
         <para>
          Allow the connection unconditionally. This method
          allows anyone that can connect to the
          <productname>PostgreSQL</productname> database server to login as
          any <productname>PostgreSQL</productname> user they like,
          without the need for a password.  See <xref
          linkend="auth-trust"> for details.
         </para>
        </listitem>
       </varlistentry>

       <varlistentry>
        <term><literal>reject</></term>
        <listitem>
         <para>
          Reject the connection unconditionally. This is useful for
          <quote>filtering out</> certain hosts from a group.
         </para>
        </listitem>
       </varlistentry>

       <varlistentry>
        <term><literal>md5</></term>
        <listitem>
         <para>
          Require the client to supply an MD5-encrypted password for
          authentication.
          See <xref linkend="auth-password"> for details.
         </para>
        </listitem>
       </varlistentry>

       <varlistentry>
        <term><literal>crypt</></term>
        <listitem>
         <note>
         <para>
          This option is recommended only for communicating with pre-7.2
          clients.