pg_hba.conf Dosyası - Client Authentication and Access Control

Giriş

Not:  postgresql.conf dosyası da bazı ayarları içerir. postgresql.conf hangi ethernet kartının (network card) dinleneceğini belirtilir.

pg_hba.conf  "Host Based Authentication" anlamına gelir.  Açıklaması şöyle. 

This file handles client authentication configuration and controls as per doc "which hosts are allowed to connect, how clients are authenticated, which PostgreSQL user names they can use, which databases they can access". You need to edit this file to enable remote connections. The content is self-explanatory in this file.

Sütun Başlıkları

1. Type

2. Database

3. User

4. Address

5. Method

Her satır 7 tane formattan bir tanesine sahip olabilir. Bu formatlar şöyle

local      database  user  auth-method  [auth-options]
host       database  user  address  auth-method  [auth-options]
hostssl    database  user  address  auth-method  [auth-options]
hostnossl  database  user  address  auth-method  [auth-options]
host       database  user  IP-address  IP-mask  auth-method  [auth-options]
hostssl    database  user  IP-address  IP-mask  auth-method  [auth-options]
hostnossl  database  user  IP-address  IP-mask  auth-method  [auth-options]

1. Type Sütunu

local Unix Doman Socket içindir

host IPv4 ve Ipv6 içindir

2. database Sütunu

Açıklaması şöyle

Specifies which database name(s) this record matches. The value all specifies that it matches all databases. The value sameuser specifies that the record matches if the requested database has the same name as the requested user. The valuesamerole specifies that the requested user must be a member of the role with the same name as the requested database. (samegroup is an obsolete but still accepted spelling of samerole.)

3. user Sütunu

Açıklaması şöyle

Specifies which database user name(s) this record matches. The value all specifies that it matches all users.

4. address Sütunu

Açıklaması şöyle

Specifies the client machine address(es) that this record matches. This field can contain either a host name or an IP address range. An IP address range is specified using standard numeric notation for the range’s starting address, then a slash (/) and a CIDR mask length. The mask length indicates the number of high-order bits of the client IP address that must match.

5. auth-method Alanı

Açıklaması şöyle

Specifies the authentication method to use when a connection matches this record. The possible choices are summarized here: https://www.postgresql.org/docs/current/auth-methods.html

Şu değerlerden birini alabilir. Eğer trust ise kullanıcı şifresiz login olur.

trust
reject
md5
password
gss
sspi
krb5
ident
peer
ldap
radius
cert
pam

Örnek

Şöyle yaparız

#Type		DATABASE	USER	ADDRESS	        METHOD
#local is for Unix domain socket connections only
local		all		all			 trust

#IPv4 local connections
host		all		all	127.0.0.1/32     trust

#IPv6 local connections
host		all		all	::1/128	         trust

#Allow replication connections from localhost, by a user with 
#the replication privilege
local		replication	all			 trust
host 		replication	all	127.0.0.1/32     trust
host 		replication	all	::1/128	         trust

Örnek

Şöyle yaparız

# Allow any user from host 192.168.12.10 to connect to database
# "postgres" if the user's password is correctly supplied.
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    postgres        all             192.168.12.10/32        scram-sha-256

Örnek

IPv4 ile her yerden bağlantıya izin vermek için bu dosyanın en altına bir satır ekleriz. Şöyle yaparız

host    all             all             0.0.0.0/0            md5

Örnek

IPv4 ve IPv6 ile her yerden bağlantıya izin vermek için bu dosyanın en altına bir satır ekleriz. Şöyle yaparız

host all all 0.0.0.0/0 md5
host all all ::/0 md5

Örnek

Şöyle yaparız

host replication pglogrepl 127.0.0.1/32 md5