When a client application connects to the database server, it specifies which Postgres user name it wants to connect as, much the same way one logs into a Unix computer as a particular user. Within the SQL environment the active database user name determines access privileges to database objects -- see Chapter 7 for more information about that. It is therefore obviously essential to restrict which database user name(s) a given client can connect as.
Authentication is the process by which the database server establishes the identity of the client, and by extension determines whether the client application (or the user who runs the client application) is permitted to connect with the user name that was requested.
Postgres offers client authentication by (client) host and by database, with a number of different authentication methods available.
Postgres database user names are logically separate from user names of the operating system in which the server runs. If all the users of a particular server also have accounts on the server's machine, it makes sense to assign database user names that match their Unix user ids. However, a server that accepts remote connections may have many users who have no local account, and in such cases there need be no connection between database usernames and Unix usernames.
Client authentication is controlled by the file pg_hba.conf in the $PGDATA directory, e.g., /usr/local/pgsql/data/pg_hba.conf. (HBA stands for host-based authentication.) A default pg_hba.conf file is installed when the data area is initialized by initdb.
The general format of the pg_hba.conf file is of a set of records, one per line. Blank lines and lines beginning with a hash character ("#") are ignored. A record is made up of a number of fields which are separated by spaces and/or tabs. Records cannot be continued across lines.
A record may have one of the three formats
local database authentication-method [ authentication-option ] host database IP-address IP-mask authentication-method [ authentication-option ] hostssl database IP-address IP-mask authentication-method [ authentication-option ]The meaning of the fields is as follows:
This record pertains to connection attempts over Unix domain sockets.
This record pertains to connection attempts over TCP/IP networks. Note that TCP/IP connections are completely disabled unless the server is started with the -i switch or the equivalent configuration parameter is set.
This record pertains to connection attempts with SSL over TCP/IP. To make use of this option the server must be built with SSL support enabled. Furthermore, SSL must be enabled with the -l option or equivalent configuration setting when the server is started.
Specifies the database that this record applies to. The value all specifies that it applies to all databases, while the value sameuser identifies the database with the same name as the connecting user. Otherwise, this is the name of a specific Postgres database.
These two fields control to which hosts a host record applies, based on their IP address. (Of course IP addresses can be spoofed but this consideration is beyond the scope of Postgres.) The precise logic is that
must be zero for the record to match.
Specifies the method that users must use to authenticate themselves when connecting to that database. The possible choices follow, details are in Section 4.2.
The connection is allowed unconditionally. This method allows any user that has login access to the client host to connect as any Postgres user whatsoever.
The connection is rejected unconditionally. This is mostly useful to "filter out" certain hosts from a group.
The client is required to supply a password with the connection attempt which is required to match the password that was set up for the user.
An optional file name may be specified after the password keyword. This file is expected to contain a list of users that this record pertains to, and optionally alternative passwords.
The password is sent over the wire in clear text. For better protection, use the crypt method.
Like the password method, but the password is sent over the wire encrypted using a simple challenge-response protocol. This is still not cryptographically secure but it protects against incidental wire-sniffing. The name of a file may follow the crypt keyword that contains a list of users that this record pertains to.
Kerberos V4 is used to authenticate the user. This is only available for TCP/IP connections.
Kerberos V5 is used to authenticate the user. This is only available for TCP/IP connections.
The ident server on the client host is asked for the identity of the connecting user. Postgres then verifies whether the so identified operating system user is allowed to connect as the database user that is requested. This is only available for TCP/IP connections. The authentication option following the ident keyword specifies the name of an ident map that specifies which operating system users equate with which database users. See below for details.
This field is interpreted differently depending on the authentication method, as described there.
The pg_hba.conf file is re-read during each connection attempt. It is therefore trivial to modify access permissions while the server is running: just edit the file.
An example of a pg_hba.conf file is shown in Example 4-1. See below for details on the different authentication methods.
Example 4-1. An example pg_hba.conf file
# TYPE DATABASE IP_ADDRESS MASK AUTHTYPE MAP # Allow any user on the local system to connect to any # database under any username, but only via an IP connection: host all 127.0.0.1 255.255.255.255 trust # The same, over Unix-socket connections: local all trust # Allow any user from any host with IP address 192.168.93.x to # connect to database "template1" as the same username that ident on that # host identifies him as (typically his Unix username): host template1 192.168.93.0 255.255.255.0 ident sameuser # Allow a user from host 192.168.12.10 to connect to database "template1" # if the user's password in pg_shadow is correctly supplied: host template1 192.168.12.10 255.255.255.255 crypt # In the absence of preceding "host" lines, these two lines will reject # all connection attempts from 192.168.54.1 (since that entry will be # matched first), but allow Kerberos V5-validated connections from anywhere # else on the Internet. The zero mask means that no bits of the host IP # address are considered, so it matches any host: host all 192.168.54.1 255.255.255.255 reject host all 0.0.0.0 0.0.0.0 krb5 # Allow users from 192.168.x.x hosts to connect to any database, if they # pass the ident check. If, for example, ident says the user is "bryanh" # and he requests to connect as PostgreSQL user "guest1", the connection # is allowed if there is an entry in pg_ident.conf for map "omicron" that # says "bryanh" is allowed to connect as "guest1": host all 192.168.0.0 255.255.0.0 ident omicron