2002-09-14 20:35:46 +02:00
|
|
|
# PostgreSQL Client Authentication Configuration File
|
|
|
|
# ===================================================
|
|
|
|
#
|
2010-01-26 07:58:39 +01:00
|
|
|
# Refer to the "Client Authentication" section in the PostgreSQL
|
|
|
|
# documentation for a complete description of this file. A short
|
|
|
|
# synopsis follows.
|
2002-09-14 20:35:46 +02:00
|
|
|
#
|
Add support for file inclusions in HBA and ident configuration files
pg_hba.conf and pg_ident.conf gain support for three record keywords:
- "include", to include a file.
- "include_if_exists", to include a file, ignoring it if missing.
- "include_dir", to include a directory of files. These are classified
by name (C locale, mostly) and need to be prefixed by ".conf", hence
following the same rules as GUCs.
This commit relies on the refactoring pieces done in efc9816, ad6c528,
783e8c6 and 1b73d0b, adding a small wrapper to build a list of
TokenizedAuthLines (tokenize_include_file), and the code is shaped to
offer some symmetry with what is done for GUCs with the same options.
pg_hba_file_rules and pg_ident_file_mappings gain a new field called
file_name, to track from which file a record is located, taking
advantage of the addition of rule_number in c591300 to offer an
organized view of the HBA or ident records loaded.
Bump catalog version.
Author: Julien Rouhaud
Reviewed-by: Michael Paquier
Discussion: https://postgr.es/m/20220223045959.35ipdsvbxcstrhya@jrouhaud
2022-11-24 05:51:34 +01:00
|
|
|
# ----------------------
|
|
|
|
# Authentication Records
|
|
|
|
# ----------------------
|
|
|
|
#
|
2002-09-14 20:35:46 +02:00
|
|
|
# This file controls: which hosts are allowed to connect, how clients
|
|
|
|
# are authenticated, which PostgreSQL user names they can use, which
|
2005-01-08 00:59:17 +01:00
|
|
|
# databases they can access. Records take one of these forms:
|
2002-09-14 20:35:46 +02:00
|
|
|
#
|
2020-05-26 02:19:28 +02:00
|
|
|
# local DATABASE USER METHOD [OPTIONS]
|
|
|
|
# host DATABASE USER ADDRESS METHOD [OPTIONS]
|
|
|
|
# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
|
|
|
|
# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
|
|
|
|
# hostgssenc DATABASE USER ADDRESS METHOD [OPTIONS]
|
|
|
|
# hostnogssenc DATABASE USER ADDRESS METHOD [OPTIONS]
|
2002-09-14 20:35:46 +02:00
|
|
|
#
|
2005-01-08 00:59:17 +01:00
|
|
|
# (The uppercase items must be replaced by actual values.)
|
|
|
|
#
|
2021-04-29 06:51:42 +02:00
|
|
|
# The first field is the connection type:
|
|
|
|
# - "local" is a Unix-domain socket
|
|
|
|
# - "host" is a TCP/IP socket (encrypted or not)
|
|
|
|
# - "hostssl" is a TCP/IP socket that is SSL-encrypted
|
|
|
|
# - "hostnossl" is a TCP/IP socket that is not SSL-encrypted
|
|
|
|
# - "hostgssenc" is a TCP/IP socket that is GSSAPI-encrypted
|
|
|
|
# - "hostnogssenc" is a TCP/IP socket that is not GSSAPI-encrypted
|
2005-01-08 00:59:17 +01:00
|
|
|
#
|
2010-01-26 07:58:39 +01:00
|
|
|
# DATABASE can be "all", "sameuser", "samerole", "replication", a
|
2023-02-15 23:38:52 +01:00
|
|
|
# database name, a regular expression (if it starts with a slash (/))
|
|
|
|
# or a comma-separated list thereof. The "all" keyword does not match
|
|
|
|
# "replication". Access to replication must be enabled in a separate
|
|
|
|
# record (see example below).
|
|
|
|
#
|
|
|
|
# USER can be "all", a user name, a group name prefixed with "+", a
|
|
|
|
# regular expression (if it starts with a slash (/)) or a comma-separated
|
|
|
|
# list thereof. In both the DATABASE and USER fields you can also write
|
|
|
|
# a file name prefixed with "@" to include names from a separate file.
|
2004-08-26 15:44:38 +02:00
|
|
|
#
|
2010-10-15 21:53:39 +02:00
|
|
|
# ADDRESS specifies the set of hosts the record matches. It can be a
|
|
|
|
# host name, or it is made up of an IP address and a CIDR mask that is
|
|
|
|
# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
|
2010-10-24 14:54:00 +02:00
|
|
|
# specifies the number of significant bits in the mask. A host name
|
|
|
|
# that starts with a dot (.) matches a suffix of the actual host name.
|
2010-10-15 21:53:39 +02:00
|
|
|
# Alternatively, you can write an IP address and netmask in separate
|
|
|
|
# columns to specify the set of hosts. Instead of a CIDR-address, you
|
|
|
|
# can write "samehost" to match any of the server's own IP addresses,
|
|
|
|
# or "samenet" to match any address in any subnet that the server is
|
|
|
|
# directly connected to.
|
2005-01-08 00:59:17 +01:00
|
|
|
#
|
2017-04-18 13:50:50 +02:00
|
|
|
# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
|
|
|
|
# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
|
|
|
|
# Note that "password" sends passwords in clear text; "md5" or
|
|
|
|
# "scram-sha-256" are preferred since they send encrypted passwords.
|
2004-08-26 15:44:38 +02:00
|
|
|
#
|
2008-10-23 15:31:10 +02:00
|
|
|
# OPTIONS are a set of options for the authentication in the format
|
2010-01-26 07:58:39 +01:00
|
|
|
# NAME=VALUE. The available options depend on the different
|
|
|
|
# authentication methods -- refer to the "Client Authentication"
|
|
|
|
# section in the documentation for a list of which options are
|
|
|
|
# available for which authentication methods.
|
2002-09-14 20:35:46 +02:00
|
|
|
#
|
2010-01-26 07:58:39 +01:00
|
|
|
# Database and user names containing spaces, commas, quotes and other
|
|
|
|
# special characters must be quoted. Quoting one of the keywords
|
|
|
|
# "all", "sameuser", "samerole" or "replication" makes the name lose
|
|
|
|
# its special character, and just match a database or username with
|
|
|
|
# that name.
|
2003-12-25 04:44:05 +01:00
|
|
|
#
|
Add support for file inclusions in HBA and ident configuration files
pg_hba.conf and pg_ident.conf gain support for three record keywords:
- "include", to include a file.
- "include_if_exists", to include a file, ignoring it if missing.
- "include_dir", to include a directory of files. These are classified
by name (C locale, mostly) and need to be prefixed by ".conf", hence
following the same rules as GUCs.
This commit relies on the refactoring pieces done in efc9816, ad6c528,
783e8c6 and 1b73d0b, adding a small wrapper to build a list of
TokenizedAuthLines (tokenize_include_file), and the code is shaped to
offer some symmetry with what is done for GUCs with the same options.
pg_hba_file_rules and pg_ident_file_mappings gain a new field called
file_name, to track from which file a record is located, taking
advantage of the addition of rule_number in c591300 to offer an
organized view of the HBA or ident records loaded.
Bump catalog version.
Author: Julien Rouhaud
Reviewed-by: Michael Paquier
Discussion: https://postgr.es/m/20220223045959.35ipdsvbxcstrhya@jrouhaud
2022-11-24 05:51:34 +01:00
|
|
|
# ---------------
|
|
|
|
# Include Records
|
|
|
|
# ---------------
|
|
|
|
#
|
|
|
|
# This file allows the inclusion of external files or directories holding
|
|
|
|
# more records, using the following keywords:
|
|
|
|
#
|
|
|
|
# include FILE
|
|
|
|
# include_if_exists FILE
|
|
|
|
# include_dir DIRECTORY
|
|
|
|
#
|
|
|
|
# FILE is the file name to include, and DIR is the directory name containing
|
|
|
|
# the file(s) to include. Any file in a directory will be loaded if suffixed
|
|
|
|
# with ".conf". The files of a directory are ordered by name.
|
|
|
|
# include_if_exists ignores missing files. FILE and DIRECTORY can be
|
|
|
|
# specified as a relative or an absolute path, and can be double-quoted if
|
|
|
|
# they contain spaces.
|
|
|
|
#
|
|
|
|
# -------------
|
|
|
|
# Miscellaneous
|
|
|
|
# -------------
|
|
|
|
#
|
2016-10-25 17:26:15 +02:00
|
|
|
# This file is read on server startup and when the server receives a
|
|
|
|
# SIGHUP signal. If you edit the file on a running system, you have to
|
|
|
|
# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
|
|
|
|
# or execute "SELECT pg_reload_conf()".
|
|
|
|
#
|
Add support for file inclusions in HBA and ident configuration files
pg_hba.conf and pg_ident.conf gain support for three record keywords:
- "include", to include a file.
- "include_if_exists", to include a file, ignoring it if missing.
- "include_dir", to include a directory of files. These are classified
by name (C locale, mostly) and need to be prefixed by ".conf", hence
following the same rules as GUCs.
This commit relies on the refactoring pieces done in efc9816, ad6c528,
783e8c6 and 1b73d0b, adding a small wrapper to build a list of
TokenizedAuthLines (tokenize_include_file), and the code is shaped to
offer some symmetry with what is done for GUCs with the same options.
pg_hba_file_rules and pg_ident_file_mappings gain a new field called
file_name, to track from which file a record is located, taking
advantage of the addition of rule_number in c591300 to offer an
organized view of the HBA or ident records loaded.
Bump catalog version.
Author: Julien Rouhaud
Reviewed-by: Michael Paquier
Discussion: https://postgr.es/m/20220223045959.35ipdsvbxcstrhya@jrouhaud
2022-11-24 05:51:34 +01:00
|
|
|
# ----------------------------------
|
2002-09-14 20:35:46 +02:00
|
|
|
# Put your actual configuration here
|
|
|
|
# ----------------------------------
|
2001-11-19 00:24:16 +01:00
|
|
|
#
|
2002-09-14 20:35:46 +02:00
|
|
|
# If you want to allow non-local connections, you need to add more
|
2010-01-26 07:58:39 +01:00
|
|
|
# "host" records. In that case you will also need to make PostgreSQL
|
|
|
|
# listen on a non-local interface via the listen_addresses
|
|
|
|
# configuration parameter, or via the -i or -h command line switches.
|
2002-09-14 20:35:46 +02:00
|
|
|
|
2004-08-01 07:59:13 +02:00
|
|
|
@authcomment@
|
|
|
|
|
2010-10-15 21:53:39 +02:00
|
|
|
# TYPE DATABASE USER ADDRESS METHOD
|
2001-06-18 18:11:30 +02:00
|
|
|
|
2004-10-06 11:13:10 +02:00
|
|
|
@remove-line-for-nolocal@# "local" is for Unix domain socket connections only
|
2011-03-19 18:44:35 +01:00
|
|
|
@remove-line-for-nolocal@local all all @authmethodlocal@
|
2004-10-06 11:01:18 +02:00
|
|
|
# IPv4 local connections:
|
2012-02-01 20:18:55 +01:00
|
|
|
host all all 127.0.0.1/32 @authmethodhost@
|
2004-10-06 11:01:18 +02:00
|
|
|
# IPv6 local connections:
|
2012-02-01 20:18:55 +01:00
|
|
|
host all all ::1/128 @authmethodhost@
|
2011-05-19 20:03:15 +02:00
|
|
|
# Allow replication connections from localhost, by a user with the
|
|
|
|
# replication privilege.
|
2017-03-09 14:27:16 +01:00
|
|
|
@remove-line-for-nolocal@local replication all @authmethodlocal@
|
|
|
|
host replication all 127.0.0.1/32 @authmethodhost@
|
|
|
|
host replication all ::1/128 @authmethodhost@
|