目录
Greenplum安全
身份认证
pg_hba.conf配置连接类型
pg_hba.conf配置连接数据库
pg_hba.conf配置连接用户
pg_hba.conf配置连接网络地址
pg_hba.conf配置用户的认证方法
Greenplum安全
身份认证
1、Handles the user anthentication
2、The file is located in $MASTER_DATA_DIRECTORY
3、Comments are ignored
4、File is read line by line
5、First matching line is used
6、All subsequent lines are ignored
7、Pessimistic - if no grants,then deny access
8、To be able to access to a Greenplum database from a distant host,the couple role/host has to be set in the configuration file pg_hba.conf
pg_hba.conf配置连接类型
Type of connection:
local : Connection is coming in over the Unix Domain Socket
host : Connection over the network ,encryption is optional
hostssl : Connection over the network ,encryption is enforced
hostnossl: Connection over the network ,no encrytion
pg_hba.conf配置连接数据库
Name of database:
1、Database name, or list of database names separated by comma
2、‘all’ for all databases
3、@followed by filename : file containing databases , one per line
pg_hba.conf配置连接用户
Name of the user:
1、Role name,or list of role names separated by comma
2、‘all’ for all roles
3、@followed by filename,file containing role names, one per line
4、+role name: a group where access is granted all members of this group
pg_hba.conf配置连接网络地址
Network address
1、only for host ,hostssl and hostnossl(1st column)
2、Network address might be an IPv2 or IPv6 address
CIDR-Address IP-Address + IP-Mask Comment
192.107.2.89/32 192.107.2.89 255.255.255.255 Single network
192.107.2.0/24 192.107.2.0 255.255.255.0 Small network
192.107.0.0/16 192.107.0.0 255.255.0.0 Large network
0.0.0.0/0 0.0.0.0 0.0.0.0 Full network
pg_hba.conf配置用户的认证方法
Authentication method:
trust : 该模式可以不用密码直接连接数据库,不安全,一般用于集群内部局域网内
reject:该模式表示拒绝所有请求
md5 : 该模式较常用,发送之前使用md5算法加密的密码
password : 该模式是使用明文密码进行身份认证
ldap : 使用LDAP服务器认证
gss : 用GSSAPI和Kerberos认证用户,只对TCP/IP链接可用
pam: 使用操作系统提供的可插入认证模块服务(PAM)认证
redius:用RADIUS服务器认证
cert : 使用SSL客户端证书认证
Ident: 通过获取客户端的操作系统用户名,检查是否与被访问的数据库用户名匹配