|
1 | 1 | # |
2 | | -# Example PostgreSQL host access control file. |
| 2 | +# |
| 3 | +# PostgreSQL HOST ACCESS CONTROL FILE |
3 | 4 | # |
4 | 5 | # |
5 | 6 | # This file controls what hosts are allowed to connect to what databases |
6 | | -# and specifies some options on how users on a particular host are identified. |
7 | | -# It is read each time a host tries to make a connection to a database. |
8 | | -# |
9 | | -# Each line (terminated by a newline character) is a record. A record cannot |
10 | | -# be continued across two lines. |
| 7 | +# and specifies some options on how users on a particular host are |
| 8 | +# identified. It is read each time a host tries to make a connection to a |
| 9 | +# database. |
| 10 | +# |
| 11 | +# Each line (terminated by a newline character) is a record. A record |
| 12 | +# cannot be continued across two lines. |
11 | 13 | # |
12 | 14 | # There are 3 kinds of records: |
13 | 15 | # |
14 | 16 | # 1) comment: Starts with #. |
15 | 17 | # |
16 | 18 | # 2) empty: Contains nothing excepting spaces and tabs. |
17 | 19 | # |
18 | | -# 3) content: anything else. |
19 | | -# |
20 | | -# Unless specified otherwise, "record" from here on means a content |
21 | | -# record. |
| 20 | +# 3) record: anything else. |
22 | 21 | # |
23 | | -# A record consists of tokens separated by spaces or tabs. Spaces and |
| 22 | +# Only record lines are significant. |
| 23 | +# |
| 24 | +# A record consists of tokens separated by spaces or tabs. Spaces and |
24 | 25 | # tabs at the beginning and end of a record are ignored as are extra |
25 | 26 | # spaces and tabs between two tokens. |
26 | | -# |
27 | | -# The first token in a record is the record type. The interpretation of the |
28 | | -# rest of the record depends on the record type. |
29 | | -# |
| 27 | +# |
| 28 | +# The first token in a record is the record type. The interpretation of |
| 29 | +# the rest of the record depends on the record type. |
| 30 | + |
| 31 | + |
30 | 32 | # Record type "host" |
31 | 33 | # ------------------ |
32 | 34 | # |
33 | | -# This record identifies a set of network hosts that are permitted to connect |
34 | | -# to databases.No network hosts are permitted to connect except as specified |
35 | | -# by a "host" record.See the record type "local" to specify permitted |
36 | | -# connectionsusingUNIX sockets. |
| 35 | +# This record identifies a set of network hosts that are permitted to |
| 36 | +#connectto databases. No network hosts are permitted to connect except |
| 37 | +#as specifiedby a "host" record. See the record type "local" to specify |
| 38 | +#permittedconnectionsfor local users viaUNIX domain sockets. |
37 | 39 | # |
38 | 40 | # Format: |
39 | 41 | # |
40 | 42 | # host DBNAME IP_ADDRESS ADDRESS_MASK AUTHTYPE [AUTH_ARGUMENT] |
41 | 43 | # |
42 | | -# DBNAME is the name of a PostgreSQL database, "all" to indicate all |
43 | | -# databases, or "sameuser" to restrict a user's access to a database |
44 | | -# with the same user name. |
45 | | -# |
46 | | -# IP_ADDRESS and ADDRESS_MASK are a standard dotted decimal IP address and |
47 | | -# mask to identify a set of hosts. These hosts are allowed to connect to |
48 | | -# Database DBNAME. |
49 | | -# |
50 | | -# AUTHTYPE is a keyword indicating the method used to authenticate the |
51 | | -# user, i.e. to determine that the principal is authorized to connect |
52 | | -# under the PostgreSQL username he supplies in his connection parameters. |
53 | | -# |
54 | | -# ident: Authentication is done by the ident server on the remote |
55 | | -# host, via the ident (RFC 1413) protocol. AUTH_ARGUMENT, if |
56 | | -# specified, is a map name to be found in the pg_ident.conf file. |
57 | | -# That table maps from ident usernames to PostgreSQL usernames. The |
58 | | -# special map name "sameuser" indicates an implied map (not found |
59 | | -# in pg_ident.conf) that maps every ident username to the identical |
60 | | -# PostgreSQL username. |
| 44 | +# DBNAME is the name of a PostgreSQL database, "all" to indicate all |
| 45 | +# databases, or "sameuser" to restrict a user's access to a database with |
| 46 | +# the same user name. |
61 | 47 | # |
62 | | -# trust: No authentication is done. Trust that the user has the |
63 | | -# authority to use whatever username he specifies. Before |
64 | | -# PostgreSQL version 6, all authentication was done this way. |
65 | | -# |
66 | | -# reject: Reject the connection. |
67 | | -# |
68 | | -# password: Authentication is done by matching a password supplied in clear |
69 | | -# by the host. If AUTH_ARGUMENT is specified then the password |
70 | | -# is compared with the user's entry in that file (in the $PGDATA |
71 | | -# directory). See pg_passwd(1). If it is omitted then the |
72 | | -# password is compared with the user's entry in the pg_shadow |
73 | | -# table. |
74 | | -# |
75 | | -# crypt: Authentication is done by matching an encrypted password supplied |
76 | | -# by the host with that held for the user in the pg_shadow table. |
77 | | -# |
78 | | -# krb4: Kerberos V4 authentication is used. |
79 | | -# |
80 | | -# krb5: Kerberos V5 authentication is used. |
| 48 | +# IP_ADDRESS and ADDRESS_MASK are a standard dotted decimal IP address |
| 49 | +# and mask to identify a set of hosts. These hosts are allowed to connect |
| 50 | +# to Database DBNAME. There is a separate section about AUTHTYPE below. |
| 51 | + |
81 | 52 |
|
82 | 53 | # Record type "hostssl" |
83 | 54 | # --------------------- |
84 | 55 | # |
| 56 | +# The format of this record is identical to that of "host". |
| 57 | +# |
85 | 58 | # This record identifies the authentication to use when connecting to a |
86 | 59 | # particular database via TCP/IP sockets over SSL. Note that normal |
87 | 60 | # "host" records are also matched - "hostssl" records can be used to |
88 | | -# require a SSL connection. |
89 | | -# This keyword is only available if the server is compiled with SSL support |
90 | | -# enabled. |
91 | | -# |
92 | | -# The format of this record is identical to that of "host". |
| 61 | +# require a SSL connection. This keyword is only available if the server |
| 62 | +# is compiled with SSL support enabled. |
| 63 | + |
93 | 64 |
|
94 | 65 | # Record type "local" |
95 | 66 | # ------------------ |
|
101 | 72 | # |
102 | 73 | # local DBNAME AUTHTYPE [AUTH_ARGUMENT] |
103 | 74 | # |
104 | | -# The format is the same as that of the "host" record type except that the |
105 | | -# IP_ADDRESS and ADDRESS_MASK are omitted and the "ident", "krb4" and "krb5" |
106 | | -#values of AUTHTYPE are not allowed. |
| 75 | +# The format is the same as that of the "host" record type except that |
| 76 | +#theIP_ADDRESS and ADDRESS_MASK are omitted. Local supports only |
| 77 | +#AUTHTYPEs "trust", "password", "crypt", and "reject". |
107 | 78 |
|
108 | | -# For backwards compatibility, PostgreSQL also accepts pre-version 6 records, |
109 | | -# which look like: |
110 | | -# |
111 | | -# all 127.0.0.1 0.0.0.0 |
112 | 79 |
|
| 80 | +# Authentication Types (AUTHTYPE) |
| 81 | +# ------------------------------- |
| 82 | +# |
| 83 | +# AUTHTYPE is a keyword indicating the method used to authenticate the |
| 84 | +# user, i.e. to determine that the user is authorized to connect under |
| 85 | +# the PostgreSQL username supplied in his connection parameters. |
| 86 | +# |
| 87 | +# trust: No authentication is done. Trust that the user has the |
| 88 | +# authority to use whatever username he specifies. |
| 89 | +# |
| 90 | +# password:Authentication is done by matching a password supplied |
| 91 | +# in clear by the host. If AUTH_ARGUMENT is specified then |
| 92 | +# the password is compared with the user's entry in that |
| 93 | +# file (in the $PGDATA directory). See pg_passwd(1). If it |
| 94 | +# is omitted then the password is compared with the user's |
| 95 | +# entry in the pg_shadow table. |
| 96 | +# |
| 97 | +# crypt: Same as 'password', but authentication is done by |
| 98 | +# encrypting the password sent over the network. |
| 99 | +# |
| 100 | +# ident: Authentication is done by the ident server on the remote |
| 101 | +# host, via the ident (RFC 1413) protocol. AUTH_ARGUMENT, |
| 102 | +# if specified, is a map name to be found in the |
| 103 | +# pg_ident.conf file. That table maps from ident usernames |
| 104 | +# to PostgreSQL usernames. The special map name "sameuser" |
| 105 | +# indicates an implied map (not found in pg_ident.conf) |
| 106 | +# that maps every ident username to the identical |
| 107 | +# PostgreSQL username. |
| 108 | +# |
| 109 | +# krb4: Kerberos V4 authentication is used. |
| 110 | +# |
| 111 | +# krb5: Kerberos V5 authentication is used. |
| 112 | +# |
| 113 | +# reject: Reject the connection. |
| 114 | + |
| 115 | + |
| 116 | +# Examples |
| 117 | +# -------- |
| 118 | +# |
113 | 119 | # TYPE DATABASE IP_ADDRESS MASK AUTHTYPE MAP |
114 | | - |
| 120 | +# |
115 | 121 | #host all 127.0.0.1 255.255.255.255 trust |
116 | | - |
117 | | -# The above allows any user on the local system to connect to any database |
118 | | -# under any username. |
119 | | -
|
| 122 | +# |
| 123 | +# The above allows any user on the local system to connect to any |
| 124 | +#databaseunder any username. |
| 125 | +# |
120 | 126 | #host template1 192.168.93.0 255.255.255.0 ident sameuser |
121 | | - |
| 127 | +# |
122 | 128 | # The above allows any user from any host with IP address 192.168.93.x to |
123 | | -# connect to database template1 as the same username that ident on that host |
124 | | -# identifies him as (typically his Unix username). |
125 | | - |
| 129 | +# connect to database template1 as the same username that ident on that |
| 130 | +# host identifies him as (typically his Unix username). |
| 131 | +# |
| 132 | +#host template1 192.168.12.10 255.255.255.255 crypt |
| 133 | +# |
| 134 | +# The above allows a user from host 192.168.12.10 to connect to |
| 135 | +# database template1 if the password assigned to that user is |
| 136 | +# supplied. User passwords are optionally assigned when a |
| 137 | +# user is created. |
| 138 | +# |
126 | 139 | #host all 192.168.54.1 255.255.255.255 reject |
127 | 140 | #host all 0.0.0.0 0.0.0.0 trust |
128 | | - |
129 | | -# The above would allow anyone anywhere except from 192.168.54.1 to connect to |
130 | | -# any database under any username. |
131 | | - |
| 141 | +# |
| 142 | +# The above would allow anyone anywhere except from 192.168.54.1 to |
| 143 | +#connect toany database under any username. |
| 144 | +# |
132 | 145 | #host all 192.168.77.0 255.255.255.0 ident omicron |
133 | 146 | # |
134 | 147 | # The above would allow users from 192.168.77.x hosts to connect to any |
135 | 148 | # database, but if Ident says the user is "bryanh" and he requests to |
136 | 149 | # connect as PostgreSQL user "guest1", the connection is only allowed if |
137 | | -# there is an entry for map "omicron" in pg_ident.conf that says "bryanh" is |
138 | | -# allowed to connect as "guest1". |
| 150 | +# there is an entry for map "omicron" in pg_ident.conf that says "bryanh" |
| 151 | +# is allowed to connect as "guest1". |
| 152 | +# |
139 | 153 |
|
140 | | -# By default, allow anything over UNIX domain sockets and localhost. |
141 | 154 |
|
| 155 | +# By default, allow anything over UNIX domain sockets and localhost. |
142 | 156 | local all trust |
143 | 157 | host all 127.0.0.1 255.255.255.255 trust |