在 PostgreSQL 中,有很多的认证方式(ldap,md5,scram-sha-256……)。PostgreSQL 提供多种认证方式,能够基于 地址、数据库、用户 进行认证。
不同的认证方式,认证口令(密码)的存储位置也不相同。有些是存储在数据库中的,这些可以查看 pg_authid 表(select * from pg_authid)。参考「20.5. Password Authentication」一文。
数据库用户名与操作系统用户名是分离的,但是如果数据库用户具有在操作系统中的对应用户名,那分配 匹配操作系统用户名的 数据库用户名是有意义的。
配置文件(The pg_hba.conf File)
注意事项:该部分描述的认证并非我们理解的数据库认证,而是更底层的认证,其更倾向于控制用户参与认证的方法,而非具体的帐号密码等等。
客户端认证由 pg_hba.conf 文件控制,HBA(host-based authentication),默认的 pg_hba.conf 在 initdb 时创建,但是可以使用 hba_file 指令指定该文件位置;
该文件通常位于/var/lib/pgsql/data/pg_hba.conf,或者可以使用 locate(1)命令进行定位。
当配置文件发生变更后,需要 reload 进行加载。
视图 pg_hba_file_rules 用于协助排查配置文件错误。
在配置文件中,是系列记录:空格分割字段,反斜线换行,井号注释,引号处理空格字符。
记录格式:a connection type, a client IP address range (if relevant for the connection type), a database name, a user name, the authentication method
首个匹配 connection type, client address, requested database, user name 的记录,将用于认证。
配置文件格式:
local database user auth-method [auth-options] host database user address auth-method [auth-options] hostssl database user address auth-method [auth-options] hostnossl database user address auth-method [auth-options] hostgssenc database user address auth-method [auth-options] hostnogssenc database user address auth-method [auth-options] host database user IP-address IP-mask auth-method [auth-options] hostssl database user IP-address IP-mask auth-method [auth-options] hostnossl database user IP-address IP-mask auth-method [auth-options] hostgssenc database user IP-address IP-mask auth-method [auth-options] hostnogssenc database user IP-address IP-mask auth-method [auth-options] local: using Unix-domain sockets host: using TCP/IP database: Specifies which database name(s) this record matches. # all/sameuser/samerole user: Specifies which database user name(s) this record matches. address: Specifies the client machine address(es) that this record matches. # 172.20.143.89/32 172.20.143.0/24 auth-method: Specifies the authentication method to use # trust, reject, md5, password, ... auth-options:
用户名映射(User Name Maps)
当使用外部系统时,发起连接的用户名 和 数据库的用户名可能不同,此时需要进行映射处理。
认证方法(Authentication Methods)
PostgreSQL 提供多种认证方法:
01)Trust authentication, which simply trusts that users are who they say they are.
02)Password authentication, which requires that users send a password.
03)GSSAPI authentication, which relies on a GSSAPI-compatible security library. Typically this is used to access an authentication server such as a Kerberos or Microsoft Active Directory server.
04)SSPI authentication, which uses a Windows-specific protocol similar to GSSAPI.
05)Ident authentication, which relies on an “Identification Protocol” (RFC 1413) service on the client’s machine. (On local Unix-socket connections, this is treated as peer authentication.)
06)Peer authentication, which relies on operating system facilities to identify the process at the other end of a local connection. This is not supported for remote connections.
07)LDAP authentication, which relies on an LDAP authentication server.
08)RADIUS authentication, which relies on a RADIUS authentication server.
09)Certificate authentication, which requires an SSL connection and authenticates users by checking the SSL certificate they send.
10)PAM authentication, which relies on a PAM (Pluggable Authentication Modules) library.
11)BSD authentication, which relies on the BSD Authentication framework (currently available only on OpenBSD).
Trust Authentication
该认证方式通常用于操作系统本地受信用户,以及通过 Unix-socket 连接,并需要进行合理的权限限制。
在实际的生产环境中,用户多是通过网络进行认证,我们暂时不会采用该种认证方式;
Password Authentication
密码认证方式有多种,本质相同,仅是密码发送方式、密码存储方式不同。
scram-sha-256
md5
password
数据库的密码是独立存储的(相比操作系统用户密码),保存于 pg_authid 表。
管理用户密码:
1)CREATE ROLE:CREATE ROLE foo WITH LOGIN PASSWORD ‘secret’
2)ALTER ROLE:
3)psql> \password
GSSAPI Authentication
WIP
SSPI Authentication
WIP
Ident Authentication
WIP
Peer Authentication
WIP
LDAP Authentication
WIP
RADIUS Authentication
WIP
Certificate Authentication
WIP
PAM Authentication
WIP
BSD Authentication
WIP
认证问题(Authentication Problems)
常见认证问题。
补充说明
口令的加密方式
密码的加密方式是查看配置文件(使用grep -i password /var/lib/pgsql/data/postgresql.conf命令);
或者使用SHOW password_encryption;语句查看;
可以在/var/lib/pgsql/data/postgresql.conf中配置口令加密方式,值为on等价于md5。参考「19.3. Connections and Authentication」中的说明。
参考文献
Chapter 20. Client Authentication
20.5. Password Authentication
Default PostgreSQL password encryption method