Syntax #
<connection-type> <database> <role> <remote-machine> <auth-method>
- connection-type
The type of connection, one of: local (via operating system sockets), host (TCP/IP, encrypted or not), hostssl (TCP/IP, encrypted connections only), hostnossl (TCP/IP, non-encrypted connections only).
- database
The name of a specific database that the line refers to or the special keyword all, which means every available database. The special replication keyword is used to handle a special type of connection used to replicate the data to another cluster.
- role
The specific role (either a username or a group) that the line refers to or the special keyword all, which means all available roles (and groups).
- remote-machine
The hostname, IP address, or subnet from which the connection is expected. The special keyword all matches with any remote machine that the connection is established from, while the special keywords samehost and samenet match any hostname or subnet the cluster is attached to.
- auth-method
Dictates how the connection must be handled; more generally, it deals with how the login credentials have to be checked. The main methods are: scram-sha-256, md5 (the method used in older versions), reject to always refuse the connection, trust to always accept the connection without any regard to supplied credentials.
Order of rules #
The order by which the rules are listed in the pg_hba.conf file matters. The first rule that satisfies the logic is applied, and the others are skipped.
Merging multiple rules into a single one #
host forumdb,learnpgdb luca,enrico samenet scram-sha-256
Using groups instead of single roles #
host forumdb +book_authors all scram-sha-256
The group name must be prefixed with a "+" sign.
Using files instead of single roles #
host forumdb @rejected_users.txt all reject
host forumdb @allowed_users.txt all scram-sha-256
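To try the syntax, the first-match order, the comma lists, the +group roles and the @file role lists offline, here is an added Python model of how pg_hba.conf is evaluated. It is example code written for these notes, not code from the original page or from PostgreSQL itself. The sample configuration, the contents of the @file list, the group membership and the local interface used for samehost and samenet are all constructed stand-ins. The parser splits fields on whitespace, exactly as the server does, so a space after the comma in a role list, or an @file name that runs into the address field, shifts the field boundaries and is reported as an error instead of silently matching something else.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample pg_hba.conf, in the order PostgreSQL reads it (first match wins).
SAMPLE_HBA = """\
# TYPE  DATABASE           USER                 ADDRESS         METHOD
local   all                postgres                             peer
host    forumdb            @rejected_users.txt  all             reject
host    forumdb,learnpgdb  luca,enrico          10.0.0.0/8      scram-sha-256
host    forumdb            +book_authors        all             scram-sha-256
hostssl replication        replicator           192.168.1.0/24  scram-sha-256
host    all                all                  all             reject
"""

# Constructed stand-ins: the @file contents and the group membership that the
# real server would read from the data directory and from pg_auth_members.
ROLE_FILES = {"rejected_users.txt": {"mallory", "eve"}}
GROUP_MEMBERS = {"book_authors": {"luca", "enrico", "anna"}}
# Assumed local interface, only needed to resolve samehost / samenet.
LOCAL_INTERFACES = [ipaddress.ip_interface("192.168.1.10/24")]
# Subset of the real method list; anything else is treated as a parse error.
KNOWN_METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "peer", "ident", "cert"}


@dataclass
class Rule:
    line_number: int
    conn_type: str
    databases: list
    users: list
    address: Optional[str]   # None for local rules, which carry no address field
    method: str


@dataclass
class Connection:
    user: str
    database: str
    address: Optional[str] = None   # None means a Unix-socket connection
    ssl: bool = False
    replication: bool = False


def parse_hba(text):
    """Parse pg_hba.conf text: fields are whitespace-separated, lists use commas with no spaces."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ctype = fields[0]
        if ctype == "local":
            expected = 4
        elif ctype in ("host", "hostssl", "hostnossl"):
            expected = 5
        else:
            raise ValueError(f"line {lineno}: unknown connection type {ctype!r}")
        if len(fields) < expected:
            raise ValueError(f"line {lineno}: expected {expected} fields, got {len(fields)}")
        address = fields[3] if expected == 5 else None
        method = fields[expected - 1]
        if method not in KNOWN_METHODS:
            raise ValueError(f"line {lineno}: unknown auth method {method!r}")
        rules.append(Rule(lineno, ctype, fields[1].split(","), fields[2].split(","), address, method))
    return rules


def _type_matches(rule, conn):
    if conn.address is None:
        return rule.conn_type == "local"
    return {"host": True, "hostssl": conn.ssl, "hostnossl": not conn.ssl}.get(rule.conn_type, False)


def _db_matches(token, conn):
    if conn.replication:
        return token == "replication"   # 'all' does not cover replication connections
    return token == "all" or token == conn.database


def _user_matches(token, conn):
    if token == "all":
        return True
    if token.startswith("+"):           # group role; direct membership only in this model
        return conn.user in GROUP_MEMBERS.get(token[1:], set())
    if token.startswith("@"):           # role names read from a file
        return conn.user in ROLE_FILES.get(token[1:], set())
    return token == conn.user


def _address_matches(token, conn):
    if token == "all":
        return True
    addr = ipaddress.ip_address(conn.address)
    if token == "samehost":
        return any(addr == iface.ip for iface in LOCAL_INTERFACES)
    if token == "samenet":
        return any(addr in iface.network for iface in LOCAL_INTERFACES)
    return addr in ipaddress.ip_network(token, strict=False)


def evaluate(rules, conn):
    """Return the first rule whose every field matches, or None (PostgreSQL then refuses the connection)."""
    for rule in rules:
        if (_type_matches(rule, conn)
                and any(_db_matches(d, conn) for d in rule.databases)
                and any(_user_matches(u, conn) for u in rule.users)
                and (rule.address is None or _address_matches(rule.address, conn))):
            return rule
    return None


if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    for conn in (Connection("postgres", "forumdb"),
                 Connection("mallory", "forumdb", "10.1.1.1"),
                 Connection("anna", "forumdb", "203.0.113.5"),
                 Connection("replicator", "", "192.168.1.20", ssl=False, replication=True)):
        hit = evaluate(rules, conn)
        print(conn.user, "->", "no rule, refused" if hit is None else f"line {hit.line_number}: {hit.method}")
```

Two things the model makes visible that the notes only state: the catch-all reject on the last line is what makes refusal explicit, because a connection that matches no rule at all is refused anyway, and prepending that same reject line to the file rejects everyone, since nothing after the first match is consulted. The model ignores rule options, the sameuser and samerole keywords and indirect group membership, so it is a reading aid, not a substitute for pg_hba_file_rules on the server.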
Inspecting pg_hba.conf rules #
SELECT line_number, type,
database, user_name,
address, auth_method
FROM pg_hba_file_rules;