
leo

An introduction to openGauss authentication methods

openGauss provides a variety of different client authentication methods.

Host-based authentication: the server looks up the client's IP address, the user name and the database being accessed in its configuration file, and the first matching rule decides whether, and by which method, the user is authenticated. Rules can cover every user of the system or only a subset of them.
Password authentication: remote connections authenticate with a hashed password exchange (SHA-256 by default in openGauss), while local connections are often configured more loosely, up to requiring no password at all. Password authentication protects the credential in transit, but it does not prove that the server you reached is the one you intended to reach: a host impersonating the real server can sit between client and server (a "man-in-the-middle" attack), and without SSL the rest of the session travels unencrypted.
SSL encryption: openGauss uses OpenSSL (the open-source secure communication library) to build an encrypted channel between client and server. The server is configured with a certificate and private key, the client verifies that certificate against a CA certificate it trusts, and client certificates can additionally be required. This not only encrypts all transmitted data but also defeats man-in-the-middle attacks, because the client checks the server's identity before sending any credentials. The cost is the extra TLS handshake at connection setup.
All three methods are configured in the "pg_hba.conf" file. The file is generated automatically when the database is installed and lives in the data directory (by default $GAUSSHOME/data). The rest of this post introduces this key configuration file.

Configuration file parsing
Client authentication is controlled by the configuration file pg_hba.conf, where hba stands for host-based authentication. Rules can be written for IPv4 clients, IPv6 clients and replication connections (used by standby nodes and by logical-decoding clients, for example when migrating data from openGauss to another database).
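To make the host-based lookup and the first-match rule concrete, here is an added example that is not part of the original post or of the openGauss code base: a small evaluator that parses pg_hba.conf lines the way the server reads them (type, database, user, address, method), returns the rule that would apply to a given connection, and lints the file for the settings that undermine the three methods above (a remote trust rule, the weaker md5 hash, or a plaintext host rule open to any address). The sample file is constructed for the example, and its last line is a deliberate mistake: a catch-all trust rule placed after a hostssl rule. Role membership via +group, hostnames in the address column and the sameuser/samerole keywords are assumptions left out of the model.

```python
"""Evaluate pg_hba.conf rules the way the server does: first match wins."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed sample pg_hba.conf (not taken from any real openGauss host).
# The last rule is a deliberate mistake: a catch-all 'trust' after a 'hostssl' rule.
SAMPLE_HBA = """\
# TYPE    DATABASE     USER   ADDRESS          METHOD
local     all          all                     trust
host      all          all    127.0.0.1/32     sha256
host      all          all    ::1/128          sha256
host      replication  repl   10.0.0.0/24      sha256
hostssl   all          all    0.0.0.0/0        sha256
host      all          all    0.0.0.0/0        trust
"""

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class HbaRule:
    conn_type: str              # local | host | hostssl | hostnossl
    database: str               # 'all', 'replication' or a comma-separated list
    user: str                   # 'all' or a comma-separated list ('+group' not modelled)
    network: Optional[Network]  # None for 'local' rules
    method: str                 # trust | sha256 | md5 | cert | reject ...
    line_no: int


@dataclass
class Conn:
    user: str
    database: str
    local: bool = False           # Unix-socket connection
    ssl: bool = False             # TLS negotiated on a TCP connection
    address: Optional[str] = None  # client IP for TCP connections
    replication: bool = False     # replication (WAL-streaming) connection


def parse_hba(text: str) -> List[HbaRule]:
    """Parse the hypothetical file text; hostnames in the ADDRESS column are not supported."""
    rules: List[HbaRule] = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            if len(f) < 4:
                raise ValueError(f"line {no}: malformed local rule")
            rules.append(HbaRule(f[0], f[1], f[2], None, f[3], no))
            continue
        if len(f) < 5:
            raise ValueError(f"line {no}: malformed host rule")
        addr = f[3]
        if "/" not in addr and len(f) >= 6:  # 'address netmask method' form
            addr = f"{addr}/{f[4]}"
            del f[4]
        net = ipaddress.ip_network(addr, strict=False)
        rules.append(HbaRule(f[0], f[1], f[2], net, f[4], no))
    return rules


def _type_ok(rule: HbaRule, conn: Conn) -> bool:
    if rule.conn_type == "local":
        return conn.local
    if conn.local:
        return False
    return {"host": True, "hostssl": conn.ssl, "hostnossl": not conn.ssl}.get(rule.conn_type, False)


def _db_ok(rule: HbaRule, conn: Conn) -> bool:
    names = rule.database.split(",")
    if conn.replication:  # 'all' does NOT cover replication connections
        return "replication" in names
    return "all" in names or conn.database in names


def _user_ok(rule: HbaRule, conn: Conn) -> bool:
    names = rule.user.split(",")
    return "all" in names or conn.user in names


def _addr_ok(rule: HbaRule, conn: Conn) -> bool:
    if rule.network is None:
        return True
    # 'in' is False across address families, so a v6 client never matches a v4 rule
    return ipaddress.ip_address(conn.address) in rule.network


def first_match(rules: List[HbaRule], conn: Conn) -> Optional[HbaRule]:
    """Return the first matching rule; None means the server rejects the connection."""
    for r in rules:
        if _type_ok(r, conn) and _db_ok(r, conn) and _user_ok(r, conn) and _addr_ok(r, conn):
            return r
    return None


def auth_method(rules: List[HbaRule], conn: Conn) -> str:
    r = first_match(rules, conn)
    return r.method if r else "reject (no matching rule)"


def lint(rules: List[HbaRule]) -> List[Tuple[int, str]]:
    """Flag rules that give up authentication, use the weaker hash, or allow plaintext from anywhere."""
    findings: List[Tuple[int, str]] = []
    for r in rules:
        loopback = r.network is not None and r.network.network_address.is_loopback
        if r.method == "trust" and r.conn_type != "local" and not loopback:
            findings.append((r.line_no, "trust: remote clients log in without any credential"))
        if r.method == "md5":
            findings.append((r.line_no, "md5: prefer sha256"))
        if r.network is not None and r.network.prefixlen == 0 and r.conn_type != "hostssl":
            findings.append((r.line_no, "plaintext TCP accepted from any address; use hostssl"))
    return findings


if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    for c in (Conn("omm", "postgres", local=True),
              Conn("app", "appdb", address="203.0.113.5", ssl=True),
              Conn("app", "appdb", address="203.0.113.5", ssl=False),
              Conn("repl", "replication", address="192.0.2.1", replication=True)):
        print(c, "->", auth_method(rules, c))
    for line_no, msg in lint(rules):
        print(f"line {line_no}: {msg}")
```

Running it shows the point of rule ordering: the same client from 203.0.113.5 gets sha256 over SSL (line 6) but trust without SSL (line 7), because a non-SSL connection skips the hostssl rule and falls through to the catch-all. Deleting line 7, or turning it into `hostnossl all all 0.0.0.0/0 reject`, closes that hole; the linter reports only line 7 for the sample file.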
