目录git
Greenplum安全github
身份认证算法
Greenplum安全
身份认证
一、Handles the user anthentication 二、The file is located in $MASTER_DATA_DIRECTORY 三、Comments are ignored 四、File is read line by line 五、First matching line is used 六、All subsequent lines are ignored 七、Pessimistic - if no grants,then deny access 八、To be able to access to a Greenplum database from a distant host,the couple role/host has to be set in the configuration file pg_hba.conf
pg_hba.conf配置链接类型
Type of connection: local : Connection is coming in over the Unix Domain Socket host : Connection over the network ,encryption is optional hostssl : Connection over the network ,encryption is enforced hostnossl: Connection over the network ,no encrytion
pg_hba.conf配置链接数据库
Name of database: 一、Database name, or list of database names separated by comma 二、‘all’ for all databases 三、@followed by filename : file containing databases , one per line
pg_hba.conf配置链接用户
Name of the user: 一、Role name,or list of role names separated by comma 二、‘all’ for all roles 三、@followed by filename,file containing role names, one per line 四、+role name: a group where access is granted all members of this group
pg_hba.conf配置链接网络地址
Network address 一、only for host ,hostssl and hostnossl(1st column) 二、Network address might be an IPv2 or IPv6 address CIDR-Address IP-Address + IP-Mask Comment 192.107.2.89/32 192.107.2.89 255.255.255.255 Single network 192.107.2.0/24 192.107.2.0 255.255.255.0 Small network 192.107.0.0/16 192.107.0.0 255.255.0.0 Large network 0.0.0.0/0 0.0.0.0 0.0.0.0 Full network
pg_hba.conf配置用户的认证方法
Authentication method: trust : 该模式能够不用密码直接链接数据库,不安全,通常用于集群内部局域网内 reject:该模式表示拒绝全部请求 md5 : 该模式较经常使用,发送以前使用md5算法加密的密码 password : 该模式是使用明文密码进行身份认证 ldap : 使用LDAP服务器认证 gss : 用GSSAPI和Kerberos认证用户,只对TCP/IP连接可用 pam: 使用操做系统提供的可插入认证模块服务(PAM)认证 redius:用RADIUS服务器认证 cert : 使用SSL客户端证书认证 Ident: 经过获取客户端的操做系统用户名,检查是否与被访问的数据库用户名匹配