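【Configuring client authentication】
To connect to GP remotely, edit the pg_hba.conf configuration file (the standard PostgreSQL host-based authentication file).
Although pg_hba.conf exists on both the master and the segments, only the master's copy needs to be changed. Clients connect only to the master and never need to connect directly to a segment.
The format of pg_hba.conf entries for remote access is as follows: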
local database user auth-method [auth-options]
host database user CIDR-address auth-method [auth-options]
hostssl database user CIDR-address auth-method [auth-options]
hostnossl database user CIDR-address auth-method [auth-options]
host database user IP-address IP-mask auth-method [auth-options]
hostssl database user IP-address IP-mask auth-method [auth-options]
hostnossl database user IP-address IP-mask auth-method [auth-options]
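Explanation:
[local] - connection over a Unix-domain socket
[host] - connection over TCP/IP; host matches both SSL and non-SSL connections
[hostssl] - connection over TCP/IP; accepts only SSL-encrypted connections
[hostnossl] - connection over TCP/IP; accepts only non-SSL connections
[database] - database name; all means every database; separate multiple databases with commas
[user] - database user; all means every user; separate multiple users with commas; + denotes the members of a role or group; @ denotes names read from an external file
[CIDR-address] - CIDR address, e.g. 172.20.143.89/32; the part before the "/" is the IP address and the part after it is the subnet mask (used only for host, hostssl and hostnossl)
[IP-address]/[IP-mask] - equivalent to CIDR-address, just a different notation (used only for host, hostssl and hostnossl)
[auth-method] - the available options are: trust/reject/md5/password/gss/sspi/krb5/ident/ldap/radius/cert/pam
Most commonly used: trust (no authentication of any kind required)
reject (reject every request)
md5 (an MD5-hashed password must be supplied)
password (unencrypted password)
ident (local connection as the OS user)
(Note: trust may be used in offline environments, but in production the trust entries must be removed.)
After editing the configuration file, run: $ gpstop -u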
The official example is as follows:
# Allow any user on the local system to connect to any database with
# any database user name using Unix-domain sockets (the default for local
# connections).
#
# TYPE DATABASE USER CIDR-ADDRESS METHOD
local all all trust
# The same using local loopback TCP/IP connections.
#
# TYPE DATABASE USER CIDR-ADDRESS METHOD
host all all 127.0.0.1/32 trust
# The same as the previous line, but using a separate netmask column
#
# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
host all all 127.0.0.1 255.255.255.255 trust
# Allow any user from any host with IP address 192.168.93.x to connect
# to database "postgres" as the same user name that ident reports for
# the connection (typically the operating system user name).
#
# TYPE DATABASE USER CIDR-ADDRESS METHOD
host