初始化后,在数据库目录里会有这样两个文件:“postgresql.conf”和“pg_hba.conf”。
修改“postgresql.conf”第 30 行左右的地方为顶格“tcpip_socket = true”,以允许网络访问。修改“pg_hba.conf”,基于主机的访问控制(Host Based Access)。左边有“#”的内容都是被注释掉的,起说明或参考等作用。我以我现在的文件为例做说明(里面的中文为我的说明):代码:
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the PostgreSQL Administrator's Guide, chapter "Client
# Authentication" for a complete description. A short synopsis
# follows.
#
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of three forms:
#
# local DATABASE USER METHOD [OPTION]
# host DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION]
# hostssl DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION]
#
# (The uppercase quantities should be replaced by actual values.)
# DATABASE can be "all", "sameuser", "samegroup", a database name (or
# a comma-separated list thereof), or a file name prefixed with "@".
# USER can be "all", an actual user name or a group name prefixed with
# "+" or a list containing either. IP-ADDRESS and IP-MASK specify the
# set of hosts the record matches. METHOD can be "trust", "reject",
# "md5", "crypt", "password", "krb4", "krb5", "ident", or "pam". Note
# that "password" uses clear-text passwords; "md5" is preferred for
# encrypted passwords. OPTION is the ident map or the name of the PAM
# service.
#
# This file is read on server startup and when the postmaster receives
# a SIGHUP signal. If you edit the file on a running system, you have
# to SIGHUP the postmaster for the changes to take effect, or use
# "pg_ctl reload". # Put your actual configuration here
# ----------------------------------
#
# CAUTION: The default configuration allows any local user to connect
# using any PostgreSQL user name, including the superuser, over either
# Unix-domain sockets or TCP/IP. If you are on a multiple-user
# machine, the default configuration is probably too liberal for you.
# Change it to use something other than "trust" authentication.
#
# If you want to allow non-local connections, you need to add more
# "host" records. Also, remember TCP/IP connections are only enabled
# if you enable "tcpip_socket" in postgresql.conf. # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
#访问来源 数据库 用户 IP-地址 子网掩码 认证方式 local TFW TFW md5
#对于来自本地的访问,数据库“TFW”对用户“TFW”采用“md5”加密口令认证 local TFW all reject
#对于来自本地的访问,数据库“TFW”对上面没提到的所有用户无条件拒绝认证 host TFW TFW 127.0.0.1 255.255.255.255 md5
#对于来自网络的访问,数据库“TFW”对用户“TFW”,如果提出访问的是本机,采用“md5”加密口令认证 host TFW all 0.0.0.0 0.0.0.0 reject
#对于来网络的访问,数据库“TFW”对上面没提到的所有用户,不管提出访问的哪台机器,也不管它来自哪个子网,无条件拒绝认证 local all all md5
#对于来自本地的访问,上面没提到的数据库对上面没提到的所有用户采用“md5”加密口令认证
host all all 0.0.0.0 0.0.0.0 md5
#对于来网络的访问,上面没提到的数据库对上面没提到的所有用户,不管提出访问的是哪台机器,也不管它来自哪个子网,采用“md5”加密口令认证 ########################################
# Others are all denied
# 其他访问一概无条件拒绝
local all all reject
host all all 0.0.0.0 0.0.0.0 reject
######################################## ########################################
# All denied permissed, not safe
# 对所有访问都信任,太不安全,被注释掉了,只作为参考
#local all all trust
#host all all 0.0.0.0 0.0.0.0 trust
######################################## 这些认证的规则是从上到下一条一条加载的,要注意的是,里面的“all”并不是真正意义上的“所有”,只是前面的规定中没有提到的那部分。个人感觉用“other”也许更恰当。
这样,最终的结果是:所有用户都能通过加密口令访问“TFW”以外的数据库,但是只有用户“TFW”能以加密口令访问数据库“TFW”。更多中文文档参见:PostgreSQL 文档中文化主页---------- 别人写的,你看下有没有用
解决方案 »
免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货