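1. Set a password for the user
testDB=# alter role gpadmin with password 'gpadmin';
ALTER ROLE

2. Add the new client host to $MASTER_DATA_DIRECTORY/pg_hba.conf on the master node
The pg_hba.conf file on the master node controls client access to the Greenplum system. The segment nodes also have pg_hba.conf files, but those only control whether the master node can access the segment and must never allow client connections. Do not modify the segments' pg_hba.conf files!
Format:
host database role CIDR-address authentication-method
To access the Greenplum system over a socket, use the following format instead:
local database role authentication-method
See the table below for a description of each field.
Records in pg_hba.conf are read sequentially, so the order of the records is significant. Typically, earlier records match fewer connections but require weaker authentication, while later records match more connections but require stricter authentication. For example: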
# allow the gpadmin user local access to all databases
# using ident authentication
local all gpadmin ident sameuser
host all gpadmin 127.0.0.1/32 ident
host all gpadmin ::1/128 ident
# allow the 'dba' role access to any database from any
# host with IP address 192.168.x.x and use md5 encrypted
# passwords to authenticate the user
# Note that to use SHA-256 encryption, replace md5 with
# password in the line below
host all dba 192.168.0.0/16 md5
# allow all roles access to any database from any
# host and use ldap to authenticate the user. Greenplum role
# names must match the LDAP common name.
# (a record must stay on a single line; as written, 192.168.0.0/32
# matches only the single address 192.168.0.0)
host all all 192.168.0.0/32 ldap ldapserver=usldap1 ldapport=1389 ldapprefix="cn=" ldapsuffix=",ou=People,dc=company,dc=com"
My own example: allow the gpadmin user to access all databases from the 192.168.1.x network, using md5 authentication.
#add
host all gpadmin 192.168.1.0/24 md5
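
To see the first-match rule and the effect of the CIDR mask, the following added example (not part of the original post or the Greenplum documentation) resolves which record a given connection would hit. It is a simplified model: hostssl/hostnossl are treated like host, and +group, @file and keywords other than all are not handled; SAMPLE is constructed, and line 3 uses a /32 mask on a network address to show how little it matches.

```python
import ipaddress
import shlex

# Constructed sample modelled on the records above (not a real configuration).
SAMPLE = """\
local all gpadmin ident sameuser
host  all gpadmin 127.0.0.1/32   ident
host  all dba     192.168.0.0/32 md5
host  all gpadmin 192.168.1.0/24 md5
host  all all     10.0.0.0 255.0.0.0 password
"""

def parse(text):
    """Yield (lineno, type, databases, roles, network, method) for each record."""
    for lineno, line in enumerate(text.splitlines(), 1):
        f = shlex.split(line, comments=True)   # drops blank lines and # comments
        if not f:
            continue
        if f[0] == "local":                    # local database role method
            net, method = None, f[3]
        elif "/" in f[3]:                      # host database role CIDR-address method
            net, method = f[3], f[4]
        else:                                  # host database role IP-address IP-mask method
            net, method = f"{f[3]}/{f[4]}", f[5]
        if net is not None:
            net = ipaddress.ip_network(net, strict=False)
        yield lineno, f[0], f[1].split(","), f[2].split(","), net, method

def first_match(text, database, role, client_ip=None):
    """Return (lineno, method) of the first matching record; None means rejected.

    client_ip=None models a UNIX-domain socket connection.
    """
    addr = ipaddress.ip_address(client_ip) if client_ip else None
    for lineno, rtype, dbs, roles, net, method in parse(text):
        if (rtype == "local") != (addr is None):
            continue                           # socket vs TCP/IP record type mismatch
        if "all" not in dbs and database not in dbs:
            continue
        if "all" not in roles and role not in roles:
            continue
        if net is not None and addr not in net:
            continue
        return lineno, method                  # first match wins; later records are ignored
    return None

if __name__ == "__main__":
    for who in [("dba", "192.168.5.10"), ("dba", "192.168.0.0"), ("gpadmin", "192.168.1.50")]:
        print(who, "->", first_match(SAMPLE, "postgres", *who))
```

Running a candidate file through first_match before `gpstop -u` shows whether a broad record placed early would shadow the stricter record you meant to apply.
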

3. Apply the change
On the master, run gpstop -u to reload the pg_hba.conf file. This does not shut down the Greenplum system.
$ gpstop -u

4. Verify
$ psql -h 192.168.1.171 -p 5432 -d postgres -U gpadmin -W
Password for user gpadmin:

Appendix: field descriptions from the English documentation

Field | Description |
---|---|
local | Matches connection attempts using UNIX-domain sockets. Without a record of this type, UNIX-domain socket connections are disallowed. Used for socket connections. |
host | Matches connection attempts made using TCP/IP. Remote TCP/IP connections will not be possible unless the server is started with an appropriate value for the listen_addresses server configuration parameter. Used to access the Greenplum system over TCP/IP. |
hostssl | Matches connection attempts made using TCP/IP, but only when the connection is made with SSL encryption. SSL must be enabled at server start time by setting the ssl configuration parameter. Used to access the Greenplum system over TCP/IP with SSL (encrypted). |
hostnossl | Matches connection attempts made over TCP/IP that do not use SSL. |
database | Specifies which database names this record matches. The value all specifies that it matches all databases. Multiple database names can be supplied by separating them with commas. A separate file containing database names can be specified by preceding the file name with @. The database name. |
role | Specifies which database role names this record matches. The value all specifies that it matches all roles. If the specified role is a group and you want all members of that group to be included, precede the role name with a +. Multiple role names can be supplied by separating them with commas. A separate file containing role names can be specified by preceding the file name with @. The role. |
CIDR-address | Specifies the client machine IP address range that this record matches. It contains an IP address in standard dotted decimal notation and a CIDR mask length. IP addresses can only be specified numerically, not as domain or host names. The mask length indicates the number of high-order bits of the client IP address that must match. Bits to the right of this must be zero in the given IP address. There must not be any white space between the IP address, the /, and the CIDR mask length. Typical examples of a CIDR-address are 172.20.143.89/32 for a single host, or 172.20.143.0/24 for a small network, or 10.6.0.0/16 for a larger one. To specify a single host, use a CIDR mask of 32 for IPv4 or 128 for IPv6. In a network address, do not omit trailing zeroes. |
IP-address IP-mask | These fields can be used as an alternative to the CIDR-address notation. Instead of specifying the mask length, the actual mask is specified in a separate column. For example, 255.0.0.0 represents an IPv4 CIDR mask length of 8, and 255.255.255.255 represents a CIDR mask length of 32. These fields only apply to host, hostssl, and hostnossl records. |
authentication-method | Specifies the authentication method to use when connecting. Greenplum supports the authentication methods supported by PostgreSQL 9.0. |

Source: <http://gpdb.docs.pivotal.io/4330/admin_guide/client_auth.html>