Configure Client Authentication
This topic explains how to configure client connections and authentication for Cloudberry Database.
When a Cloudberry Database system is first initialized, the system contains one predefined superuser role. This role will have the same name as the operating system user who initialized the Cloudberry Database system. This role is referred to as gpadmin
. By default, the system is configured to only allow local connections to the database from the gpadmin
role. If you want to allow any other roles to connect, or if you want to allow connections from remote hosts, you have to configure Cloudberry Database to allow such connections. This section explains how to configure client connections and authentication to Cloudberry Database.
Allowing Connections to Cloudberry Database
Client access and authentication is controlled by a configuration file named pg_hba.conf
(the standard PostgreSQL host-based authentication file). For detailed information about this file, see The pg_hba.conf File in the PostgreSQL documentation.
In Cloudberry Database, the pg_hba.conf
file of the coordinator instance controls client access and authentication to your Cloudberry system. The segments also have pg_hba.conf
files, but these are already correctly configured to only allow client connections from the coordinator host. The segments never accept outside client connections, so there is no need to alter the pg_hba.conf
file on segments.
The general format of the pg_hba.conf
file is a set of records, one per line. Blank lines are ignored, as is any text after a # comment character. A record is made up of a number of fields which are separated by spaces and/or tabs. Fields can contain white space if the field value is quoted. Records cannot be continued across lines.
A record can have one of seven formats:
local <database> <user> <auth-method> [<auth-options>]
host <database> <user> <address> <auth-method> [<auth-options>]
hostssl <database> <user> <address> <auth-method> [<auth-options>]
hostnossl <database> <user> <address> <auth-method> [<auth-options>]
host <database> <user> <IP-address> <IP-mask> <auth-method> [<auth-options>]
hostssl <database> <user> <IP-address> <IP-mask> <auth-method> [<auth-options>]
hostnossl <database> <user> <IP-address> <IP-mask> <auth-method> [<auth-options>]
The meaning of the pg_hba.conf
fields is as follows:
local
Matches connection attempts using UNIX-domain sockets. Without a record of this type, UNIX-domain socket connections are disallowed.
host
Matches connection attempts made using TCP/IP. Remote TCP/IP connections will not be possible unless the server is started with an appropriate value for the listen_addresses
server configuration parameter. Cloudberry Database by default allows connections from all hosts ('*'
).
hostssl
Matches connection attempts made using TCP/IP, but only when the connection is made with SSL encryption. SSL must be enabled at server start time by setting the ssl
configuration parameter to on. Requires SSL authentication be configured in postgresql.conf
. See Configuring postgresql.conf for SSL Authentication.
hostnossl
Matches connection attempts made over TCP/IP that do not use SSL.
database
Specifies which database names this record matches. The value all
specifies that it matches all databases. Multiple database names can be supplied by separating them with commas. A separate file containing database names can be specified by preceding the file name with @
.
user
Specifies which database role names this record matches. The value all
specifies that it matches all roles. If the specified role is a group and you want all members of that group to be included, precede the role name with a +
. Multiple role names can be supplied by separating them with commas. A separate file containing role names can be specified by preceding the file name with @
.
address
Specifies the client machine addresses that this record matches. This field can contain either a host name, an IP address range, or one of the special key words mentioned below.
An IP address range is specified using standard numeric notation for the range's starting address, then a slash (/
) and a CIDR mask length. The mask length indicates the number of high-order bits of the client IP address that must match. Bits to the right of this should be zero in the given IP address. There must not be any white space between the IP address, the /
, and the CIDR mask length.
Typical examples of an IPv4 address range specified this way are 172.20.143.89/32
for a single host, or 172.20.143.0/24
for a small network, or 10.6.0.0/16
for a larger one. An IPv6 address range might look like ::1/128
for a single host (in this case the IPv6 loopback address) or fe80::7a31:c1ff:0000:0000/96
for a small network. 0.0.0.0/0
represents all IPv4 addresses, and ::0/0
represents all IPv6 addresses. To specify a single host, use a mask length of 32 for IPv4 or 128 for IPv6. In a network address, do not omit trailing zeroes.
An entry given in IPv4 format will match only IPv4 connections, and an entry given in IPv6 format will match only IPv6 connections, even if the represented address is in the IPv4-in-IPv6 range.
Entries in IPv6 format will be rejected if the host system C library does not have support for IPv6 addresses.
You can also write all
to match any IP address, samehost
to match any of the server's own IP addresses, or samenet
to match any address in any subnet to which the server is directly connected.
If a host name is specified (an address that is not an IP address, IP range, or special key word is treated as a host name), that name is compared with the result of a reverse name resolution of the client IP address (for example, reverse DNS lookup, if DNS is used). Host name comparisons are case insensitive. If there is a match, then a forward name resolution (for example, forward DNS lookup) is performed on the host name to check whether any of the addresses it resolves to are equal to the client IP address. If both directions match, then the entry is considered to match.
The host name that is used in pg_hba.conf
should be the one that address-to-name resolution of the client's IP address returns, otherwise the line won't be matched. Some host name databases allow associating an IP address with multiple host names, but the operating system will only return one host name when asked to resolve an IP address.
A host name specification that starts with a dot (.) matches a suffix of the actual host name. So .example.com
would match foo.example.com
(but not just example.com
).
When host names are specified in pg_hba.conf
, you should ensure that name resolution is reasonably fast. It can be advantageous to set up a local name resolution cache such as nscd
. Also, you can enable the server configuration parameter log_hostname
to see the client host name instead of the IP address in the log.
IP-address
IP-mask
These two fields can be used as an alternative to the CIDR address notation. Instead of specifying the mask length, the actual mask is specified in a separate column. For example, 255.0.0.0
represents an IPv4 CIDR mask length of 8, and 255.255.255.255
represents a CIDR mask length of 32.
auth-method
Specifies the authentication method to use when a connection matches this record. See Authentication Methods for options.
auth-options
After the auth-method
field, there can be field(s) of the form name=value
that specify options for the authentication method. Details about which options are available for which authentication methods are described in Authentication Methods.
Files included by @ constructs are read as lists of names, which can be separated by either whitespace or commas. Comments are introduced by #, just as in pg_hba.conf
, and nested @ constructs are allowed. Unless the file name following @ is an absolute path, it is taken to be relative to the directory containing the referencing file.
The pg_hba.conf
records are examined sequentially for each connection attempt, so the order of the records is significant. Typically, earlier records will have tight connection match parameters and weaker authentication methods, while later records will have looser match parameters and stronger authentication methods. For example, you might wish to use trust
authentication for local TCP/IP connections but require a password for remote TCP/IP connections. In this case a record specifying trust
authentication for connections from 127.0.0.1 would appear before a record specifying password
authentication for a wider range of allowed client IP addresses.
The pg_hba.conf
file is read on start-up and when the main server process receives a SIGHUP signal. If you edit the file on an active system, you must reload the file using this command:
$ gpstop -u
For a more secure system, remove records for remote connections that use trust
authentication from the pg_hba.conf
file. trust
authentication grants any user who can connect to the server access to the database using any role they specify. You can safely replace trust
authentication with ident
authentication for local UNIX-socket connections. You can also use ident
authentication for local and remote TCP clients, but the client host must be running an ident service and you must trust
the integrity of that machine.
Editing the pg_hba.conf File
Initially, the pg_hba.conf
file is set up with generous permissions for the gpadmin user and no database access for other Cloudberry Database roles. You will need to edit the pg_hba.conf
file to enable users' access to databases and to secure the gpadmin user. Consider removing entries that have trust
authentication, since they allow anyone with access to the server to connect with any role they choose. For local (UNIX socket) connections, use ident
authentication, which requires the operating system user to match the role specified. For local and remote TCP connections, ident
authentication requires the client's host to run an indent service. You could install an ident service on the coordinator host and then use ident
authentication for local TCP connections, for example 127.0.0.1/28
. Using ident
authentication for remote TCP connections is less secure because it requires you to trust the integrity of the ident service on the client's host.
Cloudberry Command Center provides an interface for editing the pg_hba.conf
file. It verifies entries before you save them, keeps a version history of the file so that you can reload a previous version of the file, and reloads the file into Cloudberry Database.
This example shows how to edit the pg_hba.conf
file on the coordinator host to allow remote client access to all databases from all roles using encrypted password authentication.
To edit pg_hba.conf
:
-
Open the file
$COORDINATOR_DATA_DIRECTORY/pg_hba.conf
in a text editor. -
Add a line to the file for each type of connection you want to allow. Records are read sequentially, so the order of the records is significant. Typically, earlier records will have tight connection match parameters and weaker authentication methods, while later records will have looser match parameters and stronger authentication methods. For example:
# allow the gpadmin user local access to all databases
# using ident authentication
local all gpadmin ident sameuser
host all gpadmin 127.0.0.1/32 ident
host all gpadmin ::1/128 ident
# allow the 'dba' role access to any database from any
# host with IP address 192.168.x.x and use md5 encrypted
# passwords to authenticate the user
# Note that to use SHA-256 encryption, replace md5 with
# password in the line below
host all dba 192.168.0.0/32 md5
Authentication Methods
Basic Authentication
Trust
Allows the connection unconditionally, without the need for a password or any other authentication. This entry is required for the gpadmin
role, and for Cloudberry utilities (for example gpinitsystem
, gpstop
, or gpstart
amongst others) that need to connect between nodes without prompting for input or a password.
For a more secure system, remove records for remote connections that use trust
authentication from the pg_hba.conf
file. trust
authentication grants any user who can connect to the server access to the database using any role they specify. You can safely replace trust
authentication with ident
authentication for local UNIX-socket connections. You can also use ident
authentication for local and remote TCP clients, but the client host must be running an ident service and you must trust
the integrity of that machine.
Reject
Reject the connections with the matching parameters. You should typically use this to restrict access from specific hosts or insecure connections.
Ident
Authenticates based on the client's operating system user name. This is secure for local socket connections. Using ident
for TCP connections from remote hosts requires that the client's host is running an ident service. The ident
authentication method should only be used with remote hosts on a trusted, closed network.
md5
Require the client to supply a double-MD5-hashed password for authentication.
password
Require the client to supply an unencrypted password for authentication. Since the password is sent in clear text over the network, this should not be used on untrusted networks.
The password-based authentication methods are md5
and password
. These methods operate similarly except for the way that the password is sent across the connection: MD5-hashed and clear-text respectively.
If you are at all concerned about password "sniffing" attacks then md5
is preferred. Plain password
should always be avoided if possible. If the connection is protected by SSL encryption then password
can be used safely (although SSL certificate authentication might be a better choice if you are depending on using SSL).
Following are some sample pg_hba.conf
basic authentication entries:
hostnossl all all 0.0.0.0 reject
hostssl all testuser 0.0.0.0/0 md5
local all gpuser ident
Or:
local all gpadmin ident
host all gpadmin localhost trust
host all gpadmin cdw trust
local replication gpadmin ident
host replication gpadmin samenet trust
host all all 0.0.0.0/0 md5
SSL Client Authentication
SSL authentication compares the Common Name (cn) attribute of an SSL certificate provided by the connecting client during the SSL handshake to the requested database user name. The database user should exist in the database. A map file can be used for mapping between system and database user names.
SSL Authentication Parameters
Authentication method:
-
Cert
Authentication options:
Hostssl
Connection type must be hostssl.
map=mapping
mapping.
This is specified in the
pg_ident.conf
, or in the file specified in theident_file
server setting.Following are sample
pg_hba.conf
entries for SSL client authentication:Hostssl testdb certuser 192.168.0.0/16 cert
Hostssl testdb all 192.168.0.0/16 cert map=gpuser
OpenSSL Configuration
You can make changes to the OpenSSL configuration by updating the openssl.cnf
file under your OpenSSL installation directory, or the file referenced by $OPENSSL_CONF
, if present, and then restarting the Cloudberry Database server.
Creating a Self-Signed Certificate
A self-signed certificate can be used for testing, but a certificate signed by a certificate authority (CA) (either one of the global CAs or a local one) should be used in production so that clients can verify the server's identity. If all the clients are local to the organization, using a local CA is recommended.
To create a self-signed certificate for the server:
-
Enter the following
openssl
command:openssl req -new -text -out server.req
-
Enter the requested information at the prompts.
Make sure you enter the local host name for the Common Name. The challenge password can be left blank.
-
The program generates a key that is passphrase-protected; it does not accept a passphrase that is less than four characters long. To remove the passphrase (and you must if you want automatic start-up of the server), run the following command:
openssl rsa -in privkey.pem -out server.key
rm privkey.pem -
Enter the old passphrase to unlock the existing key. Then run the following command:
openssl req -x509 -in server.req -text -key server.key -out server.crt
This turns the certificate into a self-signed certificate and copies the key and certificate to where the server will look for them.
-
Finally, run the following command:
chmod og-rwx server.key
For more details on how to create your server private key and certificate, refer to the OpenSSL documentation.
Configuring postgresql.conf for SSL Authentication
The following Server settings need to be specified in the postgresql.conf
configuration file:
-
ssl
boolean. Enables SSL connections. -
ssl_renegotiation_limit
integer. Specifies the data limit before key renegotiation. -
ssl_ciphers
string. Configures the list SSL ciphers that are allowed.ssl_ciphers
overrides any ciphers string specified in/etc/openssl.cnf
. The default valueALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
enables all ciphers except for ADH, LOW, EXP, and MD5 ciphers, and prioritizes ciphers by their strength.infoWith TLS 1.2 some ciphers in MEDIUM and HIGH strength still use NULL encryption (no encryption for transport), which the default
ssl_ciphers
string allows. To bypass NULL ciphers with TLS 1.2 use a string such asTLSv1.2:!eNULL:!aNULL
.It is possible to have authentication without encryption overhead by using
NULL-SHA
orNULL-MD5
ciphers. However, a man-in-the-middle could read and pass communications between client and server. Also, encryption overhead is minimal compared to the overhead of authentication. For these reasons, NULL ciphers should not be used.
The default location for the following SSL server files is the Cloudberry Database coordinator data directory ($COORDINATOR_DATA_DIRECTORY
):
server.crt
- Server certificate.server.key
- Server private key.root.crt
- Trusted certificate authorities.root.crl
- Certificates revoked by certificate authorities.
If Cloudberry Database coordinator mirroring is enabled with SSL client authentication, the SSL server files should not be placed in the default directory $COORDINATOR_DATA_DIRECTORY
. If a gpinitstandby
operation is performed, the contents of $COORDINATOR_DATA_DIRECTORY
is copied from the coordinator to the standby coordinator and the incorrect SSL key, and cert files (the coordinator files, and not the standby coordinator files) will prevent standby coordinator start up.
You can specify a different directory for the location of the SSL server files with the postgresql.conf
parameters sslcert
, sslkey
, sslrootcert
, and sslcrl
.
Configuring the SSL Client Connection
SSL options:
sslmode
Specifies the level of protection.
require
Only use an SSL connection. If a root CA file is present, verify the certificate in the same way as if verify-ca
was specified.
verify-ca
Only use an SSL connection. Verify that the server certificate is issued by a trusted CA.
verify-full
Only use an SSL connection. Verify that the server certificate is issued by a trusted CA and that the server host name matches that in the certificate.
sslcert
The file name of the client SSL certificate. The default is $COORDINATOR_DATA_DIRECTORY/postgresql.crt
.
sslkey
The secret key used for the client certificate. The default is $COORDINATOR_DATA_DIRECTORY/postgresql.key
.
sslrootcert
The name of a file containing SSL Certificate Authority certificate(s). The default is $COORDINATOR_DATA_DIRECTORY/root.crt
.
sslcrl
The name of the SSL certificate revocation list. The default is $COORDINATOR_DATA_DIRECTORY/root.crl
.
The client connection parameters can be set using the following environment variables:
sslmode
–PGSSLMODE
sslcert
–PGSSLCERT
sslkey
–PGSSLKEY
sslrootcert
–PGSSLROOTCERT
sslcrl
–PGSSLCRL
For example, run the following command to connect to the postgres
database from localhost
and verify the certificate present in the default location under $COORDINATOR_DATA_DIRECTORY
:
psql "sslmode=verify-ca host=localhost dbname=postgres"
Limiting Concurrent Connections
Cloudberry Database allocates some resources on a per-connection basis, so setting the maximum number of connections allowed is recommended.
To limit the number of active concurrent sessions to your Cloudberry Database system, you can configure the max_connections
server configuration parameter. This is a local parameter, meaning that you must set it in the postgresql.conf
file of the coordinator, the standby coordinator, and each segment instance (primary and mirror). The recommended value of max_connections
on segments is 5-10 times the value on the coordinator.
When you set max_connections
, you must also set the dependent parameter max_prepared_transactions
. This value must be at least as large as the value of max_connections
on the coordinator, and segment instances should be set to the same value as the coordinator.
For example:
-
In
$COORDINATOR_DATA_DIRECTORY/postgresql.conf
(including standby coordinator):max_connections=100
max_prepared_transactions=100 -
In
SEGMENT_DATA_DIRECTORY/postgresql.conf
for all segment instances:max_connections=500
max_prepared_transactions=100
The following steps set the parameter values with the Cloudberry Database utility gpconfig
.
To change the number of allowed connections
-
Log into the Cloudberry Database coordinator host as the Cloudberry Database administrator and source the file
$GPHOME/greenplum_path.sh
. -
Set the value of the
max_connections
parameter. Thisgpconfig
command sets the value on the segments to 1000 and the value on the coordinator to 200.$ gpconfig -c max_connections -v 1000 -m 200
The value on the segments must be greater than the value on the coordinator. The recommended value of
max_connections
on segments is 5-10 times the value on the coordinator. -
Set the value of the
max_prepared_transactions
parameter. Thisgpconfig
command sets the value to 200 on the coordinator and all segments.$ gpconfig -c max_prepared_transactions -v 200
The value of
max_prepared_transactions
must be greater than or equal tomax_connections
on the coordinator. -
Stop and restart your Cloudberry Database system.
$ gpstop -r
-
You can check the value of parameters on the coordinator and segments with the
gpconfig
-s
option. Thisgpconfig
command displays the values of themax_connections
parameter.$ gpconfig -s max_connections
Raising the values of these parameters may cause Cloudberry Database to request more shared memory. To mitigate this effect, consider decreasing other memory-related parameters such as gp_cached_segworkers_threshold
.
Encrypting Client/Server Connections
Enable SSL for client connections to Cloudberry Database to encrypt the data passed over the network between the client and the database.
Cloudberry Database has native support for SSL connections between the client and the coordinator server. SSL connections prevent third parties from snooping on the packets, and also prevent man-in-the-middle attacks. SSL should be used whenever the client connection goes through an insecure link, and must be used whenever client certificate authentication is used.
Enabling Cloudberry Database in SSL mode requires the following items.
-
OpenSSL installed on both the client and the coordinator server hosts (coordinator and standby coordinator).
-
The SSL files server.key (server private key) and server.crt (server certificate) should be correctly generated for the coordinator host and standby coordinator host.
- The private key should not be protected with a passphrase. The server does not prompt for a passphrase for the private key, and Cloudberry Database start up fails with an error if one is required.
- On a production system, there should be a key and certificate pair for the coordinator host and a pair for the standby coordinator host with a subject CN (Common Name) for the coordinator host and standby coordinator host.
A self-signed certificate can be used for testing, but a certificate signed by a certificate authority (CA) should be used in production, so the client can verify the identity of the server. Either a global or local CA can be used. If all the clients are local to the organization, a local CA is recommended.
-
Ensure that Cloudberry Database can access server.key and server.crt, and any additional authentication files such as
root.crt
(for trusted certificate authorities). When starting in SSL mode, the Cloudberry Database coordinator looks for server.key and server.crt. As the default, Cloudberry Database does not start if the files are not in the coordinator data directory ($COORDINATOR_DATA_DIRECTORY
). Also, if you use other SSL authentication files such asroot.crt
(trusted certificate authorities), the files must be on the coordinator host.If Cloudberry Database coordinator mirroring is enabled with SSL client authentication, SSL authentication files must be on both the coordinator host and standby coordinator host and should not be placed in the default directory
$COORDINATOR_DATA_DIRECTORY
. When coordinator mirroring is enabled, aninitstandby
operation copies the contents of the$COORDINATOR_DATA_DIRECTORY
from the coordinator to the standby coordinator and the incorrect SSL key, and cert files (the coordinator files, and not the standby coordinator files) will prevent standby coordinator start up.You can specify a different directory for the location of the SSL server files with the
postgresql.conf
parameterssslcert
,sslkey
,sslrootcert
, andsslcrl
.
Cloudberry Database can be started with SSL enabled by setting the server configuration parameter ssl=on
in the postgresql.conf
file on the coordinator and standby coordinator hosts. This gpconfig
command sets the parameter:
gpconfig -c ssl -m on -v off
Setting the parameter requires a server restart. This command restarts the system: gpstop -ra
.
Creating a Self-signed Certificate without a Passphrase for Testing Only
To create a quick self-signed certificate for the server for testing, use the following OpenSSL command:
# openssl req -new -text -out server.req
Enter the information requested by the prompts. Be sure to enter the local host name as Common Name. The challenge password can be left blank.
The program will generate a key that is passphrase protected, and does not accept a passphrase that is less than four characters long.
To use this certificate with Cloudberry Database, remove the passphrase with the following commands:
# openssl rsa -in privkey.pem -out server.key
# rm privkey.pem
Enter the old passphrase when prompted to unlock the existing key.
Then, enter the following command to turn the certificate into a self-signed certificate and to copy the key and certificate to a location where the server will look for them.
# openssl req -x509 -in server.req -text -key server.key -out server.crt
Finally, change the permissions on the key with the following command. The server will reject the file if the permissions are less restrictive than these.
# chmod og-rwx server.key
For more details on how to create your server private key and certificate, refer to the OpenSSL documentation.