In-Depth Analysis of PostgreSQL Connection Management
- 1. Configuration files
- 1.1 Listen address: listen_addresses
- 1.2 Access control: pg_hba.conf
- 2. Password policy
- 2.1 Password encryption policy
- 2.2 Changing users and passwords
- 3. Three login methods
- 3.1 Local login
- 3.2 Passwordless local login via ident mapping
- 3.3 Remote login
- 4. Troubleshooting common connection failures
- 4.1 Peer authentication error
After a default installation, PostgreSQL listens only for local connections (loopback and Unix-domain socket), and no password is set for the default superuser postgres.
1. Configuration files
1.1 Listen address: listen_addresses
The listen_addresses setting in postgresql.conf controls which client addresses the server accepts connections on; changing it requires a database restart.
[postgres@pgdb pg16]$ cat postgresql.conf |grep -Ei 'listen_addresses|password_encryption'
#listen_addresses = 'localhost' # what IP address(es) to listen on;
listen_addresses = '*'
#password_encryption = scram-sha-256 # scram-sha-256 or md5
listen_addresses = '*' # listen on all client addresses
password_encryption = scram-sha-256 # password encryption policy
[postgres@pgdb pg16]$ pg_ctl restart
1.2 Access control: pg_hba.conf
pg_hba.conf controls client access to the instance. Rules are evaluated top to bottom and the first match wins, so when rules overlap, the rule nearest the top applies. It answers:
- Which hosts may connect to the database instance
- Which connection type and authentication method the client must use
- Connection types (TYPE): local, host, hostssl, hostnossl
- Authentication methods: trust, reject, md5, password, scram (scram-sha-256), gss, sspi, ident, peer, pam, ldap, radius or cert
  - trust: allows the connection unconditionally, with no password check
- Which database users the rule applies to
- Which databases those users may access
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
host all all 192.168.1.109/32 scram-sha-256
# IPv6 local connections:
host all all ::1/128 trust
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all trust
host replication all 127.0.0.1/32 trust
host replication all ::1/128 trust
Reload the configuration to apply the change:
$ pg_ctl reload
2. Password policy
2.1 Password encryption policy
Password encryption policy: the password_encryption setting in postgresql.conf must agree with the authentication method used in pg_hba.conf.
The default policy, scram-sha-256, is recommended.
postgres=# show password_encryption ;
 password_encryption
---------------------
 scram-sha-256
[postgres@pgdb pg16]$ cat postgresql.conf |grep -i password_encryption
#password_encryption = scram-sha-256 # scram-sha-256 or md5
[postgres@pgdb pg16]$ cat pg_hba.conf | grep -i 'host '
# host DATABASE USER ADDRESS METHOD [OPTIONS]
#host all all 127.0.0.1/32 trust
host all all 192.168.1.109/32 scram-sha-256
host all all ::1/128 trust
host replication all 127.0.0.1/32 trust
host replication all ::1/128 trust
Test: changing the encryption policy and its effect on users
- Changing password_encryption does not re-hash the passwords of users created earlier
- Newly created users get the new encryption method
- Changing an existing user's password re-hashes it with the new method
postgres=# show password_encryption ;
-[ RECORD 1 ]-------+--------------
password_encryption | scram-sha-256
postgres=# alter system set password_encryption=md5;
ALTER SYSTEM
postgres=# select pg_reload_conf();
-[ RECORD 1 ]--+--
pg_reload_conf | t
postgres=# show password_encryption ;
-[ RECORD 1 ]-------+----
password_encryption | md5
postgres=# select usename,passwd from pg_shadow ;
-[ RECORD 1 ]----------------------------------------------------------------------------------------------------------------------------------
usename | postgres
passwd | SCRAM-SHA-256$4096:unAzuVPVTqAX8koqcZ+Gfg==$Q2FGalVS23BRCl6k3tQ4IOYNj9/+qN0YaeXknKMdudE=:rk2jZgTM0WVe+28UYKAkv9KNkwZw74nAAn+wrwtpskQ=
postgres=# create user user1 with password 'user1';
CREATE ROLE
postgres=# select usename,passwd from pg_shadow ;
-[ RECORD 1 ]----------------------------------------------------------------------------------------------------------------------------------
usename | postgres
passwd | SCRAM-SHA-256$4096:unAzuVPVTqAX8koqcZ+Gfg==$Q2FGalVS23BRCl6k3tQ4IOYNj9/+qN0YaeXknKMdudE=:rk2jZgTM0WVe+28UYKAkv9KNkwZw74nAAn+wrwtpskQ=
-[ RECORD 2 ]----------------------------------------------------------------------------------------------------------------------------------
usename | user1
passwd | md57d1b5a4329b6478e976508ab9a49ee3d
postgres=# alter user postgres with password 'postgres123';
ALTER ROLE
postgres=# select usename,passwd from pg_shadow ;
-[ RECORD 1 ]--------------------------------
usename | user1
passwd | md57d1b5a4329b6478e976508ab9a49ee3d
-[ RECORD 2 ]--------------------------------
usename | postgres
passwd | md5163311300b0732b814a34aabfdfffe62
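To make the difference between the two stored formats concrete, here is an added Python example (not part of the article) that parses the verifiers pg_shadow shows, classifies each role's scheme, and rebuilds and checks a SCRAM-SHA-256 verifier with the standard PBKDF2/HMAC construction. PAGE_VERIFIER is the postgres value from the output above; the md5 row for user1 and the password 's3cret' used in the demo are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# The postgres verifier shown in the article's pg_shadow output
PAGE_VERIFIER = ("SCRAM-SHA-256$4096:unAzuVPVTqAX8koqcZ+Gfg==$"
                 "Q2FGalVS23BRCl6k3tQ4IOYNj9/+qN0YaeXknKMdudE=:"
                 "rk2jZgTM0WVe+28UYKAkv9KNkwZw74nAAn+wrwtpskQ=")


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def md5_verifier(username: str, password: str) -> str:
    """Legacy format: 'md5' + hex(md5(password || username)). The only salt is the
    role name, and the stored value alone is sufficient to complete md5
    authentication, which is why the article recommends scram-sha-256."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def scram_verifier(password: str, salt: Optional[bytes] = None, iterations: int = 4096) -> str:
    """SCRAM-SHA-256 verifier in PostgreSQL's stored form:
    SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey> (base64 fields).
    PostgreSQL applies SASLprep to the password first; for ASCII it is a no-op."""
    salt = salt if salt is not None else os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return f"SCRAM-SHA-256${iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"


def parse_scram(verifier: str) -> dict:
    """Split a stored SCRAM verifier into its parts (base64 fields decoded)."""
    scheme, params, keys = verifier.split("$")
    iterations, salt = params.split(":")
    stored_key, server_key = keys.split(":")
    return {"scheme": scheme, "iterations": int(iterations),
            "salt": base64.b64decode(salt),
            "stored_key": base64.b64decode(stored_key),
            "server_key": base64.b64decode(server_key)}


def scram_check(verifier: str, password: str) -> bool:
    """Recompute StoredKey from a candidate password and compare in constant time.
    This is the server's side of the SCRAM proof check, reduced to a direct
    comparison for demonstration."""
    v = parse_scram(verifier)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), v["salt"], v["iterations"])
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), v["stored_key"])


def classify(passwd: str) -> str:
    """Which scheme a pg_shadow.passwd value uses."""
    if passwd.startswith("SCRAM-SHA-256$"):
        return "scram-sha-256"
    if passwd.startswith("md5") and len(passwd) == 35:
        return "md5"
    return "unknown"


def audit(rows) -> list:
    """Roles whose stored verifier is not SCRAM. After switching password_encryption
    these stay as they are until the password is set again (the article's point)."""
    return [usename for usename, passwd in rows if classify(passwd) != "scram-sha-256"]


if __name__ == "__main__":
    # Constructed pg_shadow rows: the article's postgres verifier plus a fresh md5 one
    rows = [("postgres", PAGE_VERIFIER), ("user1", md5_verifier("user1", "user1"))]
    print("roles still on md5, need a password reset:", audit(rows))
    v = parse_scram(PAGE_VERIFIER)
    print(f"iterations={v['iterations']} salt_len={len(v['salt'])}")
```

Running audit() over `select usename, passwd from pg_shadow` output is the quick way to find roles that were created or last changed while password_encryption was md5; resetting their password (even to the same value) re-hashes them under the current policy.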
2.2 Changing users and passwords
- Change the password of the default user postgres
postgres=# alter user postgres with password 'postgres';
ALTER ROLE
- Check which encryption method the user's stored password uses
postgres=# \x
Expanded display is on.
postgres=# select * from pg_shadow ;
-[ RECORD 1 ]+--------------------------------------------------------------------------------------------------------------------------------------
usename | postgres
usesysid | 10
usecreatedb | t
usesuper | t
userepl | t
usebypassrls | t
passwd | SCRAM-SHA-256$4096:unAzuVPVTqAX8koqcZ+Gfg==$Q2FGalVS23BRCl6k3tQ4IOYNj9/+qN0YaeXknKMdudE=:rk2jZgTM0WVe+28UYKAkv9KNkwZw74nAAn+wrwtpskQ=
valuntil |
useconfig |
Password complexity enforcement plugin: passwordcheck
http://www.postgresql.org/docs/current/static/passwordcheck.html
3. Three login methods
3.1 Local login
- Local login without a password
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all trust
[postgres@pgdb pg16]$ psql
psql (16.1)
Type "help" for help.
postgres=#
- Local login with a password
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
#local all all trust
local all all scram-sha-256
[postgres@pgdb pg16]$ psql
Password for user postgres:
3.2 Passwordless local login via ident mapping
pg_ident.conf maps operating-system users to PostgreSQL roles, so a local OS user can log in to the database without a password.
- Create the user1 role
postgres=# \du
                               List of roles
 Role name |                         Attributes
-----------+------------------------------------------------------------
 postgres  | Superuser, Create role, Create DB, Replication, Bypass RLS
 user1     |
- Create the operating-system user
[root@pgdb ~]# useradd dbquery
- Add the ident mapping
[postgres@pgdb pg16]$ vi pg_ident.conf
# MAPNAME SYSTEM-USERNAME PG-USERNAME
pguser1 dbquery user1
- Add a rule referencing the map to pg_hba.conf
# "local" is for Unix domain socket connections only
local all all trust
local all all ident map=pguser1
- Reload the configuration
[postgres@pgdb pg16]$ pg_ctl reload
server signaled
- The OS user logs in as the mapped database user without a password
[root@pgdb ~]# su - dbquery
[dbquery@pgdb ~]$ /pgsql/app/pg16/bin/psql -U user1 -d postgres -p 5432
psql (16.1)
Type "help" for help.
postgres=> exit
3.3 Remote login
IPv4 (TCP) logins require a password. Make sure the method the user's password was hashed with matches password_encryption in postgresql.conf and the method in pg_hba.conf.
Address masks in the ADDRESS column:
- /32 matches a single IP address, i.e. 192.168.1.109 itself
- /24 matches the whole subnet 192.168.1.0 to 192.168.1.255
- /16 matches the larger range 192.168.0.0 to 192.168.255.255
# TYPE DATABASE USER ADDRESS METHOD
# IPv4 local connections:
# loopback connection, no password
#host all all 127.0.0.1/32 trust
# remote connections from any address
#host all all all scram-sha-256
# remote connection from 192.168.1.109 only
#host all all 192.168.1.109/32 scram-sha-256
# remote connections from the 192.168.0.0/16 range
#host all all 192.168.0.0/16 scram-sha-256
# remote connections from the 192.168.1.0/24 subnet
host all all 192.168.1.0/24 scram-sha-256
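The two rules that matter most when reading pg_hba.conf are the ones from section 1.2 (first matching line wins) and the address masks just described. The following added Python example (not from the article) parses a pg_hba.conf in the article's style, answers "which line would this connection hit?" exactly as the server does, and lints for trust rules that reach beyond the loopback. SAMPLE_HBA is constructed from the article's file with one extra 192.168.0.0/16 trust line added so the linter has something to report; handling only CIDR addresses and no per-rule options is an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed pg_hba.conf modelled on the article's, plus one over-broad trust line
SAMPLE_HBA = """\
# TYPE  DATABASE     USER  ADDRESS           METHOD
local   all          all                     trust
host    all          all   127.0.0.1/32      trust
host    all          all   192.168.1.109/32  scram-sha-256
host    all          all   192.168.0.0/16    trust
host    all          all   ::1/128           trust
local   replication  all                     trust
"""

# Methods that grant access with no credential, or send the password in clear
WEAK_METHODS = {"trust", "password"}


@dataclass
class Rule:
    lineno: int
    type: str       # local, host, hostssl, hostnossl
    database: str
    user: str
    address: str    # CIDR or "all"; empty for local rules
    method: str


def parse_hba(text: str):
    """Parse the subset of pg_hba.conf used in the article (assumption: CIDR
    addresses only, no separate-netmask form, no trailing options)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            rules.append(Rule(lineno, f[0], f[1], f[2], "", f[3]))
        else:
            rules.append(Rule(lineno, f[0], f[1], f[2], f[3], f[4]))
    return rules


def address_matches(field: str, client_ip: str) -> bool:
    """'all' matches everything; otherwise the client must fall inside the CIDR block."""
    if field == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(field, strict=False)


def rule_matches(rule: Rule, conn: dict) -> bool:
    """conn keys: transport ('local' or 'host'), ssl, ip, database, user.
    A replication connection is represented by database == 'replication'."""
    if rule.type == "local":
        if conn["transport"] != "local":
            return False
    else:
        if conn["transport"] == "local":
            return False
        if rule.type == "hostssl" and not conn.get("ssl"):
            return False
        if rule.type == "hostnossl" and conn.get("ssl"):
            return False
        if not address_matches(rule.address, conn["ip"]):
            return False
    # 'all' never matches replication connections; only the keyword 'replication' does
    if rule.database == "all":
        if conn["database"] == "replication":
            return False
    elif conn["database"] not in rule.database.split(","):
        return False
    if rule.user != "all" and conn["user"] not in rule.user.split(","):
        return False
    return True


def evaluate(rules, conn: dict) -> Optional[Rule]:
    """First matching rule wins, as on the server; None means no rule matched (rejected)."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule
    return None


def lint(rules):
    """Flag weak methods on non-loopback host ranges, and local trust lines
    (with local trust, every OS account on the box may become any role)."""
    findings = []
    for r in rules:
        if r.method not in WEAK_METHODS:
            continue
        if r.type == "local":
            if r.method == "trust":
                findings.append((r.lineno, "local trust: any OS user can log in as any role"))
        elif r.address == "all" or not ipaddress.ip_network(r.address, strict=False).is_loopback:
            findings.append((r.lineno, f"{r.method} for non-loopback range {r.address}"))
    return findings


if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    for ip in ("192.168.1.109", "192.168.2.10", "10.0.0.5"):
        hit = evaluate(rules, {"transport": "host", "ssl": False, "ip": ip,
                               "database": "postgres", "user": "postgres"})
        print(ip, "->", f"line {hit.lineno} {hit.method}" if hit else "rejected (no matching rule)")
    for lineno, why in lint(rules):
        print(f"pg_hba.conf line {lineno}: {why}")
```

Note how 192.168.1.109 still gets scram-sha-256 because its /32 line sits above the /16 trust line, while 192.168.2.10 falls through to trust: ordering, not specificity, decides. Swapping those two lines would silently turn off password checks for 192.168.1.109 as well, which is exactly the overlap pitfall section 1.2 warns about.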
Remote connection:
[postgres@pgdb pg16]$ psql -h 192.168.1.109 -p 5432 -d postgres -U postgres -W
Password:
psql (16.1)
Type "help" for help.
postgres=#
4. Troubleshooting common connection failures
- Check the firewall
systemctl status firewalld.service
- Check listen_addresses in postgresql.conf
cat $PGDATA/postgresql.conf |grep -i listen_addresses
- Check the instance access-control rules in pg_hba.conf
cat pg_hba.conf
# IPv4 local connections:
- Check the user's password encryption method
\du
select * from pg_shadow ;
- Test results for the different password authentication methods
4.1 Peer authentication error
In PG 13, peer means the PostgreSQL role with the same name as the operating-system user may log in without a password.
#local all all peer
testdb13=# \c testdb13 u13
FATAL: Peer authentication failed for user "u13"
Previous connection kept
Adjust the rules to:
local postgres postgres peer
local all all scram-sha-256
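Sections 3.2 and 4.1 describe the same mechanism from two sides: peer compares the OS user name with the requested role, and a pg_ident.conf map relaxes that comparison to the pairs it lists. The following added Python example (not the article's code) models that decision for a local connection and reproduces both outcomes: dbquery logging in as user1 through map pguser1, and the FATAL error when an OS user asks for a role of a different name under plain peer. SAMPLE_IDENT is constructed to match the article's mapping; only literal names are handled, not the "/regex" form of SYSTEM-USERNAME (an assumption of this example).

```python
# Constructed pg_ident.conf matching the article's mapping
SAMPLE_IDENT = """\
# MAPNAME  SYSTEM-USERNAME  PG-USERNAME
pguser1    dbquery          user1
"""


def parse_ident(text: str) -> dict:
    """Map name -> list of (os_user, pg_role) pairs. Literal names only; the
    '/regex' form of SYSTEM-USERNAME is not handled here (assumption)."""
    maps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mapname, os_user, pg_role = line.split()[:3]
        maps.setdefault(mapname, []).append((os_user, pg_role))
    return maps


def parse_options(tokens) -> dict:
    """Turn trailing 'key=value' tokens of a pg_hba rule (e.g. map=pguser1) into a dict."""
    return dict(t.split("=", 1) for t in tokens if "=" in t)


def peer_allows(os_user: str, pg_role: str, maps: dict, mapname=None) -> bool:
    """peer: without a map the OS user name must equal the requested role;
    with map=NAME, any (os_user, pg_role) pair listed under NAME is accepted."""
    if mapname is None:
        return os_user == pg_role
    return (os_user, pg_role) in maps.get(mapname, [])


def decide(method: str, options: dict, os_user: str, pg_role: str, maps: dict) -> str:
    """Outcome of an already-matched pg_hba rule for a Unix-socket (local) connection."""
    if method == "trust":
        return "ok"
    if method in ("peer", "ident"):
        # PostgreSQL treats 'ident' on a local rule as 'peer', which is why the
        # article's 'local all all ident map=pguser1' line works over the socket
        if peer_allows(os_user, pg_role, maps, options.get("map")):
            return "ok"
        return f'FATAL: Peer authentication failed for user "{pg_role}"'
    if method in ("scram-sha-256", "md5", "password"):
        return "password-required"
    return f"method {method} not modelled in this example"


def local_login(hba_rule: str, os_user: str, pg_role: str, maps: dict) -> str:
    """Apply one local rule line such as 'local all all ident map=pguser1'.
    Rule selection (first match) is assumed to have happened already."""
    fields = hba_rule.split()
    method, options = fields[3], parse_options(fields[4:])
    return decide(method, options, os_user, pg_role, maps)


if __name__ == "__main__":
    maps = parse_ident(SAMPLE_IDENT)
    cases = [
        ("local all all ident map=pguser1", "dbquery", "user1"),    # section 3.2
        ("local all all peer", "postgres", "u13"),                  # section 4.1 error
        ("local postgres postgres peer", "postgres", "postgres"),   # corrected rule
        ("local all all scram-sha-256", "postgres", "u13"),         # falls back to password
    ]
    for rule, os_user, role in cases:
        print(f"{rule!r:45} {os_user} -> {role}: {local_login(rule, os_user, role, maps)}")
```

The corrected pair in section 4.1 works because the first line only matches the postgres role, so peer is never consulted for u13; the request falls through to the scram-sha-256 line and is asked for a password instead of being refused.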