Configuration File Reference

Table 1 Parameter description

Parameter	Description	Value Range
local	Indicates that this record accepts only the Unix-domain-socket connection. If no such type of record exists, Unix-domain-socket connections are not allowed. When gsql is used to initiate a connection from a local server and the -U parameter is not specified, a Unix-domain-socket connection is established.	-
host	Indicates that this record accepts either a common TCP/IP-socket connection or a TCP/IP-socket connection encrypted through SSL.	-
hostssl	Indicates that this record accepts only a TCP/IP socket connection encrypted through SSL.	For the connection encrypted through SSL, you need to apply for a digital certificate and configure related parameters. For details, see Establishing Secure TCP/IP Connections in SSL Mode.
hostnossl	Indicates that this record accepts only a common TCP/IP socket connection.	-
DATABASEGUC	Database that a record matches and can access	all: indicates that this record matches all databases. sameuser: indicates that the database must have the same name as the user who requests database access. samerole: indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database. samegroup: is the same as that of samerole and indicates that this record matches a database if the user who requests the database is a member of a role having the same name as the database. A file containing database names with an at sign (@) added before the file name, or a database list in a file using commas (,) or line feeds to separate databases A specific database name or a list of databases separated by commas (,) NOTE: replication indicates that if a replication link is requested, the records match the link. But this does not mean the record matches any specific database. To use a database named replication, specify it in the database column.
USER	Users who match the record and are allowed to access databases	all: indicates that this record matches all users. +User role: indicates that this record matches all members that directly or indirectly belong to the role. NOTE: + is a prefix character. A file containing usernames, with an at sign (@) added before the file name. Users in the file are separated by commas (,) or line feeds. A specific database username or a list of users separated by commas (,)
ADDRESS	Range of IP addresses that match the record and can be visited	IPv4 and IPv6 are supported. The IP address range can be expressed in the following two formats: IP address/mask length Example: 10.10.0.0/24 IP address Subnet mask Example: 10.10.0.0 255.255.255.0 NOTE: An IPv4 address matches the IPv6 connection with the corresponding address. For example, 127.0.0.1 matches IPv6 address ::ffff:127.0.0.1.
METHOD	Authentication method used for connection	The following authentication modes are supported. For details, see Table 2. trust reject md5 (not recommended and not supported by default. This authentication mode can be configured using the password_encryption_type parameter.) sha256 cert gss (only for authentication within openGauss)

Table 2 Authentication modes

Authentication Mode	Remarks
trust	In trust mode, only the connection initiated from the local server using gsql with the -U parameter not specified is trusted. In this case, no password is required. The trust authentication mode applies to local connection of a single-user workstation, but not of a multi-user workstation. To use the trust authentication, you can use the file system permissions to control the access to the Unix-domain socket file on the server. You can use either of the following methods to control the access: Set the unix_socket_permissions and unix_socket_group parameters. Set the unix_socket_directory parameter to place Unix-domain socket files into a directory requiring certain access permissions. NOTICE: Setting the file system permission imposes restrictions on only Unix-domain socket connections, and does not affect local TCP/IP connections. To ensure local TCP/IP security, openGauss does not allow the trust authentication for remote connection.
reject	Rejects connection unconditionally. This authentication mode is usually used for filtering certain hosts.
md5	Requires that the client must provide an MD5-encrypted password for authentication. NOTICE: This authentication method is not recommended because MD5 is not a secure encryption algorithm and may cause network risks. openGauss retains MD5 authentication and password storage to facilitate use of third-party tools (such as the TPCC test tool).
sha256	Requires that the client must provide a sha256-encrypted password for authentication. The password is encrypted based on the unidirectional sha256 of salt (a random number sent from the server to the client) when being transmitted, enhancing the security.
cert	Client certificate authentication mode. In this mode, the SSL connection must be configured and the client must provide a valid SSL certificate. The user password is not required. NOTICE: This authentication mode supports only hostssl rules.
gss	Uses the GSSAPI-based Kerberos authentication. NOTICE: This authentication mode depends on components such as the Kerberos server. It supports only authentication for communication within openGauss. In the current version, Kerberos authentication cannot be used to connect to external clients. Enabling Kerberos authentication within openGauss slows down the connection setup among nodes in openGauss. The performance of SQL operations during the setup is affected, but later operations are not.