diff --git a/gpdb-doc/dita/admin_guide/client_auth.xml b/gpdb-doc/dita/admin_guide/client_auth.xml index aa457816148520f50e779a37602d660edb5a13e8..6c41ad13061669ac6d8a9236078d2b807403c49a 100644 --- a/gpdb-doc/dita/admin_guide/client_auth.xml +++ b/gpdb-doc/dita/admin_guide/client_auth.xml @@ -10,9 +10,10 @@ superuser role. This role will have the same name as the operating system user who initialized the Greenplum Database system. This role is referred to as gpadmin. By default, the system is configured to only allow local - connections to the database from the gpadmin role. To allow any other roles - to connect, or to allow connections from remote hosts, you configure Greenplum Database to - allow such connections.

+ connections to the database from the gpadmin role. If you want to allow any + other roles to connect, or if you want to allow connections from remote hosts, you have to + configure Greenplum Database to allow such connections. This section explains how to configure + client connections and authentication to Greenplum Database.

The PgBouncer connection pooler is bundled with Greenplum Database. PgBouncer can be configured to support LDAP or Active Directory authentication for users connecting to Greenplum Database through the connection pooler client connections to Greenplum Database. See @@ -22,25 +23,23 @@ Allowing Connections to Greenplum Database

Client access and authentication is controlled by the standard PostgreSQL host-based - authentication file, pg_hba.conf. In Greenplum Database, the - pg_hba.conf file of the master instance controls client access and - authentication to your Greenplum Database system. Greenplum Database segments have - pg_hba.conf files that are configured to allow only client - connections from the master host and never accept client connections. Do not alter the - pg_hba.conf file on your segments.

-

See The pg_hba.conf File in the PostgreSQL - documentation for more information.

+ authentication file, pg_hba.conf. For detailed information about this + file, see The pg_hba.conf File in the PostgreSQL + documentation.

+

In Greenplum Database, the pg_hba.conf file of the master instance + controls client access and authentication to your Greenplum Database system. The Greenplum + Database segments also have pg_hba.conf files, but these are already + correctly configured to allow only client connections from the master host. The segments + never accept outside client connections, so there is no need to alter the + pg_hba.conf file on segments.

The general format of the pg_hba.conf file is a set of records, one - per line. Blank lines and any text after the # comment character are ignored. - The first matching record is used for authentication. After the first match, the following - records are not evaluated. If the client cannot be authenticated using the method specified - in the first matching record, the connection is rejected. A record consists of a number of - fields that are separated by spaces and/or tabs. Fields can contain white space if the field - value is quoted. Records cannot be continued across multiple lines. - Each remote client access record has the following format:

+ per line. Greenplum Database ignores blank lines and any text after the # + comment character. A record consists of a number of fields that are separated by spaces or + tabs. Fields can contain white space if the field value is quoted. Records cannot be + continued across lines. Each remote client access record has the following format:

host   database   role   CIDR-address   authentication-method -

Each UNIX-domain socket access record has the following format:

+

Each UNIX-domain socket access record is in this format:

local   database   role   authentication-method

The following table describes meaning of each field.

@@ -64,13 +63,14 @@ hostMatches connection attempts made using TCP/IP. Remote TCP/IP connections will not be possible unless the server is started with an appropriate - value for the listen_addresses server configuration parameter. + value for the listen_addresses server configuration + parameter. hostssl Matches connection attempts made using TCP/IP, but only when the connection is made with SSL encryption. SSL must be enabled at server start time by - setting the ssl configuration parameter + setting the ssl server configuration parameter. hostnossl @@ -101,41 +101,57 @@ names. The mask length indicates the number of high-order bits of the client IP address that must match. Bits to the right of this must be zero in the given IP address. There must not be any white space between the IP address, the /, and the - CIDR mask length.

Typical examples of a CIDR-address are 192.0.2.89/32 for a - single host, or 192.0.2.0/24 for a small network, or 10.6.0.0/16 for a larger one. - To specify a single host, use a CIDR mask of 32 for IPv4 or 128 for IPv6. In a - network address, do not omit trailing zeroes.

+ CIDR mask length.

Typical examples of a CIDR-address are 172.20.143.89/32 for a + single host, or 172.20.143.0/24 for a small network, or 10.6.0.0/16 for a larger + one. To specify a single host, use a CIDR mask of 32 for IPv4 or 128 for IPv6. In + a network address, do not omit trailing zeroes.

IP-address

IP-mask

These fields can be used as an alternative to the CIDR-address notation. Instead of specifying the mask length, the actual mask is specified in a - separate column. For example, 255.255.255.255 represents a CIDR mask length of 32. - These fields only apply to host, hostssl, and hostnossl records. + separate column. For example, 255.0.0.0 represents an IPv4 CIDR mask length of 8, + and 255.255.255.255 represents a CIDR mask length of 32. These fields only apply to + and 255.255.255.255 represents a CIDR mask length of 32. These fields only apply to + host, hostssl, and hostnossl records.
authentication-method Specifies the authentication method to use when connecting. Greenplum supports the authentication methods supported by + href="http://www.postgresql.org/docs/9.0/static/auth-methods.html" + scope="external" format="html">authentication methods supported by PostgreSQL 9.0.
+ For a more secure system, consider removing records for remote + connections that use trust authentication from the pg_hba.conf file. Trust + authentication grants any user who can connect to the server access to the database using + any role they specify. You can safely replace trust authentication with ident authentication + for local UNIX-socket connections. You can also use ident authentication for local and + remote TCP clients, but the client host must be running an ident service and you must trust + the integrity of that machine. Editing the pg_hba.conf File +

Initially, the pg_hba.conf file is set up with generous permissions for + the gpadmin user and no database access for other Greenplum Database roles. You will need + to edit the pg_hba.conf file to enable users' access to databases and to + secure the gpadmin user. Consider removing entries that have trust authentication, since + they allow anyone with access to the server to connect with any role they choose. For + local (UNIX socket) connections, use ident authentication, which requires the operating + system user to match the role specified. For local and remote TCP connections, ident + authentication requires the client's host to run an indent service. You can install an + ident service on the master host and then use ident authentication for local TCP + connections, for example 127.0.0.1/28. Using ident authentication for remote TCP + connections is less secure because it requires you to trust the integrity of the ident + service on the client's host.

This example shows how to edit the pg_hba.conf file of the master to allow remote client access to all databases from all roles using encrypted password authentication.

- For a more secure system, consider removing all connections that use trust - authentication from your master pg_hba.conf. Trust authentication - means the role is granted access without any authentication, therefore bypassing all - security. Replace trust entries with ident authentication if your system has an ident - service available.
Editing pg_hba.conf
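Review bot: the added IP-mask description contains a duplicated line; "and 255.255.255.255 represents a CIDR mask length of 32. These fields only apply to" appears twice in a row, so one copy has to go. In the new "Editing the pg_hba.conf File" paragraph, "indent service" should read "ident service", and the example "127.0.0.1/28" conflicts with the CIDR-address rule added in this same hunk ("Bits to the right of this must be zero in the given IP address"), since 127.0.0.1 has host bits set under a /28 mask; use 127.0.0.1/32, which is also the form the sample pg_hba.conf later in this file uses for the gpadmin ident record. Finally, the new note ("For a more secure system, consider removing records for remote connections that use trust authentication ...") and the paragraph that follows it make the same two points about trust and ident twice; keep the guidance in one place.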
    @@ -146,22 +162,22 @@ earlier records will have tight connection match parameters and weaker authentication methods, while later records will have looser match parameters and stronger authentication methods. For - example:# allow the gpadmin user local access to all databases + example:# allow the gpadmin user local access to all databases # using ident authentication local   all   gpadmin   ident         sameuser host    all   gpadmin   127.0.0.1/32  ident host    all   gpadmin   ::1/128       ident -# allow the 'dba' role access to any database from any -# host with IP address 192.168.x.x and use md5 encrypted +# allow the 'dba' role access to any database from any +# host with IP address 192.168.x.x and use md5 encrypted # passwords to authenticate the user -# Note that to use SHA-256 encryption, replace md5 with +# Note that to use SHA-256 encryption, replace md5 with # password in the line below host    all   dba   192.168.0.0/32  md5 -# allow all roles access to any database from any -# host and use ldap to authenticate the user. Greenplum role +# allow all roles access to any database from any +# host and use ldap to authenticate the user. Greenplum role # names must match the LDAP common name. -host    all   all   192.168.0.0/32  ldap ldapserver=usldap1 -ldapport=1389 ldapprefix="cn=" +host    all   all   192.168.0.0/32  ldap ldapserver=usldap1 +ldapport=1389 ldapprefix="cn=" ldapsuffix=",ou=People,dc=company,dc=com"
  1. Save and close the file.
  2. Reload the pg_hba.conf configuration file for @@ -186,8 +202,8 @@ ldapsuffix=",ou=People,dc=company,dc=com"
  3. can configure the max_connections server configuration parameter. This is a local parameter, meaning that you must set it in the postgresql.conf file of the master, the standby master, and each segment - instance (primary and mirror). The value of max_connections on segments - should be 5-10 times the value on the master.

    + instance (primary and mirror). The recommended value of max_connections on + segments is 5-10 times the value on the master.

    When you set max_connections, you must also set the dependent parameter max_prepared_transactions. This value must be at least as large as the value of max_connections on the master, and segment instances should be set @@ -227,13 +243,13 @@ max_prepared_transactions=100 on the master to 200.

    $ gpconfig -c max_connections -v 1000 -m 200 -

    The value on the segments must be greater than the value on the master. The value - of max_connections on segments should be 5-10 times the value on the - master.

    +

    The value on the segments must be greater than the value on the master. The + recommended value of max_connections on segments is 5-10 times the + value on the master.

  4. Set the value of the max_prepared_transactions parameter. This gpconfig command sets the value to 200 on the master and all segments.

    - $ gpconfig -c max_prepared_transactions -v 200 + $ gpconfig -c max_prepared_transactions -v 200

    The value of max_prepared_transactions must be greater than or equal to max_connections on the master.

  5. @@ -245,7 +261,7 @@ max_prepared_transactions=100 the gpconfig -s option. This gpconfig command displays the values of the max_connections parameter.

    - $ gpconfig -s max_connections + $ gpconfig -s max_connections

diff --git a/gpdb-doc/dita/security-guide/topics/Authenticate.xml b/gpdb-doc/dita/security-guide/topics/Authenticate.xml index af7fea74b0f1ebee4f36135075a0787d37eef1ef..e05bd008d923c16a7d5874a48b1852ab5c74da46 100644 --- a/gpdb-doc/dita/security-guide/topics/Authenticate.xml +++ b/gpdb-doc/dita/security-guide/topics/Authenticate.xml @@ -40,10 +40,10 @@ client access record is in this format: host   database   role   CIDR-address   authentication-method

-

Each UNIX-domain socket access record is in this format: +

A UNIX-domain socket access record is in this format: local   database   role   authentication-method

-

The meaning of the pg_hba_conf fields is as follows: +

The meaning of the pg_hba.conf fields is as follows: local Matches connection attempts using UNIX-domain sockets. Without a record of this @@ -110,21 +110,35 @@ authentication-method Specifies the authentication method to use when connecting. See for more details. + href="#topic_nyh_gwd_jr" format="dita"/> for options.

+ For a more secure system, consider removing records for remote + connections that use trust authentication from the pg_hba.conf file. Trust + authentication grants any user who can connect to the server access to the database using + any role they specify. You can safely replace trust authentication with ident authentication + for local UNIX-socket connections. You can also use ident authentication for local and + remote TCP clients, but the client host must be running an ident service and you must trust + the integrity of that machine. Editing the pg_hba.conf File +

Initially, the pg_hba.conf file is set up with generous permissions for + the gpadmin user and no database access for other Greenplum Database roles. You will need to + edit the pg_hba.conf file to enable users' access to databases and to + secure the gpadmin user. Consider removing entries that have trust authentication, since + they allow anyone with access to the server to connect with any role they choose. For local + (UNIX socket) connections, use ident authentication, which requires the operating system + user to match the role specified. For local and remote TCP connections, ident authentication + requires the client's host to run an indent service. You could install an ident service on + the master host and then use ident authentication for local TCP connections, for example + 127.0.0.1/28. Using ident authentication for remote TCP connections is less secure because + it requires you to trust the integrity of the ident service on the client's host.

This example shows how to edit the pg_hba.conf file of the master to allow remote client access to all databases from all roles using encrypted password authentication.

- For a more secure system, consider removing all connections that use trust - authentication from your master pg_hba.conf. Trust authentication means the - role is granted access without any authentication, therefore bypassing all security. Replace - trust entries with ident authentication if your system has an ident service available.

To edit pg_hba.conf:

  1. Open the file $MASTER_DATA_DIRECTORY/pg_hba.conf in a text editor.
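Review bot: this hunk carries the same defects as the matching hunk in client_auth.xml: "indent service" should be "ident service", and "127.0.0.1/28" has nonzero host bits under its mask while the CIDR-address description in this file tells readers those bits must be zero; 127.0.0.1/32 matches the sample records given later. The note and the "Editing the pg_hba.conf File" paragraph are also near-verbatim copies of the text added to client_auth.xml, and they repeat the trust/ident advice within themselves; a DITA conref from one file to the other would keep the two copies from drifting, and one statement of the trust/ident guidance is enough.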
  2. @@ -190,8 +204,10 @@ host    all   dba   192.168.0.0/32  md5 Ident - Authenticates based on the client's operating system user name. You should only - use this for local connections. + Authenticates based on the client's operating system user name. This is secure for + local socket connections. Using ident for TCP connections from remote hosts requires + that the client's host is running an ident service. The ident authentication method + should only be used with remote hosts on a trusted, closed network.

    Following are some sample pg_hba.conf basic authentication diff --git a/gpdb-doc/dita/utility_guide/client_utilities/psql.xml b/gpdb-doc/dita/utility_guide/client_utilities/psql.xml index db0bcdcf2865c7bc762747e904e3e6803c5cabb1..982e9de7e1a6107538d79c20b9c49c03df6f6d4a 100644 --- a/gpdb-doc/dita/utility_guide/client_utilities/psql.xml +++ b/gpdb-doc/dita/utility_guide/client_utilities/psql.xml @@ -177,7 +177,9 @@ -h host | --host host The host name of the machine on which the Greenplum master database server is running. If not specified, reads from the environment variable PGHOST - or defaults to localhost. + or defaults to localhost. + When starting psql on the master host, if the host + value begins with a slash, it is used as the directory for the UNIX-domain socket. -p port | --port port
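Review bot: in the @@ -146,22 +162,22 @@ hunk of client_auth.xml, the sample record `host    all   dba   192.168.0.0/32  md5` is commented as allowing access from "any host with IP address 192.168.x.x", but a /32 mask matches only 192.168.0.0; the ldap record below it has the same mismatch with "from any host". These lines are only re-indented here, but since the hunk touches them this is the moment to change the mask to /16 (or correct the comments). The comment "to use SHA-256 encryption, replace md5 with password" also deserves a caveat in an example introduced as "encrypted password authentication": the `password` method sends the password unhashed over the connection, so records using it should be `hostssl` rather than `host`.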