Fine-grained authentication

YugabyteDB fine-grained authentication for YSQL manages access control for localhost, remote hosts, and clients. By default, authentication is restricted to localhost connections. Using fine-grained authentication, you can define rules for access to localhost and remote clients based on IP addresses, authentication methods, and use of TLS (aka SSL) certificates.

This client authentication is managed in YugabyteDB by the YB-TServer’s configuration option —ysql_hba_conf, which works similar to the pg_hb.conf file in PostgreSQL. The values include records that specify allowed connection types, users, client IP addresses, and the authentication method.

The default setting for listen_addresses in YugabyteDB accepts connections only from localhost. To allow remote connections, you must add client authentication records to the YB-TServer ==ysql_hba_conf configuration settings.

When a connection request is received by YugabyteDB, the following steps occur:

  • A connection request is received
  • YugabyteDB searches through the —yb_hba_conf records serially until the first record with a matching connection type, client address, requested database, and username is found.
  • Authentication is performed based on the matching record.
  • If the information provided in the connection request matches the expected content, access is allowed. If authentication fails, then subsequent records are not evaluated and access is denied.Records in YugabyteDB’s yb_hba.conf are autogenerated based on the values included in the —ysql_hba_conf option. For example, starting a YB-TServer with the following —ysql_hba_conf command line option will enable authorization for all users except yugabyte:
  1. --ysql_hba_conf="host all yugabyte 0.0.0.0/0 trust, host all all 0.0.0.0/0 md5, host all yugabyte ::0/0 trust, host all all ::0/0 md5"

You can display the current settings for the yb_hba.conf file, run the following SHOW statement to get the file location:

  1. yugabyte=# SHOW hba_file;

  1.                       hba_file

/Users/yugabyte/yugabyte-data/node-1/disk-1/pg_data/ysql_hba.conf(1 row)

and then view the file. Because the file is autogenerated, edits are overwritten by the autogenerated content.

In the yb_hba.conf are the records autogenerated based on your —ysql_hba_conf setting. Here is an example.

  1. # This is an autogenerated file, do not edit manually!
  2. host all all 0.0.0.0/0 trust
  3. host all all ::0/0 trust
  4. /Users/yugabyte/yugabyte-data/node-1/disk-1/pg_data/ysql_hba.conf (END)

Record formats

Each record specified in the —ysql_hba_conf configuration option must match one of the following record formats available for local, CIDR addresses, or IP addresses:

  1. local      database  user  auth-method  [auth-options]
  2. host       database  user  address  auth-method  [auth-options]
  3. hostssl    database  user  address  auth-method  [auth-options]
  4. hostnossl  database  user  address  auth-method  [auth-options]
  5. host       database  user  IP-address  netmask  auth-method  [auth-options]
  6. hostssl    database  user  IP-address  netmask  auth-method  [auth-options]
  7. hostnossl  database  user  IP-address  netmask  auth-method  [auth-options]
Record formats (with links to field descriptions)
Local (localhost)
localdatabaseuserauth-methodauth-options
CIDR addresses
hostdatabaseuseraddressauth-methodauth-options
hostssldatabaseuseraddressauth-methodauth-options
hostnossldatabaseuseraddressauth-methodauth-options
IP addresses
hostdatabaseuserIP-addressnetmaskauth-methodauth-options
hostssldatabaseuserIP-addressnetmaskauth-methodauth-options
hostnossldatabaseuserIP-addressnetmaskauth-methodauth-options

Fields

local

This record matches connection attempts using Unix-domain sockets. Without a record of this type, Unix-domain socket connections are disallowed.

host

This record matches connection attempts made using TCP/IP. host records match either SSL or non-SSL connection attempts.

hostssl

This record specifies a local or remote host that can connect to a YugabyteDB cluster using SSL.

hostnossl

This record only matches connection attempts made over TCP/IP that do not use SSL.

database

Specifies which database names this record matches. Valid values include:

  • all: Specifies that it matches all databases.
  • sameuser: Specifies that the record matches if the requested database has the same name as the requested user.
  • samerole: Specifies that the requested user must be a member of the role with the same name as the requested database. Superusers are not considered to be members of a role for the purposes of samerole unless they are explicitly members of the role, directly or indirectly, and not just by virtue of being a superuser.
  • replication: Specifies that the record matches if a physical replication connection is requested (note that replication connections do not specify any particular database). Otherwise, this is the name of a specific PostgreSQL database.

Multiple database names can be supplied by separating them with commas. A separate file containing database names can be specified by preceding the file name with @.

user

Specifies which database user names this record matches. Valid values include:

The value all specifies that it matches all users. Otherwise, this is either the name of a specific database user, or a group name preceded by +. (Recall that there is no real distinction between users and groups in YugabyteDB; a + mark really means “match any of the roles that are directly or indirectly members of this role”, while a name without a + mark matches only that specific role.) For this purpose, a superuser is only considered to be a member of a role if they are explicitly a member of the role, directly or indirectly, and not just by virtue of being a superuser.

Multiple user names can be supplied by separating them with commas.

A separate file containing user names can be specified by preceding the file name with @.

address

Specifies the client machine addresses that this record matches. This field can contain either a host name, an IP address range, or one of the special key words mentioned below.

An IP address range is specified using standard numeric notation for the range’s starting address, then a slash (/) and a CIDR mask length. The mask length indicates the number of high-order bits of the client IP address that must match. Bits to the right of this should be zero in the given IP address. There must not be any white space between the IP address, the /, and the CIDR mask length.

Typical examples of an IPv4 address range specified this way are 172.20.143.89/32 for a single host, or 172.20.143.0/24 for a small network, or 10.6.0.0/16 for a larger one. An IPv6 address range might look like ::1/128 for a single host (in this case the IPv6 loopback address) or fe80::7a31:c1ff:0000:0000/96 for a small network. 0.0.0.0/0 represents all IPv4 addresses, and ::0/0 represents all IPv6 addresses. To specify a single host, use a mask length of 32 for IPv4 or 128 for IPv6. In a network address, do not omit trailing zeroes.

An entry given in IPv4 format will match only IPv4 connections, and an entry given in IPv6 format will match only IPv6 connections, even if the represented address is in the IPv4-in-IPv6 range. Note that entries in IPv6 format will be rejected if the system’s C library does not have support for IPv6 addresses.

You can also write all to match any IP address, samehost to match any of the server’s own IP addresses, or samenet to match any address in any subnet that the server is directly connected to.

If a host name is specified (anything that is not an IP address range or a special key word is treated as a host name), that name is compared with the result of a reverse name resolution of the client’s IP address (e.g., reverse DNS lookup, if DNS is used). Host name comparisons are case insensitive. If there is a match, then a forward name resolution (e.g., forward DNS lookup) is performed on the host name to check whether any of the addresses it resolves to are equal to the client’s IP address. If both directions match, then the entry is considered to match. (The host name that is specified in the —pg_hba_conf configuration setting should be the one that address-to-name resolution of the client’s IP address returns, otherwise the line won’t be matched. Some host name databases allow associating an IP address with multiple host names, but the operating system will only return one host name when asked to resolve an IP address.)

A host name specification that starts with a dot (.) matches a suffix of the actual host name. So .example.com would match foo.example.com (but not just example.com).

When host names are specified in —pg_hba_conf, you should make sure that name resolution is reasonably fast. It can be of advantage to set up a local name resolution cache such as nscd. Also, you may wish to enable the configuration parameter log_hostname to see the client’s host name instead of the IP address in the log.

This field only applies to host, hostssl, and hostnossl records.

IP-address | netmask

These two fields can be used as an alternative to the IP-address/mask-length notation. Instead of specifying the mask length, the actual mask is specified in a separate column. For example, 255.0.0.0 represents an IPv4 CIDR mask length of 8, and 255.255.255.255 represents a CIDR mask length of 32.

Applies to host, hostssl, and hostnossl records.

When there is only one host, the netmask is 255.255.255.255, representing a single IP address. For more information, see Netmask Quick Reference.

auth-method

Specifies the authentication method to use when a connection matches this record.

trust

Specify that any user from the defined host can connect to a YugabyteDB database without requiring a password. If the specified host is not secure or provides access to unknown users, this is a security risk.

reject

Specify that the host or user should be rejected. Reject the connection unconditionally. This is useful for “filtering out” certain hosts from a group, for example a reject line could block a specific host from connecting, while a later line allows the remaining hosts in a specific network to connect.

password

Specify that for a connecting user, the password supplied must match the password in the global yb_show system table for the username. The password must be sent in clear text.

ident

Obtain the operating system user name of the client by contacting the ident server on the client and check if it matches the requested database user name. Ident authentication can only be used on TCP/IP connections. When specified for local connections, peer authentication will be used instead.

peer

Obtain the client’s operating system user name from the operating system and check if it matches the requested database user name. This is only available for local connections.

auth-options

After the auth-method field, there can be fields of the form name=value that specify options for the authentication method. Details about which options are available for which authentication methods appear below.

In addition to the method-specific options listed below, there is one method-independent authentication option clientcert, which can be specified in any hostssl record. When set to 1, this option requires the client to present a valid (trusted) SSL certificate, in addition to the other requirements of the authentication method.

Files included by @ constructs are read as lists of names, which can be separated by either whitespace or commas. Comments are introduced by #, just as in the pg_hba_conf configuration setting, and nested @ constructs are allowed. Unless the file name following @ is an absolute path, it is taken to be relative to the directory containing the referencing file.

Since the —pg hba conf records are examined sequentially for each connection attempt, the order of the records is significant. Typically, earlier records will have tight connection match parameters and weaker authentication methods, while later records will have looser match parameters and stronger authentication methods. For example, one might wish to use trust authentication for local TCP/IP connections but require a password for remote TCP/IP connections. In this case a record specifying trust authentication for connections from 127.0.0.1 would appear before a record specifying password authentication for a wider range of allowed client IP addresses.

The —pg_hba_conf configuration setting is read on start-up and when the main server process receives a SIGHUP signal. If you edit the file on an active system, you will need to signal the postmaster (using pg_ctl reload, calling the SQL function pg_reload_conf(), or using kill -HUP) to make it re-read the file.

The system view pg_hba_file_rules can be helpful for pre-testing changes to the pg_hba.conf file, or for diagnosing problems if loading of the file did not have the desired effects. Rows in the view with non-null error fields indicate problems in the corresponding lines of the file.

TipTo connect to a particular database, a user must not only pass the —pg_hba_conf checks, but must have the CONNECT privilege for the database. If you wish to restrict which users can connect to which databases, it’s usually easier to control this by granting or revoking CONNECT privilege than to put the rules in pg_hba_conf` entries.

Examples

Single host entry

The following record allows a single host with the IP address 192.168.1.10 to connect to any database (all) as any user (all) without a password (trust).

  1. host all 192.168.1.10 255.255.255.255 trust

Check user permissions

  1. testdb=#
  2. SELECT relname as "Relation", relacl as "Access permissions"
  4. testdb-#
  5.        FROM pg_class
  7. testdb-#
  8.        WHERE  relkind IN ('r', 'v', 'S')
  10. testdb-#
  11.        AND relname !~ '^pg_'
  13. testdb-#
  14.        ORDER BY relname;
  16.  Relation |     Access permissions
  17. ----------+----------------------------------
  18.  foo      | {"=arwR","jdrake=arwR"}
  19.  my_list  | {"=","jdrake=arwR","jworsley=r"}
  20. (2 rows)

Start yb-tserver with the following —ysql_hba_conf setting:

  1. --ysql_hba_conf="host all yugabyte 0.0.0.0/0 trust,host all all 0.0.0.0/0 md5,host all yugabyte ::0/0 trust,host all all ::0/0 md5"

This will enable authentication for all users except yugabyte.