Postgresql – What exactly is the use of the column USER in a pg_hba.conf file

postgresql

Let's say I have a pg_hba.conf file for my Postgresql server. I know that in order to allow other IP addresses to access my Postgresql server, I need to write their entries in my pg_hba.conf file. Now, what I don't understand is the use of the column USER in the pg_hba.conf file. Lets say my file contains the following entry

host all    user123     192.168.10.27/32    md5

According to my understanding, it means that in order to access my Postgresql server from the machine with IP 192.168.10.27, someone needs to be logged in as the user 'user123'.
But, as far as i understand, in order to access my Postgresql server from 192.168.10.27, i need to create a separate connection to my server from 192.168.10.27. So even if I am logged in as 'user123', I will be anyways creating a separate connection to access my Postgresql server, which won't depend on whether I am logged in as 'user123' or someone else.
Hence, I don't understand the use of USER column.
Can someone please help me?

Best Answer

"someone needs to be logged in as the user 'user123'" - no, that means that someone tries to connect with the Postgres database user user123.

This can be used to allow certain database users to connect only from certain client computers, e.g. the user for a web application is only allowed to connect from the IP of the webserver.

Or this can be used to prevent superuser logins from remote connections by only allowing local connections for the database user postgres.

Related Solutions

Postgresql – Correct pg_hba.conf to allow script to run locally with a specific db-user

Since you want the backup user to connect locally from the database server. I assume the backup is running on a dedicated backup account on the OS.

Using pg_hba.conf you can specify like:

# TYPE  DATABASE USER   ADDRESS METHOD
local   all      backup_user    peer map=local_peers_backup_user

(method peer (with local/peer an address is not needed))

combine this with a pg_ident.conf like:

# MAPNAME                SYSTEM-USERNAME   PG-USERNAME
local_peers_backup_user  postgres          backup_user
local_peers_backup_user  OSBKPUSER         backup_user

This allows the os user postgres and OSBKUSER to connect to all databases in the cluster as the postgres database user named backup_user, using peer authentication. This works using sockets, on linux.

connected as your OSBKPUSER running psql suffices to get connected as backup_user, assuming that you already prepared the environment variables for the OSBKPUSER and OSBKPUSER has only 1 map. Otherwise run psql -U backup_user.

This connect method is secure, if you trust that the access to your dbserver is secured.

PostgreSQL 9.5 – How to Restore Privileges of User Postgres

If you edit your pg_hba.conf to allow login as one of the other superusers, then you can login as one of those and then alter role postgres superuser.

Best Answer

Related Solutions

Postgresql – Correct pg_hba.conf to allow script to run locally with a specific db-user

PostgreSQL 9.5 – How to Restore Privileges of User Postgres

Related Question