<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>20.2. User Name Maps</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="auth-pg-hba-conf.html" title="20.1. The pg_hba.conf File" /><link rel="next" href="auth-methods.html" title="20.3. Authentication Methods" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">20.2. User Name Maps</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="auth-pg-hba-conf.html" title="20.1. The pg_hba.conf File">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="client-authentication.html" title="Chapter 20. Client Authentication">Up</a></td><th width="60%" align="center">Chapter 20. Client Authentication</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 12.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="auth-methods.html" title="20.3. Authentication Methods">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="AUTH-USERNAME-MAPS"><div class="titlepage"><div><div><h2 class="title" style="clear: both">20.2. User Name Maps</h2></div></div></div><a id="id-1.6.7.9.2" class="indexterm"></a><p>
When using an external authentication system such as Ident or GSSAPI,
the name of the operating system user that initiated the connection
might not be the same as the database user (role) that is to be used.
In this case, a user name map can be applied to map the operating system
user name to a database user. To use user name mapping, specify
<code class="literal">map</code>=<em class="replaceable"><code>map-name</code></em>
in the options field in <code class="filename">pg_hba.conf</code>. This option is
supported for all authentication methods that receive external user names.
Since different mappings might be needed for different connections,
the name of the map to be used is specified in the
<em class="replaceable"><code>map-name</code></em> parameter in <code class="filename">pg_hba.conf</code>
to indicate which map to use for each individual connection.
</p><p>
User name maps are defined in the ident map file, which by default is named
<code class="filename">pg_ident.conf</code><a id="id-1.6.7.9.4.2" class="indexterm"></a>
and is stored in the
cluster's data directory. (It is possible to place the map file
elsewhere, however; see the <a class="xref" href="runtime-config-file-locations.html#GUC-IDENT-FILE">ident_file</a>
configuration parameter.)
The ident map file contains lines of the general form:
</p><pre class="synopsis">
<em class="replaceable"><code>map-name</code></em> <em class="replaceable"><code>system-username</code></em> <em class="replaceable"><code>database-username</code></em>
</pre><p>
Comments and whitespace are handled in the same way as in
<code class="filename">pg_hba.conf</code>. The
<em class="replaceable"><code>map-name</code></em> is an arbitrary name that will be used to
refer to this mapping in <code class="filename">pg_hba.conf</code>. The other
two fields specify an operating system user name and a matching
database user name. The same <em class="replaceable"><code>map-name</code></em> can be
used repeatedly to specify multiple user-mappings within a single map.
</p><p>
There is no restriction regarding how many database users a given
operating system user can correspond to, nor vice versa. Thus, entries
in a map should be thought of as meaning <span class="quote">“<span class="quote">this operating system
user is allowed to connect as this database user</span>”</span>, rather than
implying that they are equivalent. The connection will be allowed if
there is any map entry that pairs the user name obtained from the
external authentication system with the database user name that the
user has requested to connect as.
</p><p>
If the <em class="replaceable"><code>system-username</code></em> field starts with a slash (<code class="literal">/</code>),
the remainder of the field is treated as a regular expression.
(See <a class="xref" href="functions-matching.html#POSIX-SYNTAX-DETAILS" title="9.7.3.1. Regular Expression Details">Section 9.7.3.1</a> for details of
<span class="productname">PostgreSQL</span>'s regular expression syntax.) The regular
expression can include a single capture, or parenthesized subexpression,
which can then be referenced in the <em class="replaceable"><code>database-username</code></em>
field as <code class="literal">\1</code> (backslash-one). This allows the mapping of
multiple user names in a single line, which is particularly useful for
simple syntax substitutions. For example, these entries
</p><pre class="programlisting">
mymap /^(.*)@mydomain\.com$ \1
mymap /^(.*)@otherdomain\.com$ guest
</pre><p>
will remove the domain part for users with system user names that end with
<code class="literal">@mydomain.com</code>, and allow any user whose system name ends with
<code class="literal">@otherdomain.com</code> to log in as <code class="literal">guest</code>.
</p><div class="tip"><h3 class="title">Tip</h3><p>
Keep in mind that by default, a regular expression can match just part of
a string. It's usually wise to use <code class="literal">^</code> and <code class="literal">$</code>, as
shown in the above example, to force the match to be to the entire
system user name.
</p></div><p>
The <code class="filename">pg_ident.conf</code> file is read on start-up and
when the main server process receives a
<span class="systemitem">SIGHUP</span><a id="id-1.6.7.9.8.3" class="indexterm"></a>
signal. If you edit the file on an
active system, you will need to signal the postmaster
(using <code class="literal">pg_ctl reload</code>, calling the SQL function
<code class="function">pg_reload_conf()</code>, or using <code class="literal">kill
-HUP</code>) to make it re-read the file.
</p><p>
A <code class="filename">pg_ident.conf</code> file that could be used in
conjunction with the <code class="filename">pg_hba.conf</code> file in <a class="xref" href="auth-pg-hba-conf.html#EXAMPLE-PG-HBA.CONF" title="Example 20.1. Example pg_hba.conf Entries">Example 20.1</a> is shown in <a class="xref" href="auth-username-maps.html#EXAMPLE-PG-IDENT.CONF" title="Example 20.2. An Example pg_ident.conf File">Example 20.2</a>. In this example, anyone
logged in to a machine on the 192.168 network that does not have the
operating system user name <code class="literal">bryanh</code>, <code class="literal">ann</code>, or
<code class="literal">robert</code> would not be granted access. Unix user
<code class="literal">robert</code> would only be allowed access when he tries to
connect as <span class="productname">PostgreSQL</span> user <code class="literal">bob</code>, not
as <code class="literal">robert</code> or anyone else. <code class="literal">ann</code> would
only be allowed to connect as <code class="literal">ann</code>. User
<code class="literal">bryanh</code> would be allowed to connect as either
<code class="literal">bryanh</code> or as <code class="literal">guest1</code>.
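</p><p>
The matching rules this section describes (plain entries, regular-expression entries introduced by a slash with <code class="literal">\1</code> substitution, the partial-match pitfall from the Tip above, and the rule that a connection is allowed if any entry of the named map pairs the two names), together with the outcomes just listed for <a class="xref" href="auth-username-maps.html#EXAMPLE-PG-IDENT.CONF">Example 20.2</a>, are worked through in the Python model below. It is an added illustration, not code from <span class="productname">PostgreSQL</span> (the server's own matcher lives in <code class="filename">hba.c</code>). It assumes that Python's <code class="literal">re</code> module behaves like PostgreSQL's regular expression engine for the simple patterns used here, that comparisons are exact and case-sensitive, and that fields are separated by whitespace only (quoted fields are not modelled); the map texts and user names it feeds in are constructed from the examples on this page.
</p>
```python
import re

# Constructed inputs, copied from the examples on this page.
REGEX_MAP = r"""
mymap /^(.*)@mydomain\.com$ \1
mymap /^(.*)@otherdomain\.com$ guest
"""
OMICRON_MAP = r"""
# MAPNAME SYSTEM-USERNAME PG-USERNAME
omicron bryanh bryanh
omicron ann ann
# bob has user name robert on these machines
omicron robert bob
# bryanh can also connect as guest1
omicron bryanh guest1
"""
# The first REGEX_MAP entry with its ^ and $ removed (the pitfall from the Tip).
UNANCHORED_MAP = r"""
mymap /(.*)@mydomain\.com \1
"""


class IdentMapError(ValueError):
    """Malformed map line, or \\1 used with a pattern that has no capture group."""


def parse_ident(text):
    """Return (map-name, system-username, database-username) tuples.

    '#' starts a comment and blank lines are ignored, as in pg_hba.conf.
    Assumption: fields are whitespace-separated; quoted fields are not modelled.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 3:
            raise IdentMapError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        entries.append(tuple(fields))
    return entries


def entry_allows(system_field, database_field, system_user, database_user):
    """True if this one entry pairs system_user with database_user (exact, case-sensitive)."""
    if not system_field.startswith("/"):
        return system_field == system_user and database_field == database_user
    regex = re.compile(system_field[1:])  # Python re stands in for PostgreSQL's engine
    # re.search, not fullmatch: the pattern is unanchored unless it carries ^ and $ itself
    match = regex.search(system_user)
    if match is None:
        return False
    mapped = database_field
    if "\\1" in database_field:
        if regex.groups < 1:
            raise IdentMapError(f"{database_field!r} uses \\1 but {system_field!r} has no capture")
        mapped = database_field.replace("\\1", match.group(1), 1)  # first \1 is substituted
    return mapped == database_user


def check_usermap(entries, map_name, system_user, database_user):
    """The documented rule: allowed if ANY entry of map_name pairs the two names."""
    return any(entry_allows(s, d, system_user, database_user)
               for name, s, d in entries if name == map_name)


def demo():
    """Evaluate the page's examples plus the Tip's partial-match pitfall."""
    regex_entries, omicron = parse_ident(REGEX_MAP), parse_ident(OMICRON_MAP)
    unanchored = parse_ident(UNANCHORED_MAP)
    hostile = "alice@mydomain.com.attacker.example"  # constructed: not a mydomain.com user
    cases = {
        "alice@mydomain.com -> alice": (regex_entries, "mymap", "alice@mydomain.com", "alice"),
        "alice@mydomain.com -> guest": (regex_entries, "mymap", "alice@mydomain.com", "guest"),
        "bob@otherdomain.com -> guest": (regex_entries, "mymap", "bob@otherdomain.com", "guest"),
        "bob@otherdomain.com -> bob": (regex_entries, "mymap", "bob@otherdomain.com", "bob"),
        "robert -> bob": (omicron, "omicron", "robert", "bob"),
        "robert -> robert": (omicron, "omicron", "robert", "robert"),
        "ann -> ann": (omicron, "omicron", "ann", "ann"),
        "bryanh -> bryanh": (omicron, "omicron", "bryanh", "bryanh"),
        "bryanh -> guest1": (omicron, "omicron", "bryanh", "guest1"),
        "mallory -> guest1": (omicron, "omicron", "mallory", "guest1"),
        "hostile, anchored -> alice": (regex_entries, "mymap", hostile, "alice"),
        "hostile, unanchored -> alice": (unanchored, "mymap", hostile, "alice"),
    }
    return {case: check_usermap(*args) for case, args in cases.items()}


if __name__ == "__main__":
    for case, allowed in demo().items():
        print("allow" if allowed else "deny ", case)
```
<p>
Running it prints one allow/deny line per case. The last two cases are the point of the Tip: the anchored entry rejects the constructed name <code class="literal">alice@mydomain.com.attacker.example</code>, while the same pattern without <code class="literal">^</code> and <code class="literal">$</code> matches it as a substring and maps it to <code class="literal">alice</code>.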
</p><div class="example" id="EXAMPLE-PG-IDENT.CONF"><p class="title"><strong>Example 20.2. An Example <code class="filename">pg_ident.conf</code> File</strong></p><div class="example-contents"><pre class="programlisting">
# MAPNAME SYSTEM-USERNAME PG-USERNAME
omicron bryanh bryanh
omicron ann ann
# bob has user name robert on these machines
omicron robert bob
# bryanh can also connect as guest1
omicron bryanh guest1
</pre></div></div><br class="example-break" /></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="auth-pg-hba-conf.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="client-authentication.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="auth-methods.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">20.1. The <code class="filename">pg_hba.conf</code> File </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 20.3. Authentication Methods</td></tr></table></div></body></html>