Configure Client Authentication
This topic explains how to configure client connections and authentication for Apache Cloudberry.
When an Apache Cloudberry system is first initialized, the system contains one predefined superuser role. This role has the same name as the operating system user who initialized the Apache Cloudberry system, and is referred to as gpadmin. By default, the system is configured to only allow local connections to the database from the gpadmin role. If you want to allow any other roles to connect, or if you want to allow connections from remote hosts, you have to configure Apache Cloudberry to allow such connections. This section explains how to configure client connections and authentication to Apache Cloudberry.
Allowing Connections to Apache Cloudberry
Client access and authentication are controlled by a configuration file named pg_hba.conf (the standard PostgreSQL host-based authentication file). For detailed information about this file, see The pg_hba.conf File in the PostgreSQL documentation.
In Apache Cloudberry, the pg_hba.conf file of the coordinator instance controls client access and authentication to your Cloudberry system. The segments also have pg_hba.conf files, but these are already correctly configured to only allow client connections from the coordinator host. The segments never accept outside client connections, so there is no need to alter the pg_hba.conf file on segments.
The general format of the pg_hba.conf file is a set of records, one per line. Blank lines are ignored, as is any text after a # comment character. A record is made up of a number of fields which are separated by spaces and/or tabs. Fields can contain white space if the field value is quoted. Records cannot be continued across lines.
A record can have one of seven formats:
local <database> <user> <auth-method> [<auth-options>]
host <database> <user> <address> <auth-method> [<auth-options>]
hostssl <database> <user> <address> <auth-method> [<auth-options>]
hostnossl <database> <user> <address> <auth-method> [<auth-options>]
host <database> <user> <IP-address> <IP-mask> <auth-method> [<auth-options>]
hostssl <database> <user> <IP-address> <IP-mask> <auth-method> [<auth-options>]
hostnossl <database> <user> <IP-address> <IP-mask> <auth-method> [<auth-options>]
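The record rules above (comments, space/tab separation, quoted fields, the separate IP-address and IP-mask form), written as a small parser with two review checks. This is an added example, not Apache Cloudberry or PostgreSQL code. The function names, the sample records, and the choice to flag the PostgreSQL trust method and match-all addresses are assumptions of this example.

```python
import ipaddress

def split_fields(line):
    """'#' starts a comment; spaces/tabs separate fields; quotes keep white space."""
    fields, cur, in_quote, started = [], "", False, False
    for ch in line:
        if ch == '"':
            in_quote, started = not in_quote, True
        elif ch == "#" and not in_quote:
            break
        elif ch in " \t" and not in_quote:  # a separator ends the current field
            fields, cur, started = fields + ([cur] if started else []), "", False
        else:
            cur, started = cur + ch, True
    return fields + [cur] if started else fields

def parse_record(line):
    """Return a dict for one record, or None for a blank/comment-only line."""
    f = split_fields(line)
    if not f:
        return None
    if f[0] not in ("local", "host", "hostssl", "hostnossl"):
        raise ValueError(f"unknown record type: {f[0]}")
    rec, rest = {"type": f[0], "database": f[1], "user": f[2], "address": None}, f[3:]
    if f[0] != "local":
        try:  # <IP-address> <IP-mask> form (IPv4 masks only in this example)
            net = ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False)
            rec["address"], rest = str(net), rest[2:]
        except ValueError:  # single <address> field: CIDR, host name or keyword
            rec["address"], rest = rest[0], rest[1:]
    return {**rec, "method": rest[0], "options": rest[1:]}

def audit(text):
    """Return (line number, message) for network records worth reviewing."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_record(line)
        if rec and rec["type"] != "local" and rec["method"] == "trust":
            findings.append((n, "trust: client is not asked to authenticate"))
        if rec and rec["address"] in ("0.0.0.0/0", "::/0", "all"):
            findings.append((n, "address matches every client"))
    return findings

SAMPLE = """\
local   all        gpadmin                        peer
host    all        gpadmin  127.0.0.1/32          trust   # constructed sample
hostssl "sales db" analyst  10.1.0.0 255.255.0.0  scram-sha-256
host    all        all      0.0.0.0/0             md5
"""
```

Calling audit(SAMPLE) reports lines 2 and 4 of the constructed sample; running it against a copy of the coordinator's pg_hba.conf gives the same kind of review list.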