PostgreSQL Chinese Operation Guide
21.4. Trust Authentication
When trust authentication is specified, PostgreSQL assumes that anyone who can connect to the server is authorized to access the database with whatever database user name they specify (even superuser names). Of course, restrictions made in the database and user columns still apply. This method should only be used when there is adequate operating-system-level protection on connections to the server.
trust authentication is appropriate and very convenient for local connections on a single-user workstation. It is usually not appropriate by itself on a multiuser machine. However, you might be able to use trust even on a multiuser machine, if you restrict access to the server's Unix-domain socket file using file-system permissions. To do this, set the unix_socket_permissions (and possibly unix_socket_group) configuration parameters as described in Section 20.3. Or you could set the unix_socket_directories configuration parameter to place the socket file in a suitably restricted directory.
Setting file-system permissions only helps for Unix-socket connections. Local TCP/IP connections are not restricted by file-system permissions. Therefore, if you want to use file-system permissions for local security, remove the host … 127.0.0.1 … line from pg_hba.conf, or change it to a non-trust authentication method.
trust authentication is only suitable for TCP/IP connections if you trust every user on every machine that is allowed to connect to the server by the pg_hba.conf lines that specify trust. It is seldom reasonable to use trust for any TCP/IP connections other than those from localhost (127.0.0.1).
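As an added example (not part of the PostgreSQL documentation), the following Python script audits a pg_hba.conf for the three situations described above: trust on local (Unix-socket) rules, which is acceptable only when the socket file is protected by file-system permissions; trust on loopback TCP/IP rules, which those permissions do not cover; and trust on any other network address. The sample configuration embedded below is constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample pg_hba.conf for the demonstration (not a real deployment's file).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS             METHOD
local   all       all                           trust
host    all       all       127.0.0.1/32        trust
host    all       all       ::1/128             scram-sha-256
host    all       all       10.0.0.0 255.0.0.0  trust
hostssl all       all       0.0.0.0/0           md5
"""

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def parse_hba(text):
    """Yield (type, database, user, address_or_None, method) for each rule line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        ctype = fields[0]
        if ctype == "local":                  # local rules carry no ADDRESS field
            yield ctype, fields[1], fields[2], None, fields[3]
        elif ctype in HOST_TYPES:
            addr, rest = fields[3], fields[4:]
            # ADDRESS may be written as "ip netmask" in two fields; join them
            if "/" not in addr and rest and re.fullmatch(r"[\d.]+", rest[0]):
                addr, rest = f"{addr}/{rest[0]}", rest[1:]
            yield ctype, fields[1], fields[2], addr, rest[0]

def audit_trust(text):
    """Return (severity, description) for every rule that uses the trust method."""
    findings = []
    for ctype, db, user, addr, method in parse_hba(text):
        if method != "trust":
            continue
        if ctype == "local":
            findings.append(("warn", f"local {db} {user}: trust relies on socket file permissions"))
            continue
        try:
            loopback = ipaddress.ip_network(addr, strict=False).is_loopback
        except ValueError:                    # hostname or keyword such as all/samenet
            loopback = False
        if loopback:
            findings.append(("warn", f"{ctype} {addr}: trust over local TCP/IP is not covered by socket permissions"))
        else:
            findings.append(("high", f"{ctype} {addr}: trust over the network"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_trust(SAMPLE_HBA):
        print(severity, message)
```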