PostgreSQL Chinese Operations Guide

21.2. User Name Maps

When using an external authentication system such as Ident or GSSAPI, the name of the operating system user that initiated the connection might not be the same as the database user (role) that is to be used. In this case, a user name map can be applied to map the operating system user name to a database user. To use user name mapping, specify map=map-name in the options field in pg_hba.conf. This option is supported for all authentication methods that receive external user names. Since different mappings might be needed for different connections, the name of the map to be used is specified in the map-name parameter in pg_hba.conf to indicate which map to use for each individual connection.

User name maps are defined in the ident map file, which by default is named pg_ident.conf and is stored in the cluster's data directory. (It is possible to place the map file elsewhere, however; see the ident_file configuration parameter.) The ident map file contains lines of the general forms:

map-name system-username database-username
include file
include_if_exists file
include_dir directory

Comments, whitespace and line continuations are handled in the same way as in pg_hba.conf. The map-name is an arbitrary name that will be used to refer to this mapping in pg_hba.conf. The other two fields specify an operating system user name and a matching database user name. The same map-name can be used repeatedly to specify multiple user-mappings within a single map.

As for pg_hba.conf, the lines in this file can be include directives, following the same rules.

There is no restriction regarding how many database users a given operating system user can correspond to, nor vice versa. Thus, entries in a map should be thought of as meaning "this operating system user is allowed to connect as this database user", rather than implying that they are equivalent. The connection will be allowed if there is any map entry that pairs the user name obtained from the external authentication system with the database user name that the user has requested to connect as. The value all can be used as the database-username to specify that if the system-username matches, then this user is allowed to log in as any of the existing database users. Quoting all makes the keyword lose its special meaning.

If the database-username begins with a + character, then the operating system user can log in as any user belonging to that role, similarly to how user names beginning with + are treated in pg_hba.conf. Thus, a + mark means "match any of the roles that are directly or indirectly members of this role", while a name without a + mark matches only that specific role. Quoting a username starting with a + makes the + lose its special meaning.

If the system-username field starts with a slash (/), the remainder of the field is treated as a regular expression. (See Section 9.7.3.1 for details of PostgreSQL's regular expression syntax.) The regular expression can include a single capture, or parenthesized subexpression, which can then be referenced in the database-username field as \1 (backslash-one). This allows the mapping of multiple user names in a single line, which is particularly useful for simple syntax substitutions. For example, these entries

mymap   /^(.*)@mydomain\.com$      \1
mymap   /^(.*)@otherdomain\.com$   guest

will remove the domain part for users with system user names that end with @mydomain.com, and allow any user whose system name ends with @otherdomain.com to log in as guest. Quoting a database-username containing \1 does not make \1 lose its special meaning.

If the database-username field starts with a slash (/), the remainder of the field is treated as a regular expression (see Section 9.7.3.1 for details of PostgreSQL's regular expression syntax). A capture from the system-username regular expression cannot be referenced as \1 inside a database-username regular expression.

Tip

Keep in mind that by default, a regular expression can match just part of a string. It's usually wise to use ^ and $, as shown in the above example, to force the match to be to the entire system user name.

The pg_ident.conf file is read on start-up and when the main server process receives a SIGHUP signal. If you edit the file on an active system, you will need to signal the postmaster (using pg_ctl reload, calling the SQL function pg_reload_conf(), or using kill -HUP) to make it re-read the file.

The system view pg_ident_file_mappings can be helpful for pre-testing changes to the pg_ident.conf file, or for diagnosing problems if loading of the file did not have the desired effects. Rows in the view with non-null error fields indicate problems in the corresponding lines of the file.

A pg_ident.conf file that could be used in conjunction with the pg_hba.conf file in Example 21.1 is shown in Example 21.2. In this example, anyone logged in to a machine on the 192.168 network that does not have the operating system user name bryanh, ann, or robert would not be granted access. Unix user robert would only be allowed access when he tries to connect as PostgreSQL user bob, not as robert or anyone else. ann would only be allowed to connect as ann. User bryanh would be allowed to connect as either bryanh or as guest1.

Example 21.2. An Example pg_ident.conf File

# MAPNAME       SYSTEM-USERNAME         PG-USERNAME

omicron         bryanh                  bryanh
omicron         ann                     ann
# bob has user name robert on these machines
omicron         robert                  bob
# bryanh can also connect as guest1
omicron         bryanh                  guest1
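The matching rules described in this section (literal entries, the all keyword, +role membership, quoting, regular-expression system-usernames with a \1 capture, regular-expression database-usernames, and the Tip about anchoring with ^ and $) can be checked offline before a reload. The following is an added example, not PostgreSQL's own code: a small evaluator that parses map lines and answers "may this system user connect as this database user under this map?". It assumes that Python's re module behaves like PostgreSQL's regular-expression engine for patterns as simple as these, that the role itself counts as a member for +role, and it uses a constructed sample file (Example 21.2 above, the two mymap lines from the text, plus extras, sloppy and broken maps invented here) and a constructed role-membership table in place of pg_auth_members. Include directives are not handled.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: Example 21.2, the two regex lines from the text, plus
# 'extras', 'sloppy' and 'broken' maps added here to exercise all, +role,
# quoting, an unanchored regex and a \1 that has no capture group to refer to.
SAMPLE_PG_IDENT = r"""
# MAPNAME       SYSTEM-USERNAME          PG-USERNAME
omicron         bryanh                   bryanh
omicron         ann                      ann
# bob has user name robert on these machines
omicron         robert                   bob
# bryanh can also connect as guest1
omicron         bryanh                   guest1
mymap           /^(.*)@mydomain\.com$    \1
mymap           /^(.*)@otherdomain\.com$ guest
extras          dba                      all
extras          ops                      +analysts
extras          "literal"                "all"
sloppy          /@mydomain\.com          guest
broken          /^nogroup$               \1
"""

# Constructed membership: etl is a member of reporting, which is a member of
# analysts, so etl is an indirect member of analysts.
ROLE_MEMBERS: Dict[str, Set[str]] = {"analysts": {"reporting"}, "reporting": {"etl"}}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # a double-quoted token or a bare token


@dataclass
class IdentEntry:
    """One map line; 'error' plays the role of pg_ident_file_mappings.error."""
    line_number: int
    map_name: str
    sys_name: str
    pg_username: str
    pg_quoted: bool            # quoting removes the special meaning of all / +role
    error: Optional[str] = None


def parse_pg_ident(text: str) -> List[IdentEntry]:
    """Parse map lines, honouring comments and double quotes; include* is not handled."""
    entries: List[IdentEntry] = []
    for line_number, raw in enumerate(text.splitlines(), 1):
        tokens = []
        for m in _TOKEN.finditer(raw):
            quoted = m.group(1) is not None
            value = m.group(1) if quoted else m.group(2)
            if not quoted and value.startswith("#"):
                break                                   # comment: ignore the rest
            tokens.append((value, quoted))
        if not tokens:
            continue
        if len(tokens) != 3:
            entries.append(IdentEntry(line_number, tokens[0][0], "", "", False, "expected 3 fields"))
            continue
        (map_name, _), (sys_name, _), (pg_username, pg_quoted) = tokens
        entry = IdentEntry(line_number, map_name, sys_name, pg_username, pg_quoted)
        try:
            sys_regex = re.compile(sys_name[1:]) if sys_name.startswith("/") else None
            if pg_username.startswith("/"):
                re.compile(pg_username[1:])
            elif sys_regex and "\\1" in pg_username and sys_regex.groups == 0:
                entry.error = "\\1 used but the regular expression has no capture"
        except re.error as exc:
            entry.error = f"invalid regular expression: {exc}"
        entries.append(entry)
    return entries


def role_members(role: str, membership: Dict[str, Set[str]]) -> Set[str]:
    """Direct and indirect members of role; the role itself is included (assumption)."""
    seen, todo = {role}, [role]
    while todo:
        for member in membership.get(todo.pop(), ()):
            if member not in seen:
                seen.add(member)
                todo.append(member)
    return seen


def ident_map_allows(entries: List[IdentEntry], map_name: str, system_user: str,
                     requested_user: str, membership: Optional[Dict[str, Set[str]]] = None) -> bool:
    """True if any usable entry of map_name pairs system_user with requested_user."""
    membership = membership or {}
    for e in entries:
        if e.error or e.map_name != map_name:
            continue
        pg_username = e.pg_username
        if e.sys_name.startswith("/"):
            # re.search, not fullmatch: as in PostgreSQL, an unanchored pattern matches
            # any substring, which is what the Tip about ^ and $ is warning about.
            m = re.search(e.sys_name[1:], system_user)
            if not m:
                continue
            if not pg_username.startswith("/"):
                # \1 is substituted and the result compared literally; all and +role
                # are only applied to literal system-username entries below.
                if "\\1" in pg_username:
                    pg_username = pg_username.replace("\\1", m.group(1))
                if pg_username == requested_user:
                    return True
                continue
        elif e.sys_name != system_user:
            continue
        if pg_username.startswith("/"):
            if re.search(pg_username[1:], requested_user):
                return True
        elif pg_username == "all" and not e.pg_quoted:
            return True
        elif pg_username.startswith("+") and not e.pg_quoted:
            if requested_user in role_members(pg_username[1:], membership):
                return True
        elif pg_username == requested_user:
            return True
    return False


ENTRIES = parse_pg_ident(SAMPLE_PG_IDENT)

if __name__ == "__main__":
    for e in ENTRIES:
        if e.error:
            print(f"line {e.line_number}: {e.error}")
    for mp, su, du in [("omicron", "robert", "bob"), ("omicron", "robert", "robert"),
                       ("mymap", "alice@mydomain.com.example", "alice"),
                       ("sloppy", "alice@mydomain.com.example", "guest")]:
        print(f"{mp}: {su} -> {du}: {ident_map_allows(ENTRIES, mp, su, du, ROLE_MEMBERS)}")
```

Running the script lists the broken line the way the error column of pg_ident_file_mappings would, and the last two probes show the difference the Tip describes: the anchored mymap pattern rejects a system name with trailing characters after @mydomain.com, while the unanchored sloppy pattern accepts it.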