PostgreSQL Chinese Operation Guide
Chapter 21. Client Authentication
When a client application connects to the database server, it specifies which PostgreSQL database user name it wants to connect as, much the same way one logs into a Unix computer as a particular user. Within the SQL environment the active database user name determines access privileges to database objects — see Chapter 22 for more information. Therefore, it is essential to restrict which database users can connect.
Note
As explained in Chapter 22, PostgreSQL actually does privilege management in terms of “roles”. In this chapter, we consistently use database user to mean “role with the LOGIN privilege”.
Authentication is the process by which the database server establishes the identity of the client, and by extension determines whether the client application (or the user who runs the client application) is permitted to connect with the database user name that was requested.
PostgreSQL offers a number of different client authentication methods. The method used to authenticate a particular client connection can be selected on the basis of (client) host address, database, and user.
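The following added example (not part of the original documentation) models how the server picks an authentication method per connection: records in `pg_hba.conf` are checked in order and the first one matching connection type, database, user and client address decides the method. The sample records are constructed, and the model is simplified by assumption to `local` and `host` records with CIDR addresses (no host names, group or file references, or separate netmask column); the function names are hypothetical.

```python
import ipaddress

# Constructed sample records in pg_hba.conf syntax (not from the page).
SAMPLE_HBA = """
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       postgres                 peer
host    sales     app,etl   10.0.5.0/24    scram-sha-256
host    all       all       10.0.0.0/8     reject
host    all       all       0.0.0.0/0      trust
"""

def parse_hba(text):
    """Parse records into dicts, skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":
            fields.insert(3, None)  # local (Unix socket) records have no address
        if len(fields) < 5:
            raise ValueError(f"malformed record: {line!r}")
        rules.append(dict(zip(("conn", "db", "user", "addr", "method"), fields)))
    return rules

def _matches(field, value):
    # Assumption: only the keyword "all" or a comma-separated name list is handled.
    return field == "all" or value in field.split(",")

def select_method(rules, conn, db, user, addr=None):
    """Return the method of the first record matching the connection, else None."""
    for r in rules:
        db_ok = _matches(r["db"], db) or (r["db"] == "sameuser" and db == user)
        if r["conn"] != conn or not db_ok or not _matches(r["user"], user):
            continue
        if conn == "host" and r["addr"] != "all":
            if ipaddress.ip_address(addr) not in ipaddress.ip_network(r["addr"]):
                continue
        return r["method"]
    return None  # no record matched: the server refuses the connection

def remote_trust_rules(rules):
    """Audit check: host records granting 'trust' to a non-loopback range."""
    return [r for r in rules
            if r["conn"] == "host" and r["method"] == "trust"
            and (r["addr"] == "all" or not ipaddress.ip_network(r["addr"]).is_loopback)]
```

Because the first match wins, the `reject` record shields the `10.0.0.0/8` range from the catch-all `trust` record below it, while every other IPv4 client would be admitted without a password; `remote_trust_rules` surfaces that record for review.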
PostgreSQL database user names are logically separate from user names of the operating system in which the server runs. If all the users of a particular server also have accounts on the server’s machine, it makes sense to assign database user names that match their operating system user names. However, a server that accepts remote connections might have many database users who have no local operating system account, and in such cases there need be no connection between database user names and OS user names.