Updated on 2025-09-05 GMT+08:00

Adding a Client Authentication Configuration

Scenarios

When a host needs to connect to a database remotely, its information must be added to the database system's configuration file, along with client authentication rules. To simplify the process, GaussDB automatically includes the following default rules in the client authentication configuration file when an instance is created:
  • Default configurations for a centralized instance (assuming that the subnet CIDR block of the instance is 192.168.0.0/16)
    TYPE   DATABASE        USER    ADDRESS           METHOD
    host    all            all     0:0:0:0/0         sha256
    host    all            all     192.168.0.0/16    sha256
    host    replication    all     192.168.0.0/16    sha256
    host    replication    all     0:0:0:0/0         sha256
    
    • The first record allows all users from any IPv4 client to access all databases using the SHA-256 authentication method.
    • The second record allows all users from IPv4 clients within the current instance's subnet to access all databases using SHA-256.
    • The third record allows all users from IPv4 clients within the current instance's subnet to request a replication connection using SHA-256.
    • The fourth record allows all users from any IPv4 client to request a replication connection using SHA-256.
  • Default configurations for a distributed instance
    This record allows all users from any IPv4 client to access all databases using the SHA-256 authentication method.
    TYPE   DATABASE        USER    ADDRESS           METHOD
    host    all            all     0:0:0:0/0         sha256
    

In most cases, the default configurations are sufficient for typical remote connection requirements. However, if you require more granular control over client access or the existing authentication settings do not meet your operational requirements, GaussDB allows you to add custom client authentication configurations on the management console. This section describes how to add client authentication configurations on the console.

Constraints

  • Client authentication can only be configured for an instance when all its nodes are in the available state.
  • In cross-region disaster recovery scenarios, the client authentication configurations added to the primary instance will not be automatically synchronized to the DR instance.
  • Instances of V2.0-8.1.0 or later support IPv6 addresses. For details about how to view the instance version, see Checking the DB Engine Version.
  • For centralized instances, configuration changes are synchronized across all nodes. For distributed instances, changes are synchronized across all CN components.
  • When an external client uses the M-compatible protocol to remotely connect to an M-compatible database, only the SHA-256 authentication method is supported.
  • Added authentication configurations apply only to newly created sessions; existing sessions keep the rules that were in effect when they connected.
  • A maximum of 10 authentication rules can be added in a single batch operation.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select a region and project.
  3. Click in the upper left corner of the page and choose Databases > GaussDB.
  4. On the Instances page, click the name of the target instance to go to the Basic Information page.
  5. In the navigation pane, choose Database Management > Client Authentication.
  6. On the Authentication Configurations tab, click Batch Add.

    Figure 1 Adding a client authentication configuration

  7. Configure authentication rules and click OK.

    Figure 2 Configuring access authentication rules

    Table 1 Parameter description

    Parameter

    Description

    Type

    Client connection type.

    • host: The DB instance accepts both standard TCP/IP socket connections and SSL-encrypted TCP/IP socket connections.
    • hostssl: The DB instance only accepts SSL-encrypted TCP/IP socket connections.
    • hostnossl: The DB instance only accepts standard TCP/IP socket connections.

    Database

    Databases that can be accessed.

    • all: The rule matches all databases.
    • A specific database name or a list of databases
      NOTE:
      • The value replication matches requests for replication connections, which are not associated with any specific database. If you intend to access a database named replication, you must explicitly specify "replication" as the database name in the Database column.

    User

    Users who are allowed to access the databases.

    • all: The record matches all users.
    • A specific database username or a list of users

    Address

    Allowed IP address range.

    • Currently, only the IP address/mask length format is supported.
    • For instances with a DB engine version of V2.0-8.1.0 or later, IPv6 addresses are also supported in the Address column.

    Method

    Authentication method used for connection.

    • reject: A connection is rejected unconditionally. It is commonly used to block certain hosts.
    • md5: MD5 is used for authentication. This method is considered insecure and is not recommended. It is disabled by default. To enable it, modify the password_encryption_type parameter. For details about how to modify the parameter, see Modifying Instance Parameters.
    • sha256: The client is required to provide a password encrypted using the SHA-256 algorithm. During transmission, the password is combined with a salt (a server-provided random number) and processed using a one-way SHA-256 hash, enhancing security.
    • sm3: The client is required to provide a password encrypted using the SM3 algorithm. During transmission, the password is combined with a salt (a server-provided random number) and processed using a one-way SM3 hash, enhancing security.
    • cert: A client certificate is used for authentication. This method requires SSL configuration and a valid client SSL certificate. No password is required. The cert authentication method only supports rules with the hostssl client connection type.

  8. After the configurations are added, check the added configuration information in the list.
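The following Python evaluator is an added example, not GaussDB's own code or part of this documentation. It parses rule lines in the five-column format shown above (the default centralized rule set is copied from this page; the second rule set is constructed) and reports which authentication method applies to a given connection, so you can check a planned rule set before adding it on the console. It assumes, as in PostgreSQL-style pg_hba.conf, that the first matching rule decides and that the keyword all does not match replication requests; it also maps the page's IPv4 wildcard spelling 0:0:0:0/0 to 0.0.0.0/0 because the standard library does not accept that form. The AuthRule and Connection names are the example's own.

```python
"""Evaluate GaussDB-style client authentication rules (added example, not product code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

VALID_TYPES = {"host", "hostssl", "hostnossl"}
VALID_METHODS = {"reject", "md5", "sha256", "sm3", "cert"}


@dataclass(frozen=True)
class AuthRule:          # hypothetical name, mirrors the console's Table 1 columns
    conn_type: str       # host | hostssl | hostnossl
    database: str        # all | replication | "replication" | name[,name...]
    user: str            # all | name[,name...]
    address: str         # IP address/mask length (IPv4 or IPv6)
    method: str          # reject | md5 | sha256 | sm3 | cert


@dataclass(frozen=True)
class Connection:        # hypothetical name: what a client presents at connect time
    address: str
    user: str
    database: str = ""   # ignored when replication is True
    ssl: bool = False
    replication: bool = False


def _network(address: str) -> ipaddress._BaseNetwork:
    # The page writes the "any IPv4 client" wildcard as 0:0:0:0/0; ipaddress
    # rejects that spelling, so map it explicitly (assumption, see lead-in).
    if address == "0:0:0:0/0":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(address, strict=False)


def parse_rules(text: str) -> List[AuthRule]:
    """Parse rule lines; enforce the page's constraint that cert needs hostssl."""
    rules: List[AuthRule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.upper().startswith("TYPE"):
            continue  # blank line, comment, or the column header
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"malformed rule: {line!r}")
        rule = AuthRule(*fields)
        if rule.conn_type not in VALID_TYPES:
            raise ValueError(f"unknown connection type: {rule.conn_type}")
        if rule.method not in VALID_METHODS:
            raise ValueError(f"unknown method: {rule.method}")
        if rule.method == "cert" and rule.conn_type != "hostssl":
            raise ValueError("cert is only valid with the hostssl connection type")
        _network(rule.address)  # fail early on a bad address/mask
        rules.append(rule)
    return rules


def _type_matches(rule: AuthRule, conn: Connection) -> bool:
    return {"host": True, "hostssl": conn.ssl, "hostnossl": not conn.ssl}[rule.conn_type]


def _database_matches(rule: AuthRule, conn: Connection) -> bool:
    names = rule.database.split(",")
    if conn.replication:
        # Only the bare keyword matches replication requests (assumption: 'all' does not).
        return "replication" in names
    # The quoted form "replication" names an ordinary database, as the page notes.
    plain = [n.strip('"') for n in names if n != "replication"]
    return "all" in names or conn.database in plain


def _user_matches(rule: AuthRule, conn: Connection) -> bool:
    names = rule.user.split(",")
    return "all" in names or conn.user in names


def resolve_method(rules: List[AuthRule], conn: Connection) -> Optional[str]:
    """Method of the first matching rule, or None when no rule matches (no access)."""
    client = ipaddress.ip_address(conn.address)
    for rule in rules:
        if (_type_matches(rule, conn) and _database_matches(rule, conn)
                and _user_matches(rule, conn) and client in _network(rule.address)):
            return rule.method
    return None


# Default rules for a centralized instance, copied from this page.
DEFAULT_CENTRALIZED_RULES = """
TYPE   DATABASE        USER    ADDRESS           METHOD
host    all            all     0:0:0:0/0         sha256
host    all            all     192.168.0.0/16    sha256
host    replication    all     192.168.0.0/16    sha256
host    replication    all     0:0:0:0/0         sha256
"""

# Constructed, tighter rule set: certificates over SSL for the instance subnet,
# an explicit block for one range, and password auth for everything else.
CUSTOM_RULES = """
hostssl  all  all  192.168.0.0/16  cert
host     all  all  10.0.0.0/8      reject
host     all  all  0:0:0:0/0       sha256
host     all  all  2001:db8::/32   sha256
"""

if __name__ == "__main__":
    custom = parse_rules(CUSTOM_RULES)
    for conn in (Connection("192.168.1.1", "alice", "mydb", ssl=True),
                 Connection("192.168.1.1", "alice", "mydb", ssl=False),
                 Connection("10.2.3.4", "alice", "mydb")):
        print(conn, "->", resolve_method(custom, conn))
```

Note the second custom case: a client in 192.168.0.0/16 that does not use SSL skips the hostssl rule and falls through to the 0:0:0:0/0 password rule, so a rule set that is meant to require certificates must either not end with a catch-all or place a hostnossl reject rule ahead of it.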