Modifying a Client Authentication Configuration

Scenarios

You can modify a client authentication configuration record based on your application requirements. After the modification, existing sessions that have already been authenticated using the original configuration remain unaffected and continue to function. New sessions, however, will fail to connect if they do not meet the updated authentication requirements. Ensure that the modified configuration aligns with your application requirements.

Constraints

• Client authentication configurations can only be modified for an instance when all its nodes are in the available state.
• In a cross-region disaster recovery scenario, modifying a client authentication configuration on the primary instance is not automatically synchronized to the DR instance. If you also need to modify the same configuration on the DR instance, manually modify it on the DR instance.
• Instances of V2.0-8.1.0 or later support IPv6 addresses. For details about how to view the instance version, see Checking the DB Engine Version.
• For centralized instances, configuration changes are synchronized across all nodes. For distributed instances, changes are synchronized across all CN components.
• When an external client uses the M-compatible protocol to remotely connect to an M-compatible database, only the SHA-256 authentication method is supported.
• Modified authentication configurations are only applied for newly created sessions.

Procedure

1. Log in to the management console.
2. Click in the upper left corner and select a region and project.
3. Click in the upper left corner of the page and choose Databases > GaussDB.
4. On the Instances page, click the name of the target instance to go to the Basic Information page.
5. In the navigation pane, choose Database Management > Client Authentication.
6. On the Authentication Configurations tab, locate the target configuration and click Modify in the Operation column.
   Figure 1 Modifying a client authentication configuration
   

7. After a record is modified, click Save in the Operation column.
   Figure 2 Modifying a client authentication configuration
   

   Table 1 Parameter description

   Parameter	Description
   Type	Client connection type. host: The DB instance accepts both standard TCP/IP socket connections and SSL-encrypted TCP/IP socket connections. hostssl: The DB instance only accepts SSL-encrypted TCP/IP socket connections. hostnossl: The DB instance only accepts standard TCP/IP socket connections.
   Database	Databases that can be accessed. all: The rule matches all databases. A specific database name or a list of databases NOTE: The value replication matches requests for replication connections, which are not associated with any specific database. If you intend to access a database named replication, you must explicitly specify "replication" as the database name in the Database column.
   User	Users who are allowed to access the databases. all: The record matches all users. A specific database username or a list of users
   Address	Allowed IP address range. Currently, only the IP address/mask length format is supported. For instances with a DB engine version of V2.0-8.1.0 or later, IPv6 addresses are also supported in the Address column.
   Method	Authentication method used for connection. reject: A connection is rejected unconditionally. It is commonly used to block certain hosts. md5: MD5 is used for authentication. This method is considered insecure and is not recommended. It is disabled by default. To enable it, modify the password_encryption_type parameter. For details about how to modify the parameter, see Modifying Instance Parameters. sha256: The client is required to provide a password encrypted using the SHA-256 algorithm. During transmission, the password is combined with a salt (a server-provided random number) and processed using a one-way SHA-256 hash, enhancing security. sm3: The client is required to provide a password encrypted using the SM3 algorithm. During transmission, the password is combined with a salt (a server-provided random number) and processed using a one-way SM3 hash, enhancing security. cert: A client certificate is used for authentication. This method requires SSL configuration and a valid client SSL certificate. No password is required. The cert authentication method only supports rules with the hostssl client connection type.

8. After the modification is saved, check the updated configuration information in the list.