


postgresql

6th chunk of `doc/src/sgml/client-auth.sgml`
 users.  Otherwise, this is either the name of a specific
       database user, a regular expression (when starting with a slash
       (<literal>/</literal>)), or a group name preceded by <literal>+</literal>.
       (Recall that there is no real distinction between users and groups
       in <productname>PostgreSQL</productname>; a <literal>+</literal> mark really means
       <quote>match any of the roles that are directly or indirectly members
       of this role</quote>, while a name without a <literal>+</literal> mark matches
       only that specific role.) For this purpose, a superuser is only
       considered to be a member of a role if they are explicitly a member
       of the role, directly or indirectly, and not just by virtue of
       being a superuser.
       Multiple user names and/or regular expressions can be supplied by
       separating them with commas.
      </para>
      <para>
       If the user name starts with a slash (<literal>/</literal>), the
       remainder of the name is treated as a regular expression.
       (See <xref linkend="posix-syntax-details"/> for details of
       <productname>PostgreSQL</productname>'s regular expression syntax.)
      </para>
      <para>
       A separate file containing user names and/or regular expressions can
       be specified by preceding the file name with <literal>@</literal>.
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><replaceable>address</replaceable></term>
     <listitem>
      <para>
       Specifies the client machine address(es) that this record
       matches.  This field can contain either a host name, an IP
       address range, or one of the special key words mentioned below.
      </para>

      <para>
       An IP address range is specified using standard numeric notation
       for the range's starting address, then a slash (<literal>/</literal>)
       and a <acronym>CIDR</acronym> mask length.  The mask
       length indicates the number of high-order bits of the client
       IP address that must match.  Bits to the right of this should
       be zero in the given IP address.
       There must not be any white space between the IP address, the
       <literal>/</literal>, and the CIDR mask length.
      </para>

      <para>
       Typical examples of an IPv4 address range specified this way are
       <literal>172.20.143.89/32</literal> for a single host, or
       <literal>172.20.143.0/24</literal> for a small network, or
       <literal>10.6.0.0/16</literal> for a larger one.
       An IPv6 address range might look like <literal>::1/128</literal>
       for a single host (in this case the IPv6 loopback address) or
       <literal>fe80::7a31:c1ff:0000:0000/96</literal> for a small
       network.
       <literal>0.0.0.0/0</literal> represents all
       IPv4 addresses, and <literal>::0/0</literal> represents
       all IPv6 addresses.
       To specify a single host, use a mask length of 32 for IPv4 or
       128 for IPv6.  In a network address, do not omit trailing zeroes.
      </para>

      <para>
       An entry given in IPv4 format will match only IPv4 connections,
       and an entry given in IPv6 format will match only IPv6 connections,
       even if the represented address is in the IPv4-in-IPv6 range.
      </para>

      <para>
       You can also write <literal>all</literal> to match any IP address,
       <literal>samehost</literal> to match any of the server's own IP
       addresses, or <literal>samenet</literal> to match any address in any
       subnet that the server is directly connected to.
      </para>

      <para>
       If a host name is specified (anything that is not an IP address
       range or a special key word is treated as a host name),
       that name is compared with the result of a reverse name
       resolution of the client's IP address (e.g., reverse DNS
       lookup, if DNS is used).  Host name comparisons are case
       insensitive.  If there is a match, then

Title: Specifying Client Addresses and User Names
Summary
The address field in pg_hba.conf specifies the client machine address(es) that a record matches, and can contain a host name, an IP address range, or one of the special key words. The user field can match a specific user, a group, or a regular expression, and multiple values can be supplied by separating them with commas. A name starting with a slash is treated as a regular expression, and a separate file containing user names and/or regular expressions can be specified by preceding the file name with '@'. IP address ranges are specified in CIDR notation, and the special key words 'all', 'samehost', and 'samenet' match any IP address, any of the server's own IP addresses, and any address in a subnet the server is directly connected to, respectively.
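
The address-field rules described above, as an added Python example that is not part of the PostgreSQL documentation or source code. `audit_address` and `range_matches` are hypothetical helper names, the sample entries are constructed, and only the single-field forms this section describes are handled.

```python
import ipaddress

KEYWORDS = {"all", "samehost", "samenet"}

def audit_address(field):
    """Classify one pg_hba.conf address field; return (kind, findings)."""
    if field in KEYWORDS:
        return "keyword", (["matches any IP address"] if field == "all" else [])
    _addr, slash, masklen = field.partition("/")
    if not slash:
        # Not a range and not a key word: treated as a host name.
        return "hostname", ["compared with reverse name resolution of the client IP"]
    if not masklen.isdigit():
        return "invalid", ["CIDR mask length must be a number"]
    try:
        iface = ipaddress.ip_interface(field)
    except ValueError as exc:
        return "invalid", [str(exc)]
    findings = []
    # Bits to the right of the mask length should be zero in the given address.
    if iface.ip != iface.network.network_address:
        findings.append("bits to the right of the mask are not zero")
    if iface.network.prefixlen == 0:
        findings.append(f"matches all IPv{iface.version} addresses")
    return "range", findings

def range_matches(field, client_ip):
    """True if an address/masklen entry matches the client's IP address."""
    net = ipaddress.ip_interface(field).network
    client = ipaddress.ip_address(client_ip)
    # An IPv4 entry matches only IPv4 connections and an IPv6 entry only IPv6
    # ones, even when the client address is in the IPv4-in-IPv6 range.
    if client.version != net.version:
        return False
    return client in net

if __name__ == "__main__":
    # Constructed sample address fields, not taken from a real configuration.
    samples = ["172.20.143.89/32", "172.20.143.89/24", "0.0.0.0/0",
               "::0/0", "samenet", "db.example.com"]
    for field in samples:
        print(field, audit_address(field))
    print(range_matches("172.20.143.0/24", "::ffff:172.20.143.89"))
```

A deployment that accepts both address families needs a reviewed entry for each, since an IPv4 range says nothing about IPv6 clients.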