openGauss Configuration File Reference

Table 1 Parameter description

Each record has the columns Parameter, Description and Value Range:

local
  Description: This record accepts only Unix-domain-socket connections. If no record of this type exists, Unix-domain-socket connections are not allowed.
  Value Range: N/A

host
  Description: This record accepts either a plain TCP/IP-socket connection or a TCP/IP-socket connection encrypted with SSL.
  Value Range: N/A

hostssl
  Description: This record accepts only a TCP/IP-socket connection encrypted with SSL. For an SSL-encrypted connection, you need to apply for a digital certificate and configure the related parameters. For details, see Establishing Secure TCP/IP Connections in SSL Mode.

hostnossl
  Description: This record accepts only a plain (unencrypted) TCP/IP-socket connection.
  Value Range: N/A

DATABASE
  Description: The databases that this record matches and grants access to.
  Value Range:
    all: this record matches all databases.
    sameuser: the database must have the same name as the user requesting access.
    samerole: this record matches a database if the requesting user is a member of a role with the same name as the database.
    samegroup: the same as samerole; this record matches a database if the requesting user is a member of a role with the same name as the database.
    A file containing database names, with an at sign (@) added before the file name; databases in the file are separated by commas (,) or line feeds.
    A specific database name, or a list of databases separated by commas (,).
    NOTE: replication means that the record matches a requested replication link. It does not match any specific database; to match a database actually named replication, specify it in the database column.

USER
  Description: The users that this record matches and allows to access databases.
  Value Range:
    all: this record matches all users.
    +role: this record matches all members that directly or indirectly belong to the role. NOTE: + is a prefix character.
    A file containing usernames, with an at sign (@) added before the file name; users in the file are separated by commas (,) or line feeds.
    A specific database username, or a list of users separated by commas (,).

ADDRESS
  Description: The range of client IP addresses that this record matches and allows to connect.
  Value Range: IPv4 and IPv6 addresses are supported. The IP address range can be expressed in the following two formats:

METHOD
  Description: The authentication method used for the connection.
  Value Range: The authentication modes listed in Table 2.

Table 2 Authentication modes

Each entry gives the Authentication Mode and its Description:

trust: In trust mode, only a connection initiated from the local server using gsql without the -U parameter is trusted. In this case, no password is required.

reject: Rejects connections unconditionally. This mode is usually used to filter out certain hosts.

md5: The client must provide an MD5-hashed password for authentication.

sha256: The client must provide a SHA-256-hashed password for authentication. In transit, the password is protected by a one-way SHA-256 computation over a salt (a random number sent from the server to the client), which improves security.

sm3: The client must provide an SM3-hashed password for authentication. The password is hashed with a salt (a random number sent from the server to the client) to improve security.

cert: A client certificate is used for authentication. In this mode, an SSL connection must be configured and the client must present a valid SSL certificate. No user password is required.

gss: Uses GSSAPI-based Kerberos authentication.

peer: Obtains the username of the OS account the client runs under and checks whether it matches the initial database user. In this mode, only the initial database user can connect, and only in local mode. You can configure pg_ident.conf to map the OS user to the initial database user.
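As an added example (not part of the openGauss documentation), the following Python linter parses pg_hba.conf-style records using the record types, columns and authentication modes from Tables 1 and 2 and flags records a reviewer would want to look at; the sample configuration and the finding texts are constructed.

```python
# Added example, not from the openGauss documentation: a linter for pg_hba.conf-style
# records using the record types, columns and authentication modes of Tables 1 and 2.
HOST_TYPES = {"host", "hostssl", "hostnossl"}
METHODS = {"trust", "reject", "md5", "sha256", "sm3", "cert", "gss", "peer"}

def parse_record(line):
    """Parse one record; None for blank/comment lines. 'local' has no ADDRESS column."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    if fields[0] == "local" and len(fields) == 4:
        rtype, database, user, method = fields
        address = None
    elif fields[0] in HOST_TYPES and len(fields) == 5:
        rtype, database, user, address, method = fields
    else:
        raise ValueError(f"malformed record: {line!r}")
    if method not in METHODS:
        raise ValueError(f"unknown METHOD {method!r}: {line!r}")
    return {"type": rtype, "database": database, "user": user,
            "address": address, "method": method}

def lint_record(rec):
    """Return findings for one parsed record (empty list = no concern)."""
    findings = []
    if rec["method"] == "trust" and rec["type"] != "local":
        findings.append("trust over TCP/IP: no password is required")
    if rec["method"] == "md5":
        findings.append("md5: prefer the salted sha256 or sm3 modes (Table 2)")
    if rec["method"] == "cert" and rec["type"] != "hostssl":
        findings.append("cert needs an SSL connection: use hostssl")
    if rec["address"] in {"0.0.0.0/0", "::/0"} and rec["user"] == "all":
        findings.append("all users accepted from any address")
    return findings

def lint_config(text):
    """Lint a whole pg_hba.conf text; returns {line_number: [findings]}."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_record(line)
        if rec and (found := lint_record(rec)):
            report[n] = found
    return report
# Constructed sample: the second and fourth records should be reported.
SAMPLE = """\
local   all         all                          trust
host    all         all          0.0.0.0/0       trust
hostssl sameuser    +ops         10.0.0.0/8      sha256
host    replication @repl_users  10.0.1.0/24     md5
hostssl all         all          192.168.1.0/24  cert
"""
```

Running lint_config(SAMPLE) reports line 2 (trust over TCP/IP from any address) and line 4 (md5), while the local trust, sha256 and hostssl cert records pass.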