YugabyteDB host-based authentication for YSQL manages access control for localhost, remote hosts, and clients. Using host-based authentication, you can define rules for access to localhost and remote clients based on IP addresses, authentication methods, and use of TLS (aka SSL) certificates.
The default YugabyteDB
listen_addresses setting only accepts connections from
localhost. To allow remote connections, you must add client authentication records to the YB-TServer --ysql_hba_conf_csv configuration flag. The flag works similarly to the
pg_hba.conf file in PostgreSQL. The values include records that specify allowed connection types, users, client IP addresses, and authentication methods. These records are stored in the autogenerated YugabyteDB ysql_hba.conf file.
When a connection request is received, YugabyteDB does the following:
- Searches the
ysql_hba.confrecords serially until the first record with a matching connection type, client address, requested database, and
- Authenticates based on the matching record.
- If the information provided in the connection request matches the expected content, allows access. If authentication fails, then subsequent records are not evaluated and access is denied.
--ysql_hba_conf_csv flag is read on start-up of your cluster. If you edit the file on an active cluster, you need to restart your
yb-tserver processes for changes to take effect.
--ysql_hba_conf_csvshould be applied to all
yb-tserverservers in a rolling upgrade and restart, making sure that all YB-TServers are not stopped at the same time.
The system view
pg_hba_file_rules can be helpful for pre-testing changes to the
--ysql_hba_conf_csv flag, or for diagnosing problems if the flag did not have the desired effects. Rows in the view with non-null error fields indicate problems in the corresponding lines of the file.
TipTo connect to a particular database, a user must not only pass the
--ysql_hba_conf_csvchecks, but must have the
CONNECTprivilege for the database. To restrict which users can connect to which databases, granting or revoking the
CONNECTprivilege is typically easier than putting the rules in
--ysql_hba_conf_csventries. Refer to the
Records in the YugabyteDB
ysql_hba.conf file are autogenerated based on the values included in the
--ysql_hba_conf_csv flag. For example, starting a YB-TServer with the following
--ysql_hba_conf_csv flag will enable MD5 authorization for all users except
yugabyte, which can use trust when connecting from localhost:
--ysql_hba_conf_csv="host all yugabyte 127.0.0.1/0 trust, host all all 0.0.0.0/0 md5, host all yugabyte ::1/128 trust, host all all ::0/0 md5"
To display the values in the
ysql_hba.conf file, run the following
SHOW statement to get the file location:
yugabyte=# SHOW hba_file;
hba_file ------------------------------------------------------------------- /Users/yugabyte/yugabyte-data/node-1/disk-1/pg_data/ysql_hba.conf (1 row)
and then view the file. Because the file is autogenerated, edits are overwritten by the autogenerated content. Here is an example.
# This is an autogenerated file, do not edit manually! host all yugabyte 127.0.0.1/0 trust host all yugabyte ::1/128 trust /Users/yugabyte/yugabyte-data/node-1/disk-1/pg_data/ysql_hba.conf (END)
ysql_hba.conf records are examined sequentially for each connection attempt, the order of the records is significant. Typically, earlier records have tight connection match parameters and weaker authentication methods, while later records have looser match parameters and stronger authentication methods. For example, you might want to use trust authentication for local TCP/IP connections, but require a password for remote TCP/IP connections. In this case, a record specifying
trust authentication for connections from
127.0.0.1 would appear before a record specifying password authentication for a wider range of allowed client IP addresses.
Each record specified in the
--ysql_hba_conf_csv flag must match one of the following record formats available for local, CIDR addresses, or IP addresses:
local database user auth-method [auth-options] host database user address auth-method [auth-options] hostssl database user address auth-method [auth-options] hostnossl database user address auth-method [auth-options] host database user IP-address netmask auth-method [auth-options] hostssl database user IP-address netmask auth-method [auth-options] hostnossl database user IP-address netmask auth-method [auth-options]
Similarly to PostgreSQL, YugabyteDB supports opening connections via the UNIX sockets when local authentication is used. However, unlike PostgreSQL, YugabyteDB requires ysqlsh, psql and other tools to provide the full path to the socket location when using the following authentication methods:
One way to obtain the path to the socket location is from the YB-TServer logs, similar to the following:
2023-09-05 13:56:20.154 UTC  LOG: listening on Unix socket "/tmp/.yb.127.0.0.1:5433/.s.PGSQL.5433"
If you use ysqlsh, use the
-h flag, and pass in the first part of the path (in the preceding example,
/tmp/.yb.127.0.0.1:5433/) as follows:
./bin/ysqlsh -h /tmp/.yb.127.0.0.1:5433
For psql, you also need specify the port number as follows:
psql -h /tmp/.yb.127.0.0.1:5433/ -p 5433
This record matches connection attempts made using TCP/IP, including localhost.
host records match either SSL or non-SSL connection attempts.
This record specifies a local or remote host that can connect to a YugabyteDB cluster using SSL.
This record only matches connection attempts made over TCP/IP that do not use SSL.
Specifies which database names this record matches. Valid values include:
all: matches all databases.
sameuser: the record matches if the requested database has the same name as the requested user.
samerole: the requested user must be a member of the role with the same name as the requested database. Superusers are not considered to be members of a role for the purposes of
sameroleunless they are explicitly members of the role, directly or indirectly, and not just by virtue of being a superuser.
replication: the record matches if a physical replication connection is requested (note that replication connections do not specify any particular database). Otherwise, this is the name of a specific PostgreSQL database.
Multiple database names can be supplied by separating them with commas. A separate file containing database names can be specified by preceding the file name with
Files included by
@ constructs are read as lists of names, which can be separated by either whitespace or commas. Comments are introduced by
#, just as in the
--ysql_hba_conf_csv flag, and nested
@ constructs are allowed. Unless the file name following
@ is an absolute path, it is taken to be relative to the directory containing the referencing file.
Specifies which database user names this record matches. Valid values include:
all matches all users. Otherwise, this is either the name of a specific database user, or a group name preceded by +. (Recall that there is no real distinction between users and groups in YugabyteDB; a
+ really means "match any of the roles that are directly or indirectly members of this role", while a name without a
+ matches only that specific role.) For this purpose, a superuser is only considered to be a member of a role if they are explicitly a member of the role, directly or indirectly, and not just by virtue of being a superuser.
Multiple user names can be supplied by separating them with commas.
A separate file containing user names can be specified by preceding the file name with
Specifies the client machine addresses that this record matches. This field can contain either a host name, an IP address range, or one of the special key words mentioned below.
An IP address range is specified using standard numeric notation for the range's starting address, then a slash (/) and a CIDR mask length. The mask length indicates the number of high-order bits of the client IP address that must match. Bits to the right of this should be zero in the given IP address. There must not be any white space between the IP address, the
/, and the CIDR mask length.
Examples of an IPv4 address range specified this way are
172.20.143.89/32 for a single host, or
172.20.143.0/24 for a small network, or
10.6.0.0/16 for a larger one.
0.0.0.0/0 represents all IPv4 addresses.
An IPv6 address range might look like
::1/128 for a single host (in this case, the IPv6 loopback address) or
fe80::7a31:c1ff:0000:0000/96 for a small network.
::0/0 represents all IPv6 addresses.
To specify a single host, use a mask length of 32 for IPv4 or 128 for IPv6. In a network address, do not omit trailing zeroes.
An entry given in IPv4 format will match only IPv4 connections, and an entry given in IPv6 format will match only IPv6 connections, even if the represented address is in the IPv4-in-IPv6 range. Entries in IPv6 format will be rejected if the system's C library does not support IPv6 addresses.
You can also use the following key words:
allmatches any IP address.
samehostmatches any of the server's own IP addresses.
samenetmatches any address in any subnet that the server is directly connected to.
If a host name is specified (anything that is not an IP address range or a special key word is treated as a host name), that name is compared with the result of a reverse name resolution of the client's IP address (for example, reverse DNS lookup, if DNS is used). Host name comparisons are case-insensitive. If there is a match, then a forward name resolution (for example, forward DNS lookup) is performed on the host name to check whether any of the addresses it resolves to are equal to the client's IP address. If both directions match, then the entry is considered to match. (The host name specified in the
--ysql_hba_conf_csv flag should be the one that address-to-name resolution of the client's IP address returns, otherwise the line won't be matched. Some host name databases allow associating an IP address with multiple host names, but the operating system will only return one host name when asked to resolve an IP address.)
A host name specification that starts with a dot (
.) matches a suffix of the actual host name. So
.example.com would match
foo.example.com (but not just
When host names are specified using the
--ysql_hba_conf_csv flag, you want the name resolution to be reasonably fast. It can be advantageous to set up a local name resolution cache, such as
nscd. Enable the configuration parameter
log_hostname to see the client's host name instead of the IP address in the log.
This field only applies to
IP-address | netmask
These two fields can be used as an alternative to the IP-address/mask-length notation. Instead of specifying the mask length, the actual mask is specified in a separate column. For example,
255.0.0.0 represents an IPv4 CIDR mask length of
255.255.255.255 represents a CIDR mask length of
When there is only one host, the netmask is
255.255.255.255, representing a single IP address. For details, see Netmask Quick Reference.
Specifies the authentication method to use when a connection matches this record.
Specify that any user from the defined host can connect to a YugabyteDB database without requiring a password. If the specified host is not secure or provides access to unknown users, this is a security risk. Even for local connections,
peer should be used instead.
Specify that the host or user should be rejected. Reject the connection unconditionally. Use this to filter out certain hosts from a group. For example, a reject line could block a specific host from connecting, while a later line allows the remaining hosts in a specific network to connect.
md5 password encryption. For more information, refer to Password authentication.
scram-sha256 password encryption. For more information, refer to Password authentication.
Specify that for a connecting user, the password supplied must match the password in the global
yb_show system table for the username. The password must be sent in clear text.
Obtain the operating system user name of the client by contacting the ident server on the client and check if it matches the requested database user name. Ident authentication can only be used on TCP/IP connections. When specified for local connections, peer authentication will be used instead.
Obtain the client's operating system user name from the operating system and check if it matches the requested database user name. This is only available for local connections.
Use LDAP for password authentication. For more information, refer to LDAP authentication.
Specify that any user requires a TLS certificate to connect. For more information, refer to Encryption in transit.
Specify that any user requires GSSAPI authentication to connect.
After the auth-method field, you can add fields in the form
name=value that specify options specific to the authentication method.
In addition to the method-specific options, there is one method-independent authentication option
clientcert, which can be specified in any
hostssl record. When set to 1, this option requires the client to present a valid (trusted) SSL certificate, in addition to the other requirements of the authentication method.
Single host entry
The following record allows a single host with the IP address
192.168.1.10 to connect to any database (
all) as any user (
all) without a password (
host all 192.168.1.10 255.255.255.255 trust
The following record allows local connections to any database as user
yugabyte without a password (
local all yugabyte trust
The following record allows SSL connections to any database as any user from any address using
md5 password authentication.
hostssl all all all md5