Postgres not allowing localhost but works with 127.0.0.1


Problem description

Postgres not accepting connection if I say -h localhost but it works if I say -h 127.0.0.1

[root@5d9ca0effd7f opensips]# psql -U postgres -h localhost -W
Password for user postgres:
psql: FATAL:  Ident authentication failed for user "postgres"
[root@5d9ca0effd7f opensips]# psql -U postgres -h 127.0.0.1 -W
Password for user postgres:
psql (8.4.20)
Type "help" for help.

postgres=#

My /var/lib/pgsql/data/pg_hba.conf:

# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD

# "local" is for Unix domain socket connections only
local   all         all                              trust
local   all         all                              ident
# IPv4 local connections:
host    all         all         127.0.0.1/32          trust
host    all         all         127.0.0.1/32          ident
# IPv6 local connections:
host    all         all         ::1/128               ident

If I add the following lines, the Postgres service fails to start:

host    all         all        localhost             ident
host    all         all        localhost             trust

What is wrong there?

My /etc/hosts file:

[root@5d9ca0effd7f opensips]# cat /etc/hosts
172.17.0.2      5d9ca0effd7f
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Recommended answer

In pg_hba.conf, the first match counts. The manual:

The first record with a matching connection type, client address, requested database, and user name is used to perform authentication. There is no "fall-through" or "backup": if one record is chosen and the authentication fails, subsequent records are not considered. If no record matches, access is denied.

Note the reversed order:

host    all         all         127.0.0.1/32          trust
host    all         all         127.0.0.1/32          ident

But:

host    all         all        localhost             ident
host    all         all        localhost             trust

Remember to reload after saving changes to pg_hba.conf. (Restart is not necessary.) The manual:

The pg_hba.conf file is read on start-up and when the main server process receives a SIGHUP signal. If you edit the file on an active system, you will need to signal the postmaster (using pg_ctl reload, calling the SQL function pg_reload_conf(), or using kill -HUP) to make it re-read the file.

If you really "add" the lines like you wrote, there should not be any effect at all. But if you replace the lines, there is.

In the first case, you get trust authentication method, which is an open-door policy. The manual:

PostgreSQL assumes that anyone who can connect to the server is authorized to access the database with whatever database user name they specify (even superuser names)

But in the second case you get the ident authentication method, which has to be set up properly to work.

Plus, as Cas pointed out later, localhost covers both IPv4 and IPv6, while 127.0.0.1/32 only applies to IPv4.

If you are actually using the outdated version 8.4, go to the old manual for 8.4. You are aware that 8.4 has reached EOL in 2014 and is not supported any more? Consider upgrading to a current version.

In Postgres 9.1 or later you would rather use peer than ident.
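
The first-match rule quoted from the manual, applied to the pg_hba.conf in the question, as an added example (not code from the original post or from PostgreSQL). It parses only the columns this file uses, its function names are illustrative, and it assumes that `-h localhost` reached the server over ::1, as the /etc/hosts entry in the question allows.

```python
import ipaddress

# pg_hba.conf records from the question above (comment lines dropped).
HBA = """\
local   all  all                  trust
local   all  all                  ident
host    all  all  127.0.0.1/32    trust
host    all  all  127.0.0.1/32    ident
host    all  all  ::1/128         ident
"""

def parse(text):
    """Return (lineno, type, database, user, network-or-None, method) per record."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":            # Unix-domain socket: no address column
            records.append((n, f[0], f[1], f[2], None, f[3]))
        else:
            records.append((n, f[0], f[1], f[2], ipaddress.ip_network(f[3]), f[4]))
    return records

def first_match(records, conn_type, client=None):
    """First-match lookup. Database and user are 'all' in this file, so only type and address decide."""
    addr = ipaddress.ip_address(client) if client else None
    for rec in records:
        n, typ, _db, _user, net, method = rec
        if typ != conn_type:
            continue
        if net is None or (addr.version == net.version and addr in net):
            return n, method           # no fall-through to later records
    return None                        # no record matches: access denied

def audit(records):
    """Flag trust records and records shadowed by an earlier identical selector."""
    seen, findings = {}, []
    for n, typ, db, user, net, method in records:
        key = (typ, db, user, net)
        if key in seen:
            findings.append((n, f"unreachable: shadowed by line {seen[key]}"))
        else:
            seen[key] = n
            if method == "trust":
                findings.append((n, "trust: no authentication performed"))
    return findings
```

A connection from 127.0.0.1 stops at the trust record, one from ::1 stops at the ident record, and the second `local` and second `127.0.0.1/32` records are never consulted.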
