aboutsummaryrefslogtreecommitdiffstats
path: root/modules/postgresql/templates/pg_hba.conf
blob: bfc86c12f40681eefea7e03213d26750311ef3cc (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the "Client Authentication" section in the PostgreSQL
# documentation for a complete description of this file.  A short
# synopsis follows.
#
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access.  Records take one of these forms:
#
# local      DATABASE  USER  METHOD  [OPTIONS]
# host       DATABASE  USER  CIDR-ADDRESS  METHOD  [OPTIONS]
# hostssl    DATABASE  USER  CIDR-ADDRESS  METHOD  [OPTIONS]
# hostnossl  DATABASE  USER  CIDR-ADDRESS  METHOD  [OPTIONS]
#
# (The uppercase items must be replaced by actual values.)
#
# The first field is the connection type: "local" is a Unix-domain
# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
# plain TCP/IP socket.
#
# DATABASE can be "all", "sameuser", "samerole", "replication", a
# database name, or a comma-separated list thereof.
#
# USER can be "all", a user name, a group name prefixed with "+", or a
# comma-separated list thereof.  In both the DATABASE and USER fields
# you can also write a file name prefixed with "@" to include names
# from a separate file.
#
# CIDR-ADDRESS specifies the set of hosts the record matches.  It is
# made up of an IP address and a CIDR mask that is an integer (between
# 0 and 32 (IPv4) or 128 (IPv6) inclusive) that specifies the number
# of significant bits in the mask.  Alternatively, you can write an IP
# address and netmask in separate columns to specify the set of hosts.
# Instead of a CIDR-address, you can write "samehost" to match any of
# the server's own IP addresses, or "samenet" to match any address in
# any subnet that the server is directly connected to.
#
# METHOD can be "trust", "reject", "md5", "password", "gss", "sspi",
# "krb5", "ident", "pam", "ldap", "radius" or "cert".  Note that
# "password" sends passwords in clear text; "md5" is preferred since
# it sends encrypted passwords.
#
# OPTIONS are a set of options for the authentication in the format
# NAME=VALUE.  The available options depend on the different
# authentication methods -- refer to the "Client Authentication"
# section in the documentation for a list of which options are
# available for which authentication methods.
#
# Database and user names containing spaces, commas, quotes and other
# special characters must be quoted.  Quoting one of the keywords
# "all", "sameuser", "samerole" or "replication" makes the name lose
# its special character, and just match a database or username with
# that name.
#
# This file is read on server startup and when the postmaster receives
# a SIGHUP signal.  If you edit the file on a running system, you have
# to SIGHUP the postmaster for the changes to take effect.  You can
# use "pg_ctl reload" to do that.

# Put your actual configuration here
# ----------------------------------
#
# If you want to allow non-local connections, you need to add more
# "host" records.  In that case you will also need to make PostgreSQL
# listen on a non-local interface via the listen_addresses
# configuration parameter, or via the -i or -h command line switches.

# CAUTION: Configuring the system for local "trust" authentication
# allows any local user to connect as any PostgreSQL user, including
# the database superuser.  If you do not trust all your local users,
# use another authentication method.


# TYPE  DATABASE        USER            CIDR-ADDRESS            METHOD
# This file is in mageia svn:
# $Id$

# Nanar:
# This bypass global config for specific user/base
<% 

# FIXME ip v6 is hardcoded, facter do not seems to support
# fetch it
for i in db
%>
host      <%= i %>     <%= i %>          127.0.0.1/32            md5
host      <%= i %>     <%= i %>          ::1/128                 md5
hostssl   <%= i %>     <%= i %>          <%= ipaddress %>/32     md5
hostssl   <%= i %>     <%= i %>          2a02:2178:2:7::2/128    md5
<%
end 
%>

<% 
lang = ['en']
for l in lang
%>
host      phpbb_<%= l %>     phpbb          127.0.0.1/32            md5
host      phpbb_<%= l %>     phpbb          ::1/128                 md5
hostssl   phpbb_<%= l %>     phpbb          <%= ipaddress %>/32     md5
hostssl   phpbb_<%= l %>     phpbb          2a02:2178:2:7::2/128    md5
# temporary, for the forum on friteuse vm
hostssl   phpbb_<%= l %>     phpbb             192.168.122.0/24        md5
<%
end
%>
# When creating the database ( with bin/checkstup.pl ) bugzilla need to 
# access to template1 ( https://bugzilla.mozilla.org/show_bug.cgi?id=542507 )
host      template1        bugs            127.0.0.1/32            md5
host      template1        bugs            ::1/128                 md5
hostssl   template1        bugs            212.85.158.146/32       md5
hostssl   template1        bugs            2a02:2178:2:7::2/128    md5

# Allow youri-ckeck on rabbit to access the results db
hostssl	youri_check	youri	88.190.12.224/32	md5
# Allow local access too
hostssl	youri_check	youri	212.85.158.146/32	md5
hostssl	youri_check	youri	2a02:2178:2:7::2/128	md5

# "local" is for Unix domain socket connections only
local   all             all                                     ident map=local
# IPv4 local connections:
host    all             all             127.0.0.1/32            pam
# IPv6 local connections:
host    all             all             ::1/128                 pam

hostssl all             all             0.0.0.0/0               pam
hostssl all             all             ::0/0                   pam