HBA Management
HBA rule changes require re-rendering configuration files and reloading services. This article covers HBA rule daily management operations.
Quick Reference
| Operation | Command |
|---|---|
| Refresh cluster HBA | bin/pgsql-hba <cls> |
| Refresh specific instances | bin/pgsql-hba <cls> <ip>... |
| Refresh PostgreSQL only | ./pgsql.yml -l <cls> -t pg_hba,pg_reload |
| Refresh Pgbouncer only | ./pgsql.yml -l <cls> -t pgbouncer_hba,pgbouncer_reload |
| View current HBA | psql -c "TABLE pg_hba_file_rules" |
| Verify HBA config | psql -c "SELECT pg_reload_conf()" |
Refresh HBA Rules
After modifying HBA rules in pigsty.yml, you need to re-render configuration files and reload services.
Using the Admin Script
The recommended approach is using the bin/pgsql-hba script to refresh PostgreSQL and Pgbouncer HBA in one step:
# Refresh entire cluster's HBA rules
bin/pgsql-hba pg-meta
# Refresh specific instances (multiple IPs separated by spaces)
bin/pgsql-hba pg-meta 10.10.10.10
bin/pgsql-hba pg-meta 10.10.10.11 10.10.10.12
# View script help
bin/pgsql-hba --help
The script internally executes:
./pgsql.yml -l <cluster> -t pg_hba,pg_reload,pgbouncer_hba,pgbouncer_reload
Using Ansible Playbook
Directly use the relevant tags from the pgsql.yml playbook:
# Refresh PostgreSQL HBA and reload
./pgsql.yml -l pg-meta -t pg_hba,pg_reload
# Refresh Pgbouncer HBA and reload
./pgsql.yml -l pg-meta -t pgbouncer_hba,pgbouncer_reload
# Refresh both
./pgsql.yml -l pg-meta -t pg_hba,pg_reload,pgbouncer_hba,pgbouncer_reload
# Use extra variables to force reload
./pgsql.yml -l pg-meta -e pg_reload=true -t pg_hba,pg_reload
Related Tags
| Tag | Description |
|---|---|
pg_hba | Render PostgreSQL HBA configuration file |
pg_reload | Reload PostgreSQL config (requires pg_reload=true) |
pgbouncer_hba | Render Pgbouncer HBA configuration file |
pgbouncer_reload | Reload Pgbouncer config |
Configuration File Locations
HBA configuration files are rendered by Ansible:
| Service | Config File Path | Template File |
|---|---|---|
| PostgreSQL | /pg/data/pg_hba.conf | roles/pgsql/templates/pg_hba.conf |
| Pgbouncer | /etc/pgbouncer/pgb_hba.conf | roles/pgsql/templates/pgbouncer.hba |
Warning: Don’t edit these files directly—they will be overwritten the next time a playbook runs. All changes should be made in
pigsty.yml.
Verify HBA Rules
View Currently Active HBA Rules
# Use psql to view PostgreSQL HBA rules
psql -c "TABLE pg_hba_file_rules"
# Or view the config file directly
cat /pg/data/pg_hba.conf
# View Pgbouncer HBA rules
cat /etc/pgbouncer/pgb_hba.conf
Check HBA Configuration Syntax
# PostgreSQL config reload (validates syntax)
psql -c "SELECT pg_reload_conf()"
# If there are syntax errors, check the logs
tail -f /pg/log/postgresql-*.log
Test Connection Authentication
# Test connection for specific user from specific address
psql -h <host> -p 5432 -U <user> -d <database> -c "SELECT 1"
# See which HBA rule matches the connection
psql -c "SELECT * FROM pg_hba_file_rules WHERE database @> ARRAY['<dbname>']::text[]"
Common Management Scenarios
Add New HBA Rule
- Edit
pigsty.yml, add rule to the cluster’spg_hba_rules:
pg-meta:
vars:
pg_hba_rules:
- {user: new_user, db: new_db, addr: '192.168.1.0/24', auth: pwd, title: 'new app access'}
- Execute refresh:
bin/pgsql-hba pg-meta
Emergency IP Block
When detecting a malicious IP, quickly add a blocklist rule:
- Add high-priority (
order: 0) deny rule:
pg_hba_rules:
- {user: all, db: all, addr: '10.1.1.100/32', auth: deny, order: 0, title: 'emergency block'}
- Refresh immediately:
bin/pgsql-hba pg-meta
Role-Based Rules
Configure different HBA rules for primary and replica:
pg_hba_rules:
# Only primary allows write users
- {user: writer, db: all, addr: intra, auth: pwd, role: primary, title: 'writer on primary'}
# Replicas allow read-only users
- {user: reader, db: all, addr: world, auth: ssl, role: replica, title: 'reader on replica'}
After refresh, rules are automatically enabled or disabled based on the instance’s pg_role.
Refresh HBA After Cluster Expansion
When new instances are added to the cluster, rules using addr: cluster need refresh to include new members:
# Add new instance
./pgsql.yml -l 10.10.10.14
# Refresh all instances' HBA (includes new member IPs)
bin/pgsql-hba pg-meta
Refresh HBA After Failover
After Patroni failover, instance pg_role may not match the configuration. If HBA rules use role filtering:
- Update role definitions in
pigsty.yml - Refresh HBA rules
# Refresh after updating roles in config file
bin/pgsql-hba pg-meta
Troubleshooting
Connection Rejected
Symptom: FATAL: no pg_hba.conf entry for host "x.x.x.x", user "xxx", database "xxx"
Troubleshooting steps:
- Check current HBA rules:
psql -c "TABLE pg_hba_file_rules"
Confirm if client IP, username, database matches any rule
Check rule order (first match wins)
Add corresponding rule and refresh
Authentication Failed
Symptom: FATAL: password authentication failed for user "xxx"
Troubleshooting steps:
- Confirm password is correct
- Check password encryption method (
pg_pwd_enc) compatibility with client - Check if user exists:
\duorSELECT * FROM pg_roles WHERE rolname = 'xxx'
HBA Rules Not Taking Effect
Troubleshooting steps:
- Confirm refresh command was executed
- Check if Ansible execution succeeded
- Confirm PostgreSQL reloaded:
psql -c "SELECT pg_reload_conf()"
- Check if config file was updated:
head -20 /pg/data/pg_hba.conf
Rule Order Issues
HBA uses first-match-wins logic. If rules aren’t working as expected:
- Check
ordervalues - Use
psql -c "TABLE pg_hba_file_rules"to view actual order - Adjust
ordervalues or rule positions
Online HBA Modification (Not Recommended)
While you can directly edit /pg/data/pg_hba.conf and reload, this is not recommended:
# Direct edit (not recommended)
vi /pg/data/pg_hba.conf
# Reload config
psql -c "SELECT pg_reload_conf()"
# Or
pg_ctl reload -D /pg/data
# Or
systemctl reload postgresql
Problem: Manual changes will be overwritten the next time an Ansible playbook runs.
Correct approach: Always modify in pigsty.yml, then run bin/pgsql-hba to refresh.
Pgbouncer HBA Management
Pgbouncer HBA management is similar to PostgreSQL, with some differences:
Configuration Differences
- Config file:
/etc/pgbouncer/pgb_hba.conf - Doesn’t support
db: replication - Authentication method: local connections use
peerinstead ofident
Refresh Commands
# Refresh Pgbouncer HBA only
./pgsql.yml -l pg-meta -t pgbouncer_hba,pgbouncer_reload
# Or use unified script (refreshes both PostgreSQL and Pgbouncer)
bin/pgsql-hba pg-meta
View Pgbouncer HBA
cat /etc/pgbouncer/pgb_hba.conf
Best Practices
- Always manage in config files: Don’t directly edit
pg_hba.conf—all changes throughpigsty.yml - Verify in test environment first: HBA changes can cause connection issues—verify in test environment first
- Use order to control priority: Blocklist rules use
order: 0to ensure priority matching - Refresh promptly: Refresh HBA after adding/removing instances or failover
- Principle of least privilege: Only open necessary access—avoid
addr: world+auth: trust - Monitor authentication failures: Watch for authentication failures in
pg_stat_activity - Backup configuration: Backup
pigsty.ymlbefore important changes
Command Quick Reference
# Refresh HBA (recommended)
bin/pgsql-hba <cluster>
# View PostgreSQL HBA
psql -c "TABLE pg_hba_file_rules"
cat /pg/data/pg_hba.conf
# View Pgbouncer HBA
cat /etc/pgbouncer/pgb_hba.conf
# Reload PostgreSQL config
psql -c "SELECT pg_reload_conf()"
# Test connection
psql -h <host> -U <user> -d <db> -c "SELECT 1"
# View authentication failure logs
tail -f /pg/log/postgresql-*.log | grep -i auth
Related Documentation
- HBA Configuration: HBA rule configuration syntax and parameter details
- User Management: User and role management operations
- Access Control: Role system and permission model
- Security & Compliance: PostgreSQL cluster security features
Feedback
Was this page helpful?
Thanks for the feedback! Please let us know how we can improve.
Sorry to hear that. Please let us know how we can improve.