You can call the ModifyPGHbaConfig operation to modify the pg_hba.conf file of an ApsaraDB RDS for PostgreSQL instance.

ApsaraDB RDS for PostgreSQL allows you to modify the pg_hba.conf file based on your business requirements. For more information, see Introduction to the pg_hba.conf file.

You can modify the information of the Active Directory (AD) domain controller in the pg_hba.conf file of an instance. Then, you can connect the instance to a self-managed AD domain. For more information, see Connect an ApsaraDB RDS for PostgreSQL instance to a self-managed AD domain.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes ModifyPGHbaConfig

The operation that you want to perform. Set the value to ModifyPGHbaConfig.

ClientToken String No 1

This parameter is reserved. You do not need to specify this parameter.

DBInstanceId String Yes pgm-bp1lymyn1v3i****

The ID of the instance. You can call the DescribeDBInstances operation to query the IDs of instances.

OpsType String Yes add

The type of modification that you want to perform on the pg_hba.conf file. Valid values:

  • add: Add one or more AD domains. The value of the PriorityId parameter of each new AD domain must be different from the value of the PriorityId parameter of any existing AD domain.
  • delete: Delete one or more AD domains. The value of the PriorityId parameter for each deleted AD domain is also deleted from the pg_hba.conf file.
  • modify: Modify one or more AD domains. The value of the PriorityId parameter of each modified AD domain is also changed to the new value in the pg_hba.conf file.
  • update: Replace the existing configuration data in the pg_hba.conf file with the new configuration data.
HbaItem.N.Type String Yes host

The type of connection that is verified by the AD domain.

Valid values:

  • host: The AD domain verifies TCP/IP connections, including SSL connections and non-SSL connections.
  • hostssl: The AD domain verifies only TCP/IP connections that are established over SSL.
  • hostnossl: The AD domain verifies only TCP/IP connections that are not established over SSL.
    Note: You can set this parameter to hostssl only when SSL encryption is enabled for the instance. For more information, see Configure SSL encryption for an ApsaraDB RDS for PostgreSQL instance.
HbaItem.N.Mask String No null

The mask of the instance. If the value of the Address parameter is an IP address, you can use this parameter to specify the mask of the IP address.

HbaItem.N.Database String Yes all

The name of the database that the specified users are allowed to access. If you set this parameter to all, the specified users are allowed to access all databases in the instance.

If you specify multiple databases, separate the database names with commas (,).

HbaItem.N.PriorityId Integer Yes 2

The priority of the AD domain that you want to add. If you set this parameter to 0, the AD domain has the highest priority. Valid values: 0 to 10000.

This parameter is used to identify each AD domain. When you add an AD domain, the value of the PriorityId parameter of the new AD domain must be different from the value of the PriorityId parameter of any existing AD domain. When you modify or delete an AD domain, you must also modify or delete the value of the PriorityId parameter for this AD domain.

HbaItem.N.Address String Yes 0.0.0.0/0

The IP addresses from which the specified users can access the specified databases. If you set this parameter to 0.0.0.0/0, the specified users are allowed to access the specified databases from all IP addresses.

HbaItem.N.User String Yes ldapuser

The user that is allowed to access the instance. If you specify multiple users, separate the usernames with commas (,).

HbaItem.N.Method String Yes ldap

The authentication method of the AD domain. Valid values:

  • trust
  • reject
  • scram-sha-256
  • md5
  • password
  • gss
  • sspi
  • ldap
  • radius
  • cert
  • pam
HbaItem.N.Option String No ldapserver=The private IP address of the ECS instance ldapbasedn="CN=Users,DC=pgsqldomain,DC=net" ldapbinddn="CN=The username of the administrator user of the AD domain controller,CN=Users,DC=pgsqldomain,DC=net" ldapbindpasswd="The password of the administrator user of the AD domain controller" ldapsearchattribute="sAMAccountName"

Optional. The value of this parameter depends on the value of the HbaItem.N.Method parameter. In this topic, LDAP is used as an example, and in that case you must specify this parameter. For more information, see Authentication Methods.

Response parameters

Parameter Type Example Description
RequestId String 458E0781-C46C-55F5-A0E5-1DD284B28A3F

The ID of the request.

Examples

Sample requests

http(s)://rds.aliyuncs.com/?Action=ModifyPGHbaConfig
&DBInstanceId=pgm-bp1lymyn1v3ifjyj
&OpsType=add
&HbaItem.1.Address=0.0.0.0/0
&HbaItem.1.Database=all
&HbaItem.1.Method=ldap
&HbaItem.1.PriorityId=2
&HbaItem.1.Type=host
&HbaItem.1.User=ldapuser
&HbaItem.1.Option=ldapserver=172.16.XX.XX ldapbasedn="CN=Users,DC=pgsqldomain,DC=net" ldapbinddn="CN=pgadmin,CN=Users,DC=pgsqldomain,DC=net" ldapbindpasswd="test_123456" ldapsearchattribute="sAMAccountName"

Description of the sample request

When you use an HTTPS request, you must encode the URL. 
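
As an added example (not Alibaba Cloud SDK code and not part of the original reference), the following Python code flattens entries into the HbaItem.N.* parameters, percent-encodes the query string as the note above requires, and checks each entry against the valid values in the parameter table plus three PostgreSQL behaviours worth reviewing before submission. The names review and build_query, the existing_ids argument and the HARDENED values are assumptions; the request is neither signed nor sent, and common request parameters are omitted.

```python
from urllib.parse import quote, urlencode

# Valid values copied from the request-parameter table above.
TYPES = {"host", "hostssl", "hostnossl"}
METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss",
           "sspi", "ldap", "radius", "cert", "pam"}
# PostgreSQL methods in which the client sends the password itself to the server.
CLEARTEXT = {"password", "ldap", "radius", "pam"}

def review(items, existing_ids=()):
    """Return (errors, warnings); existing_ids are PriorityIds already in pg_hba.conf."""
    errors, warnings, seen = [], [], set(existing_ids)
    for n, it in enumerate(items, 1):
        p = f"HbaItem.{n}"
        if it["Type"] not in TYPES:
            errors.append(f"{p}.Type: invalid value")
        if it["Method"] not in METHODS:
            errors.append(f"{p}.Method: invalid value")
        if not 0 <= it["PriorityId"] <= 10000:
            errors.append(f"{p}.PriorityId: outside 0 to 10000")
        if it["PriorityId"] in seen:
            errors.append(f"{p}.PriorityId: already in use")
        seen.add(it["PriorityId"])
        if it["Method"] == "trust":
            warnings.append(f"{p}: trust admits matching clients without a password")
        if it["Method"] in CLEARTEXT and it["Type"] != "hostssl":
            warnings.append(f"{p}: password sent in cleartext on non-SSL connections")
        if it["Address"] == "0.0.0.0/0" and it["Method"] != "reject":
            warnings.append(f"{p}: rule matches every IPv4 client address")
    return errors, warnings

def build_query(instance_id, ops_type, items):
    """Flatten items into HbaItem.N.* keys and percent-encode the query string."""
    params = {"Action": "ModifyPGHbaConfig", "DBInstanceId": instance_id,
              "OpsType": ops_type}
    for n, it in enumerate(items, 1):
        for key, value in it.items():
            params[f"HbaItem.{n}.{key}"] = str(value)
    return urlencode(params, quote_via=quote)

# Values from the sample request above; Option shortened, bind password omitted.
SAMPLE = {"Type": "host", "Address": "0.0.0.0/0", "Database": "all",
          "User": "ldapuser", "Method": "ldap", "PriorityId": 2,
          "Option": 'ldapserver=172.16.XX.XX ldapsearchattribute="sAMAccountName"'}
# Constructed tightening: SSL-only rule limited to a constructed private range.
HARDENED = dict(SAMPLE, Type="hostssl", Address="172.16.0.0/12")

if __name__ == "__main__":
    for item in (SAMPLE, HARDENED):
        print(review([item]))
    print(build_query("pgm-bp1lymyn1v3i****", "add", [HARDENED]))
```

The hostssl entry is accepted only when SSL encryption is enabled for the instance, as noted for HbaItem.N.Type.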

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<ModifyPGHbaConfigResponse>
    <RequestId>458E0781-C46C-55F5-A0E5-1DD284B28A3F</RequestId>
</ModifyPGHbaConfigResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "458E0781-C46C-55F5-A0E5-1DD284B28A3F"
}

Error codes

| HTTP status code | Error code | Error message | Description |
| --- | --- | --- | --- |
| 400 | MinorVersionNotSupport | The current database minor version does not support the operation. | The error message returned because the operation is not supported by the minor engine version that is run by the instance. |
| 403 | IncorrectDBInstanceState | Current DB instance state does not support this operation. | The error message returned because this operation is not supported when the instance is in the current state. |
| 404 | IncorrectDBInstanceLockMode | Current DB instance lock mode does not support this operation. | The error message returned because the instance is locked. |

For a list of error codes, visit the API Error Center.