You can call the ModifyPGHbaConfig operation to modify the pg_hba.conf file of an ApsaraDB RDS for PostgreSQL instance.

ApsaraDB RDS for PostgreSQL allows you to modify the pg_hba.conf file based on your business requirements. For more information, see Introduction to the pg_hba.conf file.

You can modify the information of the Active Directory (AD) domain controller in the pg_hba.conf file of an instance. Then, you can connect the instance to a self-managed AD domain. For more information, see Connect an ApsaraDB RDS for PostgreSQL instance to a self-managed AD domain.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes ModifyPGHbaConfig

The operation that you want to perform. Set the value to ModifyPGHbaConfig.

ClientToken String No 1

This parameter is reserved. You do not need to specify this parameter.

DBInstanceId String Yes pgm-bp1lymyn1v3i****

The ID of the instance. You can call the DescribeDBInstances operation to query the IDs of instances.

OpsType String Yes add

The method that you use to modify the pg_hba.conf file. Valid values:

  • add: adds one or more records. If you use this method, make sure that the value of the PriorityId parameter for each new record is different from the value of the PriorityId parameter for any existing record.
  • delete: deletes one or more records. If you use this method, the record that corresponds to the specified value of the PriorityId parameter is deleted from the pg_hba.conf file.
  • modify: modifies one or more records. If you use this method, the record that corresponds to the specified value of the PriorityId parameter is modified.
  • update: overwrites the existing configuration in the pg_hba.conf file by using the new configuration.

HbaItem.N.Type String Yes host

The connection type of record N.

Valid values:

  • host: The record matches TCP/IP connections, including SSL connections and non-SSL connections.
  • hostssl: The record matches only TCP/IP connections that are established over SSL.
  • hostnossl: The record matches only TCP/IP connections that are not established over SSL.
    Note: You can set this parameter to hostssl only when SSL encryption is enabled for the instance. For more information, see Configure SSL encryption for an ApsaraDB RDS for PostgreSQL instance.

HbaItem.N.Mask String No 0

The mask for record N. If the value of the Address parameter is an IP address, you can use this parameter to specify the mask of the IP address.

HbaItem.N.Database String Yes all

The name of the database for record N. If you set this parameter to all, the specified users are allowed to access all databases on the instance.

If you specify multiple databases, separate the database names with commas (,).

HbaItem.N.PriorityId Integer Yes 2

The priority of record N. If you set this parameter to 0, the record has the highest priority. Valid values: 0 to 10000.

This parameter is used to identify each record. When you add a record, the value of the PriorityId parameter for the new record must be different from the value of the PriorityId parameter of any existing record. When you modify or delete a record, you must also modify or delete the value of the PriorityId parameter for this record.

HbaItem.N.Address String Yes 0.0.0.0/0

The IP addresses from which the specified users can access the specified databases. If you set this parameter to 0.0.0.0/0, the specified users are allowed to access the specified databases from all IP addresses.

HbaItem.N.User String Yes ldapuser

The user who is allowed to access the specified databases. You must specify the user that is used to log on to the RDS instance. If you specify multiple users, separate the usernames with commas (,).

HbaItem.N.Method String Yes ldap

The authentication method. Valid values:

  • trust
  • reject
  • scram-sha-256
  • md5
  • password
  • gss
  • sspi
  • ldap
  • radius
  • cert
  • pam

HbaItem.N.Option String No ldapserver=Private IP address of the ECS instance ldapbasedn="CN=Users,DC=pgsqldomain,DC=net" ldapbinddn="CN=Username of the administrator user of the AD domain controller,CN=Users,DC=pgsqldomain,DC=net" ldapbindpasswd="Password of the administrator user of the AD domain controller" ldapsearchattribute="sAMAccountName"

Optional. The value of this parameter varies based on the value of the HbaItem.N.Method parameter. In this topic, LDAP is used as an example, and for LDAP you must specify this parameter. For more information, see Authentication Methods.

Response parameters

Parameter Type Example Description
RequestId String 458E0781-C46C-55F5-A0E5-1DD284B28A3F

The ID of the request.

Examples

Sample requests

http(s)://rds.aliyuncs.com/?Action=ModifyPGHbaConfig
&DBInstanceId=pgm-bp1lymyn1v3ifjyj
&OpsType=add
&HbaItem.1.Address=0.0.0.0/0
&HbaItem.1.Database=all
&HbaItem.1.Method=ldap
&HbaItem.1.PriorityId=2
&HbaItem.1.Type=host
&HbaItem.1.User=ldapuser
&HbaItem.1.Option=ldapserver=172.16.XX.XX ldapbasedn="CN=Users,DC=pgsqldomain,DC=net" ldapbinddn="CN=pgadmin,CN=Users,DC=pgsqldomain,DC=net" ldapbindpasswd="test_123456" ldapsearchattribute="sAMAccountName"

Description of the sample request

When you use an HTTPS request, you must encode the URL. 
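The following Python code is an added example, not part of the original page and not Alibaba Cloud SDK code. It checks records against the constraints documented above before an add call, then flattens them into percent-encoded HbaItem.N.* parameters. The function names, the constructed sample (which leaves out the bind DN and password options), and the rule that flags trust from 0.0.0.0/0 are assumptions of this example; signature parameters are not generated.

```python
from urllib.parse import quote, urlencode

# Values listed on this page.
TYPES = {"host", "hostssl", "hostnossl"}
METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss",
           "sspi", "ldap", "radius", "cert", "pam"}
REQUIRED = ("Type", "Database", "PriorityId", "Address", "User", "Method")

# Constructed sample modelled on this page's sample request.
SAMPLE = [{"Type": "host", "Database": "all", "PriorityId": 2,
           "Address": "0.0.0.0/0", "User": "ldapuser", "Method": "ldap",
           "Option": 'ldapserver=172.16.XX.XX ldapsearchattribute="sAMAccountName"'}]


def check_records(records, existing_priority_ids=(), ssl_enabled=False):
    """Return problems found in records intended for OpsType=add."""
    problems, seen = [], set(existing_priority_ids)
    for n, rec in enumerate(records, start=1):
        tag = f"HbaItem.{n}"
        missing = [k for k in REQUIRED if k not in rec]
        if missing:
            problems.append(f"{tag}: missing {', '.join(missing)}")
            continue
        if rec["Type"] not in TYPES or rec["Method"] not in METHODS:
            problems.append(f"{tag}: Type or Method is not a listed value")
        if rec["Type"] == "hostssl" and not ssl_enabled:
            problems.append(f"{tag}: hostssl needs SSL encryption enabled")
        pid = rec["PriorityId"]
        if not isinstance(pid, int) or not 0 <= pid <= 10000:
            problems.append(f"{tag}: PriorityId must be an integer 0 to 10000")
        elif pid in seen:
            problems.append(f"{tag}: PriorityId {pid} is already in use")
        else:
            seen.add(pid)
        if rec["Method"] == "ldap" and not rec.get("Option"):
            problems.append(f"{tag}: ldap requires Option")
        # Local review rule (assumption, not an API check): trust skips authentication.
        if rec["Method"] == "trust" and rec["Address"] == "0.0.0.0/0":
            problems.append(f"{tag}: trust from 0.0.0.0/0 is unauthenticated")
    return problems


def build_query(instance_id, ops_type, records):
    """Flatten records to HbaItem.N.* and percent-encode (no signature)."""
    params = {"Action": "ModifyPGHbaConfig", "DBInstanceId": instance_id,
              "OpsType": ops_type}
    for n, rec in enumerate(records, start=1):
        params.update({f"HbaItem.{n}.{k}": str(v) for k, v in rec.items()})
    return urlencode(params, quote_via=quote)
```

Pass the PriorityId values already present on the instance as existing_priority_ids so that collisions are caught before the call is made.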

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<ModifyPGHbaConfigResponse>
    <RequestId>458E0781-C46C-55F5-A0E5-1DD284B28A3F</RequestId>
</ModifyPGHbaConfigResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "458E0781-C46C-55F5-A0E5-1DD284B28A3F"
}

Error codes

| HTTP status code | Error code | Error message | Description |
|---|---|---|---|
| 400 | MinorVersionNotSupport | The current database minor version does not support the operation. | The error message returned because the operation is not supported by the minor engine version that is run by the instance. |
| 400 | InvalidDBInstanceName.NotFound | The specified DB instance name does not exist. | The error message returned because the name of the instance cannot be found. |
| 400 | IncorrectDBInstanceType | Current DB instance type does not support this operation. | The error message returned because this operation is not supported when the instance is in the current state. |
| 403 | IncorrectDBInstanceState | Current DB instance state does not support this operation. | The error message returned because this operation is not supported when the instance is in the current state. |
| 404 | IncorrectDBInstanceLockMode | Current DB instance lock mode does not support this operation. | The error message returned because the instance is locked. |

For a list of error codes, visit the API Error Center.