หมายเหตุ
การเข้าถึงหน้านี้ต้องได้รับการอนุญาต คุณสามารถลอง ลงชื่อเข้าใช้หรือเปลี่ยนไดเรกทอรีได้
การเข้าถึงหน้านี้ต้องได้รับการอนุญาต คุณสามารถลองเปลี่ยนไดเรกทอรีได้
Salted Challenge Response Authentication Mechanism (SCRAM) is a password-based mutual authentication protocol. It's a challenge-response scheme that adds several levels of security and prevents password sniffing on untrusted connections. SCRAM supports storing passwords on the server in a cryptographically hashed form, which provides advanced security.
Note
To access an Azure Database for PostgreSQL flexible server by using the SCRAM method of authentication, your client libraries need to support SCRAM. For more information, see the list of drivers that support SCRAM.
SCRAM authentication adds extra computational load to your application servers, which need to compute the client proof for each authentication. You might reduce the performance overhead SCRAM introduces by limiting the number of connections in your application's connection pool (reducing chattiness in your application) or limiting the number of concurrent transactions that your client allows (bigger transactions). Test your workloads before migrating to SCRAM authentication.
Configure SCRAM authentication
Go to Parameters
To configure SCRAM authentication, access the Parameters page in the Azure portal:
- Sign in to the Azure portal.
- Go to your Azure Database for PostgreSQL flexible server.
- In the left-hand menu under Settings, select Parameters.
- Use the search box to find the parameters mentioned in the following steps.
Configuration steps
Change
password_encryptiontoSCRAM-SHA-256. Currently, Azure Database for PostgreSQL only supports SCRAM using SHA-256.
Allow
SCRAM-SHA-256as the authentication method.
Important
You can enforce SCRAM only authentication by selecting only the
SCRAM-SHA-256method. When you enforce this method, users with MD5 authentication can't connect to the server. Before you enforce SCRAM, make sure both MD5 andSCRAM-SHA-256are authentication methods until you update all user passwords toSCRAM-SHA-256. You can verify the authentication type for users by using the query mentioned in step 7.Save the changes. These properties are dynamic and don't require a server restart.
From your Azure Database for PostgreSQL flexible server client, connect to the Azure Database for PostgreSQL flexible server. For example,
psql "host=myPGServer.postgres.database.azure.com port=5432 dbname=postgres user=myDemoUser password=<password> sslmode=require" psql (12.3 (Ubuntu 12.3-1.pgdg18.04+1), server 12.6) SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off) Type "help" for help.Verify the password encryption.
postgres=> show password_encryption; password_encryption --------------------- scram-sha-256 (1 row)Update the password for users.
postgres=> \password myDemoUser Enter new password: Enter it again: postgres=>Verify user authentication types by using the
azure_roles_authtype()function.postgres=> SELECT * from azure_roles_authtype(); rolename | authtype ---------------------------+----------- azuresu | NOLOGIN pg_monitor | NOLOGIN pg_read_all_settings | NOLOGIN pg_read_all_stats | NOLOGIN pg_stat_scan_tables | NOLOGIN pg_read_server_files | NOLOGIN pg_write_server_files | NOLOGIN pg_execute_server_program | NOLOGIN pg_signal_backend | NOLOGIN replication | NOLOGIN myDemoUser | SCRAM-256 azure_pg_admin | NOLOGIN srtest | SCRAM-256 sr_md5 | MD5 (14 rows)Connect from the client that supports SCRAM authentication to your server.
SCRAM authentication is also supported when connected to the built-in managed PgBouncer.