In some environments, it might be necessary to restrict a specific database user so they can only connect from a limited set of IP addresses for security or compliance purposes.
This KB outlines how to safely configure pg_hba.conf to enforce such restrictions without impacting connectivity for other users.
Greenplum Database follows the PostgreSQL behavior for client authentication defined in the pg_hba.conf file. Each record in this file specifies which users can connect to which databases, from which client addresses, and with which authentication method.
1. Define allow rules for the specific user
Add explicit entries in the pg_hba.conf to permit access only from the approved IP addresses:
host all <username> <allowed_ip1>/32 md5
host all <username> <allowed_ip2>/32 md5
Replace <username> with the actual database username and <allowed_ipX> with the specific IPs from which the user should be allowed to connect.
2. Reject all other IPs for that user
After the allowed entries, add a reject rule for that user to deny connections from any other IP address:
host all <username> 0.0.0.0/0 reject
This ensures that the user can only connect from explicitly allowed IPs. pg_hba.conf is evaluated top to bottom and the first record that matches the connection decides the outcome, so the reject method stops the connection attempt even if a broader allow rule exists later in the file.
This rule only applies to the specified user and does not impact other users.
3. Reload Configuration
After updating the pg_hba.conf file, reload the configuration for changes to take effect:
gpstop -u
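As an added illustration that is not part of this KB, the following Python script simulates the first-match evaluation of pg_hba.conf over a constructed rule set for a hypothetical user app_ro, so the ordering from steps 1 and 2 can be checked before editing the real file. It assumes CIDR-style addresses, plain user and database names (no +group or @file entries), and only host-type and local-type records.

```python
import ipaddress

# Constructed pg_hba.conf fragment (not from the KB): the KB's allow/reject pattern
# for the hypothetical user app_ro, followed by broader rules for everyone else.
SAMPLE_HBA = """
# TYPE  DATABASE  USER    ADDRESS          METHOD
host    all       app_ro  10.0.1.15/32     md5
host    all       app_ro  10.0.1.16/32     md5
host    all       app_ro  0.0.0.0/0        reject
host    all       all     0.0.0.0/0        md5
host    all       all     ::/0             md5
"""


def parse_hba(text):
    """Return (type, database, user, network, method) records in file order."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":              # Unix-socket rule has no ADDRESS column
            conn_type, db, user, method = fields[:4]
            records.append((conn_type, db, user, None, method))
        else:                                 # host / hostssl / hostnossl
            conn_type, db, user, addr, method = fields[:5]
            net = ipaddress.ip_network(addr, strict=False)
            records.append((conn_type, db, user, net, method))
    return records


def resolve(records, user, client_ip, database="postgres"):
    """Method of the first matching record; None means no record matched,
    in which case the server refuses the connection outright."""
    ip = ipaddress.ip_address(client_ip)
    for conn_type, db, rec_user, net, method in records:
        if conn_type == "local":              # a TCP client never matches a local rule
            continue
        if db not in ("all", database) or rec_user not in ("all", user):
            continue
        # An IPv4 network never matches an IPv6 client and vice versa, so a
        # 0.0.0.0/0 reject rule does not cover connections arriving over IPv6.
        if ip.version != net.version or ip not in net:
            continue
        return method
    return None
```

Running resolve for app_ro from an IPv6 client shows the restriction is bypassed by the trailing ::/0 rule unless a matching `host all app_ro ::/0 reject` line is added as well.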
Reference: Postgres Authentication Configuration