© 2025 Direct Cursus Technology L.L.C.

User authentication rules

Written by
Yandex Cloud
Updated at November 26, 2025

User authentication rules determine which users can connect to a cluster, from which addresses, and which databases they can access.

You have the following options:

  • Get a list of rules
  • Add a rule
  • Edit a rule
  • Change rule priority
  • Delete a rule

Warning

The rule priority matches the order of rows: rules are read from top to bottom, and the first relevant rule applies. If authentication based on the first suitable rule fails, other rules are not applied.

Getting a list of rules

Management console

  1. Navigate to the folder dashboard and select Yandex MPP Analytics for PostgreSQL.
  2. Click the name of your cluster and open the User authentication tab.

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. View a description of the command to get a list of rules:

    yc managed-greenplum hba-rules list --help
    
  2. Get a list of rules:

    yc managed-greenplum hba-rules list --cluster-id <cluster_ID>
    

    You can get the cluster ID with the list of clusters in the folder.

    Result:

    +----------+-----------------+-----+-------+-------------------------------------------+-------------+
    | PRIORITY | CONNECTION TYPE | DB  | USER  |                  ADDRESS                  | AUTH METHOD |
    +----------+-----------------+-----+-------+-------------------------------------------+-------------+
    |        1 | HOST            | db1 | user1 | rc1a-no8u9mlr********.mdb.yandexcloud.net | MD5         |
    +----------+-----------------+-----+-------+-------------------------------------------+-------------+
    
REST API

  1. Get an IAM token for API authentication and set it as an environment variable:

    export IAM_TOKEN="<IAM_token>"
    
  2. Call the HBARule.List method, e.g., via the following cURL request:

    curl \
        --request GET \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-greenplum/v1/clusters/<cluster_ID>/hbaRules'
    

    You can get the cluster ID with the list of clusters in the folder.

  3. Check the server response to make sure your request was successful.

gRPC API

  1. Get an IAM token for API authentication and set it as an environment variable:

    export IAM_TOKEN="<IAM_token>"
    
  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
    

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Use the HBARuleService.List call and send the following request, e.g., via gRPCurl:

    grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/greenplum/v1/hba_rule_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
                "cluster_id": "<cluster_ID>"
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.greenplum.v1.HBARuleService.List
    

    You can get the cluster ID with the list of clusters in the folder.

  4. Check the server response to make sure your request was successful.

Adding a rule

Management console

  1. Navigate to the folder dashboard and select Yandex MPP Analytics for PostgreSQL.

  2. Click the name of your cluster and open the User authentication tab.

  3. Click Edit rules.

  4. Click Add rule and specify its parameters:

    • Type: Connection type.
    • Database: Name of the database to connect to. You cannot specify system databases.
    • User: Name of the database user or user group. You cannot specify system users.
    • Address (CIDR/FQDN): Host FQDN or IP range in CIDR notation to connect to the database from.
    • Method: Authentication method.

    For more information about the parameters, see Authentication rule settings.

  5. To add another rule, click Add rule.

  6. Click Save.

Note

The default rule is added automatically at the end of the list; it allows authentication for all users in all databases and from all hosts using the md5 method (password-based authentication).
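
The first-match ordering from the warning at the top of this page and the catch-all default rule from this note can be checked offline before a rule set is saved. The Python code below is an added example, not part of the Yandex Cloud documentation or tooling. It assumes rules as dictionaries with the field names of the REST request body on this page, `all` as the database/user wildcard and `0.0.0.0/0` as the stored form of "all hosts" (both borrowed from PostgreSQL's pg_hba.conf), and it compares FQDN addresses literally.

```python
import ipaddress

# Constructed sample rule set; field names follow the REST request body on this page.
# Assumption: the automatically added default rule is stored as all/all/0.0.0.0/0, MD5.
RULES = [
    {"priority": 1, "connectionType": "HOST", "database": "db1", "user": "user1",
     "address": "10.0.0.0/8", "authMethod": "MD5"},
    {"priority": 2, "connectionType": "HOST", "database": "db1", "user": "user1",
     "address": "10.1.2.0/24", "authMethod": "REJECT"},   # meant to block one subnet
    {"priority": 3, "connectionType": "HOST", "database": "all", "user": "all",
     "address": "0.0.0.0/0", "authMethod": "MD5"},        # stand-in for the default rule
]

def _ordered(rules):
    return sorted(rules, key=lambda r: int(r["priority"]))

def _type_matches(conn_type, ssl):
    # HOST matches any TCP connection; HOSTSSL only TLS; HOSTNOSSL only plaintext.
    return conn_type == "HOST" or (conn_type == "HOSTSSL") == ssl

def _addr_matches(rule_addr, client):
    try:
        return ipaddress.ip_address(client) in ipaddress.ip_network(rule_addr, strict=False)
    except ValueError:
        return rule_addr == client   # FQDN rule: literal comparison, no DNS lookup

def first_match(rules, database, user, client, ssl):
    """Return the rule that decides this connection, or None if none matches."""
    for r in _ordered(rules):
        if (_type_matches(r["connectionType"], ssl)
                and r["database"] in ("all", database)
                and r["user"] in ("all", user)
                and _addr_matches(r["address"], client)):
            return r
    return None

def _covers(a, b):
    """True if every connection that matches rule b also matches rule a."""
    try:
        na = ipaddress.ip_network(a["address"], strict=False)
        nb = ipaddress.ip_network(b["address"], strict=False)
        addr_ok = na.version == nb.version and nb.subnet_of(na)
    except ValueError:
        addr_ok = a["address"] == b["address"]   # conservative for FQDN rules
    return (a["connectionType"] in ("HOST", b["connectionType"])
            and a["database"] in ("all", b["database"])
            and a["user"] in ("all", b["user"]) and addr_ok)

def shadowed(rules):
    """List (priority, shadowing_priority) for rules that can never be the first match."""
    ordered, found = _ordered(rules), []
    for i, b in enumerate(ordered):
        hit = next((a for a in ordered[:i] if _covers(a, b)), None)
        if hit:
            found.append((int(b["priority"]), int(hit["priority"])))
    return found
```

On the sample set, `first_match(RULES, "db1", "user1", "10.1.2.5", True)` returns rule 1 (MD5) and `shadowed(RULES)` reports rule 2 as covered by rule 1, so the REJECT rule has to be moved above rule 1 to take effect. A connection for `db2`/`user2` from any address falls through to the catch-all rule, which is why restrictions need an explicit REJECT rule placed before it.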

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. View the description of the add rule command:

    yc managed-greenplum hba-rules create --help
    
  2. Add the rule:

    yc managed-greenplum hba-rules create <rule_priority> \
        --cluster-id <cluster_ID> \
        --conn-type <interconnect_type> \
        --database <DB_name> \
        --user <username> \
        --address <address> \
        --auth-method <authentication_method>
    

    Where:

    • conn-type: Interconnect type. The possible values are host, hostssl, and hostnossl.
    • address: Host FQDN or IP range in CIDR notation to connect to the database from.
    • auth-method: Authentication method. It can be either md5 or reject.

    For more information about the parameters, see Authentication rule settings.

    You can get the cluster ID with the list of clusters in the folder.

REST API

  1. Get an IAM token for API authentication and set it as an environment variable:

    export IAM_TOKEN="<IAM_token>"
    
  2. Call the HBARule.Create method, e.g., via the following cURL request:

    curl \
        --request POST \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-greenplum/v1/clusters/<cluster_ID>/hbaRules' \
        --data '{
                    "hbaRule": {
                        "priority": "<rule_priority>",
                        "connectionType": "<interconnect_type>",
                        "database": "<DB_name>",
                        "user": "<username>",
                        "address": "<address>",
                        "authMethod": "<authentication_method>"
                    }
                }'
    

    Where:

    • connectionType: Interconnect type. The possible values are HOST, HOSTSSL, and HOSTNOSSL.
    • address: Host FQDN or IP range in CIDR notation to connect to the database from.
    • authMethod: Authentication method. It can be either MD5 or REJECT.

    For more information about the parameters, see Authentication rule settings.

    You can get the cluster ID with the list of clusters in the folder.

  3. Check the server response to make sure your request was successful.

gRPC API

  1. Get an IAM token for API authentication and set it as an environment variable:

    export IAM_TOKEN="<IAM_token>"
    
  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
    

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Use the HBARuleService.Create call and send the following request, e.g., via gRPCurl:

    grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/greenplum/v1/hba_rule_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
                "cluster_id": "<cluster_ID>",
                "hba_rule": {
                    "priority": "<rule_priority>",
                    "connection_type": "<interconnect_type>",
                    "database": "<DB_name>",
                    "user": "<username>",
                    "address": "<address>",
                    "auth_method": "<authentication_method>"
                }
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.greenplum.v1.HBARuleService.Create
    

    Where:

    • connection_type: Interconnect type. The possible values are HOST, HOSTSSL, and HOSTNOSSL.
    • address: Host FQDN or IP range in CIDR notation to connect to the database from.
    • auth_method: Authentication method. It can be either MD5 or REJECT.

    You can get the cluster ID with the list of clusters in the folder.

  4. Check the server response to make sure your request was successful.

Editing a rule

Management console

  1. Navigate to the folder dashboard and select Yandex MPP Analytics for PostgreSQL.

  2. Click the name of your cluster and open the User authentication tab.

  3. Click Edit rules and update the rule parameters:

    • Type: Connection type.
    • Database: Name of the database to connect to. You cannot specify system databases.
    • User: Name of the database user or user group. You cannot specify system users.
    • Address (CIDR/FQDN): Host FQDN or IP range in CIDR notation to connect to the database from.
    • Method: Authentication method.

    For more information about the parameters, see Authentication rule settings.

  4. Click Save.

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. View the description of the update rule command:

    yc managed-greenplum hba-rules update --help
    
  2. Update the rule:

    yc managed-greenplum hba-rules update <rule_priority> \
        --cluster-id <cluster_ID> \
        --conn-type <interconnect_type> \
        --database <DB_name> \
        --user <username> \
        --address <address> \
        --auth-method <authentication_method>
    

    Where:

    • conn-type: Interconnect type. The possible values are host, hostssl, and hostnossl.
    • address: Host FQDN or IP range in CIDR notation to connect to the database from.
    • auth-method: Authentication method. It can be either md5 or reject.

    For more information about the parameters, see Authentication rule settings.

    You can get the cluster ID with the list of clusters in the folder.

    You can find out the rule priority by requesting a list of all rules in the cluster.

REST API

  1. Get an IAM token for API authentication and set it as an environment variable:

    export IAM_TOKEN="<IAM_token>"
    
  2. Call the HBARule.Update method, e.g., via the following cURL request:

    curl \
        --request PATCH \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-greenplum/v1/clusters/<cluster_ID>/hbaRules' \
        --data '{
                    "hbaRule": {
                        "priority": "<rule_priority>",
                        "connectionType": "<interconnect_type>",
                        "database": "<DB_name>",
                        "user": "<username>",
                        "address": "<address>",
                        "authMethod": "<authentication_method>"
                    }
                }'
    

    Where:

    • connectionType: Interconnect type. The possible values are HOST, HOSTSSL, and HOSTNOSSL.
    • address: Host FQDN or IP range in CIDR notation to connect to the database from.
    • authMethod: Authentication method. It can be either MD5 or REJECT.

    For more information about the parameters, see Authentication rule settings.

    You can get the cluster ID with the list of clusters in the folder.

    You can find out the rule priority by requesting a list of all rules in the cluster.

  3. Check the server response to make sure your request was successful.

gRPC API

  1. Get an IAM token for API authentication and set it as an environment variable:

    export IAM_TOKEN="<IAM_token>"
    
  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
    

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Use the HBARuleService.Update call and send the following request, e.g., via gRPCurl:

    grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/greenplum/v1/hba_rule_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
                "cluster_id": "<cluster_ID>",
                "hba_rule": {
                    "priority": "<rule_priority>",
                    "connection_type": "<interconnect_type>",
                    "database": "<DB_name>",
                    "user": "<username>",
                    "address": "<address>",
                    "auth_method": "<authentication_method>"
                }
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.greenplum.v1.HBARuleService.Update
    

    Where:

    • connection_type: Interconnect type. The possible values are HOST, HOSTSSL, and HOSTNOSSL.
    • address: Host FQDN or IP range in CIDR notation to connect to the database from.
    • auth_method: Authentication method. It can be either MD5 or REJECT.

    You can get the cluster ID with the list of clusters in the folder.

    You can find out the rule priority by requesting a list of all rules in the cluster.

  4. Check the server response to make sure your request was successful.

Changing rule priority

Management console

  1. Navigate to the folder dashboard and select Yandex MPP Analytics for PostgreSQL.
  2. Click the name of your cluster and open the User authentication tab.
  3. Click Edit rules.
  4. Click the icon for the rule and move it up or down.
  5. Click Save.

Deleting a rule

Management console

  1. Navigate to the folder dashboard and select Yandex MPP Analytics for PostgreSQL.
  2. Click the name of your cluster and open the User authentication tab.
  3. Click Edit rules.
  4. Click the icon for the rule and select Delete.
  5. Click Save.

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. View the description of the command for deleting a rule:

    yc managed-greenplum hba-rules delete --help
    
  2. Delete the rule:

    yc managed-greenplum hba-rules delete <rule_priority> \
        --cluster-id <cluster_ID>
    

    You can get the cluster ID with the list of clusters in the folder.

    You can find out the rule priority by requesting a list of all rules in the cluster.

REST API

  1. Get an IAM token for API authentication and set it as an environment variable:

    export IAM_TOKEN="<IAM_token>"
    
  2. Call the HBARule.Delete method, e.g., via the following cURL request:

    curl \
        --request DELETE \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-greenplum/v1/clusters/<cluster_ID>/hbaRule/<rule_priority>'
    

    You can get the cluster ID with the list of clusters in the folder.

    You can find out the rule priority by requesting a list of all rules in the cluster.

  3. Check the server response to make sure your request was successful.

gRPC API

  1. Get an IAM token for API authentication and set it as an environment variable:

    export IAM_TOKEN="<IAM_token>"
    
  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
    

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Use the HBARuleService.Delete call and send the following request, e.g., via gRPCurl:

    grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/greenplum/v1/hba_rule_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
                "cluster_id": "<cluster_ID>",
                "priority": "<rule_priority>"
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.greenplum.v1.HBARuleService.Delete
    

    You can get the cluster ID with the list of clusters in the folder.

    You can find out the rule priority by requesting a list of all rules in the cluster.

  4. Check the server response to make sure your request was successful.

Greenplum® and Greenplum Database® are registered trademarks or trademarks of Broadcom Inc. in the United States and/or other countries.
