User authentication rules
User authentication rules determine which users from which addresses are allowed to connect to a cluster, as well as which databases they can access.
You can:
Warning
The rule priority matches the order of rows: rules are read from top to bottom, and the first relevant rule applies. If authentication based on the first suitable rule fails, other rules do not apply.
Getting a list of rules
- Open the folder dashboard.
- Navigate to Yandex MPP Analytics for PostgreSQL.
- Click the cluster name and open the User authentication tab.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
- View the description of the command for getting a list of rules:

      yc managed-greenplum hba-rules list --help

- Get a list of rules:

      yc managed-greenplum hba-rules list --cluster-id <cluster_ID>

  You can get the cluster ID with the list of clusters in the folder.

  Result:

      +----------+-----------------+-----+-------+-------------------------------------------+-------------+
      | PRIORITY | CONNECTION TYPE | DB  | USER  |                  ADDRESS                  | AUTH METHOD |
      +----------+-----------------+-----+-------+-------------------------------------------+-------------+
      | 1        | HOST            | db1 | user1 | rc1a-no8u9mlr********.mdb.yandexcloud.net | MD5         |
      +----------+-----------------+-----+-------+-------------------------------------------+-------------+
- Get an IAM token for API authentication and put it into an environment variable:

      export IAM_TOKEN="<IAM_token>"

- Call the HBARule.List method, e.g., via the following cURL request:

      curl \
        --request GET \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-greenplum/v1/clusters/<cluster_ID>/hbaRules'

  You can get the cluster ID with the list of clusters in the folder.

- View the server response to make sure your request was successful.
- Get an IAM token for API authentication and put it into an environment variable:

      export IAM_TOKEN="<IAM_token>"

- Clone the cloudapi repository:

      cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

  Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

- Call the HBARuleService.List method, e.g., via the following gRPCurl request:

      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/greenplum/v1/hba_rule_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "cluster_id": "<cluster_ID>"
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.greenplum.v1.HBARuleService.List

  You can get the cluster ID with the list of clusters in the folder.

- View the server response to make sure your request was successful.
Adding a rule
- Open the folder dashboard.
- Navigate to Yandex MPP Analytics for PostgreSQL.
- Click the cluster name and open the User authentication tab.
- Click Edit rules.
- Click Add rule and specify its settings:
  - Type: Connection type.
  - Database: Name of the database to connect to. You cannot specify system databases.
  - User: Name of the database user or user group. You cannot specify system users.
  - Address (CIDR/FQDN): Host FQDN or IP range in CIDR notation to connect to the database from.
  - Method: Authentication method.

  For more information about the parameters, see Authentication rule settings.
- To add another rule, click Add rule.
- Click Save.
Note
The default rule is added automatically at the end of the list; it allows authentication for all users in all databases and from all hosts using the md5 method (password-based authentication).
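The first-match behaviour from the warning at the top of this page, together with the default rule described in the note above, modelled as an added example (not Yandex Cloud code): it finds the single rule that decides a connection and flags rules that can never apply because a broader rule sits above them. The rule rows are constructed; the `all` wildcard, exact-string matching of FQDN addresses, and the absence of user-group handling are assumptions of this example.

```python
import ipaddress

# Constructed sample rules; keys follow the REST request body on this page. Assumed: "all"
# is the wildcard (as in pg_hba.conf); priority 4 models the automatically added default rule.
RULES = [
    {"priority": 1, "connectionType": "HOST", "database": "db1", "user": "user1", "address": "10.0.0.0/8", "authMethod": "MD5"},
    {"priority": 2, "connectionType": "HOST", "database": "db1", "user": "user1", "address": "10.1.2.0/24", "authMethod": "REJECT"},
    {"priority": 3, "connectionType": "HOSTNOSSL", "database": "all", "user": "all", "address": "all", "authMethod": "REJECT"},
    {"priority": 4, "connectionType": "HOST", "database": "all", "user": "all", "address": "all", "authMethod": "MD5"},
]

def _net(addr):
    """Parse a CIDR range or a single IP; return None for an FQDN or 'all'."""
    try:
        return ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return None

def _addr_covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "all" or outer == inner:  # wildcard, or identical FQDN/CIDR string
        return True
    a, b = _net(outer), _net(inner)
    return a is not None and b is not None and a.version == b.version and b.subnet_of(a)

def covers(outer, inner):
    """True if `outer` matches everything `inner` does; a connection is the most specific rule."""
    return (outer["connectionType"] in ("HOST", inner["connectionType"])
            and outer["database"] in ("all", inner["database"])
            and outer["user"] in ("all", inner["user"])  # user groups are not modelled
            and _addr_covers(outer["address"], inner["address"]))

def first_match(rules, c):
    """Return the one rule that decides connection `c` (read top to bottom), or None."""
    ordered = sorted(rules, key=lambda r: r["priority"])
    return next((r for r in ordered if covers(r, c)), None)

def shadowed(rules):
    """Priorities of rules that can never apply because an earlier rule covers them."""
    ordered = sorted(rules, key=lambda r: r["priority"])
    return [r["priority"] for i, r in enumerate(ordered)
            if any(covers(e, r) for e in ordered[:i])]

def connection(ssl, database, user, address):
    """Describe a client connection in the same shape as a rule."""
    return {"connectionType": "HOSTSSL" if ssl else "HOSTNOSSL",
            "database": database, "user": user, "address": address}

if __name__ == "__main__":
    print(shadowed(RULES), first_match(RULES, connection(True, "db1", "user1", "10.1.2.7")))
```

Rule 2 is reported as shadowed: the REJECT for 10.1.2.0/24 sits below a broader MD5 rule for the same database and user, so it only takes effect once it is moved above priority 1. An SSL connection to any other database falls through to the default rule and is offered password authentication.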
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
- View the description of the add rule command:

      yc managed-greenplum hba-rules create --help

- Add the rule:

      yc managed-greenplum hba-rules create <rule_priority> \
        --cluster-id <cluster_ID> \
        --conn-type <interconnect_type> \
        --database <DB_name> \
        --user <username> \
        --address <address> \
        --auth-method <authentication_method>

  Where:

  - conn-type: Interconnect type. The possible values are host, hostssl, and hostnossl.
  - address: Host FQDN or IP range in CIDR notation to connect to the database from.
  - auth-method: Authentication method. It can be either md5 or reject.

  For more information, see Authentication rule settings.

  You can get the cluster ID with the list of clusters in the folder.
- Get an IAM token for API authentication and put it into an environment variable:

      export IAM_TOKEN="<IAM_token>"

- Call the HBARule.Create method, e.g., via the following cURL request:

      curl \
        --request POST \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-greenplum/v1/clusters/<cluster_ID>/hbaRules' \
        --data '{
                  "hbaRule": {
                    "priority": "<rule_priority>",
                    "connectionType": "<interconnect_type>",
                    "database": "<DB_name>",
                    "user": "<username>",
                    "address": "<address>",
                    "authMethod": "<authentication_method>"
                  }
                }'

  Where:

  - connectionType: Interconnect type. The possible values are HOST, HOSTSSL, and HOSTNOSSL.
  - address: Host FQDN or IP range in CIDR notation to connect to the database from.
  - authMethod: Authentication method. It can be either MD5 or REJECT.

  For more information, see Authentication rule settings.

  You can get the cluster ID with the list of clusters in the folder.

- View the server response to make sure your request was successful.
- Get an IAM token for API authentication and put it into an environment variable:

      export IAM_TOKEN="<IAM_token>"

- Clone the cloudapi repository:

      cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

  Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

- Call the HBARuleService.Create method, e.g., via the following gRPCurl request:

      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/greenplum/v1/hba_rule_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "cluster_id": "<cluster_ID>",
              "hba_rule": {
                "priority": "<rule_priority>",
                "connection_type": "<interconnect_type>",
                "database": "<DB_name>",
                "user": "<username>",
                "address": "<address>",
                "auth_method": "<authentication_method>"
              }
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.greenplum.v1.HBARuleService.Create

  Where:

  - connection_type: Interconnect type. The possible values are HOST, HOSTSSL, and HOSTNOSSL.
  - address: Host FQDN or IP range in CIDR notation to connect to the database from.
  - auth_method: Authentication method. It can be either MD5 or REJECT.

  You can get the cluster ID with the list of clusters in the folder.

- View the server response to make sure your request was successful.
Editing a rule
- Open the folder dashboard.
- Navigate to Yandex MPP Analytics for PostgreSQL.
- Click the cluster name and open the User authentication tab.
- Click Edit rules and update the rule settings:
  - Type: Connection type.
  - Database: Name of the database to connect to. You cannot specify system databases.
  - User: Name of the database user or user group. You cannot specify system users.
  - Address (CIDR/FQDN): Host FQDN or IP range in CIDR notation to connect to the database from.
  - Method: Authentication method.

  For more information about the parameters, see Authentication rule settings.
- Click Save.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
- View the description of the update rule command:

      yc managed-greenplum hba-rules update --help

- Update the rule:

      yc managed-greenplum hba-rules update <rule_priority> \
        --cluster-id <cluster_ID> \
        --conn-type <interconnect_type> \
        --database <DB_name> \
        --user <username> \
        --address <address> \
        --auth-method <authentication_method>

  Where:

  - conn-type: Interconnect type. The possible values are host, hostssl, and hostnossl.
  - address: Host FQDN or IP range in CIDR notation to connect to the database from.
  - auth-method: Authentication method. It can be either md5 or reject.

  For more information, see Authentication rule settings.

  You can get the cluster ID with the list of clusters in the folder.

  You can find out the rule priority by requesting a list of all rules in the cluster.
- Get an IAM token for API authentication and put it into an environment variable:

      export IAM_TOKEN="<IAM_token>"

- Call the HBARule.Update method, e.g., via the following cURL request:

      curl \
        --request PATCH \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-greenplum/v1/clusters/<cluster_ID>/hbaRules' \
        --data '{
                  "hbaRule": {
                    "priority": "<rule_priority>",
                    "connectionType": "<interconnect_type>",
                    "database": "<DB_name>",
                    "user": "<username>",
                    "address": "<address>",
                    "authMethod": "<authentication_method>"
                  }
                }'

  Where:

  - connectionType: Interconnect type. The possible values are HOST, HOSTSSL, and HOSTNOSSL.
  - address: Host FQDN or IP range in CIDR notation to connect to the database from.
  - authMethod: Authentication method. It can be either MD5 or REJECT.

  For more information, see Authentication rule settings.

  You can get the cluster ID with the list of clusters in the folder.

  You can find out the rule priority by requesting a list of all rules in the cluster.

- View the server response to make sure your request was successful.
- Get an IAM token for API authentication and put it into an environment variable:

      export IAM_TOKEN="<IAM_token>"

- Clone the cloudapi repository:

      cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

  Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

- Call the HBARuleService.Update method, e.g., via the following gRPCurl request:

      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/greenplum/v1/hba_rule_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "cluster_id": "<cluster_ID>",
              "hba_rule": {
                "priority": "<rule_priority>",
                "connection_type": "<interconnect_type>",
                "database": "<DB_name>",
                "user": "<username>",
                "address": "<address>",
                "auth_method": "<authentication_method>"
              }
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.greenplum.v1.HBARuleService.Update

  Where:

  - connection_type: Interconnect type. The possible values are HOST, HOSTSSL, and HOSTNOSSL.
  - address: Host FQDN or IP range in CIDR notation to connect to the database from.
  - auth_method: Authentication method. It can be either MD5 or REJECT.

  You can get the cluster ID with the list of clusters in the folder.

  You can find out the rule priority by requesting a list of all rules in the cluster.

- View the server response to make sure your request was successful.
Change the rule priority
- Open the folder dashboard.
- Navigate to Yandex MPP Analytics for PostgreSQL.
- Click the cluster name and open the User authentication tab.
- Click Edit rules.
- Click for your rule and move it up or down.
- Click Save.
Deleting a rule
- Open the folder dashboard.
- Navigate to Yandex MPP Analytics for PostgreSQL.
- Click the cluster name and open the User authentication tab.
- Click Edit rules.
- Click for your rule and select Delete.
- Click Save.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
- View the description of the command for deleting a rule:

      yc managed-greenplum hba-rules delete --help

- Delete the rule:

      yc managed-greenplum hba-rules delete <rule_priority> \
        --cluster-id <cluster_ID>

  You can get the cluster ID with the list of clusters in the folder.

  You can find out the rule priority by requesting a list of all rules in the cluster.
- Get an IAM token for API authentication and put it into an environment variable:

      export IAM_TOKEN="<IAM_token>"

- Call the HBARule.Delete method, e.g., via the following cURL request:

      curl \
        --request DELETE \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-greenplum/v1/clusters/<cluster_ID>/hbaRule/<rule_priority>'

  You can get the cluster ID with the list of clusters in the folder.

  You can find out the rule priority by requesting a list of all rules in the cluster.

- View the server response to make sure your request was successful.
- Get an IAM token for API authentication and put it into an environment variable:

      export IAM_TOKEN="<IAM_token>"

- Clone the cloudapi repository:

      cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

  Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

- Call the HBARuleService.Delete method, e.g., via the following gRPCurl request:

      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/greenplum/v1/hba_rule_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "cluster_id": "<cluster_ID>",
              "priority": "<rule_priority>"
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.greenplum.v1.HBARuleService.Delete

  You can get the cluster ID with the list of clusters in the folder.

  You can find out the rule priority by requesting a list of all rules in the cluster.

- View the server response to make sure your request was successful.