Users in Management Console
Unlike database users, which you create on the Vertica database and then grant privileges and roles through SQL statements, you create MC users on the Management Console interface. MC users are external to the database. Their information is stored on an internal database on the MC application/web server. Their access to both MC and to databases managed by MC is controlled by groups of privileges (also referred to as access levels). MC users are not system (Linux) users; they are entries in the MC internal database.
Permission group types
There are two types of permission groups on MC, those that apply to MC configuration and those that apply to database access:
- MC configuration privileges are made up of roles that control what users can configure on the Management Console, such as modify MC settings, create and import Vertica databases, restart MC, create a Vertica cluster through the MC interface, and create and manage MC users.
- MC database privileges are made up of roles that control what users can see or do on a Vertica database monitored by MC, such as view the database cluster state, query and session activity, monitor database messages and read log files, replace cluster nodes, and stop databases.
If you are using MC, you might want to allow one or more users in your organization to configure and manage MC, and you might want other users to have database access only. You can meet these requirements by creating MC users and granting them a role from each privileges group. See Creating an MC user for details.
MC user types
The following table describes the five types of role-based users on MC:
| User Type | Description |
| --- | --- |
| SUPER Role (MC) | The default superuser administrator (Linux account) who gets created when you install and configure MC and oversees all of MC. |
| ADMIN Role (MC) | Users who can configure all aspects of MC and control all databases managed by MC. |
| MANAGER Role (MC) | Users who can configure MC user settings and monitor all databases managed by MC. |
| IT Role (MC) | Users who can configure some aspects of MC user settings and monitor all databases managed by MC. |
| NONE Role (MC) | Users who cannot configure MC and have access to one or more databases managed by MC. |
For details about each role, see Configuration privileges.
You create users and grant them privileges (through roles) on the MC Settings page in the User management tab.
Creating users and choosing an authentication method
You create users and grant them privileges (through roles) on the MC Settings page. You can also choose how to authenticate their access to MC.
- To add users who are authenticated against the MC, click User Management
- To add users who are authenticated through your organization's LDAP repository, click Authentication
MC supports only one method for authentication, so if you choose MC, all MC users will be authenticated using their MC login credentials.
Default MC users
The MC super account is the only default user. The super or another MC administrator must create all other MC users.
1 - Creating an MC user
MC provides two authentication schemes for MC users: LDAP or MC (internal). The method you choose when you configure MC is the method MC uses to authenticate all MC users. It is not possible to authenticate some MC users against LDAP and other MC users against credentials in the database through MC.
- MC (internal) authentication. Internal user authorization is specific to MC itself. You create a user with a username and password combination. This method stores MC user information in an internal database on the MC application/web server, and encrypts passwords. Note that these MC users are not system (Linux) users; they are entries in the MC's internal database.
- LDAP authentication. All MC users (except for the MC super administrator, which is a Linux account) are authenticated based on search criteria against your organization's LDAP repository. MC uses information from LDAP for authentication purposes only and does not modify LDAP information. Also, MC does not store LDAP passwords but passes them to the LDAP server for authentication.
Instructions for creating new MC users are in this topic.
- If you chose MC authentication, follow the instructions under Create a New User Authenticated by MC.
- If you chose LDAP authentication, follow the instructions under Create a New User from LDAP.
See Configuring Management Console, Users in Management Console, and LDAP authentication for more information.
Prerequisites
Before you create an MC user, ensure that:
- You have created a database directly on the server or through the MC interface, or you imported an existing database cluster into the MC interface. See Managing database clusters.
- You have created a database user account (source user) on the server, which has the privileges and/or roles you want to map to the new (target) MC user. See Creating a database user.
- You know which MC privileges you want to grant to the new MC user. See Users, roles, and privileges.
- You will be mapping the MC user to a Vertica DB user who has sysmonitor privileges assigned, or to the Vertica database super user. Without sysmonitor (or super user) privileges, the mapped MC user will not be able to view information in MC monitoring tables, and will not be able to load Kafka streaming data.
If you have not yet met the first two above prerequisites, you can still create new MC users; you just won't be able to map them to a database until after the database and target database user exist. To grant MC users database access later, see Granting database access to MC users.
Create a new user authenticated by MC
1. Sign in to MC as an administrator and navigate to MC Settings > User Management.
2. Click Add.
3. Enter the MC username.

   Note: It is not necessary to give the MC user the exact same name as the database user account you'll map the MC user to in Step 7. What matters is that the source database user has privileges and/or roles similar to the database role you want to grant the MC user. The most likely scenario is that you map multiple MC users to a single database user account.
4. Let MC generate a password or create one by clicking Edit password. If LDAP has been configured, the MC password field will not appear.
5. Optionally enter the user's e-mail address.
6. Select an MC configuration permissions level. See Configuration privileges. Your choice in this field also fills in the appropriate User API Key value.
7. Next to the DB access levels section, click Add to grant this user database permissions.
   - Choose a database. Select a database from the list of MC-discovered databases (those that were created on or imported into the MC interface).
   - Database username. Enter an existing database user name or, if the database is running, click the ellipsis [...] to browse for a list of database users, and select a name from the list.
   - Database password. Enter the password to the database user account (not this username's password).
   - Restricted access. Choose a database level (ADMIN, IT, or USER) for this user.
8. Click OK to close the Add permissions dialog box.
9. If the Vertica database is configured to require TLS, select Yes in the Use TLS Connection drop-down. MC launches the Certificates wizard to let you configure TLS. See MC certificates wizard.
10. Leave the user's Status as enabled (the default). If you need to prevent this user from accessing MC, select disabled.
11. Click Add User to finish.
Create a new LDAP-authenticated user
When you add a user from LDAP on the MC interface, options on the Add a new user dialog box are slightly different from when you create users without LDAP authentication. Because passwords are stored externally (on the LDAP server), the password field does not appear. An MC administrator can override the default LDAP search string if the user is found in another branch of the tree. The Add user field is pre-populated with the default search path entered when LDAP was configured.
1. Sign in to MC and navigate to MC Settings > User management.
2. Click Add and provide the following information:
   - LDAP user name.
   - LDAP search string.
   - User attribute, and click Verify user.
   - User's email address.
   - MC configuration role. NONE is the default. See Configuration privileges for details.
   - Database access level. See Database privileges for details.
   - Accept or change the default user's Status (enabled).
3. Click Add user.
If you encounter issues when creating new users from LDAP, you'll need to contact your organization's IT department.
How MC validates new users
After you click OK to close the Add permissions dialog box, MC tries to validate the database username and password entered against the selected MC-managed database or against your organization's LDAP directory. If the credentials are found to be invalid, you are asked to re-enter them.
If the database is not available at the time you create the new user, MC saves the username/password and prompts for validation when the user accesses the Database and Clusters page later.
2 - Managing MC users
You manage MC users through the following pages on the Management Console interface:
Who manages users
The MC superuser administrator (SUPER Role (MC)) and users granted ADMIN role (MC) manage all aspects of users, including their access to MC and to MC-managed databases.
Users granted IT Role (MC) can enable and disable user accounts. For more information, see Users, roles, and privileges and Users in Management Console.
Editing an MC user's information follows almost the same steps as creating a new user, except that you select an existing user and click Edit. The user's information will be pre-populated, so that you can edit and save it.
The only user account you cannot alter or remove from the MC interface is the MC super account.
For details about each user type, see Configuration privileges.
You can change the following user properties:
- MC password
- Email address. This field is optional. If the user is authenticated against LDAP, the email field is pre-populated with that user's email address if one exists.
- Configuration privileges role
- Database privileges role
You can also change a user's status (enable/disable access to MC) and delete users.
About user names
After you create and save a user, you cannot change that user's MC user name, but you can delete the user account and create a new user account under a new name. The only thing you lose by deleting a user account is its audit activity, but MC immediately resumes logging activity under the user's new account.
3 - Granting database access to MC users
If you did not grant an MC user a database-level role when you created the user account, you can do so in the User Management tab in MC Settings.
Granting the user an MC database-level role associates the MC user with a database user's privileges and ensures that the MC user cannot do or see anything not allowed by the privileges set up for the user account on the server database. When that MC user logs in to MC, his or her MC privileges for database-related activities are compared to that user's privileges on the database itself. Only when the user has both MC privileges and corresponding database privileges will the operations be exposed in the MC interface.
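The following added example (not Vertica or MC code) audits MC-user-to-database-user mappings against the rules described here and in the prerequisites: the mapped account needs sysmonitor or superuser privileges, and MC exposes only what both the MC level and the database account allow. The inventory layout, user names, and finding labels are assumptions constructed for illustration; this is not an MC export format.

```python
from collections import defaultdict

# Constructed inventory (assumed layout): MC users, their MC roles, and DB mappings.
MC_USERS = [
    {"mc_user": "alice", "config_role": "ADMIN", "db": "analytics", "db_user": "dbadmin",    "db_level": "ADMIN"},
    {"mc_user": "bob",   "config_role": "NONE",  "db": "analytics", "db_user": "mc_monitor", "db_level": "USER"},
    {"mc_user": "carol", "config_role": "NONE",  "db": "analytics", "db_user": "mc_monitor", "db_level": "IT"},
    {"mc_user": "dave",  "config_role": "NONE",  "db": "analytics", "db_user": "dbadmin",    "db_level": "USER"},
    {"mc_user": "erin",  "config_role": "IT",    "db": "analytics", "db_user": "report_ro",  "db_level": "USER"},
]
# Constructed database-side facts for each source (database) user.
DB_USERS = {
    ("analytics", "dbadmin"):    {"superuser": True,  "roles": set()},
    ("analytics", "mc_monitor"): {"superuser": False, "roles": {"sysmonitor"}},
    ("analytics", "report_ro"):  {"superuser": False, "roles": set()},
}

def audit_mappings(mc_users, db_users):
    """Return (who, issue) pairs for mappings that deserve review."""
    findings, shared = [], defaultdict(list)
    for m in mc_users:
        key = (m["db"], m["db_user"])
        shared[key].append(m["mc_user"])
        src = db_users.get(key)
        if src is None:
            findings.append((m["mc_user"], "UNKNOWN_DB_USER"))
            continue
        # Prerequisite: without sysmonitor or superuser, MC monitoring tables are not visible.
        if not src["superuser"] and "sysmonitor" not in src["roles"]:
            findings.append((m["mc_user"], "NO_SYSMONITOR"))
        # Least privilege: superuser credentials stored for a user whose MC level is below ADMIN.
        if src["superuser"] and m["db_level"] != "ADMIN":
            findings.append((m["mc_user"], "SUPERUSER_BEHIND_LOWER_LEVEL"))
    # Several MC users behind one database account appear as a single user on the database side.
    for (db, db_user), names in sorted(shared.items()):
        if len(names) > 1:
            findings.append((",".join(sorted(names)), "SHARED_DB_ACCOUNT:" + db_user))
    return findings

if __name__ == "__main__":
    for who, issue in audit_mappings(MC_USERS, DB_USERS):
        print(f"{who:12} {issue}")
```
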
Prerequisites
Before you grant database access to an MC user, see the prerequisites in Creating an MC user.
Grant a database-level role to an MC user
1. Log in to Management Console as an administrator and navigate to MC Settings > User management.
2. Select an MC user and click Edit.
3. Verify the Configuration privileges are what you want them to be. NONE is the default.
4. Next to the DB access levels section, click Add and provide the following database access credentials:
   - Choose a database. Select a database from the list of MC-discovered databases (those that were created on or imported into the MC interface).
   - Database username. Enter an existing database user name or, if the database is running, click the ellipsis [...] to browse for a list of database users, and select a name from the list.
   - Database password. Enter the password to the database user account (not this username's password).
   - Restricted access. Choose a database level (ADMIN, IT, or USER) for this user.
5. Click OK to close the Add permissions dialog box.
6. If the Vertica database is configured to require TLS, select Yes in the Use TLS Connection drop-down. MC launches the Certificates wizard to let you configure TLS. See MC certificates wizard.
7. Optionally change the user's Status (enabled is the default).
8. Click Save.
How MC validates new users
After you click OK to close the Add permissions dialog box, MC tries to validate the database username and password entered against the selected MC-managed database or against your organization's LDAP directory. If the credentials are found to be invalid, you are asked to re-enter them.
If the database is not available at the time you create the new user, MC saves the username/password and prompts for validation when the user accesses the Database and Clusters page later.
4 - Managing MC user passwords
MC user passwords must be different from the username and must contain at least one of each of the following character types:
Configurable password requirements
You can configure additional password requirements by navigating to Home > MC Settings > Configuration > MC Password configuration settings.
| Parameter | Settings |
| --- | --- |
| Minimum password length | The minimum number of characters required in a password. Minimum: 8 (default). Maximum: 30. |
Security questions
When a user creates an MC account, they must set security questions. If a user forgets their password, they can reset their password by answering these questions. These answers:
- must only contain letters, numbers, and spaces
- must be between 2 and 30 characters in length, inclusive
- are case insensitive