Client authentication

Implementing strong security programs provides Vertica users the assurance that access to sensitive information is closely guarded. Vertica uses several approaches to manage data access. The database server uses client authentication to establish the identity of the requesting client and determines whether that client is authorized to connect to the Vertica server using the supplied credentials.

Encrypting client-server communication

Vertica uses Transport Layer Security (TLS) to establish a secure connection between the client machine and the server. Configure TLS to:

  • Authenticate the server so the client can confirm the server's identity before sending credentials. Vertica also supports mutual authentication, in which the server verifies the client's certificate as well. Both forms of authentication help prevent "man-in-the-middle" attacks.

  • Encrypt data sent between the client and database server to significantly reduce the likelihood that the data can be read if the connection between the client and server is compromised.

  • Verify that data sent between the client and server has not been altered during transmission.

For details see TLS protocol.
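As an added example (not part of the page or of Vertica's own documentation), the following statements configure the server side of the TLS connection described above, first with a weak mode and then with a hardened one. It assumes the Vertica 10.1+ TLS CONFIGURATION syntax, and the certificate, key and CA names are placeholders.

```sql
-- Added example; object names and the PEM bodies (elided as '...') are assumptions.

-- 1. Import the CA that signed the server certificate, then the server
--    certificate together with its private key.
CREATE CA CERTIFICATE corp_ca
    AS '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----';
CREATE KEY server_key TYPE 'RSA'
    AS '-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----';
CREATE CERTIFICATE server_cert
    AS '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----'
    SIGNED BY corp_ca KEY server_key;

-- 2. Weak setting: TLS is offered so the client can verify the server and the
--    channel is encrypted, but the server never checks who the client is.
ALTER TLS CONFIGURATION server CERTIFICATE server_cert TLSMODE 'ENABLE';

-- 3. Hardened setting (mutual TLS): the server verifies that the client
--    certificate chains to corp_ca. VERIFY_FULL additionally matches the
--    certificate subject against the connecting client.
ALTER TLS CONFIGURATION server
    CERTIFICATE server_cert
    ADD CA CERTIFICATES corp_ca
    TLSMODE 'VERIFY_CA';

-- Caveat (practitioner's reading of the TLSMODE semantics, not stated on this
-- page): the server-side mode alone does not refuse plaintext sessions. To make
-- TLS mandatory for a network range, scope the client authentication record to
-- TLS connections; a plaintext client then matches no record and is rejected.
CREATE AUTHENTICATION v_tls_only METHOD 'hash' HOST TLS '0.0.0.0/0';
GRANT AUTHENTICATION v_tls_only TO PUBLIC;

-- Check the resulting configuration.
SELECT name, certificate, ca_certificate, mode FROM v_catalog.tls_configurations
WHERE name = 'server';
```

The `v_catalog.tls_configurations` column names are from memory of recent Vertica releases; if your version differs, `SELECT * FROM tls_configurations` shows the same information.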

Authentication management

Users with the DBADMIN role can manage the following authentication tasks:

  • Assign a specific authentication method to a user using GRANT (authentication).

  • Use ALTER AUTHENTICATION to:

    • Enable/disable authentication methods.

    • Define a default authentication method to be used if a user has not been assigned a specific authentication method.

    • Define parameters required by LDAP, Ident, and Kerberos authentication methods.

  • Revoke a user's authentication record using REVOKE (authentication). The user then falls back to the default authentication method.

  • Delete an authentication record from the database using DROP AUTHENTICATION. Any users assigned the dropped record now use the default authentication method.
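The tasks in the list above, as one worked example added here (this is not code from the page or from Vertica's documentation). The record names, subnets, LDAP values and user names are assumptions chosen for illustration.

```sql
-- Added example; all names, addresses and LDAP settings are assumptions.

-- Local (Unix socket) connections authenticate with Vertica's stored password hash.
CREATE AUTHENTICATION v_local_hash METHOD 'hash' LOCAL;

-- Clients on the corporate network must connect over TLS and authenticate to LDAP.
CREATE AUTHENTICATION v_ldap METHOD 'ldap' HOST TLS '10.20.0.0/16';

-- Parameters required by the LDAP method (ALTER AUTHENTICATION ... SET).
-- ldaps:// keeps the bind password off the wire even if TLS to Vertica were misconfigured.
ALTER AUTHENTICATION v_ldap SET
    host          = 'ldaps://ldap.example.com',
    basedn        = 'dc=example,dc=com',
    binddn_prefix = 'uid=',
    binddn_suffix = ',ou=people,dc=example,dc=com';

-- An explicit catch-all so that anything not matched above is refused,
-- rather than relying on implicit behaviour.
CREATE AUTHENTICATION v_deny_all METHOD 'reject' HOST '0.0.0.0/0';

-- Default method: a record granted to PUBLIC applies to every user who has
-- no more specific record of their own.
GRANT AUTHENTICATION v_ldap      TO PUBLIC;
GRANT AUTHENTICATION v_deny_all  TO PUBLIC;

-- A specific assignment for one service account that runs on the database host.
CREATE USER etl_svc IDENTIFIED BY 'replace-with-generated-secret';
GRANT AUTHENTICATION v_local_hash TO etl_svc;

-- Ordering. Assumption for this example: records with a higher PRIORITY value
-- are evaluated first, so the catch-all reject gets the lowest value.
ALTER AUTHENTICATION v_local_hash PRIORITY 20;
ALTER AUTHENTICATION v_ldap       PRIORITY 10;
ALTER AUTHENTICATION v_deny_all   PRIORITY 0;

-- Enable/disable without deleting, e.g. while the directory is under maintenance.
ALTER AUTHENTICATION v_ldap DISABLE;
ALTER AUTHENTICATION v_ldap ENABLE;

-- Revoking the per-user record: etl_svc now falls back to the PUBLIC defaults,
-- which, for a local socket connection, means it is rejected by v_deny_all.
REVOKE AUTHENTICATION v_local_hash FROM etl_svc;

-- Retiring a record entirely. CASCADE also removes its remaining grants.
DROP AUTHENTICATION v_local_hash CASCADE;

-- Audit what is in force before closing the change.
SELECT * FROM v_catalog.client_auth ORDER BY auth_priority DESC;
SELECT * FROM v_catalog.client_auth_params;
```

Verify the evaluation order against the ALTER AUTHENTICATION reference for your release before relying on the priority numbers; the test that matters is connecting from each network range, with and without TLS, and confirming which record accepted or rejected the session.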

For details about managing authentication records, see Implementing client authentication.

User authorization

Database users should have access to just the database resources they need to perform their required tasks. For example, some users need to query only specific sets of data. To prevent unauthorized access to additional data, you can limit their access to just the data that they need to run their queries. Other users should be able to read the data but not be able to modify or insert new data. Still other users might need more permissive access, including the right to create and modify schemas, tables, and views, or grant other users access to database resources.
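As an added example (not from the page or from Vertica's documentation), the following statements set up the three kinds of access the paragraph describes: read-only on one data set, read-only on a whole schema, and schema ownership with the right to delegate. Schema, table, role and user names are assumptions.

```sql
-- Added example; the sales schema, its tables, and all role/user names are assumptions.

-- 1. A user who queries only one data set.
CREATE ROLE sales_reader;
-- USAGE on the schema is required in addition to SELECT on the table;
-- without it the SELECT grant is present but every query fails with a permission error.
GRANT USAGE ON SCHEMA sales TO sales_reader;
GRANT SELECT ON TABLE sales.orders TO sales_reader;

-- Narrower still: expose only some rows and columns through a view and grant the
-- view, not the underlying table.
CREATE VIEW sales.orders_emea AS
    SELECT order_id, order_date, amount FROM sales.orders WHERE region = 'EMEA';
CREATE ROLE sales_reader_emea;
GRANT USAGE ON SCHEMA sales TO sales_reader_emea;
GRANT SELECT ON sales.orders_emea TO sales_reader_emea;

-- 2. A user who may read everything in the schema but never modify it.
CREATE ROLE sales_analyst;
GRANT USAGE ON SCHEMA sales TO sales_analyst;
GRANT SELECT ON ALL TABLES IN SCHEMA sales TO sales_analyst;

-- 3. A user who creates and alters objects and can grant access to others.
CREATE ROLE sales_admin;
GRANT ALL ON SCHEMA sales TO sales_admin WITH GRANT OPTION;

-- Assign roles to users. A granted role is inert until it is enabled, either per
-- session with SET ROLE or automatically at login via DEFAULT ROLE.
CREATE USER alice IDENTIFIED BY 'replace-with-generated-secret';
GRANT sales_reader_emea TO alice;
ALTER USER alice DEFAULT ROLE sales_reader_emea;

CREATE USER bob IDENTIFIED BY 'replace-with-generated-secret';
GRANT sales_admin TO bob;
ALTER USER bob DEFAULT ROLE sales_admin;

-- Check: list effective privileges for the reader role and confirm nothing
-- beyond SELECT on the view reached alice.
SELECT grantee, privileges_description, object_schema, object_name
FROM v_catalog.grants
WHERE grantee IN ('alice', 'sales_reader_emea')
ORDER BY grantee, object_name;
```

A quick functional test after applying this is to connect as alice and run `SELECT * FROM sales.orders`, which should be denied, while `SELECT * FROM sales.orders_emea` succeeds.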

For information on controlling data access, see the following: