Authentication record priority
Each authentication record has a priority. If a user is granted more than one authentication record, Vertica attempts to authenticate the user with the authentication record with the highest priority and rejects the user if authentication fails.
Determining authentication priority
The following factors contribute to an authentication record's priority, as reflected in the CLIENT_AUTH system table:
=> SELECT auth_name, auth_method, auth_priority, method_priority, address_priority FROM client_auth;
auth_name | auth_method | auth_priority | method_priority | address_priority
---------------+-------------+---------------+-----------------+------------------
ldap_auth | LDAP | 5 | 5 | 96
hash_auth | HASH | 5 | 2 | 126
tls_auth | TLS | 0 | 5 | 96
oauth_auth | OAUTH | 0 | 5 | 96
gss_auth | GSS | 0 | 5 | 96
trust_auth | TRUST | 0 | 0 | 96
reject_auth | REJECT | 0 | 10 | 96
(7 rows)
Note
Greater values indicate higher priorities. For example:
-
A priority of 10 is higher than a priority of 5.
-
A priority 0 is the lowest possible value.
Priorities are divided into tiers and listed in order of importance; in the event of a tie at one priority tier, Vertica checks the next priority tier. For example, if a user had both ldap
and hash
authentication records with an auth_priority
of 5, Vertica would attempt to use the ldap
authentication record because it has a greater method_priority
value:
-
auth_priority
: The priority explicitly set with ALTER AUTHENTICATION (default: 0). -
method_priority
: The priority specific to the authentication method. These priorities are as follows:-
trust
: 0 -
hash
: 2 -
ldap
: 5 -
tls
: 5 -
oauth
: 5 -
gss
: 5 -
reject
: 10
-
-
address_priority
: The priority for IP address specified inHOST [ TLS | NO TLS ] '
host-ip-address
'
. This priority is determined by the size of the netmask of the address; fewer zeros indicate greater specificity, and therefore higher priority.LOCAL
has the lowest priority: 0.
Setting authentication priority
To set authentication priority:
=> ALTER AUTHENTICATION authentication_name PRIORITY value;