Client authentication
Authentication records and their associated methods define what credentials a user or client application must provide to access the database. For example, the hash authentication method requires users to provide a password, while the oauth authentication method requires users to provide an access token.
Client authentication overview
Vertica uses the following procedure to authenticate users:

- If a client attempts to authenticate as the dbadmin from a local connection (that is, on the same node as the database):
  - If the dbadmin does not have a password, Vertica authenticates the client with the trust method.
  - If the dbadmin has a password, Vertica authenticates the client with the hash method.
- If a client attempts to authenticate as a database user that does not have a password, and the only authentication records defined are the defaults, then Vertica authenticates the client with the trust method. For details, see Implicit authentication.
- If a client specifies the credentials for a particular authentication method, Vertica filters for granted authentication records that use that method, skipping higher-priority authentication records (except trust, which cannot be skipped). However, if the client sends credentials that correspond to an authentication record that the user has not been granted, Vertica uses the granted record with the highest priority.
- If a client attempts to authenticate as a user that has a password and an authentication record, Vertica attempts to authenticate the client with that record. If more than one authentication record exists for the user or role, Vertica chooses the one with the highest priority.

  Note
  Typically, if no custom authentication records were defined with CREATE AUTHENTICATION, the default authentication records take effect (unless the dbadmin deliberately dropped them), and clients are authenticated with the password method.

  - If the client fails to authenticate with the chosen authentication record and fallthrough authentication is enabled on it, Vertica attempts to authenticate the client with the record with the next highest priority. Otherwise, the client is rejected.
- Otherwise, no authentication records exist and the default authentication records have been dropped; no users (other than the dbadmin from a local connection) can access the database.
Authentication management
Users with the DBADMIN role can perform the following authentication tasks:
- Create authentication records with CREATE AUTHENTICATION.
- Drop an authentication record from the database with DROP AUTHENTICATION.
- Define the parameters that particular authentication methods require (for example, the LDAP, Kerberos, or OAuth 2.0 server settings).
- Grant (assign) an authentication record to a user or role, or revoke it.
- Use ALTER AUTHENTICATION to:
  - Enable or disable authentication methods.
  - Define a default authentication method to be used when a user has not been assigned a specific one. To make a record the default, use GRANT (authentication) to grant it to the PUBLIC role.
  - Change authentication record priority.
  - Enable fallthrough authentication.
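The following dbadmin session, added here as a worked example rather than taken from the Vertica documentation, builds the kind of records the procedure above chooses between and then inspects the result: a hash record and an LDAP record for the same network, method parameters on the LDAP record, priorities so that LDAP is tried first, fallthrough so that a failed LDAP bind continues to the hash record, a per-user grant, and a PUBLIC grant that serves as the default. The record names (corp_ldap, office_hash), the user analyst, the 10.0.0.0/8 range and the LDAP host and base DN are assumptions for illustration; the column filter on client_auth_params assumes the auth_name column.

```sql
-- Added example, not the page's own code. Names and network values are assumed.

-- 1. Two records for clients on the office network. HOST records match by client
--    address; a LOCAL record would match connections on the node itself.
CREATE AUTHENTICATION office_hash METHOD 'hash' HOST '10.0.0.0/8';
CREATE AUTHENTICATION corp_ldap   METHOD 'ldap' HOST '10.0.0.0/8';

-- 2. Method-specific parameters are set on the record, not on the user.
--    Server and base DN below are placeholders.
ALTER AUTHENTICATION corp_ldap SET
    host          = 'ldap://ldap.example.com',
    basedn        = 'dc=example,dc=com',
    binddn_prefix = 'cn=',
    binddn_suffix = ',ou=people,dc=example,dc=com';

-- 3. Priority decides which granted record is tried first; the higher value wins.
ALTER AUTHENTICATION corp_ldap   PRIORITY 20;
ALTER AUTHENTICATION office_hash PRIORITY 10;

-- 4. Opt in to fallthrough on the LDAP record only: if the LDAP bind fails,
--    Vertica continues to the next highest-priority granted record
--    (office_hash) instead of rejecting the client outright.
ALTER AUTHENTICATION corp_ldap FALLTHROUGH;

-- 5. Grant per user, and grant one record to PUBLIC so that users without a
--    specific grant still get a defined method rather than falling back to
--    whatever default records remain.
GRANT AUTHENTICATION corp_ldap   TO analyst;
GRANT AUTHENTICATION office_hash TO PUBLIC;

-- 6. Verify what the authentication procedure will consult. client_auth lists
--    every record with its method, host scope, enabled flag, fallthrough flag
--    and priority; client_auth_params lists the per-record parameters.
SELECT * FROM client_auth;
SELECT * FROM client_auth_params WHERE auth_name = 'corp_ldap';

-- 7. While testing, disable a record instead of dropping it; a disabled record
--    is skipped by the procedure but keeps its grants and parameters.
ALTER AUTHENTICATION office_hash DISABLE;
ALTER AUTHENTICATION office_hash ENABLE;

-- 8. Removal: revoke the grant first, then drop. CASCADE drops a record that
--    is still granted, which silently changes which record wins for those users.
REVOKE AUTHENTICATION office_hash FROM PUBLIC;
DROP AUTHENTICATION office_hash;
```

Two checks are worth running after any change like this: query client_auth to confirm that the record you expect to win actually has the highest priority among the records granted to the affected user, and confirm that fallthrough is enabled only where a weaker fallback is acceptable, since enabling it on a strong record lets a failed attempt continue to whatever lower-priority record the user also holds.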
In this section
- Default authentication records
- Configuring client authentication
- Fallthrough authentication
- Authentication filtering
- Implicit authentication
- Dbadmin authentication access
- Creating authentication records
- Modifying authentication records
- Authentication record priority
- Viewing information about client authentication records
- Enabling and disabling authentication methods
- Granting and revoking authentication methods
- Hiding database usernames
- Hash authentication
- Ident authentication
- Kerberos authentication
- LDAP authentication
- OAuth 2.0 authentication
- TLS authentication