Client authentication

Authentication records and their associated methods define what credentials a user/client application must provide to access the database. For example, the hash authentication method requires users to provide a password, while the oauth authentication method requires users to provide an access token.

Client authentication overview

Vertica uses the following procedure to authenticate users:

  1. If a client attempts to authenticate as the dbadmin from a local connection (that is, on the same node as the database):

    • If the dbadmin does not have a password, Vertica authenticates the client with the trust method.

    • If the dbadmin has a password, Vertica authenticates the client with the hash method.

  2. If a client attempts to authenticate as a database user that does not have a password, and the only authentication records defined are the defaults, then Vertica authenticates the client with the trust method. For details, see Implicit authentication.

  3. If a client specifies the credentials for a particular authentication method, Vertica filters for granted authentication records that use that method, skipping higher priority authentication records (except TRUST, which is not skippable). However, if the client sends credentials that correspond with an authentication record that they do not have, Vertica uses the record with the highest priority.

  4. If a client attempts to authenticate as a user that has a password and an authentication record, then Vertica attempts to authenticate the client with that record. If more than one authentication record exists for the user or role, Vertica chooses the one with the highest priority.

  5. If the client fails to authenticate with the chosen authentication method and authentication fallthrough is enabled, Vertica attempts to authenticate the client with the authentication record with the next highest priority. Otherwise, the client is rejected.

  6. Otherwise, no authentication records exist and the default authentication records have been dropped; no users (other than the dbadmin from a local connection) can access the database.

Authentication management

Users with the DBADMIN role can perform the following authentication tasks:

  • Create authentication records.

  • Drop an authentication record from the database.

  • Define the parameters required by an authentication method.

  • Grant (assign) an authentication record to a user, or revoke it from a user.

  • Use ALTER AUTHENTICATION to:

    • Enable/disable authentication methods.

    • Define a default authentication method to be used if a user has not been assigned a specific authentication method. To assign this as a default authentication method, use GRANT (authentication) to grant it to the PUBLIC role.

    • Change authentication record priority.

    • Enable fallthrough authentication.
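The following statements are an added example (not taken from the Vertica documentation) that put the management tasks above together and show how the selection procedure from the overview applies to the result. The record names (v_ldap, v_hash), the role name analysts, the LDAP server and base DN, and the 10.0.0.0/8 client range are all constructed values; the FALLTHROUGH clause is assumed to match the ALTER AUTHENTICATION syntax of your Vertica version, so check it against the reference for the release you run.

```sql
-- Constructed example: network clients in 10.0.0.0/8 must use TLS and are
-- authenticated against LDAP first; a local password hash is the fallback.

-- 1. Create the records. The access method (HOST TLS '...') limits which
--    client connections the record applies to at all.
CREATE AUTHENTICATION v_ldap METHOD 'ldap' HOST TLS '10.0.0.0/8';
CREATE AUTHENTICATION v_hash METHOD 'hash' HOST TLS '10.0.0.0/8';

-- 2. Define the parameters the ldap method requires (constructed server/DN values).
ALTER AUTHENTICATION v_ldap SET
    host          = 'ldaps://ldap.example.com',
    basedn        = 'dc=example,dc=com',
    binddn_prefix = 'uid=',
    binddn_suffix = ',ou=people,dc=example,dc=com';

-- 3. Set priorities: the higher number is tried first (step 4 of the overview).
ALTER AUTHENTICATION v_ldap PRIORITY 10;
ALTER AUTHENTICATION v_hash PRIORITY 5;

-- 4. Records are inert until enabled.
ALTER AUTHENTICATION v_ldap ENABLE;
ALTER AUTHENTICATION v_hash ENABLE;

-- 5. Grant both records to a role (assumed name) instead of PUBLIC, so only
--    members of that role can use them; granting to PUBLIC would make a
--    record the default for every user that has no record of its own.
GRANT AUTHENTICATION v_ldap TO analysts;
GRANT AUTHENTICATION v_hash TO analysts;

-- 6. Allow a failed LDAP bind to fall through to the next highest priority
--    record (v_hash) rather than rejecting the client (step 5 of the overview).
--    Assumed syntax; verify against your version's ALTER AUTHENTICATION reference.
ALTER AUTHENTICATION v_ldap FALLTHROUGH;

-- 7. Review what is now in effect before relying on it.
SELECT * FROM v_catalog.client_auth;
SELECT * FROM v_catalog.client_auth_params;
```

With this configuration, a member of analysts connecting over TLS from 10.0.0.0/8 is matched against v_ldap first because it has the highest priority; only if the LDAP bind fails does fallthrough hand the connection to v_hash. A client that presents only a password is filtered to the hash record directly (step 3 of the overview), so the hash record is reachable without going through LDAP at all. That is the practical consequence to weigh when deciding whether to grant a lower-priority password record alongside a directory-backed one: fallthrough widens what is accepted, and every record that is granted and enabled is a path a client can take.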