Authentication record priority
Each authentication record has a priority. If a user is granted more than one authentication record, Vertica attempts to authenticate the user with the record that has the highest priority and, unless fallthrough authentication applies, rejects the user if that authentication fails.
There are two ways to authenticate with a record other than the one with the highest priority:
- Fallthrough authentication: If authentication fails, Vertica attempts to authenticate the client with the record with the next highest priority.
- Authentication filtering: Clients can send the credentials required for a particular authentication method to authenticate with a record that uses that method.
Determining authentication priority
The following factors contribute to an authentication record's priority, as reflected in the CLIENT_AUTH system table:
=> SELECT auth_name, auth_method, auth_priority, method_priority, address_priority FROM client_auth;
auth_name | auth_method | auth_priority | method_priority | address_priority
---------------+-------------+---------------+-----------------+------------------
ldap_auth | LDAP | 5 | 5 | 96
hash_auth | HASH | 5 | 2 | 126
tls_auth | TLS | 0 | 5 | 96
oauth_auth | OAUTH | 0 | 5 | 96
gss_auth | GSS | 0 | 5 | 96
trust_auth | TRUST | 0 | 0 | 96
reject_auth | REJECT | 0 | 10 | 96
(7 rows)
Note
Greater values indicate higher priorities. For example:
- A priority of 10 is higher than a priority of 5.
- A priority of 0 is the lowest possible value.
Priorities are divided into tiers, listed below in order of importance; in the event of a tie at one priority tier, Vertica checks the next priority tier. For example, if a user had both ldap and hash authentication records with an auth_priority of 5, Vertica would attempt to use the ldap authentication record because it has a greater method_priority value:
- auth_priority: The priority explicitly set with ALTER AUTHENTICATION (default: 0).
- method_priority: The priority specific to the authentication method. These priorities are as follows:
  - trust: 0
  - hash: 2
  - ldap: 5
  - tls: 5
  - oauth: 5
  - gss: 5
  - reject: 10
- address_priority: The priority for the IP address specified in HOST [ TLS | NO TLS ] 'host-ip-address'. This priority is determined by the size of the netmask of the address: a netmask with fewer zero bits (a longer prefix) is more specific and therefore has a higher priority. LOCAL has the lowest priority: 0.
Setting authentication priority
To set authentication priority:
=> ALTER AUTHENTICATION authentication_name PRIORITY value;
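The following is an added example, not taken from the Vertica documentation, that walks through the three priority tiers described above and then uses ALTER AUTHENTICATION ... PRIORITY to override them. It assumes a database user named alice, an LDAP server at ldap://ldap.example.com, and the LDAP parameter names host, basedn, binddn_prefix and binddn_suffix; the record names hash_net and ldap_any are chosen for this example.

```sql
-- Added example (not from the Vertica documentation).
-- Assumed: user 'alice' exists; LDAP server ldap://ldap.example.com with
-- base DN dc=example,dc=com (hypothetical values).

-- Two records for the same user: password-hash authentication from the
-- 10.0.0.0/8 network only, and LDAP authentication from any address.
CREATE AUTHENTICATION hash_net METHOD 'hash' HOST '10.0.0.0/8';
CREATE AUTHENTICATION ldap_any METHOD 'ldap' HOST '0.0.0.0/0';

-- LDAP bind parameters (parameter names assumed for this example).
ALTER AUTHENTICATION ldap_any SET
    host = 'ldap://ldap.example.com',
    binddn_prefix = 'uid=',
    binddn_suffix = ',ou=people,dc=example,dc=com';

GRANT AUTHENTICATION hash_net TO alice;
GRANT AUTHENTICATION ldap_any TO alice;

-- Tier 1 (auth_priority) ties at the default 0 for both records, so tier 2
-- (method_priority) decides: LDAP (5) beats HASH (2). The more specific
-- HOST on hash_net does not help, because address_priority is only tier 3.
-- Sorting by the tiers in order of importance shows the record tried first.
SELECT auth_name, auth_method, auth_priority, method_priority, address_priority
FROM client_auth
WHERE auth_name IN ('hash_net', 'ldap_any')
ORDER BY auth_priority DESC, method_priority DESC, address_priority DESC;

-- Override tier 1 so that the hash record is tried first for alice;
-- any non-zero auth_priority outranks the method tier entirely.
ALTER AUTHENTICATION hash_net PRIORITY 10;

-- Re-running the ordered query now lists hash_net before ldap_any.
SELECT auth_name, auth_method, auth_priority, method_priority, address_priority
FROM client_auth
WHERE auth_name IN ('hash_net', 'ldap_any')
ORDER BY auth_priority DESC, method_priority DESC, address_priority DESC;
```

Because every record starts with auth_priority 0, the method tier normally decides ties, which keeps a trust record (method_priority 0) below hash, LDAP, TLS, OAuth and GSS records granted to the same user. Raising the auth_priority of a trust record above those records reverses that ordering, so the user would be trusted without presenting credentials whenever that record matches; check the ordered CLIENT_AUTH query after any PRIORITY change to confirm which record is tried first.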