Using Fall Through Authentication

Posted July 21, 2023 by Sruthi Anumula, Senior Database Support Engineer


If a user tries to log in with their credentials and that authentication method fails, the user cannot fall back to another authentication method. A simple example: a user was configured with hash authentication, and later TLS authentication was introduced and granted to all users (that is, granted to PUBLIC) with a higher priority. If the certificates expire, users cannot log in to the database, which disrupts day-to-day activities. The same can happen when the LDAP or Ident server is down, and so on.

Starting with Vertica 12.x, fall through authentication is supported for many client authentication methods. You can allow an authentication record to fall through to the next record in priority order. By default, fall through authentication is disabled for all client authentication records.

In this blog post, I will show a sample of how ident authentication can fall through to hash authentication when the Ident server is down.

I have set up Ident authentication for my Linux user named test and given it the highest priority. Greater values indicate higher priority.


verticadb=> CREATE AUTHENTICATION v_ident METHOD 'ident' LOCAL;
CREATE AUTHENTICATION
verticadb=> ALTER AUTHENTICATION v_ident SET system_users='test';
ALTER AUTHENTICATION
verticadb=> GRANT AUTHENTICATION v_ident TO test;
GRANT AUTHENTICATION
verticadb=> ALTER AUTHENTICATION v_ident PRIORITY 5;
ALTER AUTHENTICATION

Hash authentication was already granted to the user named test.


verticadb => select auth_name, auth_method,auth_parameters,auth_priority,is_fallthrough_enabled from client_auth where auth_name in ('userhash','v_ident');
 auth_name | auth_method |  auth_parameters  | auth_priority | is_fallthrough_enabled
-----------+-------------+-------------------+---------------+------------------------
 userhash  | HASH        |                   |             0 | False
 v_ident   | IDENT       | system_users=test |             5 | False
(2 rows)

Since ident has the higher priority, when the test user logs in, ident authentication is used; as you can see, it did not prompt for a password.

[dbadmin@node1 ~]$ su test
Password:
bash-4.2$ vsql
Welcome to vsql, the Vertica Analytic Database interactive terminal.

Type:  \h or \? for help with vsql commands
       \g or terminate with semicolon to execute query
       \q to quit

verticadb=>

In general, if fall through is not enabled and the Ident server is down, login fails for the user.

Let us stop the Ident server and log in as the test user.

[dbadmin@node1 ~]$ sudo service xinetd stop
Redirecting to /bin/systemctl stop xinetd.service

[dbadmin@node1 ~]$ su test
Password:
bash-4.2$ vsql
vsql: FATAL 2248:  Authentication failed for username "test"

Now let's enable fall through authentication for ident as a superuser and try to log in as test.

[dbadmin@node1 ~]$ vsql
verticadb=> ALTER AUTHENTICATION v_ident FALLTHROUGH;
ALTER AUTHENTICATION
verticadb=>

[dbadmin@node1 ~]$ su test
Password:
bash-4.2$ vsql
Password:
Welcome to vsql, the Vertica Analytic Database interactive terminal.

Type:  \h or \? for help with vsql commands
       \g or terminate with semicolon to execute query
       \q to quit

verticadb=>

Now the login succeeds, and since it prompted for a password, HASH authentication was used.

Fall through authentication works only between methods whose authentication parameters are the same. For example, gss cannot fall through to hash, because logging in with gss authentication requires the user to pass the KerberosHostname parameter.
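As an added example (not part of the original post), the following query lists all client authentication records in the order Vertica tries them and flags records that depend on an external service but have fall through disabled, so lock-out risk can be spotted before a certificate or server outage. It uses only the client_auth columns shown above; the method-name spellings for LDAP, TLS and GSS and the text cast on is_fallthrough_enabled are assumptions.

```sql
-- Added audit query (not from the original post). Shows client authentication
-- records from highest to lowest priority, as Vertica evaluates them, and
-- flags records that rely on an external service (Ident, LDAP, TLS certs,
-- Kerberos) yet have fall through disabled: if that service is down, users
-- granted such a record never reach the lower-priority HASH record.
-- Assumption: is_fallthrough_enabled is compared through a text cast so the
-- query works whether the column is stored as a boolean or as text.
SELECT auth_name,
       auth_method,
       auth_parameters,
       auth_priority,
       is_fallthrough_enabled,
       CASE
           WHEN UPPER(auth_method) IN ('IDENT', 'LDAP', 'TLS', 'GSS')
                AND LOWER(is_fallthrough_enabled::VARCHAR) LIKE 'f%'
               THEN 'lock-out risk: external dependency, no fall through'
           WHEN UPPER(auth_method) IN ('IDENT', 'LDAP', 'TLS', 'GSS')
               THEN 'falls through to next record'
           ELSE 'local method'
       END AS assessment
FROM client_auth
ORDER BY auth_priority DESC, auth_name;
```

Run it after each ALTER AUTHENTICATION ... PRIORITY or FALLTHROUGH change; any row marked as a lock-out risk that sits above a HASH record is the situation the post describes.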

For more information, refer to the Authentication Method Compatibility Matrix in the Vertica documentation.