Using Fallthrough Authentication

Posted July 21, 2023 by Sruthi Anumula, Senior Database Support Engineer


Prior to Vertica 12.0.x, if a user failed to log in with one authentication method, they could not attempt to log in again with another method in the same connection attempt. For example, if a user failed to log in with hash authentication, they could not then attempt to log in with LDAP. Another example is TLS authentication: if a user's certificate expired, they were locked out of the database until they were either granted a different authentication record with a higher priority or issued a new certificate. The same could occur with LDAP and Ident.

To address this, Vertica 12.0.x and above support fallthrough authentication for most client authentication methods, which allows certain methods to fall through to the next authentication record (determined by record priority), giving the user another chance to authenticate. This feature is disabled by default for new authentication records.

The following example demonstrates how an Ident authentication record can fall through to a hash authentication record when the Ident server is down.

Create an Ident authentication record “v_ident” for the Linux user “test,” give it the highest priority, and then grant it to the test user. Greater values indicate higher priorities. Fallthrough authentication is disabled for this record:


verticadb=> CREATE AUTHENTICATION v_ident METHOD 'ident' LOCAL;
CREATE AUTHENTICATION
verticadb=> ALTER AUTHENTICATION v_ident SET system_users='test';
ALTER AUTHENTICATION
verticadb=> GRANT AUTHENTICATION v_ident TO test;
GRANT AUTHENTICATION
verticadb=> ALTER AUTHENTICATION v_ident PRIORITY 5;
ALTER AUTHENTICATION

This user also has the “userhash” authentication record:


verticadb => select auth_name, auth_method,auth_parameters,auth_priority,is_fallthrough_enabled from client_auth where auth_name in ('userhash','v_ident');
 auth_name | auth_method |  auth_parameters  | auth_priority | is_fallthrough_enabled
-----------+-------------+-------------------+---------------+------------------------
 userhash  | HASH        |                   |             0 | False
 v_ident   | IDENT       | system_users=test |             5 | False
(2 rows)

Because v_ident has the higher priority, Vertica attempts to authenticate the user using that record:

[dbadmin@node1 ~]$ su test
Password:
bash-4.2$ vsql
Welcome to vsql, the Vertica Analytic Database interactive terminal.

Type:  \h or \? for help with vsql commands
       \g or terminate with semicolon to execute query
       \q to quit

verticadb=>

However, if the Ident server is down, the user cannot log in. The “v_ident” record has fallthrough authentication disabled, so if the user fails to authenticate with it, they are rejected completely; the “userhash” record is never used. Here, we stop the Ident service and attempt to log in:

[dbadmin@node1 ~]$ sudo service xinetd stop
Redirecting to /bin/systemctl stop xinetd.service

[dbadmin@node1 ~]$ su test
Password:
bash-4.2$ vsql
vsql: FATAL 2248:  Authentication failed for username "test"

To fix this, enable fallthrough authentication for “v_ident.” The first attempt to log in (by just running “vsql”) fails, so Vertica falls through to the “userhash” authentication record, which prompts for a password:

[dbadmin@node1 ~]$ vsql
verticadb=> ALTER AUTHENTICATION v_ident FALLTHROUGH;
ALTER AUTHENTICATION
verticadb=>

[dbadmin@node1 ~]$ su test
Password:
bash-4.2$ vsql
Password:
Welcome to vsql, the Vertica Analytic Database interactive terminal.

Type:  \h or \? for help with vsql commands
       \g or terminate with semicolon to execute query
       \q to quit

verticadb=>

Not all authentication records can fall through to each other. For details on fallthrough compatibility, see Fallthrough authentication in the Vertica documentation.
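As an added example (not part of the original post), the following query finds users exposed to the lockout described above: those whose highest-priority authentication record has fallthrough disabled even though a lower-priority record is also granted to them. It assumes that v_catalog.user_client_auth (user_name, auth_name) maps authentication grants to users; that table and its column names are an assumption, while client_auth and its columns are the ones shown earlier.

```sql
-- Audit query for the lockout scenario in this post: a user whose
-- top-priority record cannot fall through never reaches the records
-- granted to them at lower priority (e.g. v_ident over userhash).
-- Assumption: v_catalog.user_client_auth(user_name, auth_name) lists
-- which authentication records are granted to which users.
WITH granted AS (
    SELECT u.user_name,
           c.auth_name,
           c.auth_method,
           c.auth_priority,
           c.is_fallthrough_enabled,
           -- rank each user's records from highest to lowest priority
           ROW_NUMBER() OVER (PARTITION BY u.user_name
                              ORDER BY c.auth_priority DESC) AS priority_rank,
           COUNT(*) OVER (PARTITION BY u.user_name) AS records_granted
    FROM v_catalog.user_client_auth u
    JOIN v_catalog.client_auth c ON c.auth_name = u.auth_name
)
SELECT user_name, auth_name, auth_method, auth_priority
FROM granted
WHERE priority_rank = 1          -- the record Vertica tries first
  AND records_granted > 1        -- a fallback record exists but is unreachable
  -- the column displays as False in the post; accept either spelling
  AND LOWER(is_fallthrough_enabled::VARCHAR) IN ('f', 'false')
ORDER BY user_name;
```

Each row returned is a record where `ALTER AUTHENTICATION <auth_name> FALLTHROUGH;` (as shown for v_ident above) would let the user reach their lower-priority record, subject to the compatibility rules in the Vertica documentation.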