
Multi-realm Support
Vertica 9.0 introduces multi-realm support for Kerberos authentication. This allows you to assign a different realm so that users from another realm can authenticate to Vertica.
At times, customers may store users in a protected directory server (AD or Linux KDC) for their trusted realm. In this case, they are reluctant to add service principals to the realm or export keytabs from the realm.
This results in the customer having to set up another KDC with a different realm. This causes two issues:
• Vertica rejects logins which present tickets from users in other realms
• Vertica-HDFS integration does not understand multiple realms
The implementation of multi-realm support eliminates these issues.
Using Multi-realm Support
Vertica provides multi-realm support for Kerberos authentication through the SET param=value clause of ALTER AUTHENTICATION, with REALM as the parameter:
=> ALTER AUTHENTICATION krb_auth_users set REALM='USERS.COM';
=> ALTER AUTHENTICATION krb_auth_realmad set REALM='REALM_AD.COM';
Multi-realm support applies to GSS authentication types only. You can have one realm per authentication method. If you have multiple authentication methods, each can have its own realm:
=> SELECT * FROM client_auth;
auth_oid | auth_name | is_auth_enabled | auth_host_type | auth_host_address | auth_method | auth_parameters | auth_priority
---------+-----------+-----------------+----------------+-------------------+-------------+-----------------+-----------------
45035996 | krb001 | True | HOST | 0.0.0.0/0 | GSS | realm=USERS.COM | 0
45035997 | user_auth | True | LOCAL | | TRUST | | 1000
45035737 | krb002 | True | HOST | 0.0.0.0/0 | GSS | realm=REALM_AD.COM | 1
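The following end-to-end sequence is an added example, not taken from the Vertica documentation: it creates two GSS authentication methods, binds each to its own realm, grants them to users, and then audits the result. The user names alice and bob and the client network 10.20.0.0/16 are constructed for illustration; the method and realm names are the ones used above.

```sql
-- One GSS authentication method per realm. The HOST range is a constructed
-- example; restrict it to the networks your Kerberos clients connect from
-- rather than accepting every address.
CREATE AUTHENTICATION krb_auth_users   METHOD 'gss' HOST '10.20.0.0/16';
CREATE AUTHENTICATION krb_auth_realmad METHOD 'gss' HOST '10.20.0.0/16';

-- Bind each method to exactly one realm (one realm per method).
ALTER AUTHENTICATION krb_auth_users   SET REALM='USERS.COM';
ALTER AUTHENTICATION krb_auth_realmad SET REALM='REALM_AD.COM';

-- Grant each method only to the users who hold tickets from that realm.
-- alice and bob are hypothetical database users.
GRANT AUTHENTICATION krb_auth_users   TO alice;
GRANT AUTHENTICATION krb_auth_realmad TO bob;

-- Audit 1: list every GSS method with the realm it accepts.
SELECT auth_name, auth_host_address, auth_parameters, auth_priority
FROM client_auth
WHERE auth_method = 'GSS'
ORDER BY auth_priority DESC;

-- Audit 2: enabled GSS methods that carry no explicit realm, or that accept
-- connections from any address. Review each row that comes back.
SELECT auth_name, auth_host_address, auth_parameters
FROM client_auth
WHERE auth_method = 'GSS'
  AND is_auth_enabled
  AND (COALESCE(auth_parameters, '') NOT ILIKE '%realm=%'
       OR auth_host_address = '0.0.0.0/0');
```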