Creating an MC User
MC provides two authentication schemes for MC users: LDAP or MC (internal). The method you choose when you configure MC is the method MC uses to authenticate all MC users. It is not possible to authenticate some MC users against LDAP and other MC users against credentials in the database through MC.
- MC (internal) authentication. Internal user authorization is specific to MC itself. You create a user with a username and password combination. This method stores MC user information in an internal database on the MC application/web server, and encrypts passwords. Note that these MC users are not system (Linux) users; they are entries in the MC’s internal database.
- LDAP authentication. All MC users—except for the MC super administrator, which is a Linux account—are authenticated based on search criteria against your organization's LDAP repository. MC uses information from LDAP for authentication purposes only and does not modify LDAP information. Also, MC does not store LDAP passwords but passes them to the LDAP server for authentication.
Instructions for creating new MC users are in this topic.
- If you chose MC authentication, follow the instructions under Create a New User Authenticated by MC.
- If you chose LDAP authentication, follow the instructions under Create a New LDAP-authenticated User.
Before you create an MC user, ensure that:
- You have created a database directly on the server or through the MC interface, or you imported an existing database cluster into the MC interface. See Managing Database Clusters.
- You have created a database user account (source user) on the server, which has the privileges and/or roles you want to map to the new (target) MC user. See Creating a Database User.
- You know which MC privileges you want to grant to the new MC user. See About MC Privileges and Roles.
You will be mapping the MC user to a Vertica DB user who has sysmonitor privileges assigned, or to the Vertica database super user. Without sysmonitor (or super user) privileges, the mapped MC user will not be able to view information in MC monitoring tables, and will not be able to load Kafka streaming data.
If you have not yet met the first two prerequisites above, you can still create new MC users; you just won't be able to map them to a database until after the database and target database user exist. To grant MC users database access later, see Granting Database Access to MC Users.
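One way to prepare the source database user described above, so that MC users are mapped to a least-privilege account rather than to the database super user. This is an added example, not part of the original topic; the user name `mc_monitor` and the password placeholder are hypothetical, and it assumes MC's connection relies on the account's default roles.

```sql
-- Added example: mc_monitor and the password are hypothetical placeholders.
-- Run as a database superuser (for example, dbadmin) in vsql.

-- 1. Create a dedicated source account for MC mappings instead of
--    handing out the database superuser's credentials.
CREATE USER mc_monitor IDENTIFIED BY '<choose-a-strong-password>';

-- 2. Grant the predefined SYSMONITOR role, which allows reading the
--    monitoring tables without superuser rights.
GRANT SYSMONITOR TO mc_monitor;

-- 3. A granted role is not active in a session until it is enabled.
--    Making it a default role enables it automatically at login
--    (assumption: MC does not issue SET ROLE on its own connection).
ALTER USER mc_monitor DEFAULT ROLE SYSMONITOR;

-- 4. Review the account before entering it in the MC Add permissions
--    dialog: confirm it is not a superuser and that sysmonitor is
--    listed under both all_roles and default_roles.
SELECT user_name, is_super_user, all_roles, default_roles
FROM v_catalog.users
WHERE user_name = 'mc_monitor';
```

Because several MC users are typically mapped to one database account, rotating this account's password means re-entering it for each mapped MC user.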
Create a New User Authenticated by MC
- Sign in to MC as an administrator and navigate to MC Settings > User Management.
- Click Add.
- Enter the MC username.
  It is not necessary to give the MC user the exact same name as the database user account you'll map the MC user to in Step 7. What matters is that the source database user has privileges and/or roles similar to the database role you want to grant the MC user. The most likely scenario is that you map multiple MC users to a single database user account.
- Let MC generate a password or create one by clicking Edit password. If LDAP has been configured, the MC password field will not appear.
- Optionally enter the user's e-mail address.
- Select an MC configuration permissions level. See MC Configuration Privileges. Your choice in this field also fills in the appropriate User API Key value.
- Next to the DB access levels section, click Add to grant this user database permissions.
  - Choose a database. Select a database from the list of MC-discovered databases (databases that were created on or imported into the MC interface).
  - Database username. Enter an existing database user name or, if the database is running, click the ellipsis […] to browse for a list of database users, and select a name from the list.
  - Database password. Enter the password for the database user account (not this username's password).
  - Restricted access. Choose a database level (ADMIN, IT, or USER) for this user.
  - Click OK to close the Add permissions dialog box.
- If the Vertica database is configured to require TLS, select Yes in the Use TLS Connection drop-down. MC launches the Certificates wizard to let you configure TLS. See Completing the MC Certificates Wizard.
- Leave the user's Status as enabled (the default). If you need to prevent this user from accessing MC, select disabled.
- Click Add User to finish.
Create a New LDAP-authenticated User
When you add a user from LDAP on the MC interface, options on the Add a new user dialog box are slightly different from when you create users without LDAP authentication. Because passwords are stored externally (on the LDAP server), the password field does not appear. An MC administrator can override the default LDAP search string if the user is found in another branch of the tree. The Add user field is pre-populated with the default search path entered when LDAP was configured.
- Sign in to MC and navigate to MC Settings > User management.
- Click Add and provide the following information:
  - LDAP user name.
  - LDAP search string.
  - User attribute, and click Verify user.
  - User's email address.
  - MC configuration role. NONE is the default. See MC Configuration Privileges for details.
  - Database access level. See MC Database Privileges for details.
- Accept or change the default user's Status (enabled).
- Click Add user.
If you encounter issues when creating new users from LDAP, you'll need to contact your organization's IT department.
How MC Validates New Users
After you click OK to close the Add permissions dialog box, MC tries to validate the database username and password entered against the selected MC-managed database or against your organization's LDAP directory. If the credentials are found to be invalid, you are asked to re-enter them.
If the database is not available at the time you create the new user, MC saves the username/password and prompts for validation when the user accesses the Database and Clusters page later.