Implementing strong security programs provides Vertica users the assurance that access to sensitive information is closely guarded. Vertica uses several approaches to manage data access.
The database server uses client authentication to establish the identity of the requesting client and determines whether that client is authorized to connect to the Vertica server using the supplied credentials.
Encrypting Client-Server Communication
Vertica uses Transport Layer Security (TLS) to establish a secure connection between the client machine and the server. Configure SSL/TLS to:
- Authenticate the server so the client can confirm the server's identity. Vertica supports mutual authentication in which the server can also confirm the identity of the client. This authentication helps prevent "man-in-the-middle" attacks.
- Encrypt data sent between the client and database server to significantly reduce the likelihood that the data can be read if the connection between the client and server is compromised.
- Verify that data sent between the client and server has not been altered during transmission.
For details see TLS Protocol.
Users with the DBADMIN can manage the following authentication tasks:
- Create authentication records using CREATE AUTHENTICATION.
Configure client authentication so that the DBADMIN user can always access the database locally. If a problem occurs with the authentication that blocks all users from logging in, the DBADMIN user needs access to correct the problem.
- Assign a specific authentication method to a user using GRANT (Authentication).
- Use ALTER AUTHENTICATION to:
- Enable/disable authentication methods.
- Define a default authentication method to be used if a user has not been assigned a specific authentication method.
- Define parameters required by LDAP, Ident, and Kerberos authentication methods.
- Revoke a user's authentication record using REVOKE Authentication. This user now uses the default authentication.
- Delete an authentication record from the database using DROP AUTHENTICATION. Any users assigned the dropped record now use the default authentication method.
For details about managing authentication records, see:
- dbadmin Authentication Access
- Creating Authentication Records
- Enabling and Disabling Authentication Methods
- Granting and Revoking Authentication Methods
- Modifying Authentication Records
See Implementing Client Authentication.
Database users should have access to just the database resources they need to perform their required tasks. For example, some users need to query only specific sets of data. To prevent unauthorized access to additional data, you can limit their access to just the data that they need to run their queries. Other users should be able to read the data but not be able to modify or insert new data. Still other users might need more permissive access, including the right to create and modify schemas, tables, and views, or grant other users access to database resources.
For information on controlling data access, see the following:
- Database Users in Database Users and Privileges
- Database Roles to grant users access to a set of privileges.
- Access Policies to limit user's from viewing data from a specific table.