Modifying Authentication Records
To modify existing authentication records, you must first be connected to your database. The following examples show how to make changes to your authentication records. For more information, see ALTER AUTHENTICATION.
Rename an Authentication Method
Rename the v_kerberos authentication method to K5, and enable it. All users who have been granted the v_kerberos authentication method are now granted the K5 method instead:
=> ALTER AUTHENTICATION v_kerberos RENAME TO K5 ENABLE;
Specify a Priority for an Authentication Method
Specify a priority of 10 for the K5 authentication method:
=> ALTER AUTHENTICATION K5 PRIORITY 10;
For more information see Priorities for Client Authentication Methods.
Change a Parameter
Change the system_users parameter for the ident1 authentication method to root:
=> CREATE AUTHENTICATION ident1 METHOD 'ident' LOCAL;
=> ALTER AUTHENTICATION ident1 SET system_users='root';
Change the IP address and specify the bind parameters for an LDAP authentication method named Ldap1. With these parameters, Vertica forms each user's distinguished name (DN) from binddn_prefix, the user name, and binddn_suffix (here cn=<user>,dc=qa_domain,dc=com) and binds to the LDAP server as that DN with the password the client supplied. If the bind succeeds, the user is authenticated. This applies to any user who has been granted the Ldap1 authentication method:
=> CREATE AUTHENTICATION Ldap1 METHOD 'ldap' HOST '172.16.65.196';
=> ALTER AUTHENTICATION Ldap1 SET host='ldap://172.16.65.177', binddn_prefix='cn=', binddn_suffix=',dc=qa_domain,dc=com';
Change the IP address and specify the parameters for an LDAP authentication method named Ldap1 when Vertica does not have enough information to build the user's distinguished name (DN) from a fixed prefix and suffix (for example, because users are stored under different organizational units). In that case, configure LDAP search and bind: Vertica first binds with the service account given by binddn and bind_password, searches under basedn for an entry whose search_attribute equals the user name, and then binds again as the DN it found, using the client's password. The service-account password is stored with the authentication record, so use a dedicated directory account with read-only search rights rather than an administrative one, and prefer an ldaps:// URL so that neither password crosses the network in clear text:
=> CREATE AUTHENTICATION Ldap1 METHOD 'ldap' HOST '172.16.65.196';
=> ALTER AUTHENTICATION Ldap1 SET host='ldap://172.16.65.177', basedn='dc=qa_domain,dc=com', binddn='cn=Manager,dc=qa_domain,dc=com', search_attribute='cn', bind_password='secret';
Change the Associated Method
Change the localpwd authentication method from trust to hash:
=> CREATE AUTHENTICATION localpwd METHOD 'trust' LOCAL;
=> ALTER AUTHENTICATION localpwd METHOD 'hash';
ALTER AUTHENTICATION validates the parameters you enter. If there are errors, it disables the authentication method that you are trying to modify. Correct the parameters and then re-enable the method with ALTER AUTHENTICATION ... ENABLE; until you do, connections that relied on that method are not authenticated by it.
Using the Administration Tools
The advantages of using the Administration Tools are:
- You do not have to connect to the database
- The editor verifies that records are correctly formed
- The editor maintains records so they are available to you to edit later
You must restart the database to implement your changes.
For information about using the Administration Tools to create and edit authentication records, see Creating Authentication Records.
Using the Client Authentication Configuration Parameter
The advantage of using the ClientAuthentication configuration parameter is that the changes are implemented immediately across all nodes within the database cluster. You do not need to restart the database.
However, all the database nodes must be up and you must connect to the database before you set this parameter. Most importantly, this method does not verify that records are correctly formed and it does not maintain the records so you can modify them later.
New authentication records are appended to the list of existing authentication records. Because Vertica scans the list of records from top to bottom and uses the first record that matches the incoming connection, a newly added record has no effect for any connection that an earlier record already matches. A broad record such as one for all users from 0.0.0.0/0 therefore shadows every record appended after it for that connection type.
To configure client authentication through a connection parameter, use the
ALTER DATABASE statement:
=> ALTER DATABASE exampledb SET ClientAuthentication = 'connection type user name address method';
When you specify authentication records, make sure to adhere to the following guidelines:
- Fields that make up the record can be separated by white space or tabs
- Other than IP addresses and mask columns, field values cannot contain white space
The following example creates an authentication record for the trust method. Because trust accepts the connection without a password, the 0.0.0.0/0 address lets any client that can reach the database port over a non-SSL connection log in as dbadmin; outside a test environment, narrow the address range to the hosts that need it:
=> ALTER DATABASE exampledb SET ClientAuthentication = 'hostnossl dbadmin 0.0.0.0/0 trust';
The following example creates an authentication record for the LDAP method:
=> ALTER DATABASE exampledb SET ClientAuthentication = 'host all 10.0.0.0/8 ldap "ldap://summit.vertica.com;cn=;,dc=vertica,dc=com"';
The following example specifies three authentication records. In a single command, separate each authentication record by a comma:
=> ALTER DATABASE exampledb SET ClientAuthentication = 'hostnossl dbadmin 0.0.0.0/0 trust, hostnossl all 0.0.0.0/0 md5, local all trust';
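The first-match rule described above, and the three-record example just shown, are easy to get wrong when records are appended. The following Python is an added illustration and is not Vertica code or part of the Vertica documentation: it parses a ClientAuthentication value using the format rules on this page (records separated by commas, fields separated by spaces or tabs, a double-quoted trailing option such as the LDAP URL) and resolves an incoming connection to the first record that matches, so you can check which record a given user and address would hit before you change the parameter. The field semantics it assumes (a host record covers both hostssl and hostnossl connections, all matches any user, an IPv4 CIDR or address-plus-mask in the address column) are taken from the records shown on this page and are marked as assumptions in the code; the sample records, user names and client addresses are constructed for the example.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Assumed field semantics: 'host' matches both SSL and non-SSL connections,
# 'local' records carry no address field, and 'all' matches every user.
CONNECTION_TYPES = {"local", "host", "hostssl", "hostnossl"}

@dataclass
class AuthRecord:
    conn_type: str
    user: str            # a user name, or 'all'
    network: object      # ipaddress network for host* records, None for local
    method: str
    options: str = ""    # trailing quoted option, e.g. the LDAP URL

def split_records(value: str) -> list:
    """Split on commas that are not inside double quotes, so an LDAP URL such as
    "ldap://host;cn=;,dc=vertica,dc=com" is not cut at its embedded commas."""
    records, current, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            records.append("".join(current))
            current = []
        else:
            current.append(ch)
    records.append("".join(current))
    return [r for r in records if r.strip()]

def _is_ipv4(text: str) -> bool:
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def parse_records(value: str) -> list:
    """Parse a ClientAuthentication value. Fields are separated by spaces or
    tabs; the address is CIDR ('10.0.0.0/8') or the older address-plus-mask
    form ('10.0.0.0 255.0.0.0'); a double-quoted option stays one field."""
    parsed = []
    for raw in split_records(value):
        fields = shlex.split(raw)
        conn_type = fields[0].lower()
        if conn_type not in CONNECTION_TYPES:
            raise ValueError(f"unknown connection type: {raw.strip()!r}")
        if len(fields) < (3 if conn_type == "local" else 4):
            raise ValueError(f"malformed record: {raw.strip()!r}")
        if conn_type == "local":
            user, network, idx = fields[1], None, 2
        else:
            user, address, idx = fields[1], fields[2], 3
            if "/" not in address and _is_ipv4(fields[idx]):
                address, idx = f"{address}/{fields[idx]}", idx + 1  # dotted mask
            network = ipaddress.ip_network(address, strict=False)
        if idx >= len(fields):
            raise ValueError(f"record has no method: {raw.strip()!r}")
        parsed.append(AuthRecord(conn_type, user, network, fields[idx].lower(),
                                 " ".join(fields[idx + 1:])))
    return parsed

def resolve(records: list, conn_type: str, user: str,
            address: Optional[str] = None) -> Optional[AuthRecord]:
    """Return the first record that matches an incoming connection, or None.
    conn_type is what the server observed: 'local', 'hostssl' or 'hostnossl'."""
    client_ip = ipaddress.ip_address(address) if address is not None else None
    for rec in records:
        if rec.conn_type == "local":
            if conn_type != "local":
                continue
        else:
            if client_ip is None or conn_type == "local":
                continue
            if rec.conn_type not in ("host", conn_type):
                continue
            if client_ip not in rec.network:
                continue
        if rec.user not in ("all", user):
            continue
        return rec
    return None

def unreachable_records(records: list, probes: list) -> list:
    """Records that none of the sample connections (conn_type, user, address)
    selects, because an earlier record matched first: a record appended after
    a broad 'all 0.0.0.0/0' record for the same connection type shows up here."""
    selected = set()
    for conn_type, user, address in probes:
        rec = resolve(records, conn_type, user, address)
        if rec is not None:
            selected.add(id(rec))
    return [rec for rec in records if id(rec) not in selected]
```

Run the three-record value from the example above through parse_records and resolve, then append a fourth record such as hostnossl dbadmin 0.0.0.0/0 md5: resolve still returns the trust record for dbadmin from any address, and unreachable_records lists the appended record for every probe you supply, which is exactly the situation the previous paragraph warns about. Narrowing the trust record to the address range that needs it (for example 10.0.0.0/8) makes dbadmin connections from elsewhere fall through to md5.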
To delete a client authentication record, use DROP AUTHENTICATION. You must be connected to your database to use this approach.
To delete an authentication record for md5_auth use the following command:
=> DROP AUTHENTICATION md5_auth;
To delete an authentication record for a method that has been granted to a user, use the CASCADE keyword:
=> CREATE AUTHENTICATION localpwd METHOD 'password' LOCAL;
=> GRANT AUTHENTICATION localpwd TO jsmith;
=> DROP AUTHENTICATION localpwd CASCADE;