Priorities for Client Authentication Methods

You can associate one or more authentication methods with a connection or user. For a user who has multiple authentication methods, specify the order in which Vertica should try them. To do so, assign a priority to each authentication method using ALTER AUTHENTICATION. Each priority value must be a non-negative INTEGER.

Higher values indicate higher priorities. Vertica tries to authenticate a user with an authentication method in order of priority from highest to lowest. For example:

  • A priority of 10 is higher than a priority of 5.
  • A priority of 0 is the lowest possible value.

Vertica does not support authentication chaining where you can configure multiple authentication modules to identify a specific user. For example, chaining to try a password authentication method after an LDAP authentication method failed is not supported.

Priority Order for Authentication Methods

When you associate multiple authentication methods with a connection, Vertica prioritizes them in the following order. For more information or to view the priority of your existing authentication methods, see CLIENT_AUTH:

  1. Explicit priority set with ALTER AUTHENTICATION.
  2. The priority of the authentication method itself. These are evaluated in the following order:
    1. Reject
    2. GSS, LDAP, Ident
    3. Hash
    4. Trust
  3. The specificity of the netmask. Fewer zeros indicate greater specificity and therefore higher priority.

If two eligible methods have the same priority at one priority tier, Vertica evaluates the next priority tier to break the tie. For example, if GSS and Hash had the same explicit priority set with ALTER AUTHENTICATION, then Vertica would prioritize GSS, which, as a method, has an inherently higher authentication priority.

Authentication Attempts Using Multiple Methods

If there is only one authentication method associated with a user, Vertica uses that method to authenticate the login attempt.

If the administrator has associated multiple authentication methods with a given user or IP address, Vertica tries to authenticate as follows:

  • If the highest priority authentication method is Ident and authentication fails, Vertica tries the next highest priority authentication method, regardless of what method it uses.

    If the next attempt does not use Ident authentication and fails, the authentication process ends. However, if the next attempt uses Ident and fails, Vertica continues to the next highest priority method. This process continues until authentication is successful or a non-Ident authentication attempt fails.
  • If the highest priority method is LDAP and authentication fails, Vertica searches for the next highest priority LDAP method. Authentication attempts continue until the authentication is successful, or there are no additional LDAP authentication methods that satisfy the connection criteria.

    Note that if a "user not found" error occurs during LDAP authentication, the retry connection attempt initiates only if you set the ldap_continue parameter to yes.

  • For all other authentication types, Vertica tries the highest priority authentication method associated with that user. If that authentication fails, the authentication process stops.

For example, suppose there are two client authentication methods associated with a user, as follows:

=> CREATE AUTHENTICATION auth_name1 METHOD 'hash' LOCAL;
=> GRANT AUTHENTICATION auth_name1 to user;
=> ALTER AUTHENTICATION auth_name1 PRIORITY 5;
=> CREATE AUTHENTICATION auth_name2 METHOD 'ident' LOCAL;
=> GRANT AUTHENTICATION auth_name2 to user;
=> ALTER AUTHENTICATION auth_name2 PRIORITY 10;

When the user tries to connect to the database, Vertica first tries auth_name2 to authenticate because it has a higher priority. If that fails, Vertica tries auth_name1. If that fails, authentication fails.
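The ordering rules under "Priority Order for Authentication Methods" and the fall-through rules under "Authentication Attempts Using Multiple Methods" can be modelled in a few lines to audit which methods a login would actually reach. This is an added example, not Vertica code: AuthMethod, attempt_order, authenticate and the accepts set are hypothetical names, and the method lists other than the page's own are constructed. It assumes every method passed in is eligible for the connection, that a Reject method never accepts, and that LDAP failures are of a kind that permits the retry.

```python
import ipaddress
from typing import NamedTuple

# Method tiers from the page, evaluated first to last: Reject; GSS/LDAP/Ident; Hash; Trust.
TIER = {"reject": 0, "gss": 1, "ldap": 1, "ident": 1, "hash": 2, "trust": 3}

class AuthMethod(NamedTuple):
    name: str
    method: str                  # a key of TIER
    priority: int = 0            # explicit PRIORITY; 0 is the default and the lowest
    network: str = "0.0.0.0/0"   # assumption: stand-in for methods without a netmask

def attempt_order(methods):
    """Sort by explicit priority, then method tier, then netmask specificity."""
    def key(m):
        prefix = ipaddress.ip_network(m.network).prefixlen  # fewer zeros = longer prefix
        return (-m.priority, TIER[m.method], -prefix)
    return sorted(methods, key=key)

def authenticate(methods, accepts):
    """Return (winning method name or None, names tried in order).

    `accepts` is the constructed set of method names whose check would succeed.
    """
    ordered = attempt_order(methods)
    ldap_only = bool(ordered) and ordered[0].method == "ldap"
    tried = []
    for m in ordered:
        if ldap_only and m.method != "ldap":
            continue             # LDAP first: only further LDAP methods are searched
        tried.append(m.name)
        if m.method != "reject" and m.name in accepts:  # assumption: Reject never accepts
            return m.name, tried
        if not (ldap_only or m.method == "ident"):
            break                # any other failure ends the process
    return None, tried

if __name__ == "__main__":
    # The page's two methods: hash at priority 5, ident at priority 10.
    page = [AuthMethod("auth_name1", "hash", 5), AuthMethod("auth_name2", "ident", 10)]
    print(authenticate(page, accepts={"auth_name1"}))
    # Constructed case: a hash method sits between two LDAP methods and is skipped.
    mixed = [AuthMethod("ldap_a", "ldap", 10), AuthMethod("hash_b", "hash", 8),
             AuthMethod("ldap_c", "ldap", 5)]
    print(authenticate(mixed, accepts={"hash_b"}))
```

In the constructed LDAP case the hash method is never tried even though its credentials would be accepted, which is the practical meaning of "chaining is not supported".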

Specifying Authentication Method Priority

To specify priorities for client authentication methods, use ALTER AUTHENTICATION. The priority value must be a non-negative INTEGER. Higher numbers indicate a higher priority. The default value, 0, is the lowest possible priority.

The syntax is:

ALTER AUTHENTICATION <name> ... PRIORITY <priority_value>;

If you do not specify a priority, or omit the <priority_value> when using ALTER AUTHENTICATION, Vertica sets the priority to 0.

DBADMIN and Authentication Priority

To allow the DBADMIN user to connect to the database at any time, Vertica recommends that you create an authentication method (LOCAL TRUST or LOCAL PASSWORD) with a very high priority, such as 10,000. Grant this method to the DBADMIN user, and set the priority using ALTER AUTHENTICATION. 

With the high priority, this new authentication method supersedes any authentication methods you create for PUBLIC (which includes the DBADMIN user). Even if you make changes to PUBLIC authentication methods, the DBADMIN user still has access.

For the DBADMIN user to be able to perform all Admintools functions, the DBADMIN must always be able to authenticate by LOCAL TRUST or LOCAL PASSWORD (the default for DBADMIN user). If you have changed DBADMIN user authentication from LOCAL TRUST or LOCAL PASSWORD, use the ALTER AUTHENTICATION statement to once again give the DBADMIN user LOCAL TRUST or LOCAL PASSWORD authentication.