Vertica Analytics Platform Version 9.2.x Documentation

Security Parameters

Use these client authentication configuration parameters and general security parameters to configure security.

Parameters Description
DataSSLParams

Enables encryption using SSL on the data channel. The value of this parameter is a comma-separated list of the following:

  • An SSL certificate
  • The corresponding SSL private key
  • The SSL CA (Certificate Authority) certificate.

You cannot set this parameter if the EncryptSpreadComm parameter has not been set. Enabling this parameter requires a restart.

Example:

SELECT SET_CONFIG_PARAMETER('DataSSLParams',
'-----BEGIN CERTIFICATE-----ABC-----END CERTIFICATE-----,
-----BEGIN RSA PRIVATE KEY-----123-----END RSAPRIVATE KEY-----,
-----BEGIN CERTIFICATE-----ABC123-----END CERTIFICATE-----');

DefaultIdleSessionTimeout

Indicates a default session timeout value for all users where IDLESESSIONTIMEOUT is not set.

Example:

ALTER DATABASE DEFAULT SET defaultidlesessiontimeout = '300 secs';
DoUserSpecificFilteringInSysTables

Specifies whether a non-superuser can view details of another user, one of the following:

  • 0: Users can view details of other.
  • 1: Users can only view details about themselves.
EnableAllRolesOnLogin

Automatically enables all roles granted to a user on login, one of the following:

  • 0 (default): Do not automatically enable roles
  • 1: Automatically enable roles. With this setting, users do not need to run SET ROLE
EnabledCipherSuites

Specifies which SSL cipher suites to use for secure client-server communication.

Default Value:ALL:!ADH:!LOW:!EXP:!MD5:!RC4:@STRENGTH

This setting excludes weaker cipher suites.

For a complete mapping of cipher suite names from JSSE to OpenSSL, see openssl.org.

EnableSSL

Enables SSL for the server, set to one of the following: 

  • 0 (default): Disable
  • 1: Enable

For example:

ALTER DATABASE DEFAULT SET EnableSSL = '1';

For details, see Implementing SSL.

EncryptSpreadComm

Enables encryption on the control channel. The value of this parameter is a string set to one of the following:

  • Empty
  • The value vertica indicates that upon restarting the database, it generates the spread encryption key for the cluster.
  • The value aws-kms|<key_name>, such as my_test_key indicates that upon restarting the database, it will fetch the named key from the KMS instead of generating its own.

Enabling this parameter requires a restart. If the parameter is empty, encryption will not occur.

Example:

SELECT SET_CONFIG_PARAMETER('EncryptSpreadComm', 'vertica');

GlobalHeirUsername

A string that specifies which user inherits objects after their owners are dropped. This setting ensures preservation of data otherwise lost.

Set this parameter to one of the following string values:

  • Empty string: Objects of dropped users are removed from the database.
  • username: Reassigns objects of dropped users to username. If username does not exist, Vertica creates that user and sets GlobalHeirUsername to it.
  • <auto> (default): Reassigns objects of dropped LDAP users to user dbadmin.

    Be sure to include the angle brackets < >.

See below for an example.

RequireFIPS

Specifies whether the FIPS mode is enabled or disabled. You cannot modify this parameter. The value of this parameter matches the contents of the file crypto.fips_enabled. On startup, Vertica automatically sets this parameter to one of the following.

0 - Disabled FIPS

1 - Enabled FIPS

For details, see Implement FIPS on the Server.

SecurityAlgorithm

Sets the algorithm for the function that hash authentication uses, one of the following:

  • MD5
  • SHA-512

For example:

ALTER DATABASE DEFAULT SET SecurityAlgorithm = 'SHA512';

Default Value:'NONE'

SSLCA

Sets the SSL certificate authority. Include the contents of the certificate authority root.crt file, but exclude the file name. For example:

ALTER DATABASE DEFAULT SET SSLCA = 'contents of root.crt file';

SSLCertificate

Sets the SSL certificate. Include the contents of the server.crt file, but exclude the file name. If your SSL certificate is a certificate chain, set this parameter to the contents of from the top-most certificate of the certificate chain.

For example:

ALTER DATABASE DEFAULT SET SSLCertificate = 'contents of server.crt file';

SSLPrivateKey

The server's private key, visible only to dbadmin users. This parameter is set to the contents of the server.key file; it excludes the file name. For example:

ALTER DATABASE DEFAULT SET SSLPrivateKey = 'contents of server.key file';

Examples

Set security parameter value GlobalHeirUsername:

=> \du
      List of users
 User name | Is Superuser
-----------+--------------
 Joe       | f
 SuzyQ     | f
 dbadmin   | t
(3 rows)

=> ALTER DATABASE DEFAULT SET PARAMETER GlobalHeirUsername='SuzyQ';
ALTER DATABASE
=>  \c - Joe
You are now connected as user "Joe".
=> CREATE TABLE t1 (a int);
CREATE TABLE

=> \c
You are now connected as user "dbadmin".
=> \dt t1
             List of tables
 Schema | Name | Kind  | Owner | Comment
--------+------+-------+-------+---------
 public | t1   | table | Joe   |
(1 row)

=> DROP USER Joe;
NOTICE 4927:  The Table t1 depends on User Joe
ROLLBACK 3128:  DROP failed due to dependencies
DETAIL:  Cannot drop User Joe because other objects depend on it
HINT:  Use DROP ... CASCADE to drop the dependent objects too
=> DROP USER Joe CASCADE;
DROP USER
=> \dt t1
             List of tables
 Schema | Name | Kind  | Owner | Comment
--------+------+-------+-------+---------
 public | t1   | table | SuzyQ |
(1 row)

See Also