Upgrading Client Authentication

Perform this task only if you are upgrading from a pre-7.1 version.

Vertica 7.1.0 changed the storage location for the client authentication records from the vertica.conf file to the database catalog. When you upgrade from an earlier version, client authentication records in the vertica.conf file are converted and inserted into the database catalog. Vertica updates the catalog information on all nodes in the cluster.

Authentication is not enabled after upgrading. As a result, all users can connect to the database. However, if they have a password, they must enter it.

After upgrading, perform the following steps to make sure that client authentication is configured correctly and enabled for use with a running database:

  1. Review the client authentication methods that Vertica created during the upgrade by querying the following system tables:

    System table          Contains information about...
    --------------------  ------------------------------------------------------------
    CLIENT_AUTH           Client authentication methods that Vertica created for your database during the upgrade.
    CLIENT_AUTH_PARAMS    Parameters that Vertica defined for GSS, Ident, and LDAP authentication methods.
    USER_CLIENT_AUTH      An authentication method that you associate with a specific database user through the GRANT (Authentication) statement.
  2. Review the vertica.log file to see which authentication records Vertica was not able to create during the upgrade.
  3. Create required records as needed with CREATE AUTHENTICATION.
  4. After the upgrade, enable all defined authentication methods. For each method, enter an ALTER AUTHENTICATION statement:

    => ALTER AUTHENTICATION auth-method-name ENABLE;
  5. If you use LDAP over SSL/TLS, you must define the new parameters:

    • tls_reqcert
    • tls_cacert

    To do so, use ALTER AUTHENTICATION as follows:

    => ALTER AUTHENTICATION Ldap1 SET host='ldaps://abc.dc.com', binddn_prefix='CN=',
    binddn_suffix=',OU=Unit2,DC=dc,DC=com', basedn='dc=DC,dc=com',
    tls_cacert='/home/dc.com.ca.cer', tls_reqcert='never';
  6. Create an authentication method (LOCAL TRUST or LOCAL PASSWORD) with a very high priority such as 10,000. Grant this method to the DBADMIN user, and set the priority using ALTER AUTHENTICATION. For example:

    => CREATE AUTHENTICATION dbadmin_default METHOD 'trust' LOCAL;
    => GRANT AUTHENTICATION dbadmin_default TO dbadmin;
    => ALTER AUTHENTICATION dbadmin_default PRIORITY 10000;

    With its high priority, this new authentication method supersedes any authentication methods you create for PUBLIC. Even if you make changes to PUBLIC authentication methods, the DBADMIN user can connect to the database at any time.
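
The following is an added example, not part of the Vertica documentation: a small Python audit of steps 4 to 6, run over rows exported from the three system tables. The rows are constructed, and the dictionary keys (auth_name, is_auth_enabled, auth_host_type, name, value, user_name) are assumed export field names rather than confirmed catalog column names. The tls_reqcert='never' finding goes beyond the steps above and is there to surface methods that skip LDAP server certificate verification.

```python
import re

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # emit SQL only for plain identifiers
TLS_PARAMS = ("tls_reqcert", "tls_cacert")        # step 5: new LDAP-over-TLS parameters

def audit(client_auth, params, grants, admin="dbadmin"):
    """Return (statements to run, findings to review) for steps 4-6."""
    statements, findings = [], []
    per_method = {}
    for p in params:  # group CLIENT_AUTH_PARAMS rows by method name
        per_method.setdefault(p["auth_name"], {})[p["name"]] = p["value"]
    for row in client_auth:
        name = row["auth_name"]
        if not IDENT.match(name):
            findings.append(f"{name!r}: unexpected characters in name, handle by hand")
            continue
        if str(row["is_auth_enabled"]).lower() not in ("true", "t"):
            statements.append(f"ALTER AUTHENTICATION {name} ENABLE;")  # step 4
        p = per_method.get(name, {})
        # Only ldaps:// hosts are checked here, matching the page's LDAP example.
        if p.get("host", "").lower().startswith("ldaps://"):
            findings += [f"{name}: {k} is not set" for k in TLS_PARAMS if k not in p]
            if p.get("tls_reqcert") == "never":
                findings.append(f"{name}: tls_reqcert='never', LDAP server certificate is not verified")
    # Step 6: the admin account needs a LOCAL method granted to it directly.
    # "LOCAL" as the auth_host_type value is an assumption of this example.
    local = {r["auth_name"] for r in client_auth if r["auth_host_type"] == "LOCAL"}
    if not any(g["user_name"] == admin and g["auth_name"] in local for g in grants):
        findings.append(f"{admin}: no LOCAL authentication method granted")
    return statements, findings

# Constructed sample rows (not taken from a real catalog).
CLIENT_AUTH = [
    {"auth_name": "Ldap1", "is_auth_enabled": "False", "auth_host_type": "HOST"},
    {"auth_name": "pw_hosts", "is_auth_enabled": "True", "auth_host_type": "HOST"},
    {"auth_name": "dbadmin_default", "is_auth_enabled": "False", "auth_host_type": "LOCAL"},
]
PARAMS = [
    {"auth_name": "Ldap1", "name": "host", "value": "ldaps://abc.dc.com"},
    {"auth_name": "Ldap1", "name": "tls_reqcert", "value": "never"},
]
GRANTS = [{"user_name": "public", "auth_name": "pw_hosts"}]

if __name__ == "__main__":
    stmts, issues = audit(CLIENT_AUTH, PARAMS, GRANTS)
    print("\n".join(stmts + ["-- " + i for i in issues]))
```

Review the generated statements before running them in vsql; the findings are printed as SQL comments so the output can be kept as a single reviewable file.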