Configuring Kerberos Authentication

Kerberos authentication differs from user name/password authentication. Instead of authenticating each user to each network service, Kerberos uses symmetric encryption through a trusted third party, called the Key Distribution Center (KDC). In this environment, clients and servers validate their authenticity by obtaining a shared secret (ticket) from the KDC, after which clients and servers can talk to each other directly.

Vertica uses the GSS-API (Generic Security Services Application Programming Interface) to communicate with the Kerberos client. When you create an authentication method, specify that Vertica use the 'gss' method to authenticate with Kerberos, as in the following syntax:

=> CREATE AUTHENTICATION <method_name> METHOD 'gss' HOST <ip_address>;

Topics in this section describe how to configure the Vertica server and clients for Kerberos authentication. This section does not describe how to install, configure, or administer a Key Distribution Center.

To install the Kerberos 5 GSS-API distribution for your operating system, see the MIT Kerberos Distribution Page.

You must meet the following minimum requirements to use Kerberos authentication with the Vertica server and client drivers.

Kerberos Server

Your network administrator should have already installed and configured one or more Kerberos Key Distribution Centers (KDC), and the KDC must be accessible from every node in your Vertica Analytic Database cluster.

The KDC must support Kerberos 5 via GSSAPI. For details, see the MIT Kerberos Distribution Page.

Client Package

The Kerberos 5 client package contains software that communicates with the KDC server. This package is not included as part of the Vertica Analytics Platform installation. If the Kerberos 5 client package is not present on your system, you must download and install it on all clients and servers involved in Kerberos authentication (for example, each Vertica and each Vertica client), with the exception of the KDC itself.

Kerberos software is built into Microsoft Windows. If you are using another operating system, you must obtain and install the client package.

Refer to the Kerberos documentation for installation instructions, such as on the MIT website, including the MIT Kerberos Distribution page.

Client/Server Identity

Each client (users or applications that will connect to Vertica) and the Vertica server must be configured as Kerberos principals. These principals authenticate using the KDC.

Each client platform has a different security framework, so the steps required to configure and authenticate against Kerberos differ among clients. See the following topics for more information: