Creating Authentication Records
You can manage client authentication records using vsql commands. To use these statements, you must be connected to the database.
Important: You cannot modify client authentication records using the Administration Tools. The Administration Tools interface allows you to modify the contents of the vertica.conf file. However, Vertica ignores any client authentication information stored in that file.
When you create authentication records using CREATE AUTHENTICATION, specify the following information.
What you need to specify | Description |
---|---|
Authentication method name | A name that you define for Vertica use. |
Authentication type | The type of authentication Vertica should use to validate the user or client attempting to connect: |
Access method | |
Host IP address | IP address or range of IP addresses from which the user or application tries to connect. This can be an IPv4 address or an IPv6 address. For more information, see IPv4 and IPv6 for Client Authentication. |
The following examples show how to create authentication records that are stored in the catalog. When you create an authentication record using CREATE AUTHENTICATION, Vertica automatically enables it.
This example shows you how to create an authentication method named localpwd to authenticate users who are trying to log in from a local host using a password:
=> CREATE AUTHENTICATION localpwd METHOD 'hash' LOCAL;
This example shows you how to create an authentication method named v_ldap that uses LDAP over TLS to authenticate users logging in from hosts in the IPv4 address range 10.0.0.0/23:
=> CREATE AUTHENTICATION v_ldap METHOD 'ldap' HOST TLS '10.0.0.0/23';
This example shows you how to create an authentication method named v_kerberos to authenticate users that are trying to connect from any host in the networks 2001:0db8:0001:12xx:
=> CREATE AUTHENTICATION v_kerberos METHOD 'gss' HOST '2001:db8:1:1200::/56';
This example shows you how to create authentication methods named RejectNoSSL_IPv4 and RejectNoSSL_IPv6 that reject users from any IP address who are trying to authenticate without SSL/TLS:
=> CREATE AUTHENTICATION RejectNoSSL_IPv4 METHOD 'reject' HOST NO TLS '0.0.0.0/0'; --IPv4
=> CREATE AUTHENTICATION RejectNoSSL_IPv6 METHOD 'reject' HOST NO TLS '::/0'; --IPv6
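The following is an added example, not part of the Vertica documentation: a pre-flight check that reads the HOST argument of a CREATE AUTHENTICATION statement and reports which address range the prefix length actually selects, flagging addresses that have bits set beyond the prefix. The regular expression, the function name check_host_clause and the sample statements are assumptions constructed for illustration.

```python
import ipaddress
import re

# Matches the quoted CIDR after HOST [NO TLS | TLS] in the statement forms
# shown on this page (assumed pattern, not Vertica's own grammar).
HOST_RE = re.compile(
    r"CREATE\s+AUTHENTICATION\s+(\w+)\s+METHOD\s+'(\w+)'\s+"
    r"HOST(?:\s+NO)?(?:\s+TLS)?\s+'([^']+)'",
    re.IGNORECASE,
)

def check_host_clause(statement):
    """Return a dict describing the HOST range, or None for LOCAL records."""
    m = HOST_RE.search(statement)
    if m is None:
        return None
    name, method, cidr = m.groups()
    iface = ipaddress.ip_interface(cidr)   # accepts host bits, unlike ip_network
    net = iface.network                    # range the prefix length covers
    return {
        "name": name,
        "method": method,
        "family": "IPv%d" % iface.version,
        "written": cidr,
        "covers": str(net),
        "first": str(net[0]),
        "last": str(net[-1]),
        # True when the address has bits set beyond the prefix, so the range
        # the author had in mind may not be the range the mask selects.
        "host_bits_set": iface.ip != net.network_address,
        "matches_everything": net.prefixlen == 0,
    }

# Constructed sample statements in the style of the examples above.
SAMPLES = [
    "CREATE AUTHENTICATION localpwd METHOD 'hash' LOCAL;",
    "CREATE AUTHENTICATION v_ldap METHOD 'ldap' HOST TLS '10.0.0.0/23';",
    "CREATE AUTHENTICATION v_krb_a METHOD 'gss' HOST '2001:db8:1:1200::/56';",
    "CREATE AUTHENTICATION v_krb_b METHOD 'gss' HOST '2001:db8:1::1200/56';",
    "CREATE AUTHENTICATION RejectNoSSL_IPv6 METHOD 'reject' HOST NO TLS '::/0';",
]

if __name__ == "__main__":
    for stmt in SAMPLES:
        info = check_host_clause(stmt)
        print(stmt if info is None else info)
```

The two constructed Kerberos samples differ only in where `1200` sits: in the fourth group it selects the 12xx networks, while after `::` it lands in the host part and the /56 prefix selects `2001:db8:1::/56` instead.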