Externalize authorization

Vertica isn't operated in a vacuum. Most of your clients (if not all) will have network security systems with sophisticated management capabilities. Having very limited linkage to authorization data stored outside the database means that it has to be constantly replicated and synchronized. The basic external client authentication support is a start, but much more is needed. See other ideas around broader Kerberos support and user security groups.

Comments

  • We do support LDAP authentication; we've found that most of our customers who want to integrate into an existing standard authentication infrastructure are using some flavor of LDAP. It's true, though, that while we support LDAP authn, we don't support LDAP authz. And we don't have broad support for systems other than password-based LDAP auth. If you could describe your particular needs in more detail, especially if they go beyond mapping LDAP groups to Vertica roles automatically, that'd be helpful.
  • Authorization is the key point for us. We want Kerberos-based authentication because we don't want there to be an explicit trust between the database server and the client computer. The Kerberos protocol ensures protection for this. However, in a multi-tenant environment with a large number of users, being able to externalise authorization massively reduces secondary costs of using Vertica. A native Windows integration is ideal, closely followed by an LDAP integration (to Active Directory), preferably with hierarchical group expansion, but several alternatives are viable (in our order of preference):
    * Windows Kerberos ticket decoding (see http://msdn.microsoft.com/en-us/library/cc237917.aspx and http://msdn.microsoft.com/en-us/library/cc233855.aspx), as this doesn't require a secondary contact with Active Directory
    * LDAP directory lookup based on Kerberised authentication
    * Claims-based authorization
    * Unix-style networked groups (NIS)
    * Unix-style local groups (not ideal in a grid environment, but still an option)
    Ultimately, our goal is to have transparent integration into a secure Windows+Vertica environment, with one authentication and authorisation store (AD), one communication method (Kerberos) and local privilege assignments (to groups/roles) in Vertica. The goal would be for this to then seamlessly integrate with SSIS, SQL Server, .NET code and other Windows-based applications.
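The two comments above both come down to the same mechanism: take a principal's group membership from the directory (including nested groups), map groups to Vertica roles, and keep the grants in Vertica in step with the directory. The script below is an added example written for this page; it is not Vertica code and not something either commenter posted. It assumes the directory data has already been fetched (a constructed sample stands in for the result of an LDAP search on memberOf), a hypothetical DBA-maintained group-to-role mapping, and standard Vertica `GRANT role TO user` / `REVOKE role FROM user` syntax. It expands membership transitively and survives membership cycles, and it refuses to splice directory-supplied names into DDL unless they are plain identifiers, because group and user names are not under the DBA's control.

```python
"""Nested group expansion and directory-to-Vertica role synchronisation.

Added illustration for this page, not Vertica's own code. The directory
content below is constructed; in production it would come from LDAP.
"""
import re
from collections import deque

# Constructed sample, shaped like the result of an LDAP memberOf lookup:
# entry DN -> DNs of groups that entry is a DIRECT member of.
SAMPLE_DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=com": ["CN=Analysts,OU=Groups,DC=example,DC=com"],
    "CN=bob,OU=Users,DC=example,DC=com": ["CN=Contractors,OU=Groups,DC=example,DC=com"],
    "CN=Analysts,OU=Groups,DC=example,DC=com": ["CN=BI-Users,OU=Groups,DC=example,DC=com"],
    "CN=BI-Users,OU=Groups,DC=example,DC=com": ["CN=All-Staff,OU=Groups,DC=example,DC=com"],
    # Membership cycle (legal in AD); expansion must still terminate.
    "CN=All-Staff,OU=Groups,DC=example,DC=com": ["CN=BI-Users,OU=Groups,DC=example,DC=com"],
    "CN=Contractors,OU=Groups,DC=example,DC=com": [],
}

# Hypothetical mapping maintained by the DBA: group DN -> Vertica role name.
GROUP_TO_ROLE = {
    "CN=Analysts,OU=Groups,DC=example,DC=com": "analyst",
    "CN=BI-Users,OU=Groups,DC=example,DC=com": "bi_reader",
    "CN=All-Staff,OU=Groups,DC=example,DC=com": "staff",
}

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def safe_ident(name):
    """Return name if it is a plain SQL identifier, else raise.

    Names come from the directory, which the DBA does not fully control,
    so they are validated before ever being placed in a DDL statement.
    """
    if not _IDENT.match(name):
        raise ValueError("refusing unsafe identifier: %r" % name)
    return name


def expand_groups(directory, principal_dn):
    """Transitive (nested) group membership of a principal; cycle-safe BFS."""
    seen, queue = set(), deque(directory.get(principal_dn, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(directory.get(group, []))
    return seen


def roles_for(directory, mapping, principal_dn):
    """(sorted Vertica roles, sorted unmapped groups) for one principal.

    Unmapped groups are reported rather than silently dropped so that an
    operator can see directory groups that confer no database privilege.
    """
    groups = expand_groups(directory, principal_dn)
    roles = sorted({mapping[g] for g in groups if g in mapping})
    unmapped = sorted(g for g in groups if g not in mapping)
    return roles, unmapped


def sync_plan(directory, mapping, users, current_grants):
    """Diff desired roles (from the directory) against current Vertica grants.

    users:          Vertica user name -> directory DN of that user
    current_grants: Vertica user name -> set of roles currently granted
    Returns the GRANT/REVOKE statements that bring Vertica in line with the
    directory; revokes matter as much as grants, since a user removed from a
    group must lose the corresponding role.
    """
    stmts = []
    for user, dn in sorted(users.items()):
        desired, _ = roles_for(directory, mapping, dn)
        have = set(current_grants.get(user, ()))
        for role in sorted(set(desired) - have):
            stmts.append("GRANT %s TO %s;" % (safe_ident(role), safe_ident(user)))
        for role in sorted(have - set(desired)):
            stmts.append("REVOKE %s FROM %s;" % (safe_ident(role), safe_ident(user)))
    return stmts


if __name__ == "__main__":
    users = {"alice": "CN=alice,OU=Users,DC=example,DC=com",
             "bob": "CN=bob,OU=Users,DC=example,DC=com"}
    current = {"alice": {"staff"}, "bob": {"bi_reader"}}
    for stmt in sync_plan(SAMPLE_DIRECTORY, GROUP_TO_ROLE, users, current):
        print(stmt)
```

Run as-is, the sample produces two grants for alice (she inherits bi_reader and staff through the Analysts group) and one revoke for bob, whose only group is not mapped to any role. The cycle between BI-Users and All-Staff is handled by the `seen` set; without it, a single malformed group in the directory would hang the sync. Note what this approach does not give the second commenter: it is still a secondary lookup against the directory at sync time, which is exactly the contact that decoding group SIDs out of the Kerberos ticket would avoid.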
