Configuring Splice Machine Authentication


This topic describes the mechanisms you can use in Splice Machine to authenticate users and how to configure the mechanism you choose to use, in the sections below.

Supported Authentication Mechanisms

You can use one of the following authentication mechanisms, each of which is described below the table:

Authentication Mechanism   Description

NONE       Any user ID and password combination is allowed to connect to the database.

NATIVE     User IDs in a database table are validated against the corresponding, encrypted password. This is the default authentication setting for Splice Machine installations.

KERBEROS   User IDs are validated against a Kerberos server.

LDAP       User IDs are validated against an existing LDAP service.

           ENTERPRISE ONLY: This feature is available only for the Splice Machine Enterprise version of our On-Premise Database product. You cannot use this feature with the Community editions of Splice Machine. For a list of the additional features available in the Enterprise edition, see our Splice Machine Editions page.

To obtain a license for the Splice Machine Enterprise Edition, please Contact Splice Machine Sales today.

Configuring Authentication

You configure Splice Machine authentication by adding or updating properties in your HBase configuration file; this is typically done during installation of Splice Machine, but you can modify your settings whenever you want. This section contains the subsections below.

Locating Your Configuration File

The following table specifies the platform-specific location of the configuration you need to update when changing your Splice Machine authentication properties:

Platform             Configuration file to modify with your authentication properties
CDH                  hbase-site.xml
HDP                  Select the Custom HBase Configs option from the HBase configuration tab.
MapR                 hbase-site.xml
Standalone version   splicemachine/lib/splice-site.xml

Configure your authentication settings by adding or modifying properties in the configuration file.

Disabling Authentication

If you want to disable authentication for your Splice Machine database, you can set the authentication property to NONE.

Splice Machine strongly encourages you not to use an open database for production databases!

You can configure an open database that allows any user to authenticate against the database by setting your authentication properties as follows:

<property>
   <name>splice.authentication</name>
   <value>NONE</value>
</property>

Using Native Authentication

Native authentication is the default mechanism for Splice Machine; you don’t need to modify your configuration if you wish to use it. Native authentication uses the sys.sysusers table in the splice schema for configuring user names and passwords.

The default native authentication property settings are:

<property>
    <name>splice.authentication</name>
    <value>NATIVE</value>
</property>
<property>
    <name>splice.authentication.native.algorithm</name>
    <value>SHA-512</value>
</property>

You can use MD5, SHA-256, or SHA-512 as the value of the splice.authentication.native.algorithm property; SHA-512 is the default value.

Switching to Native Authentication

If you are switching to Native authentication from another mechanism (including NONE), there’s one additional step you need to take: you must re-initialize the credentials database (the SYSUSERS table) by adding the following property setting to your configuration file:

<property>
    <name>splice.authentication.native.create.credentials.database</name>
    <value>true</value>
</property>
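The properties above are easy to get wrong silently (an accidental NONE, or MD5 left in place from an old install), so a small audit of the configuration file is worth keeping in a deployment checklist. The following script is an added example, not Splice Machine code: it parses a Hadoop-style XML configuration, reads the splice.authentication properties documented on this page, and reports findings. The sample XML is constructed for the example; the severity labels and the LDAP required-property list are the author's choices based on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an hbase-site.xml fragment (added example, not a file
# from a Splice Machine deployment). Property names are the documented ones.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <property><name>splice.authentication</name><value>NATIVE</value></property>
  <property><name>splice.authentication.native.algorithm</name><value>MD5</value></property>
  <property>
    <name>splice.authentication.native.create.credentials.database</name>
    <value>true</value>
  </property>
</configuration>
"""

# Properties the LDAP section of this page says must be present.
LDAP_REQUIRED = (
    "splicemachine.enterprise.key",
    "splice.authentication.ldap.server",
    "splice.authentication.ldap.searchAuthDN",
    "splice.authentication.ldap.searchAuth.password",
    "splice.authentication.ldap.searchBase",
    "splice.authentication.ldap.searchFilter",
)


def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style config file."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_authentication(props):
    """Return (severity, message) findings for the splice.authentication settings."""
    findings = []
    # NATIVE and SHA-512 are the documented defaults when the property is absent.
    mechanism = props.get("splice.authentication", "NATIVE").upper()
    if mechanism == "NONE":
        findings.append(("HIGH", "splice.authentication=NONE: any user ID/password can connect"))
    elif mechanism == "NATIVE":
        algorithm = props.get("splice.authentication.native.algorithm", "SHA-512").upper()
        if algorithm not in ("MD5", "SHA-256", "SHA-512"):
            findings.append(("HIGH", f"unsupported native algorithm {algorithm!r}"))
        elif algorithm == "MD5":
            findings.append(("MEDIUM", "native algorithm is MD5; the SHA-512 default is the stronger choice"))
        flag = props.get("splice.authentication.native.create.credentials.database", "")
        if flag.lower() == "true":
            findings.append(("INFO", "SYSUSERS credentials database will be re-initialized"))
    elif mechanism == "LDAP":
        for name in LDAP_REQUIRED:
            if not props.get(name):
                findings.append(("HIGH", f"LDAP selected but {name} is not set"))
        server = props.get("splice.authentication.ldap.server", "")
        if server.startswith("ldap://"):
            findings.append(("INFO", "ldap:// server URL: simple binds are clear text unless StartTLS is negotiated"))
    elif mechanism != "KERBEROS":
        findings.append(("HIGH", f"unknown splice.authentication value {mechanism!r}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_authentication(load_properties(SAMPLE_CONFIG)):
        print(f"{severity:7} {message}")
```

Run it against the real hbase-site.xml (or splice-site.xml on the standalone version) after every change to the authentication properties; on HDP and Cloudera Manager, where the page notes that service and client configurations are separate, export and audit both.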

Using KERBEROS Authentication

Kerberos authentication in Splice Machine uses an external KDC server. Follow these steps to enable Kerberos authentication:

  1. Use KDC to create a new principal and generate a keytab file. For example:
    # kadmin.local
    addprinc -randkey jdoe@yourdomain.com
    
  2. Set the password for the new principal:
    # kadmin.local: cpw jdoe
    
    Enter password for principal "jdoe@yourdomain.com"
    
  3. Create keytab file jdoe.keytab:
    # kadmin.local: xst -k /tmp/jdoe.keytab jdoe@yourdomain.com
    
  4. Copy the keytab file to your region servers.

  5. Verify that you can successfully kinit with the new keytab file and access the Hadoop file system on the region server node:
    $ kinit jdoe@yourdomain.com -kt /tmp/jdoe.keytab
    
  6. Configure Kerberos authentication against the database by setting your authentication properties as follows:
    <property>
        <name>splice.authentication</name>
        <value>KERBEROS</value>
    </property>
    

    On Cloudera Manager, you can go to HBase Configuration and search for splice.authentication. Change the value to KERBEROS for both Client Configuration and Service Configuration and restart HBase.

  7. On the region server, start Splice Machine (sqlshell.sh), and create a matching user name in your database:
    splice> call SYSCS_UTIL.SYSCS_CREATE_USER( 'jdoe', 'jdoe' );
    
  8. Grant privileges to the new user. For example, here we grant all privileges to user jdoe on a table named myTable:
    splice> GRANT ALL PRIVILEGES ON Splice.myTable to jdoe;
    
  9. Connect through JDBC with the principal and keytab values. For example:
    splice> CONNECT 'jdbc:splice://localhost:1527/splicedb;principal=jdoe@SPLICEMACHINE.COLO;keytab=/tmp/user1.keytab';
    
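Steps 4 and 9 put a keytab on each region server and reference it from a JDBC URL, so a sanity check before connecting is to parse the URL, confirm the principal carries a realm, and confirm the keytab exists and is readable only by its owner. The script below is an added example and not part of the Splice Machine driver; the URL grammar it assumes is the `jdbc:splice://host:port/db;key=value` form shown on this page, and the keytab it creates for the demonstration is a constructed file, not a real credential. It also accepts the `user=...;password=...` form used for Native and LDAP connections later on this page.

```python
import os
import stat
import tempfile


def parse_splice_jdbc_url(url):
    """Split 'jdbc:splice://host:port/db;key=value;...' into its parts (assumed grammar)."""
    prefix = "jdbc:splice://"
    if not url.startswith(prefix):
        raise ValueError("not a Splice Machine JDBC URL")
    segments = url[len(prefix):].split(";")
    hostport, _, database = segments[0].partition("/")
    host, _, port = hostport.partition(":")
    attributes = {}
    for segment in segments[1:]:
        if not segment:
            continue
        key, sep, value = segment.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute {segment!r}")
        attributes[key.strip()] = value
    return {"host": host, "port": int(port) if port else None,
            "database": database, "attributes": attributes}


def keytab_problems(path):
    """Check that a keytab exists, is non-empty and is readable only by its owner."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"keytab {path} does not exist"]
    problems = []
    if st.st_size == 0:
        problems.append(f"keytab {path} is empty")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"keytab {path} is accessible to group/others ({stat.filemode(st.st_mode)})")
    return problems


def check_connection_url(url):
    """Return (parsed_url, problems) for the authentication attributes of a Splice JDBC URL."""
    parsed = parse_splice_jdbc_url(url)
    attrs = parsed["attributes"]
    problems = []
    if "principal" in attrs or "keytab" in attrs:
        # Kerberos form (step 9 above): both attributes are needed.
        if "principal" not in attrs or "keytab" not in attrs:
            problems.append("Kerberos URL needs both principal= and keytab=")
        if "principal" in attrs and "@" not in attrs["principal"]:
            problems.append("principal has no realm (expected user@REALM)")
        if "keytab" in attrs:
            problems.extend(keytab_problems(attrs["keytab"]))
    elif "user" in attrs:
        # Native/LDAP form: user and password carried in the URL.
        if "password" in attrs:
            problems.append("password is embedded in the URL; keep it out of logs and shell history")
    else:
        problems.append("URL carries neither user/password nor principal/keytab")
    return parsed, problems


def demo_keytab_check():
    """Create a constructed keytab file, check it owner-only and then group-readable."""
    with tempfile.NamedTemporaryFile(suffix=".keytab", delete=False) as f:
        f.write(b"\x05\x02")  # keytab format version bytes; the file content is constructed
        path = f.name
    try:
        os.chmod(path, 0o600)
        strict = keytab_problems(path)
        os.chmod(path, 0o640)
        loose = keytab_problems(path)
    finally:
        os.unlink(path)
    return strict, loose


if __name__ == "__main__":
    url = "jdbc:splice://localhost:1527/splicedb;principal=jdoe@EXAMPLE.COM;keytab=/tmp/jdoe.keytab"
    parsed, problems = check_connection_url(url)
    print(parsed["host"], parsed["port"], parsed["database"], parsed["attributes"])
    for problem in problems:
        print("problem:", problem)
    print(demo_keytab_check())
```

The permission check is the part worth keeping: a keytab is equivalent to the principal's password, so after copying it to the region servers (step 4) it should be owned by the account that runs the region server and readable by nobody else.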

Using LDAP Authentication

LDAP authentication in Splice Machine uses an external LDAP server.

LDAP authentication is available only with a Splice Machine Enterprise license; you cannot use LDAP authentication with the Community version of Splice Machine.

To obtain a license for the Splice Machine Enterprise Edition, please Contact Splice Machine Sales today.

To use LDAP with Splice Machine, you must:

  • Contact us to obtain a license key from Splice Machine.

  • Enable Enterprise features by adding your Splice Machine license key to your HBase configuration file as the value of the splicemachine.enterprise.key property, as shown below.

  • Make sure that a user with name splice has been created in the LDAP server.

  • Add the Splice Machine LDAP properties in your HBase configuration file, along with the license key property. Note that you may need to set splice.authentication properties in both service and client HBase configuration files:

LDAP Property Settings

These are the property settings you need to configure:

<property>
   <name>splicemachine.enterprise.key</name>
   <value><your-Splice-Machine-license-key></value>
</property>
<property>
   <name>splice.authentication</name>
   <value>LDAP</value>
</property>
<property>
   <name>splice.authentication.ldap.server</name>
   <value><ldap://servername-ldap.yourcompany.com:389></value>
</property>
<property>
   <name>splice.authentication.ldap.searchAuthDN</name>
   <value><cn=commonName,ou=Users,dc=yourcompany,dc=com></value>
</property>
<property>
   <name>splice.authentication.ldap.searchAuth.password</name>
   <value><yourpassword></value>
</property>
<property>
   <name>splice.authentication.ldap.searchBase</name>
   <value>ou=Users,dc=yourcompany,dc=com</value>
</property>
<property>
   <name>splice.authentication.ldap.searchFilter</name>
   <value><(&(objectClass=*)(uid=%USERNAME%))></value>
</property>

Notes about the LDAP property values:

  • Specify the location of your external LDAP server host in the splice.authentication.ldap.server property on port 389.
  • The ldap.searchAuthDN property is the security principal:

    • This is used to create the initial LDAP context (aka its connection to a specific DN).
    • It must have the authority to search the user space for user DNs.
    • The cn= is the common name of the security principal.
  • The ldap.searchAuth.password property specifies the password Splice Machine should use to perform the DN search.
  • The ldap.searchBase property specifies the root DN of the point in your hierarchy from which to begin a guest or anonymous search for the user’s DN.
  • The ldap.searchFilter property specifies the search filter used to determine what constitutes a user while searching for a user DN.
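The searchFilter value takes the user name supplied at login in place of %USERNAME%, which makes it the one place in this configuration where untrusted input meets LDAP filter syntax. The example below is added here and is not Splice Machine code; it does not describe how Splice Machine itself performs the substitution. It shows the substitution done with the RFC 4515 escaping that an LDAP client must apply to assertion values (so characters such as `*`, `(` and `)` in a user name cannot change the filter's structure), and it renders the filter as it has to be written inside a `<value>` element, since `&` is a reserved character in XML.

```python
from xml.sax.saxutils import escape as xml_escape

# The search filter template documented on this page; %USERNAME% is the token
# the page says is replaced by the user name being authenticated.
SEARCH_FILTER_TEMPLATE = "(&(objectClass=*)(uid=%USERNAME%))"

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value so it cannot alter the structure of the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_search_filter(template, username):
    """Substitute the escaped user name for %USERNAME% in a search filter template."""
    if "%USERNAME%" not in template:
        raise ValueError("search filter template has no %USERNAME% token")
    if not username:
        raise ValueError("empty user name")
    return template.replace("%USERNAME%", escape_filter_value(username))


def xml_property_value(text):
    """Render text as it must appear inside <value>...</value> in hbase-site.xml."""
    return xml_escape(text)


if __name__ == "__main__":
    # Ordinary user name from the page's examples.
    print(expand_search_filter(SEARCH_FILTER_TEMPLATE, "jdoe"))
    # A name containing filter metacharacters is escaped rather than interpreted.
    print(expand_search_filter(SEARCH_FILTER_TEMPLATE, "a)(cn=b"))
    # What goes into the XML configuration file.
    print(xml_property_value(SEARCH_FILTER_TEMPLATE))
```

When you paste the filter into hbase-site.xml, write the leading `&` as `&amp;` (the form `xml_property_value` produces); an unescaped `&` makes the file malformed XML and HBase will fail to load it.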

Authenticating With an LDAP Group

To use an LDAP group, you must create a Splice Machine database user for that group. You can then assign privileges to that user, and everyone belonging to the LDAP group gains those privileges.

For example, given an LDAP group named test_devel:

splice> call syscs_util.syscs_create_user('test_devel', 'test_devel');
Statement executed.
splice> create schema test_devel_schema;
0 rows inserted/updated/deleted
splice> create role test_devel_role;
0 rows inserted/updated/deleted
splice> grant all privileges on schema test_devel_schema to test_devel_role;
0 rows inserted/updated/deleted
splice> grant test_devel_role to test_devel;
0 rows inserted/updated/deleted

Now we can connect as user testuser, who belongs to the test_devel LDAP group:

splice> connect 'jdbc:splice://localhost:1527/splicedb;user=testuser;password=testpswd';
splice> create table test_devel_schema.t1(a int);
0 rows inserted/updated/deleted
splice> insert into test_devel_schema.t1 values (10), (20), (30);
3 rows inserted/updated/deleted
splice> select * from test_devel_schema.t1;
A
-----------
10
20
30

3 rows selected

Connecting with JDBC and LDAP

You can then use our JDBC driver to connect to your database with LDAP authentication, using a connection string similar to this:

jdbc:splice://localhost:1527/splicedb;user=yourName;password=yourPswd