Configuring Splice Machine Authentication


This topic describes the mechanisms you can use in Splice Machine to authenticate users and how to configure the mechanism you choose to use.

Supported Authentication Mechanisms

You can use one of the following authentication mechanisms, each of which is described below the table:

Authentication Mechanism   Description
None                       Any user ID and password combination is allowed to connect to the database.
Native                     User IDs in a database table are validated against the corresponding stored password hash. This is the default authentication setting for Splice Machine installations.
LDAP                       User IDs are validated against an existing LDAP service.

ENTERPRISE ONLY: LDAP authentication is available only for the Splice Machine Enterprise version of our On-Premise Database product.

You cannot use this feature with the Community editions of Splice Machine. For a list of the additional features available in the Enterprise edition, see our Splice Machine Editions page.

To obtain a license for the Splice Machine Enterprise Edition, please Contact Splice Machine Sales today.

Configuring Authentication

You configure Splice Machine authentication by adding or updating properties in your HBase configuration file; this is typically done during installation of Splice Machine, but you can modify your settings whenever you want.

Locating Your Configuration File

The following table specifies the platform-specific location of the configuration file you need to update when changing your Splice Machine authentication properties:

Platform             Configuration file to modify with your authentication properties
CDH                  hbase-site.xml
HDP                  Select the Custom HBase Configs option from the HBase configuration tab.
MapR                 hbase-site.xml
Standalone version   splicemachine/lib/splice-site.xml

Configure your authentication settings by adding or modifying properties in the configuration file.

Disabling Authentication

If you want to disable authentication for your Splice Machine database, you can set the authentication property to NONE.

Splice Machine strongly encourages you to not use an open database for production databases!

You can configure an open database that allows any user to authenticate against the database by setting your authentication properties as follows:

<property>
   <name>splice.authentication</name>
   <value>NONE</value>
</property>

Using Native Authentication

Native authentication is the default mechanism for Splice Machine; you don’t need to modify your configuration if you wish to use it. Native authentication uses the sys.sysusers table in the splice schema for configuring user names and passwords.

The default native authentication property settings are:

<property>
    <name>splice.authentication</name>
    <value>NATIVE</value>
</property>
<property>
    <name>splice.authentication.native.algorithm</name>
    <value>SHA-512</value>
</property>

You can use MD5, SHA-256, or SHA-512 as the value of the splice.authentication.native.algorithm property; SHA-512 is the default. MD5 is a cryptographically broken hash and should not be selected for new deployments; keep the SHA-512 default unless you have a specific compatibility requirement.

Switching to Native Authentication

If you are switching to Native authentication from another mechanism (including NONE), there is one additional step you need to take: you must re-initialize the credentials database (the SYSUSERS table) by adding the following property setting to your configuration file:

<property>
    <name>splice.authentication.native.create.credentials.database</name>
    <value>true</value>
</property>

Using LDAP Authentication

LDAP authentication in Splice Machine uses an external LDAP server.

LDAP authentication is available only with a Splice Machine Enterprise license; you cannot use LDAP authentication with the Community version of Splice Machine.

To obtain a license for the Splice Machine Enterprise Edition, please Contact Splice Machine Sales today.

To use LDAP with Splice Machine, you must:

  • Contact us to obtain a license key from Splice Machine.

  • Enable Enterprise features by adding your Splice Machine license key to your HBase configuration file as the value of the splicemachine.enterprise.key property, as shown below.

  • Make sure that a user with name splice has been created in the LDAP server.

  • Add the Splice Machine LDAP properties in your HBase configuration file, along with the license key property. Note that you may need to set splice.authentication properties in both service and client HBase configuration files:

LDAP Property Settings

These are the property settings you need to configure:

<property>
   <name>splicemachine.enterprise.key</name>
   <value><your-Splice-Machine-license-key></value>
</property>
<property>
   <name>splice.authentication</name>
   <value>LDAP</value>
</property>
<property>
   <name>splice.authentication.ldap.server</name>
   <value><ldap://servername-ldap.yourcompany.com:389></value>
</property>
<property>
   <name>splice.authentication.ldap.searchAuthDN</name>
   <value><cn=commonName,ou=Users,dc=yourcompany,dc=com></value>
</property>
<property>
   <name>splice.authentication.ldap.searchAuthPW</name>
   <value><yourpassword></value>
</property>
<property>
   <name>splice.authentication.ldap.searchBase</name>
   <value>ou=Users,dc=yourcompany,dc=com</value>
</property>
<property>
   <name>splice.authentication.ldap.searchFilter</name>
   <value><(&(objectClass=*)(uid=%USERNAME%))></value>
</property>

Notes about the LDAP property values:

  • Specify the host of your external LDAP server in the splice.authentication.ldap.server property; 389 is the standard LDAP port.
  • The ldap.searchAuthDN property is the security principal:

    • This is used to create the initial LDAP context (that is, its connection as a specific DN).
    • It must have the authority to search the user space for user DNs.
    • The cn= is the common name of the security principal.
  • The ldap.searchAuthPW property specifies the password Splice Machine should use to perform the DN search. It is stored in the clear in the configuration file, so restrict read access to that file to the accounts that run Splice Machine and HBase.
  • The ldap.searchBase property specifies the root DN of the point in your hierarchy from which to begin a guest or anonymous search for the user's DN.
  • The ldap.searchFilter property specifies the search filter to use to determine what constitutes a user while searching for a user DN. %USERNAME% is replaced with the name the connecting user supplies. Because the configuration file is XML, an ampersand inside the filter must be written as &amp; in the file.
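The following script is an added example, not part of Splice Machine or its documentation. It reads the properties from a Hadoop-style configuration file and checks the authentication settings described on this page: it flags an open (NONE) database, an MD5 native algorithm, a pending SYSUSERS re-initialization, a missing LDAP property, and any value still wrapped in the docs' <...> placeholder markers. The property names, the NATIVE and SHA-512 defaults and the allowed values are taken from this page; the two sample configurations embedded below are constructed for the example, and the finding codes are this script's own.

```python
"""Audit Splice Machine authentication properties in hbase-site.xml /
splice-site.xml. Added example; only the properties named on this page
are checked, anything else in the file is ignored."""
import re
import xml.etree.ElementTree as ET

SUPPORTED_MECHANISMS = {"NONE", "NATIVE", "LDAP"}
SUPPORTED_ALGORITHMS = {"MD5", "SHA-256", "SHA-512"}
LDAP_REQUIRED = (
    "splicemachine.enterprise.key",
    "splice.authentication.ldap.server",
    "splice.authentication.ldap.searchAuthDN",
    "splice.authentication.ldap.searchAuthPW",
    "splice.authentication.ldap.searchBase",
    "splice.authentication.ldap.searchFilter",
)
# The docs wrap values you must replace in <...>; a value still shaped
# like that was never filled in.
PLACEHOLDER = re.compile(r"^<.*>$", re.S)


def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style config."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit(props):
    """Return a list of (code, detail) findings for the auth properties."""
    findings = []
    # NATIVE is the default when the property is absent (see this page).
    mechanism = props.get("splice.authentication", "NATIVE").upper()
    if mechanism not in SUPPORTED_MECHANISMS:
        return [("UNKNOWN_MECHANISM", mechanism)]
    if mechanism == "NONE":
        findings.append(("OPEN_DB", "any user ID/password is accepted"))
    if mechanism == "NATIVE":
        algorithm = props.get("splice.authentication.native.algorithm", "SHA-512").upper()
        if algorithm not in SUPPORTED_ALGORITHMS:
            findings.append(("UNSUPPORTED_ALGORITHM", algorithm))
        elif algorithm == "MD5":
            findings.append(("WEAK_HASH", "MD5 is broken; SHA-512 is the default"))
        reinit = props.get("splice.authentication.native.create.credentials.database", "")
        if reinit.lower() == "true":
            findings.append(("CREDENTIALS_REINIT", "SYSUSERS will be re-initialized"))
    if mechanism == "LDAP":
        for name in LDAP_REQUIRED:
            value = props.get(name)
            if not value:
                findings.append(("MISSING_PROPERTY", name))
            elif PLACEHOLDER.match(value):
                findings.append(("PLACEHOLDER", name))
        flt = props.get("splice.authentication.ldap.searchFilter", "")
        if flt and "%USERNAME%" not in flt:
            findings.append(("FILTER_NO_USERNAME", flt))
        server = props.get("splice.authentication.ldap.server", "")
        if server and "://" not in server:
            findings.append(("SERVER_NO_SCHEME", server))
    return findings


# Constructed sample: LDAP configured, but two placeholders never replaced.
# Note the & in the filter written as &amp; as XML requires.
SAMPLE_LDAP_XML = """<configuration>
  <property><name>splicemachine.enterprise.key</name>
    <value>&lt;your-Splice-Machine-license-key&gt;</value></property>
  <property><name>splice.authentication</name><value>LDAP</value></property>
  <property><name>splice.authentication.ldap.server</name>
    <value>ldap://servername-ldap.yourcompany.com:389</value></property>
  <property><name>splice.authentication.ldap.searchAuthDN</name>
    <value>cn=splice,ou=Users,dc=yourcompany,dc=com</value></property>
  <property><name>splice.authentication.ldap.searchAuthPW</name>
    <value>&lt;yourpassword&gt;</value></property>
  <property><name>splice.authentication.ldap.searchBase</name>
    <value>ou=Users,dc=yourcompany,dc=com</value></property>
  <property><name>splice.authentication.ldap.searchFilter</name>
    <value>(&amp;(objectClass=*)(uid=%USERNAME%))</value></property>
</configuration>"""

# Constructed sample: native auth with the weak algorithm and a pending
# credentials re-initialization.
SAMPLE_NATIVE_XML = """<configuration>
  <property><name>splice.authentication</name><value>NATIVE</value></property>
  <property><name>splice.authentication.native.algorithm</name><value>MD5</value></property>
  <property><name>splice.authentication.native.create.credentials.database</name>
    <value>true</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, xml_text in (("ldap", SAMPLE_LDAP_XML), ("native", SAMPLE_NATIVE_XML)):
        for code, detail in audit(load_properties(xml_text)):
            print("%-7s %-22s %s" % (label, code, detail))
```

Run it against your own file with `audit(load_properties(open("hbase-site.xml").read()))`; an empty list means nothing on this page's checklist is wrong, not that the configuration is complete.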

Connecting with JDBC and LDAP

You can then use our JDBC driver to connect to your database with LDAP authentication, supplying the LDAP user's name and password in a connection string similar to this:

jdbc:splice://localhost:1527/splicedb;user=yourName;password=yourPswd
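The following script is an added example, not Splice Machine code, and makes no claim about how the product itself implements the flow. It models the search-then-bind sequence that the searchAuthDN, searchAuthPW, searchBase and searchFilter notes describe, applied to the user and password a JDBC client supplies: bind as the search principal, substitute the user name into the filter, search under searchBase for exactly one DN, then bind as that DN with the client's password. The in-memory directory, its entries, the passwords and the filter parser (a small subset of RFC 4515) are constructed for the example; the user name is escaped per RFC 4515 before substitution so that filter metacharacters in a name are compared literally.

```python
"""Search-then-bind LDAP flow against an in-memory directory.
Added example, not Splice Machine code; directory, passwords and
config values are constructed for illustration."""
import re

# Constructed directory: DN -> (attributes, password). A real directory
# stores a password hash; a plain value keeps the bind check readable.
DIRECTORY = {
    "cn=splice,ou=Users,dc=yourcompany,dc=com":
        ({"objectClass": "person", "uid": "splice"}, "service-secret"),
    "cn=Alice Example,ou=Users,dc=yourcompany,dc=com":
        ({"objectClass": "person", "uid": "alice"}, "alice-pw"),
    "cn=Bob Example,ou=Users,dc=yourcompany,dc=com":
        ({"objectClass": "person", "uid": "bob"}, "bob-pw"),
}

# The LDAP properties from this page, as they would be read from hbase-site.xml.
CONFIG = {
    "splice.authentication.ldap.searchAuthDN": "cn=splice,ou=Users,dc=yourcompany,dc=com",
    "splice.authentication.ldap.searchAuthPW": "service-secret",
    "splice.authentication.ldap.searchBase": "ou=Users,dc=yourcompany,dc=com",
    "splice.authentication.ldap.searchFilter": "(&(objectClass=*)(uid=%USERNAME%))",
}


def escape_filter_value(value):
    """RFC 4515 escaping: filter metacharacters in a name stay literal."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value):
    """Undo RFC 4515 \\xx escapes before comparing with a stored attribute."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse the filter subset (&...), (|...), (attr=value), (attr=*)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected ( at offset %d" % pos)
        pos += 1
        if text[pos] in "&|":
            op, pos = text[pos], pos + 1
            children = []
            while text[pos] == "(":
                children.append(node())
            pos += 1                                  # consume the closing )
            return (op, children)
        end = text.index(")", pos)                   # escaped ) never appears raw
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", (attr, value))

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    op, arg = tree
    if op == "&":
        return all(matches(c, attrs) for c in arg)
    if op == "|":
        return any(matches(c, attrs) for c in arg)
    attr, value = arg
    if value == "*":                                  # presence test, e.g. (objectClass=*)
        return attr in attrs
    return attrs.get(attr) == unescape_filter_value(value)


def bind(dn, password):
    """Simple bind succeeds when the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[1] == password


def search(base, tree):
    """Subtree search below base; returns the matching DNs."""
    return [dn for dn, (attrs, _) in DIRECTORY.items()
            if dn.endswith("," + base) and matches(tree, attrs)]


def authenticate(username, password, config=CONFIG):
    """Search-then-bind for the credentials a JDBC client supplied; (ok, detail)."""
    p = "splice.authentication.ldap."
    # 1. bind as the search principal allowed to look up user DNs
    if not bind(config[p + "searchAuthDN"], config[p + "searchAuthPW"]):
        return (False, "search bind failed")
    # 2. substitute the escaped user name into the filter, search under searchBase
    flt = config[p + "searchFilter"].replace("%USERNAME%", escape_filter_value(username))
    hits = search(config[p + "searchBase"], parse_filter(flt))
    if len(hits) != 1:
        return (False, "expected one user DN, found %d" % len(hits))
    # 3. bind as the located DN with the password the client sent
    if not bind(hits[0], password):
        return (False, "user bind failed")
    return (True, hits[0])
```

`authenticate("alice", "alice-pw")` returns the resolved DN; a wrong password fails at the final bind, and a user name such as `*` resolves to no DN because the escaped filter compares it literally rather than as a wildcard, which is the behaviour you want from whatever performs the %USERNAME% substitution.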