Security Guide
1. Introduction to Vector Security
Security Features
Level of Security
Understanding Vector Security Mechanisms
Directory and File Permissions
User Authentication
Remote Users
Installation Passwords
The ingvalidpw Utility
DBMS Authentication
Authorization Identifiers
Subject Privileges
Object Permissions
Security Alarms
Security Auditing
Database Procedures
Data at Rest Encryption
2. Authorizing User Access
Types of Vector Users
How to Establish User Access
Users and Profiles
Working with User Objects
Create a New User with Accessdb
User Expiration Date
User Password
Authorize Multiple Users with SQLscript
Working with Profile Objects
Example of Using a Profile
Default Profile
Groups and Roles
Groups
Working with Group Objects
Example: Creating, Altering, and Dropping a Group using SQL Statements
Groups and Permissions
Roles
Working with Role Objects
Example: Creating, Altering, and Dropping a Role using SQL Statements
Roles and Permissions
3. Assigning Privileges and Granting Permissions
Subject Privileges
Auditor Privilege
Related Information
Change_Password Privilege
Createdb Privilege
Maintain_Audit Privilege
Related Information
Maintain_Locations Privilege
Maintain_Users Privilege
Related Information
Operator Privilege
Security Privilege
Trace Privilege
Unmask Privilege
Sets of Privileges Associated with a Session
Object Permissions
Working with Grants
Object Ownership and Granting Object Permissions
The GRANT Statement
Database Grants
How Database Permissions for a Session are Determined
Database Grant Examples
Table and View Grants
Table Grant Examples
Procedure Grants
Database Event Grants
Role Grants
How Grants Restrict Data Access
Grant Overhead
Multiple Permission Checks
How Privileges for a Session Are Determined
Access to Tables, Views, or Procedures and the Authorization Hierarchy
Access to Databases and the Authorization Hierarchy
How Database Privileges for a Session Are Determined
Dbmsinfo--View Permissions for Current Session
Example: Return the Value of Query Row Limit for Current Session
4. Implementing Security Auditing
Security Alarms
Working with Security Alarm Objects
How to Implement a Security Alarm
Security Alarm Example
Security Auditing
Audit Focus
How to Enable Security Auditing
How to Verify Security Auditing Levels
Security Auditing Configuration Parameters
Security Audit Statements
Security Audit Levels for Users and Roles
Changes to Security Audit Status During a Session
Access to the Security Audit Log
Registering the Security Audit Log File
Querying the Registered Virtual Table
Obtain the Current Audit File Name
5. Controlling Access through Database Procedures
Database Procedures
Working with Procedure Objects
How to Implement a Database Procedure
Database Procedure Example
Access Control through Database Procedures
6. Using Data at Rest Encryption
What Is Data at Rest Encryption?
How Encryption Works
The Power of Encryption
Transparent vs. Function-based Encryption
Transparent Column Encryption
Access Enabled for New Tables
Create an Encrypted Table
Enable Access to Encrypted Data
Disable Access to Encrypted Data
Change the Passphrase
Function-based Encryption (Application-level Encryption)
Encryption Information Displayed with HELP TABLE
How to Compute the Width of Encrypted Data
Data at Rest Encryption Restrictions
Implications of Data Encryption for Database Design and Operations
Understanding SALT
Encryption and Copydb/Unloaddb Considerations
Optimizedb Considerations for Data at Rest Encryption
Log Records and Passphrases
Encryption and Partitioned Tables
7. Using Column Masking
Column Masking
Column Masking Example
8. Using Secure Communications Encryption with AES
AES Security Mechanism
Configure AES Encryption (Ingres Net and GCA Remote Access)
INGRES Mechanism Configuration for Encryption
AES Security Mechanism Configuration
Configure AES Encryption (JDBC and .NET)
9. Vector in Secure Hadoop
Running VectorH on a Kerberos-enabled Cluster
Kerberos TGT Requirements for Installation
Kerberos Dialog During Pre-installation
Kerberos Dialog during HDFS Setup
Kerberos-related Configuration Parameters
Kerberos keytab File Synchronization
Reconfigure Kerberos Settings on All Nodes
Managing Kerberos TGT at Runtime
runkstart.sh--Control the Kerberos Daemon
Disable Automatic Kerberos TGT Management
Native and Kerberos Security Support on MapR
Secure MapR
MapR and Kerberos
Authentication During Installation on MapR
10. Configuring Vector to Use Kerberos
In This Chapter
Kerberos
Kerberos Configuration in the Enterprise
Kerberos Configuration Files--Configure Kerberos for Vector
The Vector Service Principal--Authorize Client Connections
hostname
realm
Prerequisite Kerberos Software on Windows
How to Configure Vector to Use Kerberos
iisukerberos Command--Perform Basic Kerberos Configuration
Vector Configuration Options for Kerberos
Basic Configuration for Kerberos
mechanisms Parameter--Specify Dynamic Mechanism
domain Parameter--Specify Domain Name
remote_mechanism Parameter--Configure Client in a Homogeneous Kerberos Environment
vnode Connection Attributes--Configure Client in a Heterogeneous Kerberos Environment
Encryption Parameters--Enable Kerberos Encryption
How Name Server Delegation Works
Set Delegation
Service Principal Host Name Resolution
How to Configure Kerberos to Authenticate against Active Directory on Windows
11. Using VectorH with Hadoop Security Systems
Requirements
Configuring VectorH for Use with Apache Knox
Understanding the Connections
Configure LDAP Authentication Using PAM
Define a JDBC Connection
CountryList.java
Configuring VectorH for Use with Apache Ranger
Access to HDFS
Access to YARN
Kerberos and YARN
A. Securely Managing Amazon S3 Credentials
How to Securely Manage S3 Credentials
Glossary