Enabling Security Mode
Security modes are only supported in SciDB Enterprise Edition.
This page describes how a system administrator can configure a SciDB cluster for secure operation.
Supported Security Modes
SciDB supports three security modes:
- trust mode means that security features are disabled. This is the default mode, used by SciDB Community Edition installations.
- password mode enables security features, including user accounts. User account and password information is stored in the SciDB-internal metadata catalogue.
- pam mode enables security features, including user accounts. SciDB accesses user account and password information via the pluggable authentication modules (PAM) client library.
Collectively, password and pam modes are sometimes referred to as namespaces mode, because the namespace protection domains can only be used in these modes.
Configuring SciDB as a PAM Client covers additional configuration steps for using SciDB with external authentication services. These steps are only needed if you select pam mode.
In release 19 and earlier, password mode stores unsalted password hashes, so identical passwords produce identical hashes in the metadata catalogue. This issue will be addressed in a future release. If this is a problem, see Configuring SciDB as a PAM Client.
The procedures below assume that SciDB is running as a service. See Running SciDB.
Entering password Or pam Mode
To enable namespaces mode, do the following:
Load the namespaces library.
$ iquery -aq "load_library('namespaces')"
Stop the SciDB cluster.
$ scidbctl.py --config <config.ini> stop-server <cluster_name>
Edit the cluster configuration file and set the security parameter to either password or pam. See Configuring SciDB.
Unregister the cluster by running:
$ scidbctl.py --config <config.ini> unregister-service <cluster_name>
Reregister the cluster by running:
$ scidbctl.py --config <config.ini> register-service <cluster_name>
Restart SciDB by running:
$ scidbctl.py --config <config.ini> start-server <cluster_name>
This process enables the chosen security mode on all servers in the cluster. You can now create and manage user accounts in the SciDB cluster.
If you set security=pam in the config.ini file, read Configuring SciDB as a PAM Client.
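A pre-flight check for the configuration edit in the procedure above, as an added example that is not part of the SciDB documentation or tooling: it reads the security parameter for one cluster before you re-register the service and reports a missing, misspelled or unexpected value. It assumes config.ini is INI-formatted with one section per cluster name; the sample configuration, its section names and the function names are constructed for illustration.

```python
import configparser

NAMESPACE_MODES = ("password", "pam")  # the two modes the page calls "namespaces mode"

# Constructed sample; section names are assumed to be cluster names.
SAMPLE_CONFIG = """\
[mydb]
server-0=localhost,1
security=pam

[legacy]
security=password

[devdb]
server-0=localhost,1

[typo]
security=pasword
"""

def security_mode(config_text, cluster_name):
    """Return the security mode configured for one cluster section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(config_text)
    if not parser.has_section(cluster_name):
        raise ValueError(f"no [{cluster_name}] section in config")
    # trust is the documented default, so an absent key is reported as trust.
    mode = parser.get(cluster_name, "security", fallback="trust").strip()
    # Compared exactly; the page does not say whether other spellings are accepted.
    if mode not in NAMESPACE_MODES + ("trust",):
        raise ValueError(f"[{cluster_name}] security={mode!r} is not a supported mode")
    return mode

def preflight(config_text, cluster_name, expected):
    """Return (ok, notes); ok is True only if the config matches `expected`."""
    try:
        mode = security_mode(config_text, cluster_name)
    except ValueError as exc:
        return False, [str(exc)]
    notes = []
    if mode == "trust":
        notes.append("security features are disabled in trust mode")
    if mode == "password":
        notes.append("release 19 and earlier store unsalted password hashes; consider pam")
    if mode != expected:
        notes.insert(0, f"expected security={expected}, config has {mode}")
    return mode == expected, notes

if __name__ == "__main__":
    for name in ("mydb", "legacy", "devdb", "typo"):
        print(name, preflight(SAMPLE_CONFIG, name, expected="pam"))
```

Run it against the real file by passing the file's contents as `config_text`, and continue with unregister-service only when `ok` is True.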
Reverting To trust Mode
In rare circumstances you may wish to revert a SciDB cluster back to trust mode (that is, Community Edition mode) from password or pam mode.
When a cluster reverts to trust mode, array data stored in non-public namespaces is no longer accessible but still occupies storage space. Before reverting to trust mode, move any array data you wish to save to the public namespace, and remove any remaining arrays in private namespaces.
If you revert to trust mode and then return to either password or pam mode, array data in non-public namespaces will become accessible again. However, this procedure is not recommended.
If you want to switch back to trust mode, do the following:
Unload the namespaces library by running:
$ iquery -aq "unload_library('namespaces')"
Stop the SciDB cluster by running:
$ scidbctl.py --config <config.ini> stop-server <cluster_name>
Edit the cluster configuration file and set the parameter security=trust. See Configuring SciDB.
Unregister the cluster by running:
$ scidbctl.py --config <config.ini> unregister-service <cluster_name>
Reregister the cluster by running:
$ scidbctl.py --config <config.ini> register-service <cluster_name>
Restart SciDB by running:
$ scidbctl.py --config <config.ini> start-server <cluster_name>
SciDB is now back in trust mode.