Enabling Security Mode

This page describes how a system administrator can configure a SciDB cluster for secure operation.   After security mode is enabled, users must take additional steps to authenticate themselves.  See Using iquery in Security Mode.

Supported Security Modes

SciDB supports three security modes:

  • trust mode means that security features are disabled.  This is the default mode.

  • password mode enables security features, including user accounts.  User account and password information is stored in the SciDB-internal metadata catalogue.

  • pam mode enables security features, including user accounts.  SciDB accesses user account and password information via the pluggable authentication modules (PAM) client library.

Collectively, password and pam modes are sometimes referred to as namespaces mode, because the namespace protection domains can only be used in these modes.

Configuring SciDB as a PAM Client covers additional configuration steps for using SciDB with external authentication services.  These steps are only needed if you select pam mode.

 

In release 19 and earlier, password mode stores unsalted password hashes.  This issue will be addressed in a future release.  If this is a problem, see Configuring SciDB as a PAM Client.

 

This procedure assumes you have SciDB running as a service. See Running SciDB.

Entering password or pam Mode

To enable namespaces mode, do the following:

  1. Load the namespaces library.

    $ iquery -aq "load_library('namespaces')"

     

  2. Stop the SciDB cluster.

    $ scidbctl.py --config <config.ini> stop-server <cluster_name>

     

  3. Edit the cluster configuration file and set the security parameter to either password or pam.  See Configuring SciDB.

  4. Unregister the cluster by running:

    $ scidbctl.py --config <config.ini> unregister-service <cluster_name>

     

  5. Reregister the cluster by running:

     

  6. Set up the initial authentication credentials.  (This step should only be needed if $HOME/.config/scidb/iquery.auth does not yet exist. See Using iquery in Security Mode.)

     

  7. Restart SciDB by running:

     

This process enables the chosen security mode on all servers in the cluster. You can now create and manage user accounts in the SciDB cluster.

If you set security=pam in the config.ini file, read Configuring SciDB as a PAM Client.
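After editing the configuration file in step 3, it is worth confirming what mode each cluster will actually come up in. The following check is an added example, not part of SciDB or of the original page. It assumes that each cluster is an INI section named after the cluster and that only the three lowercase values listed above are expected; the function name, finding labels and sample file are hypothetical.

```python
import configparser

# The three modes named on this page; "trust" is the documented default.
DOCUMENTED_MODES = ("trust", "password", "pam")

def audit_security_modes(ini_text):
    """Map each cluster section to (effective_mode, finding)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    report = {}
    for cluster in parser.sections():
        raw = parser.get(cluster, "security", fallback=None)
        if raw is None:
            # Parameter absent: the page says trust is the default mode.
            report[cluster] = ("trust", "unset-defaults-to-trust")
            continue
        mode = raw.strip()
        if mode not in DOCUMENTED_MODES:
            # Typos such as "passwd" are reported, not silently accepted.
            report[cluster] = (mode, "undocumented-value")
        elif mode == "trust":
            report[cluster] = (mode, "security-disabled")
        elif mode == "password":
            # Release 19 and earlier: hashes in the catalogue are unsalted.
            report[cluster] = (mode, "check-release-unsalted-hashes")
        else:
            # pam mode needs the extra PAM client configuration steps.
            report[cluster] = (mode, "needs-pam-client-config")
    return report

# Constructed sample config.ini (assumed layout: one section per cluster).
SAMPLE_INI = """
[prod_cluster]
security=pam

[dev_cluster]
server-0=localhost,1

[lab_cluster]
security = password

[test_cluster]
security=passwd
"""

if __name__ == "__main__":
    for cluster, (mode, finding) in audit_security_modes(SAMPLE_INI).items():
        print(f"{cluster}: security={mode} -> {finding}")
```
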

Reverting to trust Mode

In rare circumstances you may wish to revert a SciDB cluster back to trust mode from one of the namespace modes.

If you want to switch back to trust mode, do the following:

  1. Unload the namespaces library by running:

     

  2. Stop the SciDB cluster by running:

     

  3. Edit the cluster configuration file and set the parameter security=trust. See Configuring SciDB.

  4. Unregister the cluster by running:

  5. Reregister the cluster by running:

  6. Restart SciDB by running:

    SciDB is now back in trust mode.
