User Permissions in Vantage | Teradata Package for Python - 17.00 - User Permissions in Vantage - Teradata Package for Python

Teradata® Package for Python User Guide

Product
Teradata Package for Python
Release Number
17.00
Release Date
November 2021
Content Type
User Guide
Publication ID
B700-4006-070K
Language
English (United States)

To operate and interact with Vantage with the Teradata Package for Python, the user must have a series of permissions granted. Otherwise, executing ML Engine analytic functions can result in SQL errors on the Python client that stem from inadequate database user permissions.

A database user must be granted in advance the following permissions by the Vantage database administrator before using the teradataml package.

  • GRANT EXECUTE FUNCTION ON SYSLIB TO user;
  • GRANT CONNECT THROUGH proxyuser TO PERMANENT user WITHOUT ROLE;
  • GRANT SELECT ON TD_SERVER_DB.coprocessor TO user;
  • GRANT INSERT ON TD_SERVER_DB.coprocessor TO user;
  • GRANT EXECUTE FUNCTION ON TD_SERVER_DB.coprocessor TO user;
  • GRANT CREATE SERVER ON TD_SERVER_DB TO user;
  • GRANT EXECUTE FUNCTION ON TD_SYSFNLIB.QGEXECUTEFOREIGNQUERY TO user;
  • GRANT EXECUTE FUNCTION ON TD_SYSFNLIB.QGINITIATOREXPORT TO user;
  • GRANT EXECUTE FUNCTION ON TD_SYSFNLIB.QGINITIATORIMPORT TO user;
  • GRANT EXECUTE FUNCTION ON TD_SYSFNLIB.QGREMOTEEXPORT TO user;
  • GRANT EXECUTE FUNCTION ON TD_SYSFNLIB.QGREMOTEIMPORT TO user;
  • GRANT CTCONTROL ON user TO proxy_user.
The proxyuser is a suitable database proxy user for the analytic functions as determined by the database administrator.

Users must be granted the SELECT privilege to the following Data Dictionary views:

  • DBC.DatabasesV
  • DBC.TablesV
  • DBC.ColumnsV
  • DBC.UsersV
  • DBC.Indices
  • DBC.DBCInfoV

teradataml requires that the user has certain permissions on the user's default database or the initial default database specified using the database argument, or the temporary database when specified using temp_database_name.

These permissions allow the user to:
  • Create tables and views to save results of teradataml analytic functions;
  • Create views in the background for results of DataFrame APIs such as 'assign()', 'filter()', and so on, whenever the result for these APIs are accessed using a 'print()';
  • Create view in the background on the query passed to the 'DataFrame.from_query()' API.
It is expected that the user has the required permissions to create these objects in the database that will be used.

For views based on Vantage analytic functions, additional permissions may be required, which can be granted using:

GRANT EXECUTE FUNCTION ON SYSLIB ... WITH GRANT OPTION

For example:

A user named ALICE connects to a non-default database named TOM to run the NamedEntityFinder function.
>>> # Load example data.
>>> load_example_data("namedentityfinder", ['assortedtext_input', 'name_Find_configure'])
>>> # Create teradataml DataFrame objects.
>>> nameFind_configure = DataFrame.from_table("name_Find_configure")
>>> assortedtext_input = DataFrame.from_table("assortedtext_input")
>>> # Find entities using a configuration table containing model items.
>>> NamedEntityFinder_out = NamedEntityFinder(newdata = assortedtext_input,
                                              configure_table_data = nameFind_configure,
                                              text_column = 'content',
                                              accumulate = ['id', 'source'],
                                              entity_column = 'entity',
                                              model = 'all',
                                              show_entity_context = 0,
                                              newdata_sequence_column = 'id',
                                              configure_table_data_sequence_column='model_file')
 
teradatasql.OperationalError: [Version 17.0.0.2] [Session 37706] [Teradata Database] [Error 3523] An owner referenced by user does not have EXECUTE FUNCTION WITH GRANT OPTION access to SYSLIB.NamedEntityFinder.
In order for this to work, the database TOM needs a certain permission, which can be granted using:
GRANT EXECUTE FUNCTION ON SYSLIB TO TOM WITH GRANT OPTION;

To let the function create the output views, or for the user to access such created views, additional permissions may be required depending on which database is used and which object the view being created is based on, and can be granted using:

GRANT SELECT ... WITH GRANT OPTION

For Example:

A user named ALICE connects to a non-default database named TOM to run the NamedEntityFinder function.
>>> # Connect to the default database to load the example dataset.
>>> con = create_context(host="myhostname", username="myusername", password="mypassword")
>>> load_example_data("namedentityfinder", ['assortedtext_input', 'name_Find_configure'])
>>> # Reconnect to make sure all writes here on happen to the database specified using 'temp_database_name'.
>>> remove_context()
>>> con = create_context(host="myhostname", username="myusername", password="mypassword", temp_database_name="tom")
>>> # Create teradataml DataFrame objects.
>>> nameFind_configure = DataFrame.from_table("name_Find_configure")
>>> assortedtext_input = DataFrame.from_table("assortedtext_input")
>>> # Find entities using a configuration table containing model items.
>>> NamedEntityFinder_out = NamedEntityFinder(newdata = assortedtext_input,
                                              configure_table_data = nameFind_configure,
                                              text_column = 'content',
                                              accumulate = ['id', 'source'],
                                              entity_column = 'entity',
                                              model = 'all',
                                              show_entity_context = 0,
                                              newdata_sequence_column = 'id',
                                              configure_table_data_sequence_column='model_file')
 
teradatasql.OperationalError: [Version 17.0.0.2] [Session 37708] [Teradata Database] [Error 3523] An owner referenced by user does not have SELECT WITH GRANT OPTION access to alice.assortedtext_input.
In order for this to work, the following permission must be granted:
GRANT SELECT ON ALICE.assortedtext_input TO TOM WITH GRANT OPTION;
GRANT SELECT ON ALICE.name_Find_configure TO TOM WITH GRANT OPTION;