17.10 - CREATE AUTHORIZATION and REPLACE AUTHORIZATION Syntax Elements - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - SQL Data Definition Language Syntax and Examples

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Programming Reference
Publication ID: B035-1144-171K
Language: English (United States)
database_name
user_name
Optional name of a database or user other than the current or default in which the authorization being defined or replaced is to be contained.
authorization_name
A name for the authorization so you can specify the authorization in an external routine definition or function mapping.
The name of an authorization object must conform to object naming rules. For information about naming database objects, see Teradata Vantage™ - SQL Fundamentals, B035-1141.
The following rules apply to authorization names:
  • Authorizations belong to the database or user in which they are created and are not valid in other databases or users. For information about using authorization objects with the Script Table Operator, see Teradata Vantage™ - SQL Operators and User-Defined Functions, B035-1210.
  • An authorization object name must be unique within its containing database or user.
  • An authorization object name cannot begin with a digit.
  • An authorization object name cannot be an SQL keyword.
DEFINER
Specify DEFINER to share an authorization object with multiple users of the database in which it resides. You can create the authorization in any database.
DEFAULT
An optional keyword modifier for the DEFINER keyword that associates this authorization with all external routines that do not specify the authorization name in the EXTERNAL SECURITY DEFINER clause of the following statements.
You can assign only one default DEFINER object per database. All others must have specific definer names.
INVOKER
Specify INVOKER to allow exclusive access by a user. You must create the authorization in the database of the current user.
TRUSTED
Required keyword.
user_name
A clause that specifies a string literal that is the name of the database user to whom this authorization is being assigned.
Public buckets (or public containers) in external object stores such as Amazon S3, Azure Blob storage, or Google Cloud Storage, do not require credentials for access. To create an authorization for these, use an empty string delimited by single quotes: ''
password
A clause that specifies a string literal that is the operating system platform password assigned to user_name.
For AWS, AZURE, and GCP, password can have at most 4096 bytes.
The password is used to authenticate the user when the secure server process is created. Best practices suggest that any session that uses this statement should be set up to use the encrypted transport protocol. See Teradata Vantage™ - Advanced SQL Engine Security Administration, B035-1100.
Public buckets (or public containers) in external object stores such as Amazon S3, Azure Blob storage, or Google Cloud Storage, do not require credentials for access. To create an authorization for these, use an empty string delimited by single quotes: ''
While it is never desirable for a password to be typed in the clear, it only becomes an issue when you enter your password using an interface such as BTEQ. The issue becomes moot if you are prompted to enter your password by an application that requests the information in a secure manner, such as a GUI or World Wide Web interface that displays asterisk characters to represent the password as it is typed. This is the recommended practice for all security-conscious sites.

The following table shows the supported credentials for USER and PASSWORD:

System/Scheme                        USER                  PASSWORD
AWS                                  Access Key ID         Access Key Secret
Azure / Shared Key                   Storage Account Name  Storage Account Key
Azure Shared Access Signature (SAS)  Storage Account Name  Account SAS Token
Google Cloud (S3 interop mode)       Access Key ID         Access Key Secret
Google Cloud (native)                Client Email          Private Key
On-premises object stores            Access Key ID         Access Key Secret
Public access object stores          <empty string>        <empty string>

For public access object stores, enclose the empty string in single straight quotes: USER '' and PASSWORD ''
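The following statements are an added example, not from this manual, showing how the syntax elements above combine for several of the credential schemes in the table. The database name nos_db, the authorization names, and every credential value in angle brackets are placeholders.

```sql
-- Added example (not Teradata's own): CREATE/REPLACE AUTHORIZATION forms for
-- the credential schemes listed above. nos_db, the authorization names and all
-- <...> values are placeholders to be replaced with real values.

-- AWS S3 credentials shared by every user of nos_db (DEFINER). DEFAULT makes
-- this the authorization used by routines that omit an authorization name in
-- their EXTERNAL SECURITY DEFINER clause; only one DEFAULT per database.
CREATE AUTHORIZATION nos_db.aws_def_auth
  AS DEFINER DEFAULT TRUSTED
  USER '<AWS-ACCESS-KEY-ID>'
  PASSWORD '<AWS-SECRET-ACCESS-KEY>';

-- Azure Blob Storage via Shared Access Signature, for the current user only
-- (INVOKER). Must be created in the current user's own database, so no
-- database prefix is given here.
CREATE AUTHORIZATION azure_sas_auth
  AS INVOKER TRUSTED
  USER '<STORAGE-ACCOUNT-NAME>'
  PASSWORD '<ACCOUNT-SAS-TOKEN>';

-- Google Cloud Storage, native scheme: the service-account client email is the
-- USER and the private key is the PASSWORD (at most 4096 bytes).
CREATE AUTHORIZATION nos_db.gcs_native_auth
  AS DEFINER TRUSTED
  USER '<SERVICE-ACCOUNT-CLIENT-EMAIL>'
  PASSWORD '<SERVICE-ACCOUNT-PRIVATE-KEY>';

-- Public bucket or container: no credentials, so both strings are empty and
-- delimited by single straight quotes.
CREATE AUTHORIZATION nos_db.public_auth
  AS DEFINER TRUSTED
  USER ''
  PASSWORD '';

-- Rotating a secret: REPLACE keeps the same object name (and therefore the
-- routines and function mappings that reference it) while swapping the value.
REPLACE AUTHORIZATION nos_db.aws_def_auth
  AS DEFINER DEFAULT TRUSTED
  USER '<AWS-ACCESS-KEY-ID>'
  PASSWORD '<NEW-AWS-SECRET-ACCESS-KEY>';
```

Run these from a session using the encrypted transport protocol, since the PASSWORD literal travels to the server as part of the statement text.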

Amazon Identity and Access Management (IAM) is an alternative to using an access key and password to secure S3 buckets.