Vantage Component Security - Teradata Vantage

Configuring Teradata Vantage™ After Installation

Product: Teradata Vantage
Release Number: 1.1
Published: July 2019
Language: English (United States)
Last Update: 2019-10-11
Document ID: B700-4014
Vantage Component Security Overview

Advanced SQL Engine
See the rest of this section (starting at Vantage Security Overview) for an overview of Advanced SQL Engine security.

Machine Learning Engine
  • Access to Teradata Machine Learning Engine analytic functions is controlled by permissions on the coprocessor foreign server object and by permissions on individual function mappings.
  • Users on Machine Learning Engine are automatically provisioned on first access:
    • Users are automatically given their own private schema
    • Data is not shared between users on Machine Learning Engine
    • Data does not persist within the Machine Learning Engine

See Teradata Vantage™ User Guide, B700-4002.

QueryGrid
  • HTTPS-based connections to QueryGrid Manager (TLSv1.2)
  • Communication policies can be defined at different security levels for data transfers between the initiating connector (the connector starting the query) and the target connector (the connector receiving the query). Security levels can be set for authentication, integrity, and encryption
  • Fabric supports encryption over the wire
  • Fabric communications between Advanced SQL Engine and Machine Learning Engine are authenticated
  • Fabric supports LAN and WAN communication policies
    • LAN Policy – Enables key-based authentication; credentials are encrypted using the AES-128 encryption standard
    • WAN Policy – Enables key-based authentication; both credentials and data are encrypted using the AES-256 encryption standard
  • Permissions in Viewpoint restrict the users who can modify the QueryGrid configuration

See Teradata® QueryGrid™ Installation and User Guide, B035-5991.

Viewpoint
  • Connections to portlets are secured using HTTPS (TLSv1.2)
  • Authentication and encryption (with certificates) enabled for Viewpoint services:
    • DCS, ActiveMQ, Postgres, tdNotification
  • External users are managed by connected LDAP servers:
    • LDAP authentication and group authorization
  • Enhanced password controls for local users
  • Automatic log off after a period of inactivity
  • Portlet access is controlled at different levels by setting permissions for Viewpoint users:
    • Global, Role, User
  • Role-based permissions are applied for different categories of users
  • Access logging

See Teradata® Viewpoint User Guide, B035-2206.

AppCenter
  • AppCenter uses the corporate LDAP directory for user authentication to AppCenter, and also supports LDAP domains.
  • In AppCenter, a role is assigned to each user that is imported from LDAP. User roles determine privileges. The roles are:
    • Standard users, Admins, Root users
  • App and script permissions control access to an app or script
  • Job Results Privacy settings control access to an app or script job result
  • Support for configuring scripts with service accounts
  • Integration with Service Mesh
  • Appctl encrypt/decrypt functionality for charts
  • Single sign-on (SSO) mechanism using JSON Web Tokens

See Teradata® AppCenter User Guide, B035-1111.

Kubernetes/Docker
Containerized Vantage components are deployed in hardened Kubernetes pods:
  • Disabled deployment of Kubernetes Dashboard
  • Removed all unneeded objects
  • Pod Security Groups implemented
  • Roles and RoleBindings implemented to support Pod security policies
  • Tightened permissions on local Kube account
  • Disabled anonymous access to the Kubelet
  • Insecure bind address is removed on all masters
  • Audit policies created on all masters
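The Kubelet and master hardening items above can be verified mechanically. The following added example (not Teradata's own tooling, and not from this document) checks a parsed KubeletConfiguration and a kube-apiserver command line against those items; it assumes the upstream Kubernetes field and flag names, with defaults as they were in Kubernetes releases current for this 2019 document, and the sample inputs are constructed.

```python
"""Check Kubernetes kubelet/apiserver settings against the hardening items
listed in the Vantage overview. Example code, not Teradata's; assumes
upstream Kubernetes KubeletConfiguration fields and kube-apiserver flags."""
from typing import Dict, List


def check_kubelet(cfg: Dict) -> List[str]:
    """Return findings for a KubeletConfiguration dict (empty list = compliant)."""
    findings = []
    auth = cfg.get("authentication", {})
    # "Disabled anonymous access to the Kubelet": anonymous auth must be off.
    # Absent field is treated as the old default (enabled).
    if auth.get("anonymous", {}).get("enabled", True):
        findings.append("kubelet: anonymous authentication is enabled")
    # Without Webhook authorization every authenticated caller is allowed.
    if cfg.get("authorization", {}).get("mode", "AlwaysAllow") != "Webhook":
        findings.append("kubelet: authorization mode is not Webhook")
    return findings


def check_apiserver(args: List[str]) -> List[str]:
    """Return findings for a master's kube-apiserver flags (empty list = compliant)."""
    flags = dict(a.lstrip("-").split("=", 1) for a in args if "=" in a)
    findings = []
    # "Insecure bind address is removed on all masters": the plaintext,
    # unauthenticated port must be off and the bind-address flag absent.
    if "insecure-bind-address" in flags:
        findings.append("apiserver: --insecure-bind-address is set")
    if flags.get("insecure-port", "8080") != "0":   # old default was 8080
        findings.append("apiserver: insecure port is not disabled")
    # "Audit policies created on all masters": auditing needs a policy file.
    if "audit-policy-file" not in flags:
        findings.append("apiserver: no --audit-policy-file configured")
    return findings


# Constructed sample inputs: a default-style (weak) setup and a hardened one.
WEAK_KUBELET = {"kind": "KubeletConfiguration",
                "authentication": {"anonymous": {"enabled": True}},
                "authorization": {"mode": "AlwaysAllow"}}
HARD_KUBELET = {"kind": "KubeletConfiguration",
                "authentication": {"anonymous": {"enabled": False}},
                "authorization": {"mode": "Webhook"}}
WEAK_APISERVER = ["kube-apiserver", "--insecure-bind-address=0.0.0.0",
                  "--insecure-port=8080"]
HARD_APISERVER = ["kube-apiserver", "--insecure-port=0",
                  "--audit-policy-file=/etc/kubernetes/audit-policy.yaml",
                  "--audit-log-path=/var/log/kubernetes/audit.log"]

if __name__ == "__main__":
    for label, found in (("weak kubelet", check_kubelet(WEAK_KUBELET)),
                         ("weak apiserver", check_apiserver(WEAK_APISERVER))):
        print(label, "->", found or "compliant")
```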