16.20 - High-Level Process for Trusted Sessions - Teradata Database - Teradata Vantage NewSQL Engine

Teradata Vantage™ SQL Data Definition Language Detailed Topics

Product: Teradata Database, Teradata Vantage NewSQL Engine
Release Number: 16.20
Release Date: March 2019
Content Type: Programming Reference
Publication ID: B035-1184-162K
Language: English (United States)

The following sequence of events outlines the general stages of using a trusted session.

  1. The security administrator creates CONNECT THROUGH privileges for an appropriate trusted_user:permanent | application_user pair using a GRANT CONNECT THROUGH request (see “GRANT CONNECT THROUGH” in Teradata Vantage™ SQL Data Control Language, B035-1149).
  2. The middle tier application creates a connection pool to Teradata Database.
  3. The application end user authenticates itself to the middle tier application and requests a service to submit a query to Teradata Database.

    The method by which the application end user authenticates itself to the middle tier application is not described here because its authentication is the responsibility of the application, not of Teradata Database.

  4. The middle tier application establishes a connection within the connection pool.
  5. The middle tier application sets the active session identity and role for the application end user by submitting an appropriate SET QUERY_BAND request to Teradata Database.
  6. Teradata Database verifies that the application end user has been granted trusted session access through the middle tier application database connection.
  7. The middle tier application submits an SQL request to Teradata Database on behalf of the application end user.
  8. Teradata Database verifies the privileges for the request based on the active roles defined for the application end user.
  9. Teradata Database returns the result set to the middle tier application, which then forwards the result set to the application end user.
  10. Teradata Database records the identity of the application end user in any rows inserted into Access Log and Database Query Log tables as appropriate.

    | IF the end user makes its connection as this kind of proxy user … | THEN its identity is logged using this name as specified for the CONNECT THROUGH privilege used to make the trusted session … |
    | --- | --- |
    | application | application name. |
    | permanent | permanent user name. |

    See “GRANT CONNECT THROUGH” in Teradata Vantage™ SQL Data Control Language, B035-1149 for the definitions of application and permanent users.

  11. The middle tier application returns the connection it had withdrawn to the connection pool.
  12. The following housekeeping activities occur when either the session is terminated or Teradata Database receives a Cleanup parcel (flavor 80).
    • The proxy user is discarded.
    • Any session query bands are discarded.
    • Any transaction query bands are discarded.
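
The middle-tier side of steps 5 through 11, as an added example that is not Teradata's code: it validates the end-user name and role before placing them in the query band as `PROXYUSER`/`PROXYROLE` pairs, and it always clears the session query band before the connection returns to the pool, so the next borrower does not inherit the previous end user's proxy identity. The helper names, the name allow-list, `RecordingCursor`, and the sample values `fred`, `sales_role` and `sales.orders` are assumptions made for illustration.

```python
import re
from contextlib import contextmanager

# Conservative allow-list for names placed in the query band (an assumption of
# this example; adjust it to your site's naming rules). It excludes quotes,
# ';' and '=', so a name cannot add pairs or break out of the string literal.
_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,29}")

def proxy_query_band(end_user, role=None):
    """Build the SET QUERY_BAND request of step 5 from validated names."""
    pairs = [("PROXYUSER", end_user)]
    if role is not None:
        pairs.append(("PROXYROLE", role))
    for _, value in pairs:
        if not _NAME.fullmatch(value):
            raise ValueError(f"unsafe name for query band: {value!r}")
    band = "".join(f"{key}={value};" for key, value in pairs)
    return f"SET QUERY_BAND = '{band}' FOR SESSION;"

@contextmanager
def trusted_session(cursor, end_user, role=None):
    """Wrap steps 5-11 around the cursor of one pooled connection."""
    request = proxy_query_band(end_user, role)  # validate before touching the session
    cursor.execute(request)                     # step 5; the database checks step 6
    try:
        yield cursor                            # steps 7-10: requests run as the proxy user
    finally:
        # Clear the session query band before the connection is pooled again (step 11).
        cursor.execute("SET QUERY_BAND = NONE FOR SESSION;")

class RecordingCursor:
    """Constructed stand-in for a DB-API cursor; records requests instead of connecting."""
    def __init__(self):
        self.sent = []
    def execute(self, sql):
        self.sent.append(sql)

def demo():
    cur = RecordingCursor()
    with trusted_session(cur, "fred", "sales_role") as c:
        c.execute("SELECT * FROM sales.orders;")
    return cur.sent

if __name__ == "__main__":
    for statement in demo():
        print(statement)
```

With a real driver, pass the cursor of the connection withdrawn from the pool in place of `RecordingCursor`.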