Providing Security for User-Written External Routines - Analytics Database - Teradata Vantage

SQL Data Definition Language Detailed Topics

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2023-07-11
dita:id: B035-1184
lifecycle: latest
Product Category: Teradata Vantage™

Authorization definitions permit users to issue operating system I/O calls from within an external routine. The ANSI SQL:2011 specification collectively refers to user-written non-SQL modules as external routines.

Vantage requires any external routine that performs operating system I/O to run in protected mode as a separate process that runs under an explicitly specified user ID. See Protected and Unprotected Execution Modes. Authorization objects provide a flexible, yet robust, scheme for providing the authorizations required by these external routines without exposing the system to these potential problems.

The principal difference between an external routine running in protected mode and one running in secure mode is that an external routine in protected mode always runs as the OS user tdatuser, while an external routine in secure mode can run as any OS user you want to associate with an external authorization. While tdatuser has no special privileges, an OS user associated with an external authorization can have any privileges on OS files you want to assign to it. All that is required is that the OS user with special privileges be specified in the EXTERNAL SECURITY clause of the SQL definition for the external routine associated with it.
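The following added example, which is not part of the Teradata documentation page, shows an authorization object bound to an OS user and two routine definitions, one without and one with the EXTERNAL SECURITY clause. The authorization name, OS user, password placeholder, function names and source paths are all constructed for illustration.

```sql
-- Constructed example: every name, path and credential below is a placeholder.

-- 1. Authorization object that associates a database-side name with an OS user.
--    Give the OS user only the file privileges the routine actually needs.
CREATE AUTHORIZATION feed_reader_auth AS DEFINER
  USER 'feed_reader'             -- hypothetical OS account
  PASSWORD '<os-user-password>'; -- placeholder, supply the real value at creation

-- 2. Routine defined WITHOUT an EXTERNAL SECURITY clause.
--    When it runs in protected mode it runs as the OS user tdatuser,
--    which has no special privileges on OS files.
CREATE FUNCTION count_feed_rows_default (feed_name VARCHAR(64))
  RETURNS INTEGER
  LANGUAGE C
  NO SQL
  PARAMETER STYLE SQL
  EXTERNAL NAME 'CS!count_feed_rows_default!udfsrc/count_feed_rows_default.c';

-- 3. Routine defined WITH an EXTERNAL SECURITY clause (secure mode).
--    It runs as the OS user named in feed_reader_auth, so its file access
--    is bounded by that account's OS privileges rather than tdatuser's.
CREATE FUNCTION count_feed_rows_secure (feed_name VARCHAR(64))
  RETURNS INTEGER
  LANGUAGE C
  NO SQL
  PARAMETER STYLE SQL
  EXTERNAL NAME 'CS!count_feed_rows_secure!udfsrc/count_feed_rows_secure.c'
  EXTERNAL SECURITY DEFINER feed_reader_auth;
```

Because the routine inherits whatever the associated OS user can do, review that account's file permissions whenever the authorization object is created or reassigned.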