Creating Authorization Objects for a DATALAKE - Teradata Vantage

Apache Iceberg and Delta Lake Open Table Format on VantageCloud Lake Getting Started

Deployment
VantageCloud
Edition
Lake
Product
Teradata Vantage
Published
December 2024
ft:locale
en-US
ft:lastEdition
2025-01-03
dita:mapPath
bsr1702324250454.ditamap
dita:ditavalPath
pny1626732985837.ditaval
dita:id
bsr1702324250454

The DATALAKE object requires two Authorization objects to be specified in the <auth-list> – one for the Catalog connection, and one for the Storage connection. The CREATE AUTHORIZATION DDL can be used to create the authorization objects. The AUTHORIZATION object holds the AWS credentials i.e. the access key id (user) and access secret key (password) of the service principal that’s trying to access services and resources in AWS. It is possible that the Storage & Catalog credentials are the same (For example: when IAM Roles are used for Amazon Glue/S3). In that case, the same Authorization object can be used for the Catalog and Storage Authorization definitions.

For more details on the CREATE AUTHORIZATION DDL, see CREATE AUTHORIZATION and REPLACE AUTHORIZATION Examples.

Syntax

CREATE AUTHORIZATION [ database_name. | user_name. ] authorization_name
      [ AS [ DEFINER | INVOKER ] TRUSTED ]
        USER ‘<username>’
        PASSWORD ‘<password>’
The password is stored encrypted and is never seen as a clear text.

Example: Creating a Simplified Authorization

Creating DATALAKE now supports simplified authorization which implies that no security constraints (INVOKER or DEFINER) need to be mentioned. This object is available for use for any user/database provided that are granted proper privileges. This is the recommended approach when creating Authorizations.

  • GRANT and REVOKE statements will be used to support EXECUTE privilege on Authorization objects that were created without an external security type (INVOKER, DEFINER, TRUSTED).
  • CREATE DATALAKE is enhanced to refer to an authorization object without a security type INVOKER TRUSTED, DEFINER TRUSTED or TRUSTED.
  • If the data lake is using simplified Authorization objects, the user must have EXECUTE privileges on the data lake catalog and Storage Authorization objects.
+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+-
            
#CREATE A SIMPLIFIED AUTHORIZATION +---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+-
            
CREATE AUTHORIZATION user1.simplfied_auth 
USER '<User Name>' 
PASSWORD '<Password>'; 
+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+-
            
#GRANT Execute privilege on Auth 
+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+-
            
grant execute on user1.simplfied_auth to user2 with grant option; 
+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+-
            
#Iceberg Example : CREATE DATALAKE with Simplified Authorization 
+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+-
            
CREATE DATALAKE catalog_glue 
EXTERNAL SECURITY CATALOG user1.simplfied_auth, 
EXTERNAL SECURITY STORAGE user1.simplfied_auth 
USING 
storage_location ('<Storage Location>') 
storage_region ('us-west-2') 
catalog_type ('glue') 
TABLE_FORMAT iceberg; 
+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+-
            
#Delta Lake Example : CREATE DATALAKE with Simplified Authorization 
+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+-
            
CREATE DATALAKE catalog_unity 
EXTERNAL SECURITY CATALOG user1.simplfied_auth, 
EXTERNAL SECURITY STORAGE user1.simplfied_auth 
USING 
catalog_location ('<Catalog Location>') 
storage_location ('<Storage Location>') 
storage_region ('us-west-2') 
unity_catalog_name_('unity_db') 
storage_account_name ('storageacct') 
tenant_id ('391c8c4c-6a3a-40fd-ab98-226b6baa5155') 
catalog_type ('unity') 
TABLE_FORMAT deltalake;

Example: Creating an AWS Assume Role Authorization

The AUTHORIZATION object holds the IAM role of the service principal that’s trying to access services and resources in AWS. This service principal must have STS: AssumeRole permission defined in the Trust Relationship of the IAM Role. As a best practice, it's recommended to use an Assume Role Policy with an external ID to enhance the security of the IAM role.

CREATE AUTHORIZATION assume_role_aws 
USING 
AUTHSERVICETYPE 'ASSUME_ROLE' 
ROLENAME 'IAM_role_literal' 
EXTERNAL_ID 'ARN_external_id_literal';

Example: Creating an Azure Active Directory Service Principal Authorization

The Authorization object for Azure contains the Azure Active Directory service principal client id (user) and the Azure Active Directory service principal client secret key(password). For Azure, managed Active Directory is recommended for Unity catalog and ADLS Gen2 storage access.

CREATE AUTHORIZATION iceberg_invoker_unity 
AS INVOKER TRUSTED  
-- Azure AD service principal client id 
USER '0123abc-678-1234-abcd-123456789' 
-- Azure AD service principal client secret key 
PASSWORD 'abcdefg!.hijklmn.opqsrtst';