About Data Mover Security - Teradata Data Mover

Teradata Data Mover User Guide

Product
Teradata Data Mover
Release Number
16.00
Published
December 2016
Language
English (United States)
Last Update
2018-03-29
dita:mapPath
rdo1467305237457.ditamap
dita:ditavalPath
ft:empty
dita:id
B035-4101
lifecycle
previous
Product Category
Analytical Ecosystem

Data Mover provides configuration parameters that control how security permissions are used. When security management is enabled, the access privileges available to a user for the daemon and for individual jobs depend on the security settings designated. If security management is not enabled, a Viewpoint user can perform any operation on any job in the Data Mover portlet.

Security Configuration Parameters

You can set the following security configuration parameters in the configuration.xml file you generate using the list_configuration command.
Parameter Description
job.useSecurityMgmt Determines whether security management is used. When set to true, the security framework is enabled, and the two security parameters below apply. The default is false.
job.securityMgmtLevel Determines the level of security management. The valid choices are daemon and job. The default is job.
job.allowCommandLineUser Determines whether the daemon always allows command line requests when the security level is set to daemon. When set to true, the command line does not enforce security checking even if security is enabled for the portlet. The default is false.

The following concepts apply to security management.

User Profiles

When a user logs onto the Data Mover portlet, a user profile is authorized. The user profile contains one user name and a list of roles to which the user belongs. The user profile determines what actions the user can do, depending on whether global or job level permissions apply.

Daemon-Level Permissions

When the job.useSecurityMgmt parameter is set to daemon, daemon-level permissions are used. A user profile is checked for its daemon read, execute, and write permissions. If the user name or any role of a user profile has a permission (read, execute, or write), the user profile has the permission. The permission applies to all jobs on the daemon.

Job-Level Permissions

When the job.useSecurityMgmt parameter is set to job, both the daemon and the job level permissions are evaluated. A user profile has permission on a specific job only if the user profile has that daemon permission and the job level permission on that job. If the user name or any role of a user profile has a job-level permission (read, execute, or write), permission is granted to the user profile for that particular job.

Read, write, execute permissions are assessed independently of each other. For example, a user or role has execute permissions for a job only if that user or role has execution permission at both the daemon level and at the job level. The same applies to read and write permissions. If a user profile contains multiple roles, the user profile is granted permissions if one role has daemon permissions and another has job level permissions.

Command-Line Use by Viewpoint Users

When security management is enabled, Viewpoint users can be authenticated to use the Data Mover command line interface. The Viewpoint host name and port must be configured in the daemon.properties file, as shown in this snippet:
# Purpose: The hostname or IP address for the ViewPoint Authentication server.
# Default: http://localhost
viewpoint.url=http://localhost
# Purpose: The port number for the ViewPoint Authentication server.
# Default: 80
viewpoint.port=80 
The Viewpoint server used for authentication must be the only Viewpoint server monitoring this daemon. Monitoring the same daemon on more than one Viewpoint server is not supported and could create authentication and job permission issues. This restriction applies regardless of whether security management is currently enabled on the daemon or not.

If the Viewpoint Authentication server has HTTPS enabled, you can set the following if you want to authenticate via HTTPS instead: viewpoint.url to https://localhost and viewpoint.port to 443.

The Data Mover daemon makes the web services call to authenticate the user. The HTTP based service call URL is in this format: http://hostname: port /ws/security/rolesForCurrentUser.

Viewpoint authentication is only available with the Viewpoint 14.10 release or greater. If the user is using a Viewpoint server release prior to 14.10, the authentication will not work. In such cases, users will need to access the command line using the super user (dmcl_admin) logon.