Teradata Target Connector | Security Guidelines | QueryGrid - Teradata Target Connector Security Guidelines - Teradata QueryGrid

Teradata connectors support Trusted, TD2, LDAP, Kerberos, Kerberos SSO, and TDNEGO security mechanisms when acting as target connectors. The following considerations apply to each of the security mechanisms:

• Teradata® QueryGrid™ Components and Connectors Compatibility Matrix
• The username and password assigned and communicated from the initiator connector takes precedence over the one defined for the Teradata target connector properties.

  For example, if the Teradata initiator provides an authorization object, it takes precedence over security-related connector property settings. Defining these connector properties is optional. If, however, credentials are not provided by the initiator connector, a username and password must exist in its connector property settings.

• If changing credentials on the database for a QueryGrid user, you must also change the credentials on the connector. By not updating the connector credentials, old cached connections may allow queries to succeed that will later fail when the connections expire from the cache.
• An Administrator can define user mappings in the QueryGrid portlet if the initiator end user differs from the remote system end user. This is the user to which you have granted CONNECT THROUGH on the remote system.
• For user mapping, the local user submitting the query is mapped to the remote user that submits the query. User mapping applies as follows:
  • For a Teradata initiator connector, use user mapping when it is set up with DEFINER authorization provided that the local user submitting the query is the not the same as the authenticating user.
  • For a target connector, user mapping is applicable when set up with TRUSTED authentication mechanism and the remote user is not the same as the authenticating user.
  • For a target connector, user mapping is applicable for TD, TDNEGO, LDAP, or Kerberos authentication mechanisms when the Use Trusted connector property is set to true and the remote user is not the same as the authenticating user.

CREATE USER proxyuser AS PERM = 0 PASSWORD = password;
GRANT CONNECT THROUGH proxyuser TO PERMANENT target_end_user without role;
>> this target_end_user is the user that has access to objects that we will access from local system

The following property settings are required for Teradata target connectors using the Trusted security model.

The following property settings are required for Teradata target connectors using the TD2 security model.

You can configure Teradata target connectors to use LDAP authentication involving a username and password. This means that queries with a Teradata target can be submitted using the LDAP security mechanism to authenticate; for example, the Presto-to-Teradata connection supports LDAP. The following properties must be configured to use LDAP with Teradata target connectors.

Teradata Kerberos set up must be completed before configuring QueryGrid. The following property settings are required for Teradata target connectors using the Kerberos security model.

When configuring the TDNEGO authentication mechanism, the actual authentication mechanism is automatically determined by TDGSS without user involvement. Teradata recommends this process for the use case where the correct authentication mechanism to use is unknown. Set the authentication mechanism as TDNEGO and provide the credentials either in the authorization object or in the connector properties.

• TDNEGO Supported Authentication Mechanisms: TD2, LDAP, Kerberos, and Kerberos SSO
• Availability: On all supported client and server platforms
• Username and Password: Based on the chosen authentication mechanism

HTTPS/TLS connections are available with the Teradata JDBC driver 17.10.00.07 and compatible with the following databases:

• Teradata Advanced SQL Engine 17.10 and later
• Teradata Advanced SQL Engine 16.20.53.30 and later