Kerberos Single Sign-On - Teradata QueryGrid

Teradata® QueryGrid™ Installation and User Guide

Product: Teradata QueryGrid
Release Number: 2.19
Published: July 2022
Language: English (United States)
Last Update: 2022-07-28
dita:id: B035-5991
lifecycle: previous
Product Category: Analytical Ecosystem

Teradata-to-Teradata and Teradata-to-Hive links support Kerberos Single Sign-On (Kerberos SSO) through the Advanced SQL Engine unconstrained delegation feature. With Kerberos SSO, QueryGrid queries run under a single logon on the initiating Teradata system that uses the krb5 mechanism. No target credentials need to be passed in either the connector properties or the authorization object. Instead, a Kerberos token is delegated from the initiating Teradata system to the target system, which imports it through the GSSAPI and uses it to log on.

This feature adds a new authentication mechanism, Kerberos SSO, to the Hive and Teradata remote connectors.

Kerberos SSO Usage Considerations

  • This feature is supported by Kerberos version 1.11 and later.
  • This feature is supported by Advanced SQL Engine version 17.10 and later.
  • This feature requires SLES 12 or later.
  • The initiating Teradata and remote systems must be configured in the same Kerberos realm (cross-realm is exempt).
  • The logon from the initiating Teradata system must use the Kerberos mechanism.
  • The dbscontrol flag ForwardCredential on the initiating Teradata system must be set to TRUE (default) to enable this feature in the database.
  • The Kerberos ticket must be configured as forwardable on the initiating system.
  • Expiry or renewal of the token is not supported by QueryGrid.
  • The connector diagnostic check is not supported when the authentication mechanism is Kerberos SSO.
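
One way to check the forwardable-ticket requirement before logging on, as an added example that is not part of the Teradata documentation: the function below parses MIT Kerberos `klist -f` output and reports whether the TGT for the logon realm carries the `F` (forwardable) flag. The function name, principal and realm are hypothetical, and the sample output is constructed.

```shell
# Added example: pre-flight check for the "forwardable ticket" requirement.
# Reads MIT Kerberos `klist -f` output on stdin and prints one verdict line.
# Exit status: 0 = forwardable TGT, 1 = TGT not forwardable, 2 = no TGT found.
check_forwardable_tgt() {
  awk '
    # Realm of the logon principal, e.g. alice@EXAMPLE.COM -> EXAMPLE.COM
    /^Default principal:/ { n = split($3, p, "@"); realm = p[n]; next }
    # The TGT is the ticket for krbtgt/<realm>@<realm> of that realm.
    realm != "" && $NF == "krbtgt/" realm "@" realm { tgt = 1; next }
    # klist -f prints the flags on the line that follows each ticket.
    tgt && /Flags:/ {
      flags = $0
      sub(/.*Flags: */, "", flags)
      # "F" = forwardable; lowercase "f" only means "was forwarded".
      rc = index(flags, "F") ? 0 : 1
      verdict = rc ? "FAIL not-forwardable" : "OK forwardable"
      print verdict " realm=" realm " flags=" flags
      done = 1
      exit
    }
    { tgt = 0 }
    END {
      if (!done) { print "FAIL no-tgt"; exit 2 }
      exit rc
    }
  '
}

# Constructed sample of `klist -f` output (not captured from a real system).
SAMPLE_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
07/28/2022 09:00:00  07/28/2022 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 08/04/2022 09:00:00, Flags: FRIA'

# The same ticket as it would look without the forwardable flag.
SAMPLE_PLAIN=$(printf '%s\n' "$SAMPLE_FORWARDABLE" | sed 's/Flags: FRIA/Flags: RIA/')

# Demonstration on the constructed samples; "|| true" keeps the script going
# after the expected failure of the second check.
printf '%s\n' "$SAMPLE_FORWARDABLE" | check_forwardable_tgt || true
printf '%s\n' "$SAMPLE_PLAIN" | check_forwardable_tgt || true
```

On a live initiating system, run `klist -f | check_forwardable_tgt`; if it fails, request a forwardable ticket with `kinit -f` or set `forwardable = true` under `[libdefaults]` in `krb5.conf`.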