Teradata-to-Teradata and Teradata-to-Hive links support Kerberos Single Sign-On (Kerberos SSO) with the Advanced SQL Engine unconstrained delegation feature. Kerberos SSO allows QueryGrid queries to run with a single logon from the initiating Teradata system using the krb5 mechanism. No target credentials need to be passed in either the connector properties or the authorization object. Instead, a Kerberos token is delegated from the initiating Teradata system to the target system, which imports it using the GSSAPI to log on.
This feature adds a new authentication mechanism, Kerberos SSO, to the Hive and Teradata remote connectors.
Kerberos SSO Usage Considerations
- This feature is supported by Kerberos version 1.11 and later.
- This feature is supported by Advanced SQL Engine version 17.10 and later.
- This feature requires SLES 12 or later.
- The initiating Teradata and remote systems must be configured in the same Kerberos realm (cross-realm is exempt).
- The logon from the initiating Teradata system must use the Kerberos mechanism.
- The dbscontrol flag ForwardCredential on the initiating Teradata system must be set to TRUE (default) to enable this feature in the database.
- The Kerberos ticket must be configured to be forwardable on the initiating system.
- Expiry or renewal of the token is not supported by QueryGrid.
- The connector diagnostic check is not supported when the authentication mechanism is Kerberos SSO.
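
A pre-flight check for the forwardable-ticket requirement above, as an added example that is not part of the Teradata documentation: the shell function reads klist -f output and reports whether the TGT carries the forwardable flag. It assumes the MIT Kerberos klist -f layout, where flags appear on a "Flags:" continuation line; the function name, principals and sample output are constructed.

```shell
#!/bin/sh
# Added example, not Teradata code. Assumes the MIT Kerberos `klist -f` layout.
# Reads klist output on stdin and prints "<TGT principal> <flags>".
# Exit status: 0 = TGT forwardable, 1 = TGT not forwardable, 2 = no TGT found.
check_tgt_forwardable() {
    awk '
        # The first ticket whose service principal is krbtgt/REALM@REALM is the TGT.
        tgt == "" && $NF ~ /^krbtgt\// { tgt = $NF; in_tgt = 1; next }
        # With -f the flags sit on a continuation line: "[renew until ..., ]Flags: FRIA".
        in_tgt && /Flags:/ {
            flags = $0
            sub(/.*Flags:[ \t]*/, "", flags)
            sub(/[ \t\r]+$/, "", flags)
            exit
        }
        # Another ticket line ends the TGT entry (klist was run without -f).
        in_tgt && $NF ~ /@/ { in_tgt = 0 }
        END {
            if (tgt == "") exit 2
            print tgt, (flags == "" ? "-" : flags)
            # Case matters: "F" = forwardable; "f" only means the ticket was forwarded.
            exit (index(flags, "F") > 0 ? 0 : 1)
        }
    '
}

# Constructed sample output (not captured from a real system).
SAMPLE_OK='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
03/01/2024 09:00:00  03/01/2024 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 03/08/2024 09:00:00, Flags: FRIA'

SAMPLE_FORWARDED_ONLY='Valid starting       Expires              Service principal
03/01/2024 09:00:00  03/01/2024 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: fIA'

# Real use on the initiating system: klist -f | check_tgt_forwardable
for sample in "$SAMPLE_OK" "$SAMPLE_FORWARDED_ONLY"; do
    if out=$(printf '%s\n' "$sample" | check_tgt_forwardable); then
        echo "forwardable:     $out"
    else
        echo "NOT forwardable: $out"
    fi
done
```

A result of "-" for the flags means no Flags line followed the TGT, which usually means klist was run without -f.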