2.06 - Teradata Target Connector Security Guidelines

2.06 - Teradata Target Connector Security Guidelines - Teradata QueryGrid

Teradata® QueryGrid™ Installation and User Guide

Product

Teradata QueryGrid

Release Number

2.06

Published

September 2018

Language

English (United States)

Last Update

2018-11-26

dita:mapPath

blo1527621308305.ditamap

dita:ditavalPath

ft:empty

Teradata connectors support Trusted, TD2, LDAP, and Kerberos security mechanisms when acting as target connectors. The following considerations apply to each of the security mechanisms:

The username and password assigned and communicated from the initiator connector takes precedence over the one defined for the Teradata target connector properties.
For example, if the Teradata initiator provides an authorization object, it takes precedence over security-related connector property settings. Defining these connector properties is optional. If, however, credentials are not provided by the initiator connector, a username and password must exist in its connector property settings.
An Administrator can define user mappings in the QueryGrid portlet if the initiator end user differs from the remote system end user. This is the user to which you have granted CONNECT THROUGH on the remote system.
For user mapping, the local user submitting the query is mapped to the remote user that submits the query. User mapping applies as follows:
- For a Teradata initiator connector, user mapping can be used when it is set up with DEFINER authorization such that the local user submitting the query is the not the same as the authenticating user.
- For a target connector, user mapping is applicable when it is set up with the TRUSTED authentication mechanism and the remote user is not the same as the authenticating user.

Trusted

Trusted User or Service Accounts are a proxy user that act on behalf of the local user. You configure trusted sessions by granting CONNECT THROUGH privileges to proxy user or permanent end user. To do this perform the following steps on the remote system:

CREATE USER proxyuser AS PERM = 0 PASSWORD = password;
GRANT CONNECT THROUGH proxyuser TO PERMANENT target_end_user without role;
>> this target_end_user is the user that has access to objects that we will access from local system

The following property settings are required for Teradata target connectors using the Trusted security model.

Setting	Description
Authentication Mechanism	Set to Trusted.
Username	Set to the proxy user name.
Password	Set to the password for proxy user.

TD2

The following property settings are required for Teradata target connectors using the TD2 security model.

Setting	Description
Authentication Mechanism	Set to TD2.
Username	Set to the authorization user name.
Password	Set to the password for the authorized user.

LDAP

You can configure Teradata target connectors to use LDAP authentication involving a username and password. This means that queries with a Teradata target can be submitted using the LDAP security mechanism to authenticate; for example, the Presto-to-Teradata connection supports LDAP. The following properties must be configured to use LDAP with Teradata target connectors.

Setting	Description
Authentication Mechanism	Set to LDAP.
Username	Set to the LDAP directory user name.
Password	Set to the password for the user.

For detailed information about how to configure Teradata target connectors to use LDAP authentication, refer to the Orange Book: User Authentication and Directory Integration.

Kerberos

Teradata Kerberos set up must be completed before configuring QueryGrid. The following property settings are required for Teradata target connectors using the Kerberos security model.

Setting	Description
Authentication Mechanism	Set to Kerberos.
Username	Set to the Kerberos principal name.
Password	Set to the password for the Kerberos principal name. QueryGrid authenticates a principal using a password.
Realm	Set to the Kerberos realm.

For more information, see Teradata Connector and Link Properties.