Discretionary Access Control Security Issues with Trusted Sessions - Teradata Vantage

Teradata® VantageCloud Lake

Deployment: VantageCloud
Edition: Lake
Product: Teradata Vantage
Published: January 2023
Locale: en-US
Last edition: 2024-12-11

Trusted sessions work with middle-tier applications that submit SQL requests to Vantage on behalf of end users. If a middle-tier application allows end users to submit SQL requests directly (called injected SQL), an end user can use SET QUERY_BAND to switch the active session identity and role set to a proxy user who has discretionary access control privileges that the end user is not intended to have, which is a potential security breach.

This security issue does not apply to trusted sessions when Vantage enforces row-level security for a table. For more information, see Query Bands, Trusted Sessions, and Row-Level Security.

To prevent end users from changing the active session identity, the DBA can require that every SET QUERY_BAND request submitted by a trusted user that sets or removes a proxy user be a trusted request.

The DBA follows these steps:

  1. Grant the CONNECT THROUGH WITH TRUST_ONLY privilege to the trusted user (see GRANT CONNECT THROUGH).

    The trusted user must designate as trusted any SET QUERY_BAND request to set or remove a proxy user, or Vantage rejects the request.

  2. Using available APIs, have applications designate an SQL request to be trusted or not trusted.

    When an application submits a SET QUERY_BAND request to set the ProxyUser, the application can designate the request as trusted.

    When an application submits SQL requests created or modified by an end user, the application can designate the requests as not trusted, to prevent the client from injecting a SET QUERY_BAND request to change the proxy user or proxy role.

    There is no SQL method for upgrading a request to the trusted designation.

When you either commit or roll back a transaction, Vantage removes both its query band and any proxy user who has been set with a query band for that transaction. This cannot be controlled by the TrustOnly flag. Therefore, use session query bands when you want to use trusted sessions.
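The following is an added example, not taken from the Teradata documentation, showing the DBA-side GRANT CONNECT THROUGH with and without TRUST_ONLY and the application-side SET QUERY_BAND requests the procedure above describes. The user and role names (app_server, proxy_alice, reporting_role) are placeholders.

```sql
-- Added example (not from the Teradata documentation). User and role
-- names (app_server, proxy_alice, reporting_role) are placeholders.

-- Weak setting: TRUST_ONLY is not specified, so the TrustOnly flag is N.
-- Any SET QUERY_BAND request in app_server's session, trusted or not,
-- can set or remove the proxy user, including injected end-user SQL.
GRANT CONNECT THROUGH app_server
   TO PERMANENT proxy_alice WITH ROLE reporting_role;

-- Hardened setting: TRUST_ONLY sets the TrustOnly flag to Y. Vantage then
-- rejects any SET QUERY_BAND request that sets or removes the proxy user
-- unless the application marked that request as trusted via its client
-- API (the Trusted flag in the Options parcel); SQL alone cannot do this.
GRANT CONNECT THROUGH app_server WITH TRUST_ONLY
   TO PERMANENT proxy_alice WITH ROLE reporting_role;

-- Application side, submitted by app_server as a TRUSTED request.
-- A session query band is used because a transaction query band, and the
-- proxy user it set, is dropped at commit or rollback regardless of the
-- TrustOnly flag.
SET QUERY_BAND = 'PROXYUSER=proxy_alice;PROXYROLE=reporting_role;' FOR SESSION;

-- End-user SQL is submitted by the application as NOT trusted. Under
-- TRUST_ONLY, a SET QUERY_BAND naming a different PROXYUSER that is
-- injected into such a request is rejected, so the session identity
-- chosen by the application cannot be changed from the client side.

-- Removing the proxy user is also a change to the active session identity,
-- so under TRUST_ONLY this request must be submitted as trusted as well.
SET QUERY_BAND = NONE FOR SESSION;
```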

The following table shows the behavior of SET QUERY_BAND requests associated with TrustOnly flag settings.

TrustOnly Flag Setting | How a SET QUERY_BAND Request that Sets or Updates the Proxy User Can Be Performed
-----------------------|----------------------------------------------------------------------------------
N (default)            | Trusted or not trusted.
Y                      | Trusted only.

The following table shows how a procedure that submits a SET QUERY_BAND request becomes trusted or not trusted.

SET QUERY_BAND Context | SET QUERY_BAND Request
-----------------------|-------------------------------------------------------------------------
SQL procedure          | Trusted if invoked by a trusted CALL request.
                       | Not trusted if invoked by a CALL request that is not trusted.
External procedure     | Trusted if the Trusted flag in the Options parcel is set to Y.
                       | Not trusted if the Trusted flag in the Options parcel is set to N.