16.20 - Teradata Server Software Enforcement of Trusted Sessions - Teradata Vantage NewSQL Engine

Teradata Vantage™ SQL Data Control Language

prodname
Teradata Database
Teradata Vantage NewSQL Engine
vrm_release
16.20
created_date
March 2019
category
Programming Reference
featnum
B035-1149-162K

It is assumed that applications that use the trusted sessions feature will submit both trusted and nontrusted requests. It is the application, and not Teradata Database, that knows which requests can be trusted and which cannot. Teradata Database just verifies that the SET QUERY_BAND request with a PROXYUSER is a trusted request if the logon user has the WITH TRUST_ONLY option set.

Server software enforces trusted requests by means of GRANT CONNECT THROUGH requests that set trusted users to have the TRUST_ONLY privilege. If you specify the WITH TRUST_ONLY option for a trusted user, Teradata Database validates that a request to set a Proxy User is trusted; otherwise, it aborts the request and returns an error to the requestor.

Suppose a middle tier application submits the following SET QUERY_BAND request with a PROXYUSER.

SET QUERY_BAND = 'PROXYUSER=client787';

The following outcomes are possible, depending on whether the request is trusted and what CONNECT THROUGH privileges have been granted to the application user that submits it.

IF the trusted user has … AND the Trusted flag of the Options parcel … THEN the request is …
been granted the TRUST_ONLY privilege is set to Y trusted.

SET QUERY_BAND … PROXYUSER requests are permitted.

  is set to N not trusted.

SET QUERY_BAND … PROXYUSER requests are aborted.

not been granted the TRUST_ONLY privilege is set to Y neither trusted nor not trusted.

Teradata Database ignores the setting of the flag.

  is set to N neither trusted nor not trusted.

Teradata Database ignores the setting of the flag.

This is the default setting.