15.00 - External Security Clause - Teradata Database

Teradata Database SQL Data Definition Language Detailed Topics

prodname: Teradata Database
vrm_release: 15.00
category: Programming Reference
featnum: B035-1184-015K

External Security Clause

This clause is mandatory for all methods that perform operating system I/O. Failing to specify this clause for a method that performs I/O can produce unpredictable results and even cause the database, if not the entire system, to reset.

Note that authorization_name is an optional Teradata extension to the ANSI SQL:2011 standard.

When a method definition specifies EXTERNAL SECURITY DEFINER, then that method executes:

  • Under the OS user associated with the specified external authorization using the context of that user.

    | IF the method runs in this mode … | THEN the OS user must be … |
    |---|---|
    | protected | tdatuser, which must be a member of the tdatudf OS group. |
    | secure | an OS user assigned to an authorization name using the CREATE AUTHORIZATION statement (see “CREATE AUTHORIZATION/ REPLACE AUTHORIZATION” on page 206). The specified OS user must belong to the tdatudf OS group. |

  • The external security authorization associated with the method must be contained within the same database as the method (see “CREATE AUTHORIZATION/ REPLACE AUTHORIZATION” on page 206).
  • The following rules apply.

    • If you do not specify an authorization name, then you must create a default DEFINER authorization name before a user attempts to execute the method (see “CREATE AUTHORIZATION/ REPLACE AUTHORIZATION” on page 206).
    • If you have specified an authorization name, then an authorization object with that name must be created before you can execute the method (see “CREATE AUTHORIZATION/ REPLACE AUTHORIZATION” on page 206).
    • The system returns a warning message to the requestor when no authorization name exists at the time the method is being created.
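
The rules above expressed as DDL, in an added example that is not taken from the Teradata manual. It shows a named DEFINER authorization and a default DEFINER authorization, each created in the same database as the method before the method is created. Assumptions: the UDT SYSUDTLIB.doc_t and its method signatures already exist, and every authorization name, OS user name, method name, password and EXTERNAL NAME string is a hypothetical placeholder.

```sql
-- Case 1: the method names its authorization.
-- The authorization object is created first, in the same database as the
-- method (SYSUDTLIB here), so no warning is returned at CREATE METHOD time.
-- The OS user (hypothetical 'udt_io_svc') must belong to the tdatudf OS group.
CREATE AUTHORIZATION SYSUDTLIB.udt_io_auth AS DEFINER
  USER 'udt_io_svc'
  PASSWORD '<os-password-placeholder>';

CREATE METHOD SYSUDTLIB.export_text()
  RETURNS INTEGER
  FOR SYSUDTLIB.doc_t
  EXTERNAL NAME '<external-name-string-placeholder>'
  EXTERNAL SECURITY DEFINER udt_io_auth;   -- runs as OS user udt_io_svc

-- Case 2: the method omits the authorization name.
-- A default DEFINER authorization must exist in the same database before
-- any user executes the method.
CREATE AUTHORIZATION SYSUDTLIB.udt_default_auth AS DEFINER DEFAULT
  USER 'udt_default_svc'
  PASSWORD '<os-password-placeholder>';

CREATE METHOD SYSUDTLIB.import_text()
  RETURNS INTEGER
  FOR SYSUDTLIB.doc_t
  EXTERNAL NAME '<external-name-string-placeholder>'
  EXTERNAL SECURITY DEFINER;               -- resolves to the default DEFINER authorization
```

Giving each I/O-performing method a dedicated, low-privilege OS account in tdatudf, rather than sharing one account across unrelated methods, keeps file-system access scoped to what that method needs.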