15.00 - Function of CREATE AUTHORIZATION Requests - Teradata Database

Teradata Database SQL Data Definition Language Detailed Topics

Teradata Database
Programming Reference


The purpose of an authorization object is to specify the user context to use when running an external routine that performs operating system I/O operations (see “CREATE FUNCTION (External Form)/ REPLACE FUNCTION (External Form)” on page 240, “CREATE FUNCTION (Table Form)” on page 291, “CREATE METHOD” on page 403, “CREATE PROCEDURE (External Form)/ REPLACE PROCEDURE (External Form)” on page 422, and SQL External Routine Programming).

Authorization objects associate a user with an OS platform user ID. With an OS platform user ID, a user can log onto a Teradata Database node as a native operating system user and so be able to run external routines that perform OS‑level I/O operations.

You must create an authorization object for any external routine that has an EXTERNAL SECURITY clause as part of its definition. In particular, you must define authorization objects for the following users and situations:

  • A user who needs to run external routines that contain an INVOKER security clause.
  • A user who needs to be the definer of any external routine modules that contain the DEFINER external clause.
  • Without the appropriate authorization objects having been created, none of the external routines containing an EXTERNAL SECURITY clause can run. Attempts to execute the external routine return an exception message to the requestor and the call to the external routine aborts.

    When you submit a CREATE AUTHORIZATION statement, the system validates the values for the specified user variables. If the specified user object has not yet been created on all database nodes, then the statement fails and returns an error message to the requestor. CREATE AUTHORIZATION also fails if any of the other information you specified is not correct.

    The system permits only three failed attempts to create an authorization object. After three failed attempts, Teradata Database returns an appropriate error message to the requestor.

    This restriction is implemented to thwart malicious attempts to circumvent system security by submitting CREATE AUTHORIZATION statements in a program loop to iterate different combinations of user names and passwords.

    To make another attempt to perform the statement, you must first log off the system and then log back on. The DBA also has the option of activating access logging (see “BEGIN LOGGING” on page 154) on CREATE AUTHORIZATION to enable the tracking of suspicious attempts to perform it.