2.10 - Teradata Target Connector Security Guidelines - Teradata QueryGrid

Teradata® QueryGrid™ Installation and User Guide

Product: Teradata QueryGrid
Release: 2.10
Created: September 2019
Category: Administration, Configuration, Installation, User Guide
Feature number: B035-5991-099K

Teradata connectors support Trusted, TD2, LDAP, and Kerberos security mechanisms when acting as target connectors. The following considerations apply to each of the security mechanisms:
  • The username and password assigned and communicated by the initiator connector take precedence over those defined in the Teradata target connector properties.

    For example, if the Teradata initiator provides an authorization object, it takes precedence over the security-related connector property settings. Defining these connector properties is optional. If, however, credentials are not provided by the initiator connector, a username and password must exist in the target connector property settings.

  • An Administrator can define user mappings in the QueryGrid portlet if the initiator end user differs from the remote system end user. This is the user to which you have granted CONNECT THROUGH on the remote system.
  • For user mapping, the local user submitting the query is mapped to the remote user that submits the query. User mapping applies as follows:
    • For a Teradata initiator connector, user mapping can be used when it is set up with DEFINER authorization such that the local user submitting the query is not the same as the authenticating user.
    • For a target connector, user mapping is applicable when it is set up with the TRUSTED authentication mechanism and the remote user is not the same as the authenticating user.

Trusted

Trusted user or service accounts are proxy users that act on behalf of the local user. You configure trusted sessions by granting CONNECT THROUGH privileges to a proxy user or permanent end user. To do this, perform the following steps on the remote system:

CREATE USER proxyuser AS PERM = 0 PASSWORD = password;
-- target_end_user is the user that has access to the objects accessed from the local system.
GRANT CONNECT THROUGH proxyuser TO PERMANENT target_end_user WITHOUT ROLE;

The following property settings are required for Teradata target connectors using the Trusted security model.

Setting                   Description
Authentication Mechanism  Set to Trusted.
Username                  Set to the proxy user name.
Password                  Set to the password for proxy user.

TD2

The following property settings are required for Teradata target connectors using the TD2 security model.

Setting                   Description
Authentication Mechanism  Set to TD2.
Username                  Set to the authorization user name.
Password                  Set to the password for the authorized user.

LDAP

You can configure Teradata target connectors to use LDAP authentication involving a username and password. This means that queries with a Teradata target can be submitted using the LDAP security mechanism to authenticate; for example, the Presto-to-Teradata connection supports LDAP. The following properties must be configured to use LDAP with Teradata target connectors.

Setting                   Description
Authentication Mechanism  Set to LDAP.
Username                  Set to the LDAP directory user name.
Password                  Set to the password for the user.

For detailed information about how to configure Teradata target connectors to use LDAP authentication, refer to the Orange Book: User Authentication and Directory Integration.

Kerberos

Teradata Kerberos setup must be completed before configuring QueryGrid. The following property settings are required for Teradata target connectors using the Kerberos security model.

Setting                   Description
Authentication Mechanism  Set to Kerberos.
Username                  Set to the Kerberos principal name.
Password                  Set to the password for the Kerberos principal name. QueryGrid authenticates a principal using a password.
Realm                     Set to the Kerberos realm.

For more information, see Teradata Connector and Link Properties.
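
The rules on this page (initiator-supplied credentials take precedence, each mechanism has required settings, target-side user mapping applies only under Trusted) can be checked before a connector is deployed. The following Python is an added example, not Teradata code: the function name and dictionary keys are hypothetical, the sample values are constructed, and it assumes the Kerberos realm is always read from the target connector properties.

```python
# Added example. Dictionary keys are hypothetical names for the settings in the
# tables on this page; they are not QueryGrid property identifiers.
BASIC = ("username", "password")
REQUIRED = {"Trusted": BASIC, "TD2": BASIC, "LDAP": BASIC,
            "Kerberos": BASIC + ("realm",)}


def resolve_target_auth(target_props, initiator_creds=None,
                        local_user=None, user_map=None):
    """Return (effective, findings) for one Teradata target connector.

    initiator_creds: (username, password) sent by the initiator, or None.
    user_map: local user -> remote user mappings defined by an administrator.
    """
    mech = target_props.get("mechanism")
    if mech not in REQUIRED:
        return None, [f"unsupported mechanism: {mech!r}"]
    findings = []
    # Credentials communicated by the initiator take precedence over the
    # username and password in the target connector properties.
    if initiator_creds:
        source = "initiator"
        values = dict(target_props, username=initiator_creds[0],
                      password=initiator_creds[1])
    else:
        source = "target properties"
        values = dict(target_props)
    for key in REQUIRED[mech]:
        # Assumption: the realm is only ever read from the target properties.
        where = "target properties" if key == "realm" else source
        if not values.get(key):
            findings.append(f"{mech}: {key} is not set ({where})")
    # Never echo the password itself, only whether one is present.
    effective = {"mechanism": mech, "credential_source": source,
                 "authenticating_user": values.get("username"),
                 "password_set": bool(values.get("password"))}
    if mech == "Kerberos":
        effective["realm"] = values.get("realm")
    mapped = (user_map or {}).get(local_user)
    if mech == "Trusted":
        # The proxy user authenticates; the mapped user (or, as an assumption,
        # the local user when no mapping exists) is the remote end user.
        effective["remote_user"] = mapped or local_user
    elif mapped:
        findings.append(f"{mech}: user mapping for {local_user} is not "
                        "applicable (target is not Trusted)")
    return effective, findings


if __name__ == "__main__":  # constructed sample input
    print(resolve_target_auth(
        {"mechanism": "Trusted", "username": "proxyuser", "password": "example"},
        local_user="alice", user_map={"alice": "target_end_user"}))
```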