External Security Clause - Advanced SQL Engine - Teradata Database

SQL Data Definition Language Detailed Topics

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.05, 17.00
Published: June 2020
Language: English (United States)
Last Update: 2021-01-24
dita:id: B035-1184
lifecycle: previous
Product Category: Teradata Vantage™

This clause is mandatory for all methods that perform operating system I/O. Failing to specify this clause for a method that performs I/O can produce unpredictable results and even cause the database, if not the entire system, to reset. See CREATE AUTHORIZATION and REPLACE AUTHORIZATION.

Note that authorization_name is an optional Teradata extension to the ANSI SQL:2011 standard.

When a method definition specifies EXTERNAL SECURITY DEFINER, then that method executes:
  • Under the OS user associated with the specified external authorization using the context of that user.
    IF the method runs in this mode … | THEN the OS user must be …
    protected | tdatudf, which must be a member of the tdatudf OS group.
    secure    | an OS user assigned to an authorization name using the CREATE AUTHORIZATION statement. The specified OS user must belong to the tdatudf OS group.

  • The external security authorization associated with the method must be contained within the same database as the method.

The following rules apply.
  • If you do not specify an authorization name, then you must create a default DEFINER authorization name before a user attempts to execute the method.
  • If you have specified an authorization name, then an authorization object with that name must be created before you can execute the method.

    The system returns a warning message to the requestor when no authorization name exists at the time the method is being created.
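
The rules above, shown as an added example in Teradata SQL (not taken from the Teradata manual). The UDT, method, authorization, and OS user names, the source path, and the password placeholder are all hypothetical. The example assumes the UDT and its methods reside in SYSUDTLIB and that both OS users are members of the tdatudf OS group.

```sql
-- Assumption: SYSUDTLIB.sensor_reading already exists and its CREATE TYPE
-- statement declares the signatures of export_reading() and archive_reading().

-- Case 1: named DEFINER authorization.
-- The authorization is created in the same database as the method (SYSUDTLIB)
-- and BEFORE the method, so CREATE METHOD returns no missing-authorization warning.
CREATE AUTHORIZATION SYSUDTLIB.reading_export_auth AS DEFINER
  USER 'udf_io_user'            -- hypothetical OS user, member of tdatudf
  PASSWORD '<os-user-password>'; -- placeholder, supply the real credential

-- The method performs operating system I/O, so the EXTERNAL SECURITY clause
-- is mandatory. It names the authorization created above.
CREATE INSTANCE METHOD export_reading()
  RETURNS INTEGER
  FOR SYSUDTLIB.sensor_reading
  EXTERNAL NAME 'CS!export_reading!udt_src/export_reading.c'
  EXTERNAL SECURITY DEFINER reading_export_auth;

-- Case 2: no authorization name in the method definition.
-- A default DEFINER authorization must exist in the method's database
-- before any user executes the method.
CREATE AUTHORIZATION SYSUDTLIB.default_io_auth AS DEFINER DEFAULT
  USER 'udf_default_user'       -- hypothetical OS user, member of tdatudf
  PASSWORD '<os-user-password>';

CREATE INSTANCE METHOD archive_reading()
  RETURNS INTEGER
  FOR SYSUDTLIB.sensor_reading
  EXTERNAL NAME 'CS!archive_reading!udt_src/archive_reading.c'
  EXTERNAL SECURITY DEFINER;    -- resolves to the default DEFINER authorization
```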