Archives of the TeradataForum
Message Posted: Thu, 07 Jun 2012 @ 13:41:34 GMT
Hi,

Our team is exploring setting up trusted sessions for middle tier applications. We are facing some issues with it and need some help. Here is our scenario and what we have done so far.

Our Setup

We have 3 App users which connect to the middle tier application using LDAP. The middle tier application in turn logs on to Teradata via a Perm user called "Eadmin" and allows these App users (as proxies) to run SQL. In normal circumstances, App users will be able to do everything on TD that Eadmin can do. This is a security concern. In order to overcome this, Teradata introduced the concept of a trusted session (please correct me if I am wrong in my understanding of this concept).

      App       App       App
     User 1    User 2    User 3
       |         |         |
       |         |         |
    ---------------------------------------------
    |        Middle tier application            |
    |        (Perm TD user - Eadmin)            |
    ---------------------------------------------
                      |
                      |  Connection pooling via Perm TD user - Eadmin
                      |
         -------------------------------------
         |                                   |
         |           Teradata DB             |
         |                                   |
         -------------------------------------

How Trusted sessions help

While using trusted sessions, the middle tier application will first issue a "Set Query Band" statement for every App user before allowing him to run queries via its TD session. For example, if user 1 wants to run SQL on Teradata, it will first connect to the middle tier application. The middle tier application will issue the query band below before allowing user1 to run queries:

    SET QUERY_BAND = 'PROXYUSER=user1;' FOR SESSION;

This enables the database to know that subsequent queries are from a proxy user "user1", not from Eadmin. In the database we have mapped a role for proxy user "user1" via GRANT CONNECT THROUGH Eadmin TO user1 WITH ROLE = user1_role. So Teradata takes care of granting only user1_role to user1 (not the roles of Eadmin). This way user1 has restricted access and cannot do what Eadmin could.

Our Problem

In our case, we have issued "GRANT CONNECT" to user1 and user2 only. User 3 is not known to Teradata as a proxy user of Eadmin. But still, user3 is able to connect to Teradata and run SQL reports. When user 3 is not defined as a proxy user for Eadmin and does not have an associated "GRANT CONNECT role", how is he able to connect? How can we restrict user3 from accessing TD?

Please suggest if we are missing something here. Any help is greatly appreciated.

Regards,
Ravi Singh
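The flow described in the post, as an added example that is not part of the original message and not Teradata's or the poster's code: a middle tier that sets the proxy identity on a pooled Eadmin session, shown once ignoring a failed SET QUERY_BAND and once failing closed. FakeSession, run_fail_open and run_fail_closed are hypothetical names, and the model assumes the database rejects a PROXYUSER query band for a user with no CONNECT THROUGH grant; it illustrates one failure mode to rule out, not a diagnosis of this setup.

```python
import re

# Constructed stand-in for a pooled Teradata session logged on as Eadmin. It models one
# assumption: SET QUERY_BAND with PROXYUSER fails unless a CONNECT THROUGH grant exists.
class FakeSession:
    def __init__(self, grants):
        self.grants = grants          # proxy user -> role, as granted through Eadmin
        self.proxy = None             # None means requests run with Eadmin's own rights

    def execute(self, sql):
        m = re.fullmatch(r"SET QUERY_BAND = 'PROXYUSER=(\w+);' FOR SESSION;", sql)
        if m:
            if m.group(1) not in self.grants:
                raise PermissionError("no CONNECT THROUGH grant for " + m.group(1))
            self.proxy = m.group(1)
            return None
        if sql == "SET QUERY_BAND = NONE FOR SESSION;":
            self.proxy = None
            return None
        # Any other request: report whose privileges it ran under.
        return self.grants[self.proxy] if self.proxy else "Eadmin (full rights)"

SAFE_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,29}")

def run_fail_open(session, app_user, sql):
    """Anti-pattern: the proxy statement's error is swallowed."""
    try:
        session.execute(f"SET QUERY_BAND = 'PROXYUSER={app_user};' FOR SESSION;")
    except PermissionError:
        pass                          # the request below still runs, as Eadmin
    return session.execute(sql)

def run_fail_closed(session, app_user, sql):
    """Refuse to run anything unless the proxy identity was accepted."""
    if not SAFE_NAME.fullmatch(app_user):   # keeps ';' and quotes out of the query band
        raise ValueError("invalid proxy user name")
    session.execute(f"SET QUERY_BAND = 'PROXYUSER={app_user};' FOR SESSION;")  # may raise
    try:
        return session.execute(sql)
    finally:
        # Clear the proxy identity before the session goes back to the pool.
        session.execute("SET QUERY_BAND = NONE FOR SESSION;")
```

With grants for user1 and user2 only, run_fail_open lets a user3 request run under Eadmin's rights, while run_fail_closed raises before any SQL is executed.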
Last Modified: 15 Jun 2023