6 Replies Latest reply on Sep 9, 2010 5:52 PM by rareddy

    Teiid Datasources, JDBC Identity and Connection Pooling

    brentonc

      Is there a way to change the current security credentials of a Teiid JDBC Connection (i.e. without closing the connection)?  Or, alternatively, is there a way to send a different set of credentials with the JDBC statement to Teiid for Teiid to use in VDB authorization decisions, which are different from those credentials used to originally establish the datasource connection?

       

      This page hints at being able to send a ClientToken (http://community.jboss.org/wiki/TeiidJDBCConnectionProperties) which sounds promising but I don't see how/if that can be done with an existing connection.

       

      My reason for asking is that I would like to use Teiid's authorization capabilities in the VDB (role-based) which are based on the credentials associated with the JDBC Connection.  But without either of the above techniques this requires that a new JDBC Connection be opened for each new user that is to interact with Teiid.

       

      Ideally, I would like JBoss to be able to create a pool of JDBC Connections (using some generic username/password value) and then whenever the application gets a connection from the pool it would just set the 'runas' credentials which Teiid would use instead of the datasource credentials.

       

      Oracle's OCI has this type of capability (viz. http://93.95.100.75/docs/oracle10r2/java.101/b10979/oci_func.htm  Section 19.1.4), although obviously it's not standard JDBC.

       

      thx in advance,

      Brenton

        • 1. Re: Teiid Datasources, JDBC Identity and Connection Pooling
          rareddy

          In prior releases of Teiid <=6.2, Teiid provided a client token based identity switching. However, starting with Teiid 7.0, Teiid uses JAAS based authentication and the previous technique is no longer supported.

           

          Currently this is logged as a feature request in Teiid JIRA. Please watch the JIRA and vote for it if you would like to bump up the priority of this feature.

           

          However Teiid does support pass through authentication starting from Teiid 7.1 release.

           

          Thanks

           

          Ramesh..

          • 2. Re: Teiid Datasources, JDBC Identity and Connection Pooling
            rareddy

            Brenton,

             

            I am not sure if your client application also resides in the same VM as the JBoss AS or not, i.e. if you are using Teiid with EJB or web-services etc. in JBoss AS. If you are, then you can use the "local" connection to Teiid, which works without socket based communication; then making a new connection every time is not as expensive as from remote VMs.

             

            Ramesh..

            • 3. Re: Teiid Datasources, JDBC Identity and Connection Pooling
              brentonc

              Ramesh, thanks for the references and background.

               

              To answer your question; our target architecture is indeed multi-tiered.   The application components reside in their own VMs separate to a Teiid-dedicated VM.

               

              Pass-through authentication (https://jira.jboss.org/browse/TEIID-1048) looks like it can achieve what we need, but as you point out it's only for local (embedded) datasource use.  Thus, I expect we'll need to develop a proxy datasource which can be installed remotely and proxy the requests to a local instance.  Or alternatively locate the VDBs with each application's VM.

               

              Any thoughts on extending the Passthrough functionality to work with non-embedded datasource use?

               

              - Brenton

              • 4. Re: Teiid Datasources, JDBC Identity and Connection Pooling
                rareddy

                Sounds like your other VMs are also JBoss AS, so you must be using connection pools by JBoss JCA. If that is the case, you can use different JBoss JCA Connection pooling strategies for creating your pool.  In particular check out "PoolBySubject".  I think this may satisfy your needs.

                 

                Look in this example for a configuration sample.

                 

                The proxy strategy seems like a lot of work, as you need to stack your proxy data source on the local embedded one and provide all the remote communication framework, thus essentially developing a proxy JDBC Driver. I would rather deploy my VDB locally everywhere, and look into scripts to keep these VDBs in sync in my cluster.

                 

                Let us know if the above suggestion works, as I myself have not tried this before.

                 

                Thanks.

                 

                Ramesh..

                • 5. Re: Teiid Datasources, JDBC Identity and Connection Pooling
                  rareddy

                  Correction, the above "PoolBySubject" will not work as is. For this to work, you would need to provide your own JAAS module that, given the incoming Subject, figures out (or has a map of) the user-id and password for the Teiid security domain and makes the connection using them, thus making the AS think that the pool is segregated by the subject.

                   

                  If you do not mind keeping passwords inside the application code see the "PoolByCRI" or "application-managed-security". That will work IMO.

                   

                  Ramesh..
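
Added example, not part of the thread and not JBoss or Teiid code: a JDK-only Java model of the subject-segregated pool described in reply 5, where a mapping step resolves the incoming Subject to a Teiid user-id and password and an idle connection is only ever reused by the identity that opened it. `SubjectPoolSketch`, `TeiidCredential`, `Conn` and the sample accounts are hypothetical; a real deployment would do the mapping in a JAAS login module and open actual Teiid JDBC connections.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.login.FailedLoginException;
// Added illustration of a subject-segregated pool: a model, not JBoss JCA or Teiid code.
public class SubjectPoolSketch {
    // Hypothetical stand-ins for a mapped Teiid credential and a pooled connection.
    record TeiidCredential(String user, char[] password) {}
    record Conn(int id, String teiidUser) {}
    private final Map<String, TeiidCredential> mapping;            // caller name -> Teiid login
    private final Map<String, Deque<Conn>> idle = new HashMap<>(); // one sub-pool per Teiid user
    private int nextId = 1;
    SubjectPoolSketch(Map<String, TeiidCredential> mapping) { this.mapping = mapping; }

    // The custom JAAS module's job: incoming Subject -> Teiid user-id and password.
    TeiidCredential resolve(Subject caller) throws FailedLoginException {
        for (Principal p : caller.getPrincipals()) {
            TeiidCredential c = mapping.get(p.getName());
            if (c != null) return c;
        }
        // Fail closed: an unmapped caller never falls back to a shared account.
        throw new FailedLoginException("no Teiid credential mapped for caller");
    }

    Conn borrow(Subject caller) throws FailedLoginException {
        TeiidCredential c = resolve(caller);
        Conn reused = idle.computeIfAbsent(c.user(), k -> new ArrayDeque<>()).poll();
        // A real pool would open a Teiid JDBC connection with c at this point.
        return reused != null ? reused : new Conn(nextId++, c.user());
    }

    void release(Conn conn) { idle.get(conn.teiidUser()).push(conn); }

    static Subject subject(String name) {
        Principal p = () -> name;
        return new Subject(true, Set.of(p), Set.of(), Set.of());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample mapping; names and passwords are placeholders.
        var pool = new SubjectPoolSketch(Map.of(
            "alice", new TeiidCredential("alice_vdb", "placeholder-a".toCharArray()),
            "bob", new TeiidCredential("bob_vdb", "placeholder-b".toCharArray())));
        pool.release(pool.borrow(subject("alice")));       // alice's connection goes idle
        System.out.println(pool.borrow(subject("bob")));   // bob is not handed alice's idle connection
        System.out.println(pool.borrow(subject("alice"))); // alice reuses her own
        try { pool.borrow(subject("mallory")); }           // unmapped caller is rejected
        catch (FailedLoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```
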

                  • 6. Re: Teiid Datasources, JDBC Identity and Connection Pooling
                    rareddy

                    If you are not writing your own JAAS module but would like to keep the pool segregated by the subject ("PoolBySubject"), here is some useful info:  http://community.jboss.org/docs/DOC-9350

                     

                    Also, my assumption above about "application-managed-security" will only work when you follow the above.