-
1. Re: Kerberos integration
cristiano.nicolai Sep 29, 2010 10:59 PM (in response to cristiano.nicolai)
I had a look at the ODBC sources and it looks like the only auth type available is plain text, with the option to use SSL or not.
I'm wondering if the next step will be to support auth with MD5, according to the following sources:
ODBCServerRemote
    enum AuthenticationType {CLEARTEXT, MD5};
ODBCServerRemoteImpl
    // TODO: implement MD5 auth type
I'm still investigating JDBC. As long as JAAS is supported, I imagine I can use the JGSS-API to integrate my clients and make use of identity as described in http://community.jboss.org/thread/155741
-
2. Re: Kerberos integration
rareddy Sep 30, 2010 10:50 AM (in response to cristiano.nicolai)
Have you looked at integration with JBoss Negotiation? That seems to be the prescribed way in JBoss AS. I have not tried it myself, so please let us know how it works out.
As for ODBC, the ODBC driver that Teiid uses is from PostgreSQL, so there is no flexibility for client-side modifications. If there is anything that can be done transparently on the server side, that is possible.
If you are looking at this authentication scheme for data sources only, then the above link you provided is useful. There is a little more work we did for that, see https://jira.jboss.org/browse/TEIID-1265
Keep us posted.
Thanks.
Ramesh..
-
3. Re: Kerberos integration
cristiano.nicolai Oct 2, 2010 4:12 AM (in response to rareddy)
Thanks Ramesh.
For PostgreSQL ODBC, Kerberos authentication is supported since version 08.01.0100, according to these release notes: http://psqlodbc.projects.postgresql.org/release.html. As far as I can see in ODBCClientRemote, it looks like some methods there need to be implemented to provide this feature.
The JDBC driver also needs to be extended to support Kerberos and SPNEGO on the client side. The PostgreSQL JDBC driver also has support for this, so maybe it can be a good point to start looking.
For now I'm using Kerberos to authenticate both JDBC and ODBC clients through my security domains with the following config:
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
        <module-option name="storePass">true</module-option>
    </login-module>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <!-- property files can be found under the conf/props directory -->
        <module-option name="password-stacking">useFirstPass</module-option>
        <module-option name="usersProperties">props/teiid-security-users.properties</module-option>
        <module-option name="rolesProperties">props/teiid-security-roles.properties</module-option>
    </login-module>
I'm using JBoss Negotiation to provide Kerberos/SPNEGO for my web applications, but this project uses SPNEGO over HTTP, so I can't reuse it for the same security domain. My next step will be to put these web applications to use a data source from Teiid and propagate the user from the web tier against data roles.
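Added example, not part of the original post and not Teiid or JBoss code: a Python check of the ordering dependency in the stack above, assuming that a JBoss module with password-stacking=useFirstPass reuses the name and password that Krb5LoginModule leaves in JAAS shared state when storePass is true. The policy names and the sample XML are constructed.

```python
import xml.etree.ElementTree as ET

KRB5 = "com.sun.security.auth.module.Krb5LoginModule"

# Constructed sample: "krb-stacked" mirrors the stack in the post,
# "krb-unstacked" is the same stack with storePass left out.
SAMPLE = """
<policy>
  <application-policy name="krb-stacked"><authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
      <module-option name="storePass">true</module-option>
    </login-module>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
    </login-module>
  </authentication></application-policy>
  <application-policy name="krb-unstacked"><authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required"/>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
    </login-module>
  </authentication></application-policy>
</policy>
"""

def options(module):
    """Return a login-module's options as {name: stripped text}."""
    return {o.get("name"): (o.text or "").strip() for o in module.findall("module-option")}

def unstacked_modules(xml_text):
    """List (policy, module code) pairs whose useFirstPass has nothing to read.

    Assumption: shared-state credentials come either from Krb5LoginModule with
    storePass=true or from an earlier module that itself sets password-stacking.
    """
    findings = []
    for policy in ET.fromstring(xml_text).iter("application-policy"):
        stored = False  # has an earlier module put name/password in shared state?
        for module in policy.iter("login-module"):
            opts = options(module)
            stacking = opts.get("password-stacking", "").lower()
            if stacking == "usefirstpass" and not stored:
                findings.append((policy.get("name"), module.get("code")))
            if module.get("code") == KRB5:
                stored = stored or opts.get("storePass", "").lower() == "true"
            elif stacking == "usefirstpass":
                stored = True  # assumed: the module stores credentials after its own login
    return findings

if __name__ == "__main__":
    for name, code in unstacked_modules(SAMPLE):
        print(f"{name}: {code} uses useFirstPass but no earlier module stores credentials")
```

A module flagged here does not reuse the Kerberos-authenticated identity and has to obtain and check credentials on its own.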
-
4. Re: Kerberos integration
rareddy Oct 4, 2010 11:54 AM (in response to cristiano.nicolai)
Cristiano,
Thank you for the info. Very useful, I am going to give it a try for the below configuration.
"My next step will be to put these web applications to use a data source from Teiid and propagate the user from the web tier against data roles."
Teiid supports Passthrough authentication, so the above is possible. Check out the "Teiid Security" chapter in the "Teiid Admin Guide". The doc is not online yet, but in the 7.2 alphaX release bundle you will find the .pdf file for it.
Thanks.
Ramesh..
-
5. Re: Kerberos integration
cristiano.nicolai Oct 5, 2010 9:38 PM (in response to rareddy)
Thanks Ramesh,
I ran some tests and it is working for the 2 scenarios that I tested.
1- Local data source, deployed in the same JBoss AS 5.1 with Teiid 7.1
* sample-ds.xml
    <xa-datasource>
        <jndi-name>jdbc/TeiidDS</jndi-name>
        <xa-datasource-class>org.teiid.jdbc.TeiidDataSource</xa-datasource-class>
        <xa-datasource-property name="DatabaseName">SampleVDB</xa-datasource-property>
        <xa-datasource-property name="PassthroughAuthentication">true</xa-datasource-property>
        <track-connection-by-tx>true</track-connection-by-tx>
        <isSameRM-override-value>false</isSameRM-override-value>
        <no-tx-separate-pools />
        <!-- pool and other JBoss datasource properties -->
        <check-valid-connection-sql>SELECT 1</check-valid-connection-sql>
        <security-domain>TeiidDSRealm</security-domain>
    </xa-datasource>
* login-config.xml
    <application-policy name="TeiidDSRealm">
        <authentication>
            <login-module code="org.jboss.resource.security.CallerIdentityLoginModule" flag="required">
                <module-option name="userName">na</module-option>
                <module-option name="password"></module-option>
                <module-option name="managedConnectionFactoryName">jboss.jca:service=XATxCM,name=jdbc/TeiidDS</module-option>
            </login-module>
        </authentication>
    </application-policy>
2- Remote data source, deployed in another JBoss AS 5.1
* sample-ds.xml
    <xa-datasource>
        <jndi-name>jdbc/TeiidDS</jndi-name>
        <xa-datasource-class>org.teiid.jdbc.TeiidDataSource</xa-datasource-class>
        <xa-datasource-property name="DatabaseName">SampleVDB</xa-datasource-property>
        <xa-datasource-property name="serverName">serverIP</xa-datasource-property>
        <xa-datasource-property name="portNumber">31000</xa-datasource-property>
        <track-connection-by-tx>true</track-connection-by-tx>
        <isSameRM-override-value>false</isSameRM-override-value>
        <no-tx-separate-pools />
        <!-- pool and other JBoss datasource properties -->
        <check-valid-connection-sql>SELECT 1</check-valid-connection-sql>
        <security-domain>TeiidDSRealm</security-domain>
    </xa-datasource>
* login-config.xml
Exactly the same as the previous sample.
I hope this is useful.
-
6. Re: Kerberos integration
rareddy Oct 5, 2010 10:40 PM (in response to cristiano.nicolai)
Cristiano,
Thank you. This is good.
Recently I have added similar configuration/documentation to the "Admin Guide" in the "LoginModules" section in the 7.1.x branch as part of TEIID-1265. It will be part of the 7.2 release. However, my main concern there was to use separate authentication at sources that are used by Teiid than that of the Teiid data source.
In scenario (2), how are you accessing the remote TeiidDS from your web app? Do you have the web app in the remote VM too?
Ramesh..
-
7. Re: Kerberos integration
cristiano.nicolai Oct 5, 2010 10:53 PM (in response to rareddy)
Ramesh,
I made a simple web app with JAAS security enabled. I just wrote a basic servlet that looks up the TeiidDS and executes some queries to test authorization. As I'm using Kerberos in the Teiid security domain, my thought is that as long as I can provide user and pass from my local server via some JAAS callback (TeiidDSRealm does that), it will work fine to authenticate in the remote Teiid server. I tried this in the local server using either Krb5LoginModule or UsersRolesLoginModule and it worked fine.
-
8. Re: Kerberos integration
rareddy Oct 5, 2010 11:23 PM (in response to cristiano.nicolai)
Are you saying that your JAAS callback works remotely over the wire between two VMs?
-
9. Re: Kerberos integration
cristiano.nicolai Oct 6, 2010 12:02 AM (in response to rareddy)
No, what I'm saying is that JAAS in the local server has the ability to provide user and pass to connect to the Teiid data source. This Teiid DataSource needs to authenticate this user against the security domain that Teiid is configured with in the remote server. So, as long as my user/pass are valid in both domains (local JAAS and remote Teiid), everything works fine.
-
10. Re: Kerberos integration
rareddy Oct 6, 2010 12:18 PM (in response to cristiano.nicolai)
Thanks, that makes sense.
Ramesh..