10 Replies Latest reply on Oct 6, 2010 12:18 PM by rareddy

    Kerberos integration

    cristiano.nicolai

      Hi guys,

       

      I started to do some research and I would like to know if Teiid supports Kerberos/SPNEGO authentication over JAAS in all communication methods (JDBC, ODBC and Admin). If it does not for some type, is it a big effort, or is it already planned to support it?

       

      Thanks

        • 1. Re: Kerberos integration
          cristiano.nicolai

          I had a look at the ODBC sources and it looks like the only auth type available is plain text, with the option to use SSL or not.

           

          I'm wondering whether the next step will be to support auth with MD5, according to the following sources:

           

          ODBCServerRemote
              enum AuthenticationType {CLEARTEXT, MD5};

          ODBCServerRemoteImpl
              // TODO: implement MD5 auth type


          I'm still investigating JDBC; as long as JAAS is supported I imagine I can use the JGSS API to integrate my clients and make use of identity as described in http://community.jboss.org/thread/155741

          • 2. Re: Kerberos integration
            rareddy

            Have you looked at integration with JBoss Negotiation? That seems to be the prescribed way in JBoss AS. I have not tried it myself, so please let us know how it works out.

             

            As for ODBC, the ODBC driver that Teiid uses is from PostgreSQL, so there is not a lot of flexibility for client-side modifications. If there is anything that can be done transparently on the server side, that is possible.

             

            If you are looking at this authentication scheme at data sources only, then the above link you provided is useful. There is a little more work we did for that, see https://jira.jboss.org/browse/TEIID-1265

             

            Keep us posted.

             

            Thanks.

             

            Ramesh..

            • 3. Re: Kerberos integration
              cristiano.nicolai

              Thanks Ramesh.

               

              For PostgreSQL ODBC, Kerberos authentication has been supported since version 08.01.0100, according to these release notes: http://psqlodbc.projects.postgresql.org/release.html. As far as I can see in ODBCClientRemote, it looks like some methods there need to be implemented to provide this feature.

               

              The JDBC driver also needs to be extended to support Kerberos and SPNEGO on the client side; the PostgreSQL JDBC driver also has support for this, so maybe it can be a good point to start looking.

               

              For now I'm using Kerberos to authenticate both JDBC and ODBC clients through my security domains with the following config:

               

              <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
                  <module-option name="storePass">true</module-option>
              </login-module>
              <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                  <!-- property files can be found under the conf/props directory -->
                  <module-option name="password-stacking">useFirstPass</module-option>
                  <module-option name="usersProperties">props/teiid-security-users.properties</module-option>
                  <module-option name="rolesProperties">props/teiid-security-roles.properties</module-option>
              </login-module>

               

              I'm using JBoss Negotiation to provide Kerberos/SPNEGO for my web applications, but this project uses SPNEGO over HTTP, so I can't reuse it for the same security domain. My next step will be to put these web applications to use a data source from Teiid and propagate the user from the web tier against data roles.

              • 4. Re: Kerberos integration
                rareddy

                Cristiano,

                 

                Thank you for the info. Very useful, I am going to give it a try for the below configuration.

                    My next step will be to put these web applications to use a data source from Teiid and propagate the user from the web tier against data roles.

                Teiid supports passthrough authentication, so the above is possible. Check out the "Teiid Security" chapter in the "Teiid Admin Guide". The doc is not online yet, but in the 7.2 alphaX release bundle you will find the .pdf file for it.

                 

                Thanks.

                 

                Ramesh..

                • 5. Re: Kerberos integration
                  cristiano.nicolai

                  Thanks Ramesh,

                   

                  I made some tests and it is working for the 2 scenarios that I tested.

                  1- Local data source, deployed in the same JBoss AS 5.1 with Teiid 7.1

                     * sample-ds.xml

                       <xa-datasource>
                           <jndi-name>jdbc/TeiidDS</jndi-name>
                           <xa-datasource-class>org.teiid.jdbc.TeiidDataSource</xa-datasource-class>
                           <xa-datasource-property name="DatabaseName">SampleVDB</xa-datasource-property>
                           <xa-datasource-property name="PassthroughAuthentication">true</xa-datasource-property>
                           <track-connection-by-tx>true</track-connection-by-tx>
                           <isSameRM-override-value>false</isSameRM-override-value>
                           <no-tx-separate-pools />
                           <!-- pool and other JBoss datasource properties -->
                           <check-valid-connection-sql>SELECT 1</check-valid-connection-sql>
                           <security-domain>TeiidDSRealm</security-domain>
                       </xa-datasource>

                     * login-config.xml

                       <application-policy name="TeiidDSRealm">
                           <authentication>
                               <login-module code="org.jboss.resource.security.CallerIdentityLoginModule" flag="required">
                                   <module-option name="userName">na</module-option>
                                   <module-option name="password"></module-option>
                                   <module-option name="managedConnectionFactoryName">jboss.jca:service=XATxCM,name=jdbc/TeiidDS</module-option>
                               </login-module>
                           </authentication>
                       </application-policy>

                  2- Remote data source, deployed in another JBoss AS 5.1

                     * sample-ds.xml

                       <xa-datasource>
                           <jndi-name>jdbc/TeiidDS</jndi-name>
                           <xa-datasource-class>org.teiid.jdbc.TeiidDataSource</xa-datasource-class>
                           <xa-datasource-property name="DatabaseName">SampleVDB</xa-datasource-property>
                           <xa-datasource-property name="serverName">serverIP</xa-datasource-property>
                           <xa-datasource-property name="portNumber">31000</xa-datasource-property>
                           <track-connection-by-tx>true</track-connection-by-tx>
                           <isSameRM-override-value>false</isSameRM-override-value>
                           <no-tx-separate-pools />
                           <!-- pool and other JBoss datasource properties -->
                           <check-valid-connection-sql>SELECT 1</check-valid-connection-sql>
                           <security-domain>TeiidDSRealm</security-domain>
                       </xa-datasource>

                     * login-config.xml

                       Exactly the same as in the previous sample.

                  I hope this is useful.

                    • 6. Re: Kerberos integration
                      rareddy

                      Cristiano,

                       

                      Thank you. This is good.

                       

                      Recently I have added similar configuration/documentation to the "Admin Guide" in the "LoginModules" section in the 7.1.x branch as part of TEIID-1265. It will be part of the 7.2 release. However, my main concern there was to use authentication at the sources used by Teiid that is separate from that of the Teiid data source.

                       

                      In scenario (2), how are you accessing the remote TeiidDS from your web app? Do you have the web app in the remote VM too?

                       

                      Ramesh..

                      • 7. Re: Kerberos integration
                        cristiano.nicolai

                        Ramesh,

                         

                         

                        I made a simple web app with JAAS security enabled. I just wrote a basic servlet that looks up the TeiidDS and executes some queries to test authorization. As I'm using Kerberos at the Teiid security domain, my thought is that as long as I can provide user and pass from my local server via some JAAS callback (TeiidDSRealm does that) it will work fine to authenticate in the remote Teiid server. I tried this in the local server using both Krb5LoginModule and UsersRolesLoginModule and it worked fine.
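The test servlet described in reply 7, against the TeiidDS and TeiidDSRealm configuration from reply 5, as an added example (not code from either poster or from the Teiid project). It assumes the web app is itself secured with a JAAS security domain so that getRemoteUser() is populated, that the datasource is bound at java:/jdbc/TeiidDS, and that Teiid's USER() system function returns the authenticated session user; the class name is made up.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.ResultSet;
import javax.naming.InitialContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

// Added example, not code from the thread. Assumes the sample-ds.xml and
// login-config.xml from reply 5 are deployed, the web app itself is JAAS-secured
// so getRemoteUser() is set, and Teiid's USER() returns the session user.
public class PassthroughCheckServlet extends HttpServlet {
    // <jndi-name>jdbc/TeiidDS</jndi-name> is bound under java:/ by JBoss AS 5
    private static final String DS_JNDI = "java:/jdbc/TeiidDS";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String caller = req.getRemoteUser();
        if (caller == null) { // container did not authenticate: nothing to pass through
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String teiidUser = teiidSessionUser();
        // A mismatch (e.g. Teiid reporting the "na" placeholder from
        // CallerIdentityLoginModule) means the caller identity was not propagated
        // and Teiid data roles are being evaluated for the wrong principal.
        boolean ok = caller.equals(teiidUser);
        resp.getWriter().println("web principal: " + caller
                + "\nTeiid USER(): " + teiidUser
                + "\npassthrough " + (ok ? "OK" : "FAILED"));
    }

    // Borrows a pooled TeiidDS connection (CallerIdentityLoginModule supplies the
    // caller's credentials) and asks Teiid who the session user is.
    static String teiidSessionUser() throws ServletException {
        Connection c = null;
        try {
            DataSource ds = (DataSource) new InitialContext().lookup(DS_JNDI);
            c = ds.getConnection();
            ResultSet rs = c.createStatement().executeQuery("SELECT USER()");
            return rs.next() ? rs.getString(1) : null;
        } catch (Exception e) {
            throw new ServletException("TeiidDS lookup or query failed", e);
        } finally {
            if (c != null) { try { c.close(); } catch (Exception ignore) { } } // back to pool
        }
    }
}
```

Running it once as a Kerberos-authenticated web user and once with the datasource's security-domain element removed shows the difference between a propagated identity and the pool's shared placeholder user.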

                        • 8. Re: Kerberos integration
                          rareddy

                          Are you saying that your JAAS callback works remotely over the wire between two VMs?

                          • 9. Re: Kerberos integration
                            cristiano.nicolai

                            No, what I'm saying is that JAAS in the local server has the ability to provide user and pass to connect to the Teiid data source. This Teiid DataSource needs to authenticate this user against the security domain that Teiid is configured with in the remote server. So, as long as my user/pass are valid in both domains (local JAAS and remote Teiid), everything works fine.

                            • 10. Re: Kerberos integration
                              rareddy

                              Thanks, that makes sense.


                              Ramesh..