7 Replies Latest reply on Jan 9, 2012 12:23 PM by rareddy

Role Based Credential Map for fine grained data roles

boss248 Jan 6, 2012 12:10 AM

I have imported two databases in my VDB and I've configured two different roles (admin and manager) and also used the "Mapped Role Names" feature to map the the vdb role to a role I've set up in JBoss using JAAS with DatabaseServerLoginModule. The idea is to have a servlet that requires authentication for urls mapped by /admin/* to execute a query in Teiid using the admin role only for users with the correct privilege. The JAAS in in Jboss works fine, but now I have problems with creating the TeiidDataSource.

For starters, I refactored the JDBCClient to execute my query in my servlet. I also added the following to the teiid-jboss-beans.xml:

<application-policy xmlns="urn:jboss:security-beans:1.0" name="teiid-security">

<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">

<module-option name = "unauthenticatedIdentity">guest</module-option>

<module-option name = "dsJndiName">java:/exampleDS</module-option>

<module-option name = "principalsQuery">SELECT password FROM user WHERE userid=?</module-option>

<module-option name = "rolesQuery">SELECT roleid, 'Roles' FROM role WHERE userid=?</module-option>

</login-module>

<login-module code="org.teiid.jboss.RoleBasedCredentialMapIdentityLoginModule" flag="required">

<module-option name = "password-stacking">useFirstPass</module-option>

<module-option name="credentialMap">props/teiid-credentialmap.properties</module-option>

<module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=defaultDS</module-option>

</login-module>

</authentication>

</application-policy>

My questions are

1) How do I connect to the TeiidDataSource (i.e. which username and password do I use)?

2) I'm not sure which *-ds file I put the <security-domain>teiid-security</security-domain> xml node in. Does it go in both of the -ds files that were used for the import into the VDB?

3) Does my jboss-web.xml file still use the old security-domain (i.e. I was using java:/jaas/exampleDomain)

4) Does the RoleBasedCredentialMapIdentityLoginModule referenced within teiid-jboss-beans use the defaultDS managedConnectionFactory?

thanks.

1. Re: Role Based Credential Map for fine grained data roles

rareddy Jan 6, 2012 12:00 PM (in response to boss248)
Boss248,

You may be going about accomplishing this wrong. You do not need "RoleBasedCredentialMapIdentityLoginModule" at all. This module is designed for users to control the login credentials of the data sources they are using for their VDB based on the user logged in. i.e typically either data sources (defined using -ds.xml files) have a same user/password for all users logged into your web application, however if you do not want that, then one option is to use the same credentials as logged in user at the data source level. "RoleBasedCredentialMapIdentityLoginModule" module takes this to next level, where you can define map of roles to credentials, such that it uses the role of the logged in (web app) user is used to look up credentials that are used at the data source. This way you can use different credentials at data source.

Now, to your use case, it is much more simpler.

1) Configure your web-app to use basic auth/form auth whatever you need using the JAAS. (Remove what you have in the teiid-jboss-beans.xml file). Ignore that you are using the Teiid for moment.
2) Define roles in this JAAS domain configured, that can to be mapped to VDB data roles and map them on VDB.
3) When you define the Teiid as data source to your Web App, use "LocalConnection" and define "PassthroughAuthentication" authentication by adding
<xa-datasource-property name="PassthroughAuthentication">true</xa-datasource-property>
What this is saying, since both your Web App and Teiid in same VM, you are bypassing the additional security check for the Teiid and using the credentials of the user who is already logged in the context of the Teiid connection request.

Hope this helps. Let us know if you have questions.

Ramesh..
1 of 1 people found this helpful
Actions
2. Re: Role Based Credential Map for fine grained data roles

boss248 Jan 6, 2012 2:46 PM (in response to rareddy)

Thanks for your reply. I made the changes but now I get this error:

14:40:07,772 WARN [PROCESSOR] Processing exception 'User <user@teiid-security> is not entitled to action <READ> for 1 or more of the groups/elements/procedures.' for request JMtYWGNwuVsJ.0. Exception type org.teiid.api.exception.query.QueryValidatorException thrown from org.teiid.dqp.internal.process.Request.validateWithVisitor(Request.java:335). Enable more detailed logging to see the entire stacktrace.
14:40:07,803 ERROR [STDERR] org.teiid.jdbc.TeiidSQLException: User <user@teiid-security> is not entitled to action <READ> for 1 or more of the groups/elements/procedures.

this is my teiid-ds.xml file:
<datasources>
<xa-datasource>
    <jndi-name>jdbc/TEIID-DS</jndi-name>
    <xa-datasource-class>org.teiid.jdbc.TeiidDataSource</xa-datasource-class>
    <xa-datasource-property name="DatabaseName">CountryVDB</xa-datasource-property>
    <xa-datasource-property name="serverName">localhost</xa-datasource-property>
    <xa-datasource-property name="portNumber">31000</xa-datasource-property>
    <xa-datasource-property name="user">user</xa-datasource-property>
    <xa-datasource-property name="password">user</xa-datasource-property>
    <xa-datasource-property name="PassthroughAuthentication">true</xa-datasource-property>
    <track-connection-by-tx>true</track-connection-by-tx>
    <isSameRM-override-value>false</isSameRM-override-value>
    <no-tx-separate-pools />

    
    <min-pool-size>5</min-pool-size>
    <max-pool-size>10</max-pool-size>
</xa-datasource>
</datasources>

My web.xml and jboss-web.xml are configured as well:
web.xml:
<resource-ref>
<res-ref-name>jdbc/TEIID-DS</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>

jboss-web.xml:
<resource-ref>
        <res-ref-name>jdbc/TEIID-DS</res-ref-name>
        <jndi-name>java:/jdbc/TEIID-DS</jndi-name>
</resource-ref>

TeiidServlet:
private static Connection getDataSourceConnection {
        Context initContext = new InitialContext();
        Context envContext = (Context)initContext.lookup("java:/comp/env");
        DataSource ds = (DataSource)envContext.lookup("jdbc/TEIID-DS");
        return ds.getConnection();
}

etc..
Actions
3. Re: Role Based Credential Map for fine grained data roles

rareddy Jan 9, 2012 8:20 AM (in response to boss248)

Boss248,

The above simply indicating that the user does not have READ access. If this user does not have read access on that resource that is expected.

Ramesh..
Actions
4. Re: Role Based Credential Map for fine grained data roles

boss248 Jan 9, 2012 11:43 AM (in response to rareddy)

I figured out the problem - I had to edit teiid-jboss-beans.xml and set the securityDomains attribute to the same name as my security domain specified in jboss-web.xml for jaas and it worked.
Actions
5. Re: Role Based Credential Map for fine grained data roles

boss248 Jan 9, 2012 11:50 AM (in response to boss248)

BTW, my other error was not setting the local connection configuration correctly in my datasource file for the vdb (teiid-ds.xml). Instead of:
<datasources>
<xa-datasource>
    <jndi-name>jdbc/TEIID-DS</jndi-name>
    <xa-datasource-class>org.teiid.jdbc.TeiidDataSource</xa-datasource-class>
    <xa-datasource-property name="DatabaseName">CountryVDB</xa-datasource-property>
    <xa-datasource-property name="serverName">localhost</xa-datasource-property>
    <xa-datasource-property name="portNumber">31000</xa-datasource-property>
    <xa-datasource-property name="user">user</xa-datasource-property>
    <xa-datasource-property name="password">user</xa-datasource-property>
    <xa-datasource-property name="PassthroughAuthentication">true</xa-datasource-property>
    <track-connection-by-tx>true</track-connection-by-tx>
    <isSameRM-override-value>false</isSameRM-override-value>
    <no-tx-separate-pools />

    
    <min-pool-size>5</min-pool-size>
    <max-pool-size>10</max-pool-size>
</xa-datasource>
</datasources>

I removed the portNumber and serverName property and also set the min pool size to 0 as follows:

<datasources>
<xa-datasource>
    <jndi-name>jdbc/TEIID-DS</jndi-name>
    <xa-datasource-class>org.teiid.jdbc.TeiidDataSource</xa-datasource-class>
    <xa-datasource-property name="DatabaseName">CountryVDB</xa-datasource-property>
    <xa-datasource-property name="user">user</xa-datasource-property>
    <xa-datasource-property name="password">user</xa-datasource-property>
    <xa-datasource-property name="PassthroughAuthentication">true</xa-datasource-property>
    <track-connection-by-tx>true</track-connection-by-tx>
    <isSameRM-override-value>false</isSameRM-override-value>
    <no-tx-separate-pools />

    
    <min-pool-size>0</min-pool-size>
    <max-pool-size>10</max-pool-size>
</xa-datasource>
</datasources>

Thanks for your help!
Actions
6. Re: Role Based Credential Map for fine grained data roles

rareddy Jan 9, 2012 12:01 PM (in response to boss248)

Cool, yes LocalConnection means no remote, thus no host or port configuration.
Actions
7. Re: Role Based Credential Map for fine grained data roles

rareddy Jan 9, 2012 12:23 PM (in response to boss248)

Passthrough documentation here http://docs.jboss.org/teiid/7.6.0.Final/admin-guide/en-US/html/custom_security.html#d0e507
Actions

Go to original post