1 Reply Latest reply on Oct 30, 2012 11:52 AM by rareddy

    jboss 7 teiid 8 login module

    gamvi01

      Hi

      I want to enable authentication for Teiid at the datasource level.

      <security-domain name="teiid-security" cache-type="default">
          <authentication>
              <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                  <module-option name="usersProperties" value="${jboss.server.config.dir}/teiid-security-users.properties"/>
                  <module-option name="rolesProperties" value="${jboss.server.config.dir}/teiid-security-roles.properties"/>
              </login-module>
          </authentication>
      </security-domain>

      <security-domain name="chorus-teiid-security" cache-type="default">
          <authentication>
              <login-module code="com.ca.mfui.chorusR2.common.security.ChorusLoginModule" flag="required"/>
          </authentication>
      </security-domain>

      <security-domain name="chorus-login-security" cache-type="default">
          <authentication>
              <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="sufficient">
                  <module-option name="usersProperties" value="${jboss.server.config.dir}/teiid-security-users.properties"/>
                  <module-option name="rolesProperties" value="${jboss.server.config.dir}/teiid-security-roles.properties"/>
              </login-module>
              <login-module code="com.ca.mfui.chorusR2.common.security.ChorusLoginModule" flag="sufficient"/>
          </authentication>
      </security-domain>

      <transport name="embedded">
          <authentication security-domain="chorus-login-security"/>
      </transport>

       

      For our application during the boostrap process when we load the metadata as teiid needs connection to finish the bootstap process, it uses the default module UsersRolesLoginModule(which would authenticate using the admin credentials) and when the application launches up i want o use the loggedin user credentials to do the authentication where i want to use ChorusLoginModule.ChorusLoginModule extends javax.security.auth.spi.LoginModule. In this login module i authenticate using loggedin user and add tat princiapl to subject.

       

      what is difference betwen having <authentication security-domain="chorus-login-security"/> vs <authentication security-domain="teiid-security,chorus-teiid-security"/>

      One difference i know is :

      chorus-login-security requires any of hte loginmodule to succeed . Once it succeeds it would switch to application. But would it throw any exception?

       

      I jkeep seeing the below in my logs when i enable debug level. Is there any way i can configure UsersRolesLoginModule to be done only for the users i mention?

       

      va.lang.String, class java.lang.String, class java.lang.String, class java.lang.String] of type PROCESSOR

      19:24:20,009 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] (Worker75_QueryProcessorQueue8529) Bad password for username=XXXXXXX

      19:24:20,018 DEBUG [org.teiid.PROCESSOR] (Worker52_QueryProcessorQueue8202) Created intermediate sort buffer  3404

      19:24:20,073 DEBUG [org.teiid.BUFFER_MGR] (Worker52_QueryProcessorQueue8202) Removing TupleBuffer: 3404

       

       

      If we dont enable authention in standalone-teiid.xml but specify security domain in a ds file , (either ldap or jdbc) etc would that still make authentication to pass through login module and fetch me the princiapl at the place i need it ?

      and should that datasource be defined as an XA datasource ?

        • 1. Re: jboss 7 teiid 8 login module
          rareddy

          Vineela,

           

          You can not define security domains that behave differently during the startup time vs after the startup time, unless you write your own security domain that has knowledge of the system lifecycle events, which way beyond the scope of this thread.

           

           

          what is difference betwen having <authentication security-domain="chorus-login-security"/> vs <authentication security-domain="teiid-security,chorus-teiid-security"/>

          One difference i know is :

          chorus-login-security requires any of hte loginmodule to succeed . Once it succeeds it would switch to application. But would it throw any exception?

          When you have multiple security domains specified like in "teiid-security,chorus-teiid-security", during the authentication, if user-name is supplied with out domain qualification, then each of the security domain is consulted until the access is granted. If user name contains domain qualification, then that perticular security domain is consulted. For example,

           

          if you have two users "john", and "jane" and both can be authenticated any domain

           

          - if user name is "john", the session manager first consults "teiid-secuirty" first and grant him the access, if the access is denied in this domain the next security domain will be tried.

          - if user name "jane@chorus-teiid-security", then session manager will only consult "chorus-teiid-security" secuirty domain. It will not consult "teiid-security".

           

          If we dont enable authention in standalone-teiid.xml but specify security domain in a ds file , (either ldap or jdbc) etc would that still make authentication to pass through login module and fetch me the princiapl at the place i need it ?

          and should that datasource be defined as an XA datasource ?

          You can NOT define security domain in the DS file, it does not make any difference whether you define your credentials inside the standalone-teiid.xml or ds file. XA or local has nothing to do with security, they define the transactionlity of the source.

           

           

          Dynamic VDB and data source level security do not play nice interms of getting the metadata during the startup. Since you are using the custom translator anyway, my suggestion is to use define two different data sources, one for the user and one for the metadata load, and through some smart use of delegation class and custom coding get the right connection object during the metadata load. I know you guys build custom translators, do you also write custom connectors? if yes, then you can bury logic between them.

           

          If not sure if there is good alternative we can provide..
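The following is an added illustration, not code from the thread, from Teiid or from JBoss. It models two things discussed above: how the JAAS control flags (`required`, `requisite`, `sufficient`, `optional`) in the posted security-domain configuration combine into one pass/fail result, and the domain-selection rule rareddy describes for `security-domain="teiid-security,chorus-teiid-security"`, where a bare user name is tried against each domain in order and `user@domain` pins the lookup to one domain. The user tables, the stand-in for ChorusLoginModule, and the rule that an `@suffix` not matching a configured domain is left as part of the user name are constructed assumptions for this example.

```python
"""Toy model of JAAS login-module stacking and Teiid-style security-domain
selection.  Added illustration only: the user tables and the module standing in
for ChorusLoginModule are constructed; this is not the Teiid/JBoss code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A login module is modelled as a callable (username, password) -> bool.
LoginModule = Callable[[str, str], bool]


def users_roles_module(users: Dict[str, str]) -> LoginModule:
    """Models UsersRolesLoginModule: a flat user -> password table."""
    def login(username: str, password: str) -> bool:
        return users.get(username) == password
    return login


@dataclass
class SecurityDomain:
    name: str
    # Ordered list of (module, flag); flag is one of the JAAS control flags.
    modules: List[Tuple[LoginModule, str]] = field(default_factory=list)

    def authenticate(self, username: str, password: str) -> bool:
        """JAAS control-flag rules across the stack:
        required   - must succeed, but the remaining modules still run
        requisite  - must succeed; on failure, fail immediately
        sufficient - success ends the stack, unless a required/requisite failed
        optional   - ignored unless no required/requisite module is present
        """
        required_ok = True    # no required/requisite module has failed so far
        saw_required = False
        any_success = False
        for module, flag in self.modules:
            ok = module(username, password)
            if flag in ("required", "requisite"):
                saw_required = True
                if not ok:
                    required_ok = False
                    if flag == "requisite":
                        return False
            elif flag == "sufficient" and ok and required_ok:
                return True
            if ok:
                any_success = True
        if saw_required:
            return required_ok
        # Only sufficient/optional modules: at least one must have succeeded.
        return any_success


def resolve_domains(username: str, configured: List[str]) -> Tuple[str, List[str]]:
    """'user@domain' pins the lookup to that domain; a bare name tries every
    configured domain in order.  Assumption: a suffix that is not a configured
    domain name is treated as part of the user name (e.g. an e-mail address)."""
    if "@" in username:
        user, domain = username.rsplit("@", 1)
        if domain in configured:
            return user, [domain]
    return username, list(configured)


def session_login(username: str, password: str,
                  domains: Dict[str, SecurityDomain],
                  order: List[str]) -> Optional[str]:
    """Returns the name of the first domain that granted access, or None."""
    user, candidates = resolve_domains(username, order)
    for name in candidates:
        if domains[name].authenticate(user, password):
            return name
    return None


# Constructed sample credentials for this example (not from the thread).
TEIID_USERS = {"john": "john-pw", "jane": "jane-pw"}
CHORUS_USERS = {"jane": "jane-pw", "vineela": "chorus-pw"}


def build_domains() -> Dict[str, SecurityDomain]:
    """Mirrors the three domains in the posted standalone-teiid.xml, with a
    second user table standing in for ChorusLoginModule."""
    users_roles = users_roles_module(TEIID_USERS)
    chorus = users_roles_module(CHORUS_USERS)
    return {
        "teiid-security": SecurityDomain(
            "teiid-security", [(users_roles, "required")]),
        "chorus-teiid-security": SecurityDomain(
            "chorus-teiid-security", [(chorus, "required")]),
        "chorus-login-security": SecurityDomain(
            "chorus-login-security",
            [(users_roles, "sufficient"), (chorus, "sufficient")]),
    }


if __name__ == "__main__":
    d = build_domains()
    order = ["teiid-security", "chorus-teiid-security"]
    for name in ("john", "jane", "jane@chorus-teiid-security", "vineela"):
        pw = TEIID_USERS.get(name.split("@")[0]) or CHORUS_USERS.get(name.split("@")[0])
        print(f"{name:28} -> {session_login(name, pw, d, order)}")
```

In the model a `sufficient` module that fails is simply passed over, but in the real stack that module still runs and records its own failure before the next one is tried; with `UsersRolesLoginModule` listed first in `chorus-login-security`, every user who is not in the properties file fails it first, which is consistent with the `Bad password for username=` debug lines quoted in the question. Qualifying the user name with a domain, as rareddy describes, is the way to make only the intended domain run.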