3 Replies Latest reply on Feb 18, 2015 1:46 PM by rareddy

    Using KeyCloak as the Teiid JDBC LoginModule

    jstrathern

      Hello Teiid Community,

      I am trying to use JBoss KeyCloak as the LoginModule for Teiid through JDBC, but I am experiencing issues with Teiid not knowing how to authenticate. I am trying to connect using the Teiid MS SQL Server Translator, with login users and passwords I know are authenticated through KeyCloak and/or the database.

      For details, firstly the KeyCloak security domain is defined in standalone-dsds.xml:

      <security-domain name="keycloak">
          <authentication>
              <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required" module="org.keycloak.keycloak-jboss-adapter-core"/>
          </authentication>
      </security-domain>

      Above is the method defined to create the security domain, with the additional module defined for the login-module. I added this in response to similar issues on this forum where users encountered the same authentication issue, but it did not resolve the issue.

      After this, I also ensured I defined the KeyCloak module for Teiid-JDBC:

      <subsystem xmlns="urn:jboss:domain:teiid:1.0">
          ...
          <transport name="jdbc" socket-binding="teiid-jdbc" protocol="teiid">
              <authentication security-domain="keycloak"/>
          </transport>
          ...


      However, as a result, whenever I try to connect with JDBC, I get the following stack trace:


      Caused by: org.teiid.net.ConnectionException: TEIID50072 The username "admin" and/or password and/or payload token could not be authenticated by any membership domain.
        at org.teiid.net.socket.SocketServerConnection.selectServerInstance(SocketServerConnection.java:139)
        at org.teiid.net.socket.SocketServerConnection.<init>(SocketServerConnection.java:92)
        at org.teiid.net.socket.SocketServerConnectionFactory.getConnection(SocketServerConnectionFactory.java:312)
        at org.teiid.jdbc.SocketProfile.connect(SocketProfile.java:54)
        ... 11 more
      Caused by: org.teiid.client.security.LogonException: TEIID50072 The username "admin" and/or password and/or payload token could not be authenticated by any membership domain.
        at org.teiid.transport.LogonImpl.logon(LogonImpl.java:149)
        at org.teiid.transport.LogonImpl.logon(LogonImpl.java:117)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.teiid.transport.ServerWorkItem.run(ServerWorkItem.java:87)
        at org.teiid.dqp.internal.process.DQPWorkContext.runInContext(DQPWorkContext.java:274)
        at org.teiid.transport.SocketClientInstance.processMessagePacket(SocketClientInstance.java:207)
        at org.teiid.transport.SocketClientInstance.receivedMessage(SocketClientInstance.java:193)
        at org.teiid.transport.SSLAwareChannelHandler.messageReceived(SSLAwareChannelHandler.java:212)
        at org.jboss.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:88)
        at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:560)
        at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:787)
        at org.jboss.netty.handler.stream.ChunkedWriteHandler.handleUpstream(ChunkedWriteHandler.java:142)
        at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:560)
        at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:787)
        at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
        at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462)
        at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443)
        at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
        at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
        at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:560)
        at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:555)
        at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
        at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
        at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
        at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:107)
        at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:312)
        at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:88)
        at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
        at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
        at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
      Caused by: javax.security.auth.login.LoginException: TEIID50072 The username "admin" and/or password and/or payload token could not be authenticated by any membership domain.
        at org.teiid.jboss.JBossSessionService.authenticate(JBossSessionService.java:74)
        at org.teiid.services.SessionServiceImpl.createSession(SessionServiceImpl.java:170)
        at org.teiid.transport.LogonImpl.logon(LogonImpl.java:134)
        ... 35 more
      

       

      What changes can I make to allow Teiid to use the KeyCloak LoginModule? As far as I can tell from the stack trace, it doesn't appear to be hitting the KeyCloak LoginModule code, instead experiencing issues in Teiid code.

      Thanks,

      Joe

        • 1. Re: Using KeyCloak as the Teiid JDBC LoginModule
          rareddy

          Joe,

          Did you add the module "org.keycloak.keycloak-jboss-adapter-core"? Basically what you did is what is needed to configure. Does the Keycloak login module take userid/password?


          Also you wrote " firstly the KeyCloak security domain is defined in standalone-dsds.xml", did you start the server using "standalone.sh -c standalone-dsds.xml"?


          Ramesh..

          • 2. Re: Using KeyCloak as the Teiid JDBC LoginModule
            jstrathern

            Ramesh,

            Yes, the keycloak-jboss-adapter-core module is located in the module folder of the JBoss install.

            Additionally, it does take userid and password. We are using it successfully in other areas deployed on JBoss, the problem seems limited to Teiid/JDBC at the moment.

            I can confirm the server is started using the correct jboss standalone file as well.


            Thanks,

            Joe

            • 3. Re: Using KeyCloak as the Teiid JDBC LoginModule
              rareddy

              Joe,


              If you want to attach your standalone.xml file, I can take a look, otherwise I can't seem to think why that would be the case.


              Ramesh..
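The questions Ramesh asks in the thread (is the security-domain the JDBC transport points at actually defined, does its login-module name a JBoss Modules module, and is that module present on disk) can be checked mechanically before posting a standalone.xml. The script below is an added example and is not code from the original thread, from Teiid or from Keycloak. It parses a server configuration, follows the `<transport name="jdbc">` authentication reference to its `<security-domain>`, and looks for each login-module's `module` under the two JBoss Modules roots (`modules/` and `modules/system/layers/base/`). The embedded XML is constructed for the example from the two fragments posted above; the `urn:jboss:domain:security:1.2` namespace and the `/opt/jboss` path are assumptions, and matching is done on local tag names so the exact subsystem versions do not matter.

```python
"""Cross-check the security-domain wiring behind a Teiid JDBC transport.

Added example (not from the thread or the projects). Three things have to
line up before a custom login module can ever be reached from JDBC logon:
  1. <transport name="jdbc"> carries <authentication security-domain="X"/>,
  2. a <security-domain name="X"> exists in the security subsystem,
  3. each <login-module module="..."> there resolves to a module directory.
"""
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the two fragments from the post merged into one server
# config. The security namespace version and layout are assumptions.
SAMPLE_XML = """<server xmlns="urn:jboss:domain:1.4">
  <profile>
    <subsystem xmlns="urn:jboss:domain:security:1.2">
      <security-domains>
        <security-domain name="keycloak">
          <authentication>
            <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule"
                          flag="required"
                          module="org.keycloak.keycloak-jboss-adapter-core"/>
          </authentication>
        </security-domain>
      </security-domains>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:teiid:1.0">
      <transport name="jdbc" socket-binding="teiid-jdbc" protocol="teiid">
        <authentication security-domain="keycloak"/>
      </transport>
    </subsystem>
  </profile>
</server>
"""


def local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit('}', 1)[-1]


def find_all(root, name):
    """All elements under root (inclusive) whose local tag name is `name`."""
    return [e for e in root.iter() if local(e.tag) == name]


def jdbc_transport_domain(root):
    """Security-domain name referenced by the jdbc transport, or None."""
    for transport in find_all(root, 'transport'):
        if transport.get('name') == 'jdbc':
            for child in transport:
                if local(child.tag) == 'authentication':
                    return child.get('security-domain')
    return None


def security_domains(root):
    """Map security-domain name -> [(login-module code, module attr), ...]."""
    domains = {}
    for domain in find_all(root, 'security-domain'):
        domains[domain.get('name')] = [
            (lm.get('code'), lm.get('module')) for lm in find_all(domain, 'login-module')
        ]
    return domains


def module_xml_candidates(module_name, jboss_home):
    """JBoss Modules resolves org.foo.bar to <root>/org/foo/bar/main/module.xml."""
    rel = os.path.join(*module_name.split('.'))
    roots = [os.path.join(jboss_home, 'modules'),
             os.path.join(jboss_home, 'modules', 'system', 'layers', 'base')]
    return [os.path.join(root, rel, 'main', 'module.xml') for root in roots]


def check_wiring(xml_text, jboss_home, exists=os.path.exists):
    """Return a list of findings; an empty list means the wiring is consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    domain = jdbc_transport_domain(root)
    if domain is None:
        return ['jdbc transport has no <authentication security-domain="..."/>']
    domains = security_domains(root)
    if domain not in domains:
        return ['security-domain "%s" referenced by the jdbc transport is not defined' % domain]
    for code, module in domains[domain]:
        if module is None:
            findings.append('login-module %s has no module attribute; its class must be '
                            'visible to the security subsystem another way' % code)
            continue
        candidates = module_xml_candidates(module, jboss_home)
        if not any(exists(p) for p in candidates):
            findings.append('module "%s" for login-module %s not found; looked for %s'
                            % (module, code, ', '.join(candidates)))
    return findings


if __name__ == '__main__':
    # Usage: python check_wiring.py [standalone.xml] [JBOSS_HOME]
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    home = sys.argv[2] if len(sys.argv) > 2 else '/opt/jboss'
    problems = check_wiring(xml_text, home)
    print('\n'.join(problems) if problems else 'wiring looks consistent')
```

The check only confirms that the transport, the domain and the module directory agree with each other; it cannot tell whether the login module will accept the userid/password the JDBC client sends, which is what TEIID50072 is ultimately reporting. Run it against the same file the server was actually started with (`-c`), since a correct domain in a file the server never reads is exactly the mismatch Ramesh's second question is probing for.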