3 Replies Latest reply on Dec 22, 2015 10:10 AM by rareddy

    Teiid - Security Domain configuration

    humourmind

      To make use of the vault store, I have created a keystore to hold application-sensitive info,

       

      <datasource jndi-name="java:/Test_VDB" pool-name="Test_VDB" enabled="true">
          <connection-url>jdbc:teiid:Test_VDB</connection-url>
          <driver>teiid</driver>
          <security>
              <user-name>dvuser</user-name>
              <password>${VAULT::ds_creds::mysql_creds::1}</password>
          </security>
      </datasource>


      I have created my data source configuration for my VDB like this. Ideally, when I connect from a client, I have to specify the URL and the above username and password to connect.

       

      But what is happening is that there is an entry in the standalone-teiid.xml file,

       

      <transport name="jdbc" socket-binding="teiid-jdbc" protocol="teiid">
          <authentication security-domain="teiid-security"/>
      </transport>

       

      which binds teiid-jdbc to 31000.

       

      When I try to connect to the VDB using the vault credentials, my request is blocked; if I instead try to connect using teiid-security credentials, it goes through. By doing so, whatever I configure as credentials in the data source definition is meaningless.

       

      How can I delegate my teiid-security to refer to the security aspects defined under datasource?

        • 1. Re: Teiid - Security Domain configuration
          van.halbert

          Humour,

           

          The datasource you have defined above and accessing Teiid using port 31000 are 2 different access points. If you want to control the credentials from a client application, then that needs to be done using JAAS or a custom login module, for which you can then change which security domain the teiid transport is using. The datasource defined above is accessed by other applications in the same JVM. This is often referred to as using embedded mode.

          • 2. Re: Teiid - Security Domain configuration
            humourmind

            Instead of authenticating based on teiid-security, is there any way that the authentication can be offloaded to the security section of data sources? Similar to other data source authentication in EAP through JNDI and creds lookup?

            • 3. Re: Teiid - Security Domain configuration
              rareddy

              As Van indicated, you are trying two different types of auth.

               

              1) If your client is a remote application, then the only possible way you supply the credentials is when you are making the connection, i.e. supplying them over the JDBC URL, if you are using JDBC.

               

              2) If you configured a data source configuration as shown above with a JNDI name and VAULT store, that is ONLY for in-VM applications, i.e. if you have a web application, you can look up the JNDI name and grab the data source, and then get a connection on the data source without providing any credentials. In this case the configured credentials are used.

               

              So, it depends upon your client usage model. 

               

              Also, what is in "teiid-security" is a configuration for a JAAS based security domain, which will force any Teiid user to authenticate *against* it, whereas what is in the "data-source" configuration is credentials that authenticate the user with Teiid's security-domain, but is not a security-domain. So, they serve two different purposes.

               

              HTH

               

              Ramesh..
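
Added example, not part of the thread and not code from any of the posters: the two access paths the replies describe, side by side in Java. The class name, the host argument and the TEIID_USER / TEIID_PASSWORD environment variables are assumptions; the Teiid JDBC driver is assumed to be on the classpath, and `inVm()` only works from code deployed in the same server as the data source.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

public class TeiidAccessPaths {

    // Remote client: the connection enters through the "jdbc" transport
    // (socket binding teiid-jdbc, port 31000). The user and password supplied
    // here are checked by the transport's security domain (teiid-security);
    // the <security> block of the data source plays no part on this path.
    static Connection remote(String host, String user, String password) throws SQLException {
        String url = "jdbc:teiid:Test_VDB@mm://" + host + ":31000";
        return DriverManager.getConnection(url, user, password);
    }

    // In-VM application (for example a web app in the same server): look up the
    // data source by its JNDI name. The caller passes no credentials; the
    // container uses <user-name> and the vault-resolved <password> from the
    // data source definition, which must still be valid in Teiid's security domain.
    static Connection inVm() throws NamingException, SQLException {
        DataSource ds = (DataSource) new InitialContext().lookup("java:/Test_VDB");
        return ds.getConnection();
    }

    public static void main(String[] args) {
        // Assumed inputs: host as first argument, credentials from the environment
        // so that they never appear in source code or in shell history.
        String host = args.length > 0 ? args[0] : "localhost";
        String user = System.getenv("TEIID_USER");
        String password = System.getenv("TEIID_PASSWORD");
        if (user == null || password == null) {
            System.err.println("Set TEIID_USER and TEIID_PASSWORD first");
            return;
        }
        try (Connection c = remote(host, user, password)) {
            System.out.println("Authenticated by the transport's security domain as "
                    + c.getMetaData().getUserName());
        } catch (SQLException e) {
            // Wrong credentials for the security domain, or the server is unreachable.
            System.err.println("Remote connection failed: " + e.getMessage());
        }
    }
}
```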