1 Reply Latest reply on Feb 5, 2019 9:53 AM by rareddy

    JDBC to Teiid with Keycloak

    mbank

      Hello,

      I used Teiid 10.2.1 + WildFly and DBeaver with the Teiid JDBC driver to access VDBs using teiid-security. OData was working fine too.

      Now I configured Teiid to use Keycloak 4.8.3 for OData OAuth2 authentication, which is working fine.

      But when I try to connect with DBeaver now, I can't log in. It says:


      09:49:10,518 WARN  [org.teiid.SECURITY] (NIO3)  TEIID40011 Processing exception 'TEIID50072 The username "xxx" and/or password and/or payload token could not be authenticated by security domain keycloak.' for session null.  Exception type org.teiid.client.security.LogonException thrown from org.teiid.jboss.JBossSecurityHelper.authenticate(JBossSecurityHelper.java:152).: org.teiid.client.security.LogonException: TEIID50072 The username "mbank" and/or password and/or payload token could not be authenticated by security domain keycloak.
              at org.teiid.transport.LogonImpl.logon(LogonImpl.java:158)
              at org.teiid.transport.LogonImpl.logon(LogonImpl.java:123)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at org.teiid.transport.ServerWorkItem.run(ServerWorkItem.java:83)
              at org.teiid.dqp.internal.process.DQPWorkContext.runInContext(DQPWorkContext.java:277)
              at org.teiid.transport.SocketClientInstance.processMessagePacket(SocketClientInstance.java:234)
              at org.teiid.transport.SocketClientInstance.receivedMessage(SocketClientInstance.java:219)
              at org.teiid.transport.SSLAwareChannelHandler.messageReceived(SSLAwareChannelHandler.java:211)
              at org.teiid.transport.SSLAwareChannelHandler.channelRead(SSLAwareChannelHandler.java:217)
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
              at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
              at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86)
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
              at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
              at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:293)
              at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:267)
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
              at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
              at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334)
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
              at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926)
              at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134)
              at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:624)
              at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:559)
              at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:476)
              at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:438)
              at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
              at java.lang.Thread.run(Thread.java:748)
      Caused by: javax.security.auth.login.LoginException: TEIID50072 The username "xxx" and/or password and/or payload token could not be authenticated by security domain keycloak.
              at org.teiid.jboss.JBossSecurityHelper.authenticate(JBossSecurityHelper.java:152)
              at org.teiid.jboss.JBossSecurityHelper.authenticate(JBossSecurityHelper.java:58)
              at org.teiid.services.SessionServiceImpl.createSession(SessionServiceImpl.java:203)
              at org.teiid.transport.LogonImpl.logon(LogonImpl.java:138)
              ... 34 more

      Can I use Keycloak to authenticate JDBC connections to Teiid? I guess I have to configure the auth server, client and realm somewhere.


      Best regards
      Markus

        • 1. Re: JDBC to Teiid with Keycloak
          rareddy

          OAuth-based authentication is not suitable for JDBC, thus once you configured Keycloak for OData, JDBC stopped working. I am not entirely sure if this works, but you can try using two separate security domains for OData and JDBC. Maybe leave the default one for JDBC and configure a VDB-specific security domain for Keycloak. See LoginModules · GitBook


          Ramesh..
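          As an added illustration of the two-domain layout the reply above suggests, the fragments of a WildFly standalone-teiid.xml (and a vdb.xml) that carry the relevant settings. This is my sketch, not configuration posted in the thread or shipped by the Teiid project, and it may need adjusting to your server. It assumes the stock teiid-security domain backed by the UsersRoles login module and the properties files Teiid ships with, a security domain named keycloak like the one named in the log above (its Keycloak login-module settings are not shown), and a VDB named myvdb; the subsystem namespace versions are left to your existing file.

```xml
<!-- Added example, not from the thread or from the Teiid project. -->

<!-- inside <subsystem xmlns="urn:jboss:domain:security:..."> -->
<security-domains>
    <!-- stock Teiid domain: keep this for password-based JDBC logins -->
    <security-domain name="teiid-security" cache-type="default">
        <authentication>
            <login-module code="UsersRoles" flag="required">
                <module-option name="usersProperties"
                               value="${jboss.server.config.dir}/teiid-security-users.properties"/>
                <module-option name="rolesProperties"
                               value="${jboss.server.config.dir}/teiid-security-roles.properties"/>
            </login-module>
        </authentication>
    </security-domain>

    <!-- the "keycloak" domain already configured for OData; the Keycloak
         login module and its options are as you set them up and are omitted here -->
    <security-domain name="keycloak" cache-type="default">
        <authentication>
            <!-- ... Keycloak login module as configured for OData ... -->
        </authentication>
    </security-domain>
</security-domains>

<!-- inside <subsystem xmlns="urn:jboss:domain:teiid:..."> -->
<!-- each transport points at its own domain: bearer tokens for OData,
     username/password for JDBC -->
<transport name="odata">
    <authentication security-domain="keycloak"/>
</transport>
<transport name="jdbc" socket-binding="teiid-jdbc" protocol="teiid">
    <authentication security-domain="teiid-security"/>
</transport>

<!-- vdb.xml: the VDB-specific domain the reply mentions (assumed VDB name) -->
<vdb name="myvdb" version="1">
    <property name="security-domain" value="keycloak"/>
    <!-- ... models ... -->
</vdb>
```

          One caveat worth checking before relying on the VDB-level property: as I read the Teiid VDB reference, a security-domain set on the VDB takes precedence over the transport's domain for every session on that VDB, JDBC included, so a VDB that must serve both DBeaver and OData clients is better served by the per-transport settings and no VDB-level override. Either way, a client that can only send a username and password (the JDBC driver) must land on a domain whose login module validates exactly that, which is why the keycloak domain rejected the DBeaver logon in the log above.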