7 Replies Latest reply on Nov 8, 2013 9:12 AM by rareddy

    Different security for different vdbs in teiid

    madhu.garimilla

      I have 2 independent vdbs deployed, VDB1 and VDB2. I would like to use a different LoginModule to connect to each of these VDBs so that I can expose a specific set of models to a specific type of users. I have defined security domains for each of these LoginModules like below.

      <security-domain name="vdb1-security" cache-type="default">
          <authentication>
              <login-module code="com.vdb1.security.VDB1LoginModule" flag="sufficient"/>
          </authentication>
      </security-domain>

      <security-domain name="vdb2-security" cache-type="default">
          <authentication>
              <login-module code="com.vdb2.security.VDB2LoginModule" flag="sufficient"/>
          </authentication>
      </security-domain>

      How do we define the transport in such a case? If I define the transport like

      <transport name="jdbc" socket-binding="teiid-jdbc">
          <authentication security-domain="teiid-security,vdb1-security,vdb2-security"/>
      </transport>

      wouldn't it allow a user who has access only to vdb1 to connect to vdb2 also?

        • 1. Re: Different security for different vdbs in teiid
          shawkins

          > wouldn't it allow a user who has access only to vdb1 to connect to vdb2 also?

          Somewhat. It depends on to what degree you are using data roles and what access they allow. If your vdbs don't use data roles or allow any authenticated access, then yes, access to that transport implies that authenticated users of either domain will have access to both vdbs. If you are using data roles and tie them in each vdb to the respective security domain, then access will be restricted more along the lines of what you want.

          However, there isn't currently a simple feature to restrict access by, for example, allowing only certain vdbs for a given transport or allowing certain security domains for a given vdb. Either could be considered for an enhancement though.

          Steve

          • 2. Re: Different security for different vdbs in teiid
            madhu.garimilla

            Thanks Steve for the reply.

            What I can relate from data roles to my use case is: it allows the user to connect to any vdb (here vdb1 or vdb2), but the actual access check will be performed only when the user is trying to access any model/table etc. inside that vdb.

            I am making use of my own custom LoginModule for each vdb, which checks the security access on some backend system and allows a user to access. Since I am not using teiid-security-users.properties/teiid-security-roles.properties to configure my users/roles, how can I make use of data roles in my case?

            • 3. Re: Different security for different vdbs in teiid
              rareddy

              > What I can relate from data roles to my use case is: it allows the user to connect to any vdb (here vdb1 or vdb2), but the actual access check will be performed only when the user is trying to access any model/table etc. inside that vdb.

              That is correct; it will only be checked when the user accesses one of the resources.

              > I am making use of my own custom LoginModule for each vdb, which checks the security access on some backend system and allows a user to access. Since I am not using teiid-security-users.properties/teiid-security-roles.properties to configure my users/roles, how can I make use of data roles in my case?

              No different from the default one: you define the data roles in the vdb.xml and write code based on the data role names defined in there. Then you can map the data-role names to the "user-roles" from your security-domain, also in vdb.xml or using any of the admin tools.

              • 4. Re: Different security for different vdbs in teiid
                madhu.garimilla

                Hi Ramesh,

                If I have to handle it through data roles, then making use of separate LoginModules for each VDB doesn't make any difference compared to having a single LoginModule, as it allows the user in if they pass at least one security domain. So I need to handle this outside my LoginModule. To proceed further, if I define a data role like this in my vdb:

                <data-role name="RoleA">
                        <description>Allow all, except Delete</description>
                        <permission>
                            <resource-name>modelName.TableA</resource-name>
                            <allow-read>true</allow-read>
                        </permission>
                        <mapped-role-name>role1</mapped-role-name>
                </data-role>

                Where should I map all my userids to the user-role "role1", and how do I let Teiid know about this user-to-role mapping so that Teiid can perform this role check automatically when a user tries to access a resource?

                • 5. Re: Different security for different vdbs in teiid
                  rareddy

                  > Where should I map all my userids to the user-role "role1", and how do I let Teiid know about this user-to-role mapping so that Teiid can perform this role check automatically when a user tries to access a resource?

                  You do that in your LoginModule; see the get roles method on it. You can also *configure* your LoginModule along with the default file-based teiid-security-roles.properties. See an example of it here: Data Source Security - Teiid 8.6 (draft)

                  How does Teiid know? When the user is authenticated against the security domain, the subject is assigned credentials and roles; Teiid can read those and match them up to the data role based on the "mapped-role-name" property.

                  Ramesh
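Steve's point in reply 1 (a transport that lists several security domains authenticates users of any of them, so only data roles keep VDB1 users out of VDB2) and Ramesh's explanation in reply 5 (Teiid matches the roles on the authenticated subject against each data role's mapped-role-name) can be modelled end to end. The Python script below is an added example for this thread, not code from the thread or from Teiid: it parses the transport and data-role XML quoted above, treats each domain in the transport's security-domain list as a "sufficient" login in turn, and then applies the per-VDB data-role check. The user names, the roles each domain assigns, the second VDB without data roles, the dotted parent/child resource matching and the any-authenticated attribute are assumptions made for the example.

```python
"""Model of how a Teiid JDBC transport chaining several security domains
authenticates a user, versus how each VDB's data roles authorize access.
Added example for this thread; a simplified stand-in, not Teiid's own logic."""
import xml.etree.ElementTree as ET

# Constructed: the transport from the thread, trying three security domains.
TRANSPORT_XML = """
<transport name="jdbc" socket-binding="teiid-jdbc">
    <authentication security-domain="teiid-security,vdb1-security,vdb2-security"/>
</transport>
"""

# Constructed vdb.xml fragments: VDB1 carries the data role from the thread
# (mapped to "role1"); VDB2 declares no data roles at all.
VDB1_XML = """
<vdb name="VDB1" version="1">
  <model name="modelName"/>
  <data-role name="RoleA">
    <description>Allow all, except Delete</description>
    <permission>
      <resource-name>modelName.TableA</resource-name>
      <allow-read>true</allow-read>
    </permission>
    <mapped-role-name>role1</mapped-role-name>
  </data-role>
</vdb>
"""
VDB2_XML = """<vdb name="VDB2" version="1"><model name="other"/></vdb>"""
VDBS = {"VDB1": VDB1_XML, "VDB2": VDB2_XML}

# Constructed stand-in for what each domain's LoginModule attaches as the
# subject's "Roles" group: domain -> user -> roles (teiid-security knows nobody here).
DOMAIN_USERS = {
    "teiid-security": {},
    "vdb1-security": {"alice": {"role1"}},
    "vdb2-security": {"bob": {"role2"}},
}


def transport_domains(transport_xml):
    """Security domains the transport tries, in the order of the comma-separated list."""
    auth = ET.fromstring(transport_xml.strip()).find("authentication")
    return [d.strip() for d in auth.get("security-domain", "").split(",") if d.strip()]


def authenticate(transport_xml, user):
    """Walk the domains like a chain of 'sufficient' login modules: the first domain
    that knows the user wins. Returns that user's roles, or None if nobody knows them."""
    for domain in transport_domains(transport_xml):
        roles = DOMAIN_USERS.get(domain, {}).get(user)
        if roles is not None:
            return set(roles)
    return None


def parse_data_roles(vdb_xml):
    """{data-role name: (mapped role names, any-authenticated, {resource: allow-read})}.
    The any-authenticated attribute is assumed here as the 'any authenticated' case."""
    roles = {}
    for dr in ET.fromstring(vdb_xml.strip()).findall("data-role"):
        mapped = {m.text.strip() for m in dr.findall("mapped-role-name")}
        perms = {}
        for p in dr.findall("permission"):
            resource = p.findtext("resource-name").strip()
            perms[resource] = p.findtext("allow-read", "false").strip().lower() == "true"
        any_auth = dr.get("any-authenticated", "false").lower() == "true"
        roles[dr.get("name")] = (mapped, any_auth, perms)
    return roles


def can_read(vdb_xml, user_roles, resource):
    """Authorization for an already-authenticated user. A VDB without data roles lets
    every authenticated user in; otherwise the user needs a data role whose
    mapped-role-name matches one of their roles (or is any-authenticated) and that role
    must allow read on the resource or on a parent in its dotted name (assumed)."""
    data_roles = parse_data_roles(vdb_xml)
    if not data_roles:
        return True
    for mapped, any_auth, perms in data_roles.values():
        if not (any_auth or mapped & user_roles):
            continue
        for res, allow_read in perms.items():
            if allow_read and (resource == res or resource.startswith(res + ".")):
                return True
    return False


def access_report(transport_xml, user, vdbs, resource):
    """VDB name -> 'no-login' / 'denied' / 'allowed' for one user reading one resource."""
    roles = authenticate(transport_xml, user)
    if roles is None:
        return {name: "no-login" for name in vdbs}
    return {name: "allowed" if can_read(xml, roles, resource) else "denied"
            for name, xml in vdbs.items()}


def unguarded_vdbs(transport_xml, vdbs):
    """VDBs with no data roles behind a transport that chains more than one security
    domain: every user of every listed domain gets full access to them."""
    if len(transport_domains(transport_xml)) < 2:
        return []
    return sorted(name for name, xml in vdbs.items() if not parse_data_roles(xml))


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, access_report(TRANSPORT_XML, user, VDBS, "modelName.TableA"))
    print("unguarded:", unguarded_vdbs(TRANSPORT_XML, VDBS))
```

Running it shows the situation the thread describes: alice (authenticated by vdb1-security) can open a session and read VDB2 freely because VDB2 has no data roles, while bob (vdb2-security) is denied on VDB1's modelName.TableA because none of VDB1's data roles map to his roles. `unguarded_vdbs` is the configuration check a reviewer would run over a deployment: any VDB it lists is reachable, with full access, by every user of every domain on that transport.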

                  • 6. Re: Different security for different vdbs in teiid
                    madhu.garimilla

                    Hi Ramesh, I have put together the flow to achieve the desired functionality after going through the Teiid wiki. Please confirm whether this is going right.

                    1. We need a LoginModule which extends UsersRolesLoginModule, which authenticates the user and attaches some roles, like below:

                     

                    import java.security.Principal;
                    import java.security.acl.Group;
                    import java.util.Enumeration;
                    import java.util.Vector;
                    import javax.security.auth.login.LoginException;
                    import org.jboss.security.auth.spi.UsersRolesLoginModule;

                    public class MyUsersRolesLoginModule extends UsersRolesLoginModule {

                        @Override
                        public boolean commit() throws LoginException {
                            // Identity principal for the authenticated user; getUsername() is inherited
                            // from the JBoss login module, MyPrincipal is my own Principal implementation
                            Principal p = new MyPrincipal(getUsername());
                            // JBoss reads the user's roles from a Group named "Roles" on the subject
                            Group g = new Group() {
                                @Override
                                public String getName() {
                                    return "Roles";
                                }

                                @Override
                                public boolean removeMember(Principal user) {
                                    return false;
                                }

                                @Override
                                public Enumeration<? extends Principal> members() {
                                    Vector<Principal> v = new Vector<Principal>();
                                    v.add(new MyPrincipal("CR.ADMIN")); // This is the role defined in my security backend for the user
                                    return v.elements();
                                }

                                @Override
                                public boolean isMember(Principal member) {
                                    return false;
                                }

                                @Override
                                public boolean addMember(Principal user) {
                                    return false;
                                }
                            };
                            this.subject.getPrincipals().add(p); // here attaching username to subject
                            this.subject.getPrincipals().add(g); // here attaching role to subject
                            return true;
                        }
                    }

                     

                    2. In standalone-teiid.xml, declare the security domain as

                    <security-domain name="my-cfar-security" cache-type="default">
                        <authentication>
                            <login-module code="com.xxx.MyUsersRolesLoginModule" flag="required">
                            </login-module>
                        </authentication>
                    </security-domain>

                    3. Then define the transport as

                    <transport name="jdbc" socket-binding="teiid-jdbc">
                        <authentication security-domain="teiid-security,my-cfar-security,my-teiid-security"/>
                    </transport>

                    4. I see in the Teiid doc that we also need to declare the login module below inside my security-domain.

                    <login-module code="org.teiid.jboss.RoleBasedCredentialMapIdentityLoginModule" flag="required">
                        <module-option name="password-stacking" value="useFirstPass"/>
                        <module-option name="credentialMap" value="teiid-credentialmap.properties"/>
                    </login-module>

                    We are not exposing user/password/role info in any .txt files; my user-to-role mapping is present in the external security system. What should I place inside teiid-credentialmap.properties? I don't see this file under standalone/configuration. Could you please provide a sample?

                    • 7. Re: Different security for different vdbs in teiid
                      rareddy

                      I do not think you need (4).