4 Replies Latest reply on Jul 28, 2014 12:47 PM by Mark Addleman

    Teiid & single sign on?

    Mark Addleman Master

      We're looking to implement a cross domain security solution, aka SSO.  A typical case would be that user logs into some security domain, USER_DOMAIN and issues query SELECT * FROM A where source A is in a different security domain.  As a rough implementation plan, I'm thinking:

      1. Teiid & JBoss configured normally for the USER_DOMAIN
      2. Configure JBoss JAAS modules for each source domain
      3. Have some table that maps model & source name to the appropriate JAAS login context name
      4. A delegating translator wrapping all translators which intercepts queries, for each query:
        1. Obtains the target source's security domain <-- black magic happens here
        2. Does the necessary JAAS LoginContext dance with a headless JAAS callback handler <-- some magic happens here but I don't think it's deeply magical
        3. Wraps Teiid's ExecutionContext with a delegating object to provide the new Subject/user id.
      5. The delegated translator's getConnection (hopefully) continues to work by virtue of picking up the appropriate subject/userid from the execution context


      I'm concerned about step 3.1, obviously.  I can't find a way to map a given execution context to the VDB's model and source name.  First, what do you think of this approach in general?  Second, what are your thoughts re step 3.1?

        • 1. Re: Teiid & single sign on?
          Mark Addleman Master

          I should clarify that I'm really only interested in mapping identities between the USER_DOMAIN and each data source domain.  The translator will still be responsible for obtaining proper credentials to the data source but it must receive the proper identity as part of its getConnection() method. 

          • 2. Re: Teiid & single sign on?
            Ramesh Reddy Master

            Mark,


            In the JBoss EAP data source configuration, you can also specify "security-domain" instead of a static user id and password.  Now if this security-domain is custom, it has access to your USER_DOMAIN's subject so that you can derive the user for the source. The translator is typically not involved in this situation, only the resource-adapter or data source.


            Ramesh..
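The configuration Ramesh refers to, as an added example that is not from this thread or from the Teiid or JBoss projects: JBoss EAP 6 standalone.xml fragments showing a datasource with static credentials beside the same datasource bound to a security domain, plus the security subsystem entry for that domain. The pool and JNDI names, the domain name SOURCE_A_DOMAIN, the subsystem schema versions and the login-module class com.example.SourceAIdentityMappingLoginModule (with its module option) are assumed placeholders.

```xml
<!-- Added example, not from the thread. Names (sourceA, SOURCE_A_DOMAIN, the login-module
     class and its option) are placeholders; schema versions are assumed for EAP 6.1. -->
<subsystem xmlns="urn:jboss:domain:datasources:1.1">
    <datasources>
        <!-- Static credentials: every Teiid query reaches source A as the same service
             account, so source A cannot tell users apart or apply per-user authorization,
             and the USER_DOMAIN identity is lost at this hop. -->
        <datasource jndi-name="java:/sourceA-static" pool-name="sourceA-static">
            <connection-url>jdbc:postgresql://sourcea.example.internal:5432/a</connection-url>
            <driver>postgresql</driver>
            <security>
                <user-name>teiid_service</user-name>
                <password>static-secret</password>
            </security>
        </datasource>

        <!-- Same source bound to a security domain: the container runs that domain's login
             modules when it creates the connection, so the source-side identity is derived
             from the caller's USER_DOMAIN subject at connection time. The Teiid translator's
             getConnection() is unchanged; the mapping happens below it, in the data source. -->
        <datasource jndi-name="java:/sourceA" pool-name="sourceA">
            <connection-url>jdbc:postgresql://sourcea.example.internal:5432/a</connection-url>
            <driver>postgresql</driver>
            <security>
                <security-domain>SOURCE_A_DOMAIN</security-domain>
            </security>
        </datasource>
    </datasources>
</subsystem>

<subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domains>
        <!-- The custom domain Ramesh describes. The login-module class is a placeholder
             for a module that maps the USER_DOMAIN principal to source A credentials; the
             module option is illustrative and is whatever that custom class defines. -->
        <security-domain name="SOURCE_A_DOMAIN">
            <authentication>
                <login-module code="com.example.SourceAIdentityMappingLoginModule" flag="required">
                    <module-option name="identityMapping" value="sourceA-identity-map.properties"/>
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>
```

Because the mapping module runs inside the container with the caller's subject, the source-side identity it chooses (and any failure to map one) is decided per connection request, which is also where to log it.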

            • 3. Re: Teiid & single sign on?
              Mark Addleman Master

              Thanks Ramesh - I should explain something about our requirements that, I think, is different than a normal J2EE setup.  Right now, Teiid and our sources are all in the same domain.  When Teiid connects to a data source in order to satisfy a user query, the translator's getConnection() method uses the subject within the execution context to log into the data source as the user.  In effect, Teiid is impersonating the user to each of our data sources.


              In the world of multiple domains, I can see how putting the security domain in the data source configuration is helpful but how will the translator receive the proper subject for its data source?

              • 4. Re: Teiid & single sign on?
                Mark Addleman Master

                Ramesh - I'm a little slow this morning.  I just realized the importance of the idea that the data source's domain has knowledge of USER_DOMAIN.  Thanks, I think this makes sense.