3 Replies Latest reply on Feb 18, 2015 1:46 PM by Ramesh Reddy

    Using KeyCloak as the Teiid JDBC LoginModule

    Joe Strathern Newbie

      Hello Teiid Community,

      I am trying to use JBoss KeyCloak as the LoginModule for Teiid through JDBC, but I am experiencing issues with Teiid not knowing how to authenticate. I am trying to connect using the Teiid MS SQL Server Translator, with login users and passwords I know are authenticated through KeyCloak and/or the database.

       

      For details, firstly the KeyCloak security domain is defined in standalone-dsds.xml:

      <security-domain name="keycloak">
          <authentication>
              <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required" module="org.keycloak.keycloak-jboss-adapter-core"/>
          </authentication>
      </security-domain>
      

      Above is the method defined to create the security domain, with the additional module defined for the login-module. I added this as a response to similar issues on this forum where users encountered the same authentication issue, but it did not resolve the issue.

       

      After this, I also ensured I defined the KeyCloak module for Teiid-JDBC:

      <subsystem xmlns="urn:jboss:domain:teiid:1.0">
          ...
          <transport name="jdbc" socket-binding="teiid-jdbc" protocol="teiid">
              <authentication security-domain="keycloak"/>
          </transport>
          ...
      

       

      However, as a result, whenever I try to connect with JDBC, I get the following stack trace:

       

      Caused by: org.teiid.net.ConnectionException: TEIID50072 The username "admin" and/or password and/or payload token could not be authenticated by any membership domain.
        at org.teiid.net.socket.SocketServerConnection.selectServerInstance(SocketServerConnection.java:139)
        at org.teiid.net.socket.SocketServerConnection.<init>(SocketServerConnection.java:92)
        at org.teiid.net.socket.SocketServerConnectionFactory.getConnection(SocketServerConnectionFactory.java:312)
        at org.teiid.jdbc.SocketProfile.connect(SocketProfile.java:54)
        ... 11 more
      Caused by: org.teiid.client.security.LogonException: TEIID50072 The username "admin" and/or password and/or payload token could not be authenticated by any membership domain.
        at org.teiid.transport.LogonImpl.logon(LogonImpl.java:149)
        at org.teiid.transport.LogonImpl.logon(LogonImpl.java:117)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.teiid.transport.ServerWorkItem.run(ServerWorkItem.java:87)
        at org.teiid.dqp.internal.process.DQPWorkContext.runInContext(DQPWorkContext.java:274)
        at org.teiid.transport.SocketClientInstance.processMessagePacket(SocketClientInstance.java:207)
        at org.teiid.transport.SocketClientInstance.receivedMessage(SocketClientInstance.java:193)
        at org.teiid.transport.SSLAwareChannelHandler.messageReceived(SSLAwareChannelHandler.java:212)
        at org.jboss.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:88)
        at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:560)
        at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:787)
        at org.jboss.netty.handler.stream.ChunkedWriteHandler.handleUpstream(ChunkedWriteHandler.java:142)
        at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:560)
        at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:787)
        at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
        at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462)
        at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443)
        at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
        at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
        at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:560)
        at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:555)
        at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
        at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
        at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
        at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:107)
        at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:312)
        at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:88)
        at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
        at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
        at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
      Caused by: javax.security.auth.login.LoginException: TEIID50072 The username "admin" and/or password and/or payload token could not be authenticated by any membership domain.
        at org.teiid.jboss.JBossSessionService.authenticate(JBossSessionService.java:74)
        at org.teiid.services.SessionServiceImpl.createSession(SessionServiceImpl.java:170)
        at org.teiid.transport.LogonImpl.logon(LogonImpl.java:134)
        ... 35 more
      

       

      What changes can I make to allow Teiid to use the KeyCloak LoginModule? As far as I can tell with the stack trace, it doesn't appear to be hitting the KeyCloak LoginModule code, instead experiencing issues in Teiid code.

       

      Thanks,

      Joe
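
An added example (not part of the original post, and not Teiid or Keycloak code): a static check that every Teiid transport's security-domain attribute resolves to a defined security domain with at least one login module, which rules out a naming mismatch between the two fragments above. The sample XML is constructed from those fragments; the enclosing <server> element, the security subsystem namespace and the second (odbc) transport are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two fragments from the post in a minimal config,
# plus a second transport whose domain name differs only in letter case.
SAMPLE = """<server>
  <subsystem xmlns="urn:jboss:domain:security:1.2"><security-domains>
    <security-domain name="keycloak"><authentication>
      <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule"
        flag="required" module="org.keycloak.keycloak-jboss-adapter-core"/>
    </authentication></security-domain>
  </security-domains></subsystem>
  <subsystem xmlns="urn:jboss:domain:teiid:1.0">
    <transport name="jdbc" socket-binding="teiid-jdbc" protocol="teiid">
      <authentication security-domain="keycloak"/>
    </transport>
    <transport name="odbc" socket-binding="teiid-odbc" protocol="pg">
      <authentication security-domain="KeyCloak"/>
    </transport>
  </subsystem>
</server>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def check_transport_domains(xml_text):
    """Map each transport name to (domain, status, login-module codes)."""
    root = ET.fromstring(xml_text)
    domains = {}
    for el in root.iter():
        if local(el.tag) == "security-domain":
            domains[el.get("name")] = [m.get("code") for m in el.iter()
                                       if local(m.tag) == "login-module"]
    report = {}
    for tr in (e for e in root.iter() if local(e.tag) == "transport"):
        for auth in (c for c in tr if local(c.tag) == "authentication"):
            name = auth.get("security-domain")
            if name not in domains:
                status = "undefined"       # exact, case-sensitive string match
            elif not domains[name]:
                status = "no-login-module"
            else:
                status = "ok"
            report[tr.get("name")] = (name, status, domains.get(name, []))
    return report

if __name__ == "__main__":
    for transport, result in check_transport_domains(SAMPLE).items():
        print(transport, result)
```

A transport reported as "ok" only shows the reference resolves in the file; it does not show that the login module's class loads or that it accepts the credentials sent over JDBC.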