The datasource you have defined above and accessing Teiid using port 31000, are 2 different access points. If you want to control the credentials from a client application, then that needs to be done using JAAS or a custom login module. For which you can then change which security domain that the teiid transport is using. The datasource defined above, is accessed by other applications in the same JVM. This is often referred to as using embedded mode.
Instead of authenticating based on teiid-security, is there anyway that the authentication can be offloaded to the security section of data sources? Similar to other data source authentication in EAP though JNDI and creds lookup?
As Van indicated, you are trying two different types of auth
1) If your client is remote application, then the only possible way you supply the credentials is when you making the connection. i.e. supplying over the JDBC URL, if you are using JDBC.
2) If you configured a data source configuration as shown above with JNDI name and VAULT store, that is ONLY for the in VM applications. i.e. if you have a web application, you can look up the JNDI name and grab the data source, and then get a connection on the data source without providing any credentials. In this case the configured credentials are used.
So, it depends upon your client usage model.
Also, what is in "teiid-security" is a configuration for a JAAS based security domain, which will force any Teiid user to authenticate *against*, Where as what is in the "data-source" configuration, is credentials that authenticate user with Teiid's security-domain, but is not a security-domain. So, they serve two different purposes.