3 Replies Latest reply on Jul 5, 2018 2:58 PM by shawkins

    Impersonate Oracle in the VDB

    angeladdati

      Hi!


      I connect a VDB to an Oracle database. I use a service user (or generic user) in the connection. But I need to execute some inserts with impersonation. Is it possible?


      Thank you.


      Angel

        • 1. Re: Impersonate Oracle in the VDB
          shawkins

          Are you saying that you need to switch the Teiid connection to oracle to a different user?  There are a couple of options supported by Teiid/WildFly - there is end-to-end delegation if you can use Kerberos: Kerberos Authentication to Oracle from Teiid  or you can use the oracle reauthentication plugin and an identity mapping security domain to switch the connection to another user.

          • 2. Re: Impersonate Oracle in the VDB
            angeladdati

            Yeah, I need to switch the connection. The Oracle impersonation enables switching the connection to a second user without the password of the second user. Obviously I need to configure some roles in the database.


            Impersonate option in Oracle: alter user user1 grant connect through someuser;


            For example, I need something like the following in the virtual procedure.


            connect user1[someuser]/pass@oracle; // Use the impersonation
            execute some inserts/update;        // Execute some statements
            connect user1/pass@oracle;          // Exit the impersonation

            • 3. Re: Impersonate Oracle in the VDB
              shawkins

              You can use the Oracle reauth plugin and a security domain that associates the desired username/password with the subject.  On your datasource:


              <security>
                  <reauth-plugin class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleReauthPlugin"/>
                  <security-domain>someDomain</security-domain>
              </security>


              The security domain is up to your needs and can associate the caller credentials, map to specific credentials, etc.  It seems like you may want the switch to be contextual (only for some updates, but not other operations), however, which will be difficult to control with built-in mechanisms.
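As an added illustration (not code from the thread, from Teiid or from WildFly), here is how the two halves described in the reply above fit together in a WildFly standalone.xml: the datasource carrying the reauth plugin, and the security domain it points at. The JNDI name, host placeholder, driver name and the choice of picketbox login module are assumptions; the domain name someDomain and the plugin class come from the reply.

```xml
<!-- Datasource side (datasources subsystem). oracleDS, the host and the
     driver name are assumed; replace the placeholders for your environment. -->
<datasource jndi-name="java:/oracleDS" pool-name="oracleDS" enabled="true">
    <connection-url>jdbc:oracle:thin:@DB_HOST_PLACEHOLDER:1521/SERVICE_PLACEHOLDER</connection-url>
    <driver>oracle</driver>
    <security>
        <!-- Re-authenticates a pooled connection to the subject's identity
             instead of leaving it as the pool's fixed service user. -->
        <reauth-plugin class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleReauthPlugin"/>
        <security-domain>someDomain</security-domain>
    </security>
</datasource>

<!-- Security side (legacy security subsystem). CallerIdentityLoginModule
     (assumed here) passes the Teiid caller's own credentials through to the
     datasource, so each caller gets a connection under their own database
     identity. To map every caller onto one fixed database identity instead,
     use org.picketbox.datasource.security.ConfiguredIdentityLoginModule with
     its userName, password and principal module options. -->
<security-domain name="someDomain" cache-type="default">
    <authentication>
        <login-module code="org.picketbox.datasource.security.CallerIdentityLoginModule"
                      flag="required"/>
    </authentication>
</security-domain>
```

Because the switch is applied per subject on the datasource, it covers every statement that subject runs through the VDB, which is why a per-statement (contextual) switch is hard to express with these built-in mechanisms alone.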