<html>
<head>
<base href="https://docs.jboss.org/author">
<link rel="stylesheet" href="/author/s/en/2172/19/5/_/styles/combined.css?spaceKey=TEIID&forWysiwyg=true" type="text/css">
</head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
<h2><a href="https://docs.jboss.org/author/display/TEIID/Data+Source+Security">Data Source Security</a></h2>
<h4>Page <b>edited</b> by <a href="https://docs.jboss.org/author/display/~shawkins">Steven Hawkins</a>
</h4>
<br/>
<h4>Changes (5)</h4>
<div id="page-diffs">
<table class="diff" cellpadding="0" cellspacing="0">
<tr><td class="diff-changed-lines" >h1. Security at <span class="diff-added-words"style="background-color: #dfd;">the</span> Data Source <span class="diff-changed-words"><span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">l</span><span class="diff-added-chars"style="background-color: #dfd;">L</span>evel</span> <br></td></tr>
<tr><td class="diff-unchanged" >In some use cases, the user might need to pass\-in different credentials to their data sources based on the logged in user rather than using the shared credentials for all the logged users. To support this feature, JBoss AS and Teiid provide multiple different login modules to be used in conjunction with Teiid's main security domain. See this [document|http://community.jboss.org/docs/DOC-9350] for details on configuration. Note that the below directions need to be used in conjunction with this document. <br> <br> <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">h2. CallerIdentity and Trusted Payload <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">h2. CallerIdentity <br></td></tr>
<tr><td class="diff-changed-lines" >If client wants to pass in simple text password or a certificate or a custom serialized object as token credential to the data source, user can configure "CallerIdentity" login module. Using this login module, user can pass\-in same credential that user logged into Teiid security domain to the data source. Here is a sample <span class="diff-changed-words">configuration<span class="diff-added-chars"style="background-color: #dfd;">:</span></span> <br></td></tr>
<tr><td class="diff-unchanged" > <br>{code:XML|title=standalone-teiid.xml} <br></td></tr>
<tr><td class="diff-snipped" >...<br></td></tr>
<tr><td class="diff-unchanged" >If you do not like to leave clear text passwords in the configuration file, then you can use JBoss AS vault mechanism for storing the keystore and truststore passwords. Use the directions defined here https://community.jboss.org/docs/DOC-17248 <br>{tip} <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;"> <br>h2. Translator Customization <br> <br>Teiid's extensible [Translator framework|Translator Development] also provides hooks for securing access at the DataSource level. The {{ExecutionFactory.getConnection}} may be overridden to initialize the source connection in any number of ways, such as re-authentication, based upon the Teiid {{Subject}}, execution payload, session variables, and any of the other relevant information accessible via the {{ExecutionContext}} and the {{CommandContext}}. You may even also modify the generated source SQL in any way that is seen fit in the relevant {{Execution}}. <br></td></tr>
</table>
</div> <h4>Full Content</h4>
<div class="notificationGreySide">
<h1><a name="DataSourceSecurity-SecurityattheDataSourceLevel"></a>Security at the Data Source Level</h1>
<p>In some use cases, the user might need to pass-in different credentials to their data sources based on the logged in user rather than using the shared credentials for all the logged users. To support this feature, JBoss AS and Teiid provide multiple different login modules to be used in conjunction with Teiid's main security domain. See this <a href="http://community.jboss.org/docs/DOC-9350" class="external-link" rel="nofollow">document</a> for details on configuration. Note that the below directions need to be used in conjunction with this document.</p>
<h2><a name="DataSourceSecurity-CallerIdentity"></a>CallerIdentity</h2>
<p>If client wants to pass in simple text password or a certificate or a custom serialized object as token credential to the data source, user can configure "CallerIdentity" login module. Using this login module, user can pass-in same credential that user logged into Teiid security domain to the data source. Here is a sample configuration:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>standalone-teiid.xml</b></div><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: xml; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
<subsystem xmlns="urn:jboss:domain:security:1.1">
<security-domains>
<security-domain name="my-security-domain" cache-type="default">
<authentication>
<login-module code="UsersRoles" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="usersProperties" value="${jboss.server.config.dir}/teiid-security-users.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/teiid-security-roles.properties"/>
</login-module>
<login-module code="org.picketbox.datasource.security.CallerIdentityLoginModule" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
</pre>
</div></div>
<p>In the datasource configuration, instead of supplying the userid/pasword you need to add the following element</p>
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>In JDBC Datasource</b></div><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: java; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
<datasource jndi-name="java:/mysql-ds" pool-name="mysql-ds" enabled="true">
<connection-url>jdbc:mysql://localhost:3306/txns</connection-url>
<driver>mysql</driver>
<pool><allow-multiple-users/></pool>
<security>
<security-domain>my-security-domain</security-domain>
</security>
</datasource>
</pre>
</div></div>
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>In a connection factory ex:ldap</b></div><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: java; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
<resource-adapter>
<archive>teiid-connector-ldap.rar</archive>
<transaction-support>NoTransaction</transaction-support>
<connection-definitions>
<connection-definition class-name="org.teiid.resource.adapter.ldap.LDAPManagedConnectionFactory"
jndi-name="java:/ldapDS"
enabled="true"
use-java-context="true"
pool-name="ldap-ds">
<config-property name="LdapUrl">ldap://ldapServer:389</config-property>
<config-property name="LdapAdminUserDN">cn=???,ou=???,dc=???</config-property>
<config-property name="LdapAdminUserPassword">pass</config-property>
<config-property name="LdapTxnTimeoutInMillis">-1</config-property>
<security>
<security-domain>my-security-domain</security-domain>
</security>
</connection-definition>
</connection-definitions>
</resource-adapter>
</pre>
</div></div>
<p>In the above configuration example, in the primary login module "UsersRoles" is setup to hold the passwords in the file, and when user logs in with password, the <b>same</b> userid and password will be also set on the logged in Subject after authentication. These credentials can be extracted by the data source by asking for Subject's private credentials.</p>
<p>Please note that encoding and decoding of this object is strictly up to the user as JBoss AS and Teiid will only act as a carrier of the information from login module to connection factory. Using this CallerIdentity module, the connection pool for data source is segmented by Subject.</p>
<h2><a name="DataSourceSecurity-RoleBasedCredentialMap"></a>Role Based Credential Map</h2>
<p>In some use cases, the users are divided by their functionality and they have varied levels of security access to data sources. These types of users are identified by their roles as to what they have access to. In the above "CallerIdentity" login scenario, that may be too fine-grained security at data sources, that can lead resource exhaustion as every user has their own separate connection. Using Role based security gives a balance, where the users with same role are treated equally for authentication purposes at the data source. Teiid provides a login module called "RoleBasedCredentialMap" for this purposes, where administrator can define a role-based authentication module, where given the role of the user from the primary login module, this module will hold a credential to that role. So, it is the container of credentials that maps to different roles. If a user has multiple roles, the first role that has the credential will be chosen. Below find the sample configuration.</p>
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>standalone-teiid.xml</b></div><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: xml; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
<subsystem xmlns="urn:jboss:domain:security:1.1">
<security-domains>
<security-domain name="my-security-domain" cache-type="default">
<authentication>
<login-module code="UsersRoles" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="usersProperties" value="${jboss.server.config.dir}/teiid-security-users.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/teiid-security-roles.properties"/>
</login-module>
<login-module code="org.teiid.jboss.RoleBasedCredentialMapIdentityLoginModule" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="credentialMap" value="teiid-credentialmap.properties"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
</pre>
</div></div>
<p>Then follow the same instructions as above in defining the <em>security-domain</em> in the data source or connection factory configuration.</p>
<p>In the above configuration example, in the primary login module "UsersRolesLoginModule" is set up for logging in the primary user and assign some roles. The "RoleBasedCredentialMap" login module is configured to hold role to password information in the file defined by "credentialMap" property. When user logs in, the role information from the primary login module is taken, and extracts the role's passsword and attaches as a private credential to the Subject.</p>
<div class='panelMacro'><table class='tipMacro'><colgroup><col width='24'><col></colgroup><tr><td valign='top'><img src="/author/images/icons/emoticons/check.gif" width="16" height="16" align="absmiddle" alt="" border="0"></td><td><b>Obfuscate your passwords</b><br />If you do not like to leave clear text passwords in the configuration file, then you can use JBoss AS vault mechanism for storing the keystore and truststore passwords. Use the directions defined here <a href="https://community.jboss.org/docs/DOC-17248" class="external-link" rel="nofollow">https://community.jboss.org/docs/DOC-17248</a></td></tr></table></div>
<h2><a name="DataSourceSecurity-TranslatorCustomization"></a>Translator Customization</h2>
<p>Teiid's extensible <a href="/author/display/TEIID/Translator+Development" title="Translator Development">Translator framework</a> also provides hooks for securing access at the DataSource level. The <tt>ExecutionFactory.getConnection</tt> may be overridden to initialize the source connection in any number of ways, such as re-authentication, based upon the Teiid <tt>Subject</tt>, execution payload, session variables, and any of the other relevant information accessible via the <tt>ExecutionContext</tt> and the <tt>CommandContext</tt>. You may even also modify the generated source SQL in any way that is seen fit in the relevant <tt>Execution</tt>.</p>
</div>
<div id="commentsSection" class="wiki-content pageSection">
<div style="float: right;" class="grey">
<a href="https://docs.jboss.org/author/users/removespacenotification.action?spaceKey=TEIID">Stop watching space</a>
<span style="padding: 0px 5px;">|</span>
<a href="https://docs.jboss.org/author/users/editmyemailsettings.action">Change email notification preferences</a>
</div>
<a href="https://docs.jboss.org/author/display/TEIID/Data+Source+Security">View Online</a>
|
<a href="https://docs.jboss.org/author/pages/diffpagesbyversion.action?pageId=51806538&revisedVersion=7&originalVersion=6">View Changes</a>
|
<a href="https://docs.jboss.org/author/display/TEIID/Data+Source+Security?showComments=true&showCommentArea=true#addcomment">Add Comment</a>
</div>
</div>
</div>
</div>
</div>
</body>
</html>