[teiid-issues] [JBoss JIRA] (TEIID-5780) Support certificate based authentication into Teiid pg

Steven Hawkins (Jira) issues at jboss.org
Mon Dec 2 18:56:00 EST 2019 

    [ https://issues.jboss.org/browse/TEIID-5780?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13820018#comment-13820018 ] 

Steven Hawkins commented on TEIID-5780:
---------------------------------------

Rather than doing this as something specific for just pg, I've been looking at incorporating this as a general change.  It would naturally move to the SSLAwareChannelHandler.  There with an onConnection event we can get the principal and the certificate chain.  We can attempt an authentication call, which would require the realm to accept a x509 certificate as the credential (still need to validate that and that the Certificate[] is the expected credential).  

With keycloak direct auth needs to be configured with x509 support and we need make a request that adds the certificates as header values: https://www.keycloak.org/docs/4.8/server_admin/#adding-x-509-client-certificate-authentication-to-a-direct-grant-flow

However it does seem like we would need a new authentication type to indicate that a username/password check is optional.

Obviously adding as a general feature does not support the specific case of admin access for materialization, but it at least makes the inclusion much simpler if we want to do that.  In any case this needs to be pulled out of 13.0.

> Support certificate based authentication into Teiid pg
> ------------------------------------------------------
>
>                 Key: TEIID-5780
>                 URL: https://issues.jboss.org/browse/TEIID-5780
>             Project: Teiid
>          Issue Type: Sub-task
>          Components: ODBC
>            Reporter: Steven Hawkins
>            Assignee: Steven Hawkins
>            Priority: Major
>             Fix For: 13.0
>
>
> To support the pg connection into Teiid we will do something like:
> - require a pg secure port using the service signing certificate: TEIIDSB-90 TEIIDSB-92
> -- one clarification is that we must document how to make the pg cert dominant if both pg and jdbc secure are used
> TODO:
> - configure the pg instance to have a service signing certificate and trust the Teiid service signing certificate.  If that trust seems too difficult we can just configure the connection to trust all.
> - configure the pg connection to Teiid to use the pg service signing certificate as the client certificate
> - trust the pg service signing certificate at the teiid service - we need hostname validation to be enabled and the Teiid server to map the service host name to an authenticated user (this could possibly be generalized via keycloak support to more users).



--
This message was sent by Atlassian Jira
(v7.13.8#713008)

More information about the teiid-issues mailing list