June 2019 - teiid-issues - Jboss List Archives

[JBoss JIRA] (TEIID-5780) Support certificate based authentication into Teiid pg

by Steven Hawkins (Jira)

[ https://issues.jboss.org/browse/TEIID-5780?page=com.atlassian.jira.plugin... ] Steven Hawkins commented on TEIID-5780: --------------------------------------- > The SSL certificate is the one from the transport level certificate that is created as part of route creation? There would be service signing certificate created both for the teiid pg service, and one create for the pg database. > Where does the Teiid server get this certificate? It would one for the Teiid pg service as shown in https://github.com/teiid/teiid-openshift-examples/blob/master/keycloak/ke... Note that the deployment config converts the service signing certificate to a jks file: https://github.com/teiid/teiid-openshift-examples/blob/master/keycloak/sr... to use with a Teiid transport. This needs to occur for the pg instance as well. It will have to have a signing certificate created, which an init container would turn into the the appropriate formats (pem and der) for consumption by the pg fdw connection to present to Teiid as the client certificate. Each side will also need additional changes for another init container that creates or adds to a trust store on each side the public key from the other side. At the end of the day that means that the teiid pg transport will support mutual authentication such that connections from the pg server are trusted. On top of that there is the additional configuration on the Teiid session service to set a specific certificate principal as the admin account. This would need to match whatever openshift populates for the service signing certificate created for the pg database service. > Is this for general authentication for any client for PG, or you looking only at materialization case? It is primarily so that a pg client to Teiid can assume an "admin" role for materialization. You could extrapolate this is several ways to make it a more general mechanism. Essentially we need the connection coming in from pg to read Teiid to be a super user. At a minimum it has to see all tables (which marking the dqpworkcontext as admin does). It will probably need to be granted all roles as well - as it needs to be able to directly read from any view that is marked as materialized, which is not required of the normal materialization logic because it performs loads via procedures. The other approach would be to have the user designate or create an admin user in the realm used with each vdb, and the provide the credentials if materialization is being used. > Maybe a flow diagram will help me. A thousand words is worth one picture right? > Support certificate based authentication into Teiid pg > ------------------------------------------------------ > > Key: TEIID-5780 > URL: https://issues.jboss.org/browse/TEIID-5780 > Project: Teiid > Issue Type: Sub-task > Components: ODBC > Reporter: Steven Hawkins > Assignee: Steven Hawkins > Priority: Major > Fix For: 12.3 > > > To support the pg connection into Teiid we will do something like: > - require a pg secure port using the service signing certificate: TEIIDSB-90 TEIIDSB-92 > -- one clarification is that we must document how to make the pg cert dominant if both pg and jdbc secure are used > TODO: > - configure the pg instance to have a service signing certificate and trust the Teiid service signing certificate. If that trust seems too difficult we can just configure the connection to trust all. > - configure the pg connection to Teiid to use the pg service signing certificate as the client certificate > - trust the pg service signing certificate at the teiid service - we need hostname validation to be enabled and the Teiid server to map the service host name to an authenticated user (this could possibly be generalized via keycloak support to more users). -- This message was sent by Atlassian Jira (v7.12.1#712002)

6 years, 9 months

1
0
0 / 0

[JBoss JIRA] (TEIID-5780) Support certificate based authentication into Teiid pg

by Ramesh Reddy (Jira)

[ https://issues.jboss.org/browse/TEIID-5780?page=com.atlassian.jira.plugin... ] Ramesh Reddy commented on TEIID-5780: ------------------------------------- I am a little confused about the overall flow. The SSL certificate is the one from the transport level certificate that is created as part of route creation? Where does the Teiid server get this certificate? Is this for general authentication for any client for PG, or you looking only at materialization case? Maybe a flow diagram will help me. > Support certificate based authentication into Teiid pg > ------------------------------------------------------ > > Key: TEIID-5780 > URL: https://issues.jboss.org/browse/TEIID-5780 > Project: Teiid > Issue Type: Sub-task > Components: ODBC > Reporter: Steven Hawkins > Assignee: Steven Hawkins > Priority: Major > Fix For: 12.3 > > > To support the pg connection into Teiid we will do something like: > - require a pg secure port using the service signing certificate: TEIIDSB-90 TEIIDSB-92 > -- one clarification is that we must document how to make the pg cert dominant if both pg and jdbc secure are used > TODO: > - configure the pg instance to have a service signing certificate and trust the Teiid service signing certificate. If that trust seems too difficult we can just configure the connection to trust all. > - configure the pg connection to Teiid to use the pg service signing certificate as the client certificate > - trust the pg service signing certificate at the teiid service - we need hostname validation to be enabled and the Teiid server to map the service host name to an authenticated user (this could possibly be generalized via keycloak support to more users). -- This message was sent by Atlassian Jira (v7.12.1#712002)

6 years, 9 months

1
0
0 / 0

[JBoss JIRA] (TEIIDSB-110) Support kerberos over pg/jdbc

by Ramesh Reddy (Jira)

[ https://issues.jboss.org/browse/TEIIDSB-110?page=com.atlassian.jira.plugi... ] Ramesh Reddy commented on TEIIDSB-110: -------------------------------------- I am not sure how much useful this will be at this time, as all applications in the OpenShift will be OAuth2 based AFAIK. > Support kerberos over pg/jdbc > ----------------------------- > > Key: TEIIDSB-110 > URL: https://issues.jboss.org/browse/TEIIDSB-110 > Project: Teiid Spring Boot > Issue Type: Enhancement > Reporter: Steven Hawkins > Priority: Major > Fix For: 1.3.0 > > > Keycloak has support for spengo/kerberos, but at first glance it's only for browser/http challenge flows. It seems like using it in a direct flow is not possible out of the box: https://issues.jboss.org/browse/KEYCLOAK-1751 > Note that even if just kerberos password authentication were supported that would allow for secure logins without ssl, which can be useful for our pg transport. -- This message was sent by Atlassian Jira (v7.12.1#712002)

6 years, 9 months

1
0
0 / 0

[JBoss JIRA] (TEIID-5780) Support certificate based authentication into Teiid pg

by Steven Hawkins (Jira)

[ https://issues.jboss.org/browse/TEIID-5780?page=com.atlassian.jira.plugin... ] Steven Hawkins commented on TEIID-5780: --------------------------------------- [~rareddy] See https://github.com/shawkins/teiid/commit/53c143eaaebc225a3f83c75688442352... - this adds the ability to assume an admin user via client auth. This creates a dummy security context using the principal from the certificate when the principal matches one configured on the sessionservice, then that is used by the passthrough logic to create the session. This would work as described above by setting the adminPrincipal to the principal name on the pg service signing certificate, which would presumably be like CN=service-name,... The drawback is that this isn't a proper user in the actual realm/security-domain. What to you think? > Support certificate based authentication into Teiid pg > ------------------------------------------------------ > > Key: TEIID-5780 > URL: https://issues.jboss.org/browse/TEIID-5780 > Project: Teiid > Issue Type: Sub-task > Components: ODBC > Reporter: Steven Hawkins > Assignee: Steven Hawkins > Priority: Major > Fix For: 12.3 > > > To support the pg connection into Teiid we will do something like: > - require a pg secure port using the service signing certificate: TEIIDSB-90 TEIIDSB-92 > -- one clarification is that we must document how to make the pg cert dominant if both pg and jdbc secure are used > TODO: > - configure the pg instance to have a service signing certificate and trust the Teiid service signing certificate. If that trust seems too difficult we can just configure the connection to trust all. > - configure the pg connection to Teiid to use the pg service signing certificate as the client certificate > - trust the pg service signing certificate at the teiid service - we need hostname validation to be enabled and the Teiid server to map the service host name to an authenticated user (this could possibly be generalized via keycloak support to more users). -- This message was sent by Atlassian Jira (v7.12.1#712002)

6 years, 9 months

1
0
0 / 0

[JBoss JIRA] (TEIID-5780) Support certificate based authentication into Teiid pg

by Steven Hawkins (Jira)

[ https://issues.jboss.org/browse/TEIID-5780?page=com.atlassian.jira.plugin... ] Steven Hawkins commented on TEIID-5780: --------------------------------------- To allow the ssl transport to be reused, we'll need to add another authentication mode where where want, but don't require client auth (in the first commit). This would not yet be the pg certificate authentication type. However I'm uneasy about creating a subject that may or may not exist in the realm. If we instead require an admin user to be created in the realm that could simplify things, but may introduce issues around password expiration. > Support certificate based authentication into Teiid pg > ------------------------------------------------------ > > Key: TEIID-5780 > URL: https://issues.jboss.org/browse/TEIID-5780 > Project: Teiid > Issue Type: Sub-task > Components: ODBC > Reporter: Steven Hawkins > Assignee: Steven Hawkins > Priority: Major > Fix For: 12.3 > > > To support the pg connection into Teiid we will do something like: > - require a pg secure port using the service signing certificate: TEIIDSB-90 TEIIDSB-92 > -- one clarification is that we must document how to make the pg cert dominant if both pg and jdbc secure are used > TODO: > - configure the pg instance to have a service signing certificate and trust the Teiid service signing certificate. If that trust seems too difficult we can just configure the connection to trust all. > - configure the pg connection to Teiid to use the pg service signing certificate as the client certificate > - trust the pg service signing certificate at the teiid service - we need hostname validation to be enabled and the Teiid server to map the service host name to an authenticated user (this could possibly be generalized via keycloak support to more users). -- This message was sent by Atlassian Jira (v7.12.1#712002)

6 years, 9 months

1
0
0 / 0

[JBoss JIRA] (TEIID-5781) Deprecate the anonymous authentication mode

by Steven Hawkins (Jira)

[ https://issues.jboss.org/browse/TEIID-5781?page=com.atlassian.jira.plugin... ] Steven Hawkins resolved TEIID-5781. ----------------------------------- Resolution: Done Added a deprecation warning and simplified the configuration. > Deprecate the anonymous authentication mode > ------------------------------------------- > > Key: TEIID-5781 > URL: https://issues.jboss.org/browse/TEIID-5781 > Project: Teiid > Issue Type: Quality Risk > Components: Server > Reporter: Steven Hawkins > Assignee: Steven Hawkins > Priority: Major > Fix For: 12.3 > > > The configuration of cipher suites can be accomplished via the vm and the enabledCipherSuites property. There is no need to have a special anonymous mode. -- This message was sent by Atlassian Jira (v7.12.1#712002)

6 years, 9 months

1
0
0 / 0

[JBoss JIRA] (TEIID-5729) Introduce mechanism or option to allow for mapping of side effect free Teiid procedures to ODATA functions, and actions if procedure has side effects

by Christoph John (Jira)

[ https://issues.jboss.org/browse/TEIID-5729?page=com.atlassian.jira.plugin... ] Christoph John commented on TEIID-5729: --------------------------------------- Hello Steven, thanks. Seems you thought on everything :) Best regards, Christoph > Introduce mechanism or option to allow for mapping of side effect free Teiid procedures to ODATA functions, and actions if procedure has side effects > ----------------------------------------------------------------------------------------------------------------------------------------------------- > > Key: TEIID-5729 > URL: https://issues.jboss.org/browse/TEIID-5729 > Project: Teiid > Issue Type: Enhancement > Components: OData > Reporter: Christoph John > Assignee: Steven Hawkins > Priority: Major > Fix For: 12.3 > > > This is a follow up regarding https://issues.jboss.org/browse/TEIID-5725 > As discussed there, Teiid currently does not map virtual procedures and functions to odata functions and procedures according to the notion of "side effect free" > Please introduce a mechanism to allow for a mapping according to adequate odata semantics. -- This message was sent by Atlassian Jira (v7.12.1#712002)

6 years, 9 months

1
0
0 / 0

[JBoss JIRA] (TEIID-5729) Introduce mechanism or option to allow for mapping of side effect free Teiid procedures to ODATA functions, and actions if procedure has side effects

by Steven Hawkins (Jira)

[ https://issues.jboss.org/browse/TEIID-5729?page=com.atlassian.jira.plugin... ] Steven Hawkins commented on TEIID-5729: --------------------------------------- > I have not found the relevant section in the documentation. Could you please add a link? http://teiid.github.io/teiid-documents/master/content/client-dev/OData4_S... > Furthermore, as far as I understand your comment, simply adding OPTIONS(UPDATECOUNT '0') will force the procedure to become a function? > a function also always needs to have a return value. Is this also considered? No, it must meet all of the conditions from the link above. > I assume INOUT parameters are ignored as return values? INOUT are treated simply as IN, which is also mentioned on that page. > Introduce mechanism or option to allow for mapping of side effect free Teiid procedures to ODATA functions, and actions if procedure has side effects > ----------------------------------------------------------------------------------------------------------------------------------------------------- > > Key: TEIID-5729 > URL: https://issues.jboss.org/browse/TEIID-5729 > Project: Teiid > Issue Type: Enhancement > Components: OData > Reporter: Christoph John > Assignee: Steven Hawkins > Priority: Major > Fix For: 12.3 > > > This is a follow up regarding https://issues.jboss.org/browse/TEIID-5725 > As discussed there, Teiid currently does not map virtual procedures and functions to odata functions and procedures according to the notion of "side effect free" > Please introduce a mechanism to allow for a mapping according to adequate odata semantics. -- This message was sent by Atlassian Jira (v7.12.1#712002)

6 years, 9 months

1
0
0 / 0

[JBoss JIRA] (TEIID-5729) Introduce mechanism or option to allow for mapping of side effect free Teiid procedures to ODATA functions, and actions if procedure has side effects

by Christoph John (Jira)

[ https://issues.jboss.org/browse/TEIID-5729?page=com.atlassian.jira.plugin... ] Christoph John edited comment on TEIID-5729 at 6/20/19 6:53 PM: ---------------------------------------------------------------- Hello Steven, I have not found the relevant section in the documentation. Could you please add a link? Furthermore, as far as I understand your comment, simply adding OPTIONS(UPDATECOUNT '0') will force the procedure to become a function? According to: https://devblogs.microsoft.com/odata/tutorial-sample-functions-actions-in... http://docs.oasis-open.org/odata/odata/v4.0/errata01/os/complete/part1-pr... a function also always needs to have a return value. Is this also considered? I assume INOUT parameters are ignored as return values? was (Author: cjohn001): Hello Steven, I have not found the relevant section in the documentation. Could you please add a link. Furthermore, as far as I understand your comment, simply adding OPTIONS(UPDATECOUNT '0') will force the procedure to become a function. According to https://devblogs.microsoft.com/odata/tutorial-sample-functions-actions-in... http://docs.oasis-open.org/odata/odata/v4.0/errata01/os/complete/part1-pr... a function also always needs to have a return value. Is this also considered? I assume INOUT parameters are ignored? > Introduce mechanism or option to allow for mapping of side effect free Teiid procedures to ODATA functions, and actions if procedure has side effects > ----------------------------------------------------------------------------------------------------------------------------------------------------- > > Key: TEIID-5729 > URL: https://issues.jboss.org/browse/TEIID-5729 > Project: Teiid > Issue Type: Enhancement > Components: OData > Reporter: Christoph John > Assignee: Steven Hawkins > Priority: Major > Fix For: 12.3 > > > This is a follow up regarding https://issues.jboss.org/browse/TEIID-5725 > As discussed there, Teiid currently does not map virtual procedures and functions to odata functions and procedures according to the notion of "side effect free" > Please introduce a mechanism to allow for a mapping according to adequate odata semantics. -- This message was sent by Atlassian Jira (v7.12.1#712002)

6 years, 9 months

1
0
0 / 0

[JBoss JIRA] (TEIID-5729) Introduce mechanism or option to allow for mapping of side effect free Teiid procedures to ODATA functions, and actions if procedure has side effects

by Christoph John (Jira)

[ https://issues.jboss.org/browse/TEIID-5729?page=com.atlassian.jira.plugin... ] Christoph John commented on TEIID-5729: --------------------------------------- Hello Steven, I have not found the relevant section in the documentation. Could you please add a link. Furthermore, as far as I understand your comment, simply adding OPTIONS(UPDATECOUNT '0') will force the procedure to become a function. According to https://devblogs.microsoft.com/odata/tutorial-sample-functions-actions-in... http://docs.oasis-open.org/odata/odata/v4.0/errata01/os/complete/part1-pr... a function also always needs to have a return value. Is this also considered? I assume INOUT parameters are ignored? > Introduce mechanism or option to allow for mapping of side effect free Teiid procedures to ODATA functions, and actions if procedure has side effects > ----------------------------------------------------------------------------------------------------------------------------------------------------- > > Key: TEIID-5729 > URL: https://issues.jboss.org/browse/TEIID-5729 > Project: Teiid > Issue Type: Enhancement > Components: OData > Reporter: Christoph John > Assignee: Steven Hawkins > Priority: Major > Fix For: 12.3 > > > This is a follow up regarding https://issues.jboss.org/browse/TEIID-5725 > As discussed there, Teiid currently does not map virtual procedures and functions to odata functions and procedures according to the notion of "side effect free" > Please introduce a mechanism to allow for a mapping according to adequate odata semantics. -- This message was sent by Atlassian Jira (v7.12.1#712002)

6 years, 9 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

teiid-issues June 2019