[
https://issues.jboss.org/browse/TEIID-4183?page=com.atlassian.jira.plugin...
]
Juraj Duráni commented on TEIID-4183:
-------------------------------------
I built the jboss-integration JAR from the 63-8.12.x branch (I copied the single JAR to my
JDV server; I did not build Teiid completely). I can confirm that wrapping works.
However, I can see three issues here:
- If wrapping is enabled, JDV creates a new connection to the DB for each query, which is
slow. Adding a cache to the pass-through login module solved this \[1\]. We could add a note to
the documentation.
- There is a new exception \[2\] in the log during reload of the server. I did not
encounter the exception before the fix. But the exception may make sense. However, as I wrote,
there was no exception before the fix in the same circumstances: _Server is booting up and there
is no subject to be used to authenticate against data source._ [~rareddy], do you know what
exact change in your last commit causes this issue? Is it easy to fix? It would be nice to
have the "old" behavior during the boot phase of the server.
- *If wrapping is set to false and no cache is used \[3\], then Teiid throws an _Access
denied_ exception \[4\].*
-- Adding a cache to the pass-through login module turns the exception into a _This ticket is
no longer valid_ exception. This means that the MSSQL driver invalidates the ticket, which is
expected as wrapping is still disabled.
-- Now the invalidation impacts other tests in my class. I did not encounter this impact
before the fix. I believe it is related to the cache. What do you think, Ramesh? Can you confirm
this?
{code:plain|title=\[1\] Cache}
/subsystem=security/security-domain=passthrough-security:add(cache-type=default)
{code}
{code:plain|title=\[2\] Start up exception}
07:13:34,264 ERROR
[org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer]
(MSC service thread 1-4) Exception during createSubject() for java:/SQL2012_Krb:
PBOX000016: Access denied: authentication failed: java.lang.SecurityException: PBOX000016:
Access denied: authentication failed
08:13:34,315 INFO [MultiPlatformProcessRunner] at
org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84)
08:13:34,315 INFO [MultiPlatformProcessRunner] at
org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1086)
08:13:34,315 INFO [MultiPlatformProcessRunner] at
org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1081)
08:13:34,315 INFO [MultiPlatformProcessRunner] at
java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0-internal]
08:13:34,315 INFO [MultiPlatformProcessRunner] at
org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1080)
08:13:34,315 INFO [MultiPlatformProcessRunner] at
org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:600)
08:13:34,315 INFO [MultiPlatformProcessRunner] at
org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:282)
08:13:34,315 INFO [MultiPlatformProcessRunner] at
org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:316)
08:13:34,315 INFO [MultiPlatformProcessRunner] at
org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:120)
08:13:34,315 INFO [MultiPlatformProcessRunner] at
org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1980)
08:13:34,315 INFO [MultiPlatformProcessRunner] at
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1913)
08:13:34,315 INFO [MultiPlatformProcessRunner] at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[rt.jar:1.8.0-internal]
08:13:34,315 INFO [MultiPlatformProcessRunner] at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[rt.jar:1.8.0-internal]
08:13:34,315 INFO [MultiPlatformProcessRunner] at java.lang.Thread.run(Thread.java:744)
[rt.jar:1.8.0-internal]
{code}
{code:plain|title=\[3\] Pass-through login module - failed configuration}
/subsystem=security/security-domain=passthrough-security:add
/subsystem=security/security-domain=passthrough-security/authentication=classic:add
/subsystem=security/security-domain=passthrough-security/authentication=classic/login-module=org.teiid.jboss.PassthroughIdentityLoginModule:add(code=org.teiid.jboss.PassthroughIdentityLoginModule,flag=required,module=org.jboss.teiid,module-options=[\
userName=guest,\
password=guest,\
wrapGSSCredential=false])
{code}
{code:plain|title=\[4\] Access denied exception}
07:36:20,139 ERROR [org.teiid.CONNECTOR] (Worker0_QueryProcessorQueue22) Connector worker
process failed for atomic-request=N2TxM305BvZO.1.3.6: java.lang.SecurityException:
PBOX000016: Access denied: authentication failed
08:36:20,142 INFO [MultiPlatformProcessRunner] at
org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84)
[picketbox-4.1.2.Final-redhat-1.jar:4.1.2.Final-redhat-1]
08:36:20,142 INFO [MultiPlatformProcessRunner] at
org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getSubject(AbstractConnectionManager.java:721)
08:36:20,142 INFO [MultiPlatformProcessRunner] at
org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:498)
08:36:20,142 INFO [MultiPlatformProcessRunner] at
org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:143)
08:36:20,142 INFO [MultiPlatformProcessRunner] at
org.teiid.translator.jdbc.JDBCExecutionFactory.getConnection(JDBCExecutionFactory.java:270)
[translator-jdbc-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,142 INFO [MultiPlatformProcessRunner] at
org.teiid.translator.jdbc.JDBCExecutionFactory.getConnection(JDBCExecutionFactory.java:68)
[translator-jdbc-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,142 INFO [MultiPlatformProcessRunner] at
org.teiid.translator.ExecutionFactory.getConnection(ExecutionFactory.java:202)
[teiid-api-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,142 INFO [MultiPlatformProcessRunner] at
org.teiid.dqp.internal.datamgr.ConnectorWorkItem.execute(ConnectorWorkItem.java:328)
08:36:20,142 INFO [MultiPlatformProcessRunner] at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0-internal]
08:36:20,142 INFO [MultiPlatformProcessRunner] at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[rt.jar:1.8.0-internal]
08:36:20,142 INFO [MultiPlatformProcessRunner] at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.8.0-internal]
08:36:20,142 INFO [MultiPlatformProcessRunner] at
java.lang.reflect.Method.invoke(Method.java:483) [rt.jar:1.8.0-internal]
08:36:20,142 INFO [MultiPlatformProcessRunner] at
org.teiid.dqp.internal.datamgr.ConnectorManager$1.invoke(ConnectorManager.java:211)
08:36:20,142 INFO [MultiPlatformProcessRunner] at com.sun.proxy.$Proxy48.execute(Unknown
Source)
08:36:20,142 INFO [MultiPlatformProcessRunner] at
org.teiid.dqp.internal.process.DataTierTupleSource.getResults(DataTierTupleSource.java:306)
08:36:20,142 INFO [MultiPlatformProcessRunner] at
org.teiid.dqp.internal.process.DataTierTupleSource$1.call(DataTierTupleSource.java:112)
08:36:20,142 INFO [MultiPlatformProcessRunner] at
org.teiid.dqp.internal.process.DataTierTupleSource$1.call(DataTierTupleSource.java:108)
08:36:20,142 INFO [MultiPlatformProcessRunner] at
java.util.concurrent.FutureTask.run(FutureTask.java:266) [rt.jar:1.8.0-internal]
08:36:20,142 INFO [MultiPlatformProcessRunner] at
org.teiid.dqp.internal.process.FutureWork.run(FutureWork.java:65)
08:36:20,142 INFO [MultiPlatformProcessRunner] at
org.teiid.dqp.internal.process.DQPWorkContext.runInContext(DQPWorkContext.java:276)
08:36:20,142 INFO [MultiPlatformProcessRunner] at
org.teiid.dqp.internal.process.ThreadReuseExecutor$RunnableWrapper.run(ThreadReuseExecutor.java:119)
08:36:20,142 INFO [MultiPlatformProcessRunner] at
org.teiid.dqp.internal.process.ThreadReuseExecutor$3.run(ThreadReuseExecutor.java:210)
08:36:20,142 INFO [MultiPlatformProcessRunner] at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[rt.jar:1.8.0-internal]
08:36:20,143 INFO [MultiPlatformProcessRunner] at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[rt.jar:1.8.0-internal]
08:36:20,143 INFO [MultiPlatformProcessRunner] at java.lang.Thread.run(Thread.java:744)
[rt.jar:1.8.0-internal]
08:36:20,143 INFO [MultiPlatformProcessRunner]
08:36:20,145 INFO [MultiPlatformProcessRunner] 07:36:20,144 ERROR [org.teiid.PROCESSOR]
(Worker1_QueryProcessorQueue23) TEIID30019 Unexpected exception for request
N2TxM305BvZO.1: java.lang.SecurityException: PBOX000016: Access denied: authentication
failed
08:36:20,145 INFO [MultiPlatformProcessRunner] at
org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84)
[picketbox-4.1.2.Final-redhat-1.jar:4.1.2.Final-redhat-1]
08:36:20,145 INFO [MultiPlatformProcessRunner] at
org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getSubject(AbstractConnectionManager.java:721)
[ironjacamar-core-impl-1.0.37.Final-redhat-1.jar:1.0.37.Final-redhat-1]
08:36:20,145 INFO [MultiPlatformProcessRunner] at
org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:498)
[ironjacamar-core-impl-1.0.37.Final-redhat-1.jar:1.0.37.Final-redhat-1]
08:36:20,145 INFO [MultiPlatformProcessRunner] at
org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:143)
08:36:20,146 INFO [MultiPlatformProcessRunner] at
org.teiid.translator.jdbc.JDBCExecutionFactory.getConnection(JDBCExecutionFactory.java:270)
08:36:20,146 INFO [MultiPlatformProcessRunner] at
org.teiid.translator.jdbc.JDBCExecutionFactory.getConnection(JDBCExecutionFactory.java:68)
08:36:20,146 INFO [MultiPlatformProcessRunner] at
org.teiid.translator.ExecutionFactory.getConnection(ExecutionFactory.java:202)
[teiid-api-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,146 INFO [MultiPlatformProcessRunner] at
org.teiid.dqp.internal.datamgr.ConnectorWorkItem.execute(ConnectorWorkItem.java:328)
[teiid-engine-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,146 INFO [MultiPlatformProcessRunner] at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0-internal]
08:36:20,146 INFO [MultiPlatformProcessRunner] at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[rt.jar:1.8.0-internal]
08:36:20,146 INFO [MultiPlatformProcessRunner] at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.8.0-internal]
08:36:20,146 INFO [MultiPlatformProcessRunner] at
java.lang.reflect.Method.invoke(Method.java:483) [rt.jar:1.8.0-internal]
08:36:20,146 INFO [MultiPlatformProcessRunner] at
org.teiid.dqp.internal.datamgr.ConnectorManager$1.invoke(ConnectorManager.java:211)
[teiid-engine-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,146 INFO [MultiPlatformProcessRunner] at com.sun.proxy.$Proxy48.execute(Unknown
Source)
08:36:20,146 INFO [MultiPlatformProcessRunner] at
org.teiid.dqp.internal.process.DataTierTupleSource.getResults(DataTierTupleSource.java:306)
[teiid-engine-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,146 INFO [MultiPlatformProcessRunner] at
org.teiid.dqp.internal.process.DataTierTupleSource$1.call(DataTierTupleSource.java:112)
[teiid-engine-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,146 INFO [MultiPlatformProcessRunner] at
org.teiid.dqp.internal.process.DataTierTupleSource$1.call(DataTierTupleSource.java:108)
[teiid-engine-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,146 INFO [MultiPlatformProcessRunner] at
java.util.concurrent.FutureTask.run(FutureTask.java:266) [rt.jar:1.8.0-internal]
08:36:20,146 INFO [MultiPlatformProcessRunner] at
org.teiid.dqp.internal.process.FutureWork.run(FutureWork.java:65)
[teiid-engine-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,146 INFO [MultiPlatformProcessRunner] at
org.teiid.dqp.internal.process.DQPWorkContext.runInContext(DQPWorkContext.java:276)
[teiid-engine-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,146 INFO [MultiPlatformProcessRunner] at
org.teiid.dqp.internal.process.ThreadReuseExecutor$RunnableWrapper.run(ThreadReuseExecutor.java:119)
[teiid-engine-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,147 INFO [MultiPlatformProcessRunner] at
org.teiid.dqp.internal.process.ThreadReuseExecutor$3.run(ThreadReuseExecutor.java:210)
[teiid-engine-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,147 INFO [MultiPlatformProcessRunner] at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[rt.jar:1.8.0-internal]
08:36:20,147 INFO [MultiPlatformProcessRunner] at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[rt.jar:1.8.0-internal]
08:36:20,147 INFO [MultiPlatformProcessRunner] at java.lang.Thread.run(Thread.java:744)
[rt.jar:1.8.0-internal]
{code}
MSSQL JDBC driver invalidates kerberos ticket on Connection.close()
-------------------------------------------------------------------
Key: TEIID-4183
URL: https://issues.jboss.org/browse/TEIID-4183
Project: Teiid
Issue Type: Bug
Affects Versions: 8.12.x, 8.7.5.6_2
Reporter: Juraj Duráni
Assignee: Ramesh Reddy
Fix For: 9.1, 8.12.5
The MSSQL JDBC driver invalidates the Kerberos ticket on Connection.close() (related Bugzilla
\[1\]).
If a user creates a Kerberos connection, the driver invalidates the ticket on closing the
connection (Connection.close()). Therefore the ticket cannot be re-used. The EAP team created a
workaround for this by adding the module option *wrapGSSCredential=true* with the additional
setting *credentialLifetime=-1* \[2, 3, 4, 5\]. This works for static Kerberos authentication.
However, passthrough authentication (org.teiid.jboss.PassthroughIdentityLoginModule) does
not work, because the passed ticket is not managed by EAP but by the client.
\[1\] https://bugzilla.redhat.com/show_bug.cgi?id=1097276
\[2\] https://bugzilla.redhat.com/show_bug.cgi?id=1097276#c58
\[3\] https://issues.jboss.org/browse/SECURITY-905
\[4\] https://issues.jboss.org/browse/JBEAP-843
\[5\] https://github.com/wildfly-security/jboss-negotiation/commit/0c7e06f58a79...
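
The credential-wrapping idea behind the workaround in the issue description, as an added Java illustration that is not code from Teiid, EAP or jboss-negotiation. It assumes the invalidation happens through GSSCredential.dispose() and that wrapping means handing out a credential whose dispose() is ignored; the class and method names are hypothetical and the stub credential is constructed so the demo runs without a KDC.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.concurrent.atomic.AtomicBoolean;
import org.ietf.jgss.GSSCredential;

public class NonDisposableCredentialDemo {

    // Builds a GSSCredential proxy backed by the given handler.
    static GSSCredential proxy(InvocationHandler handler) {
        return (GSSCredential) Proxy.newProxyInstance(
                NonDisposableCredentialDemo.class.getClassLoader(),
                new Class<?>[] {GSSCredential.class}, handler);
    }

    // Hypothetical wrapper: forwards every call to the real credential except
    // dispose(), so a consumer that disposes on close cannot invalidate it.
    static GSSCredential wrap(GSSCredential delegate) {
        return proxy((self, method, args) -> {
            if (method.getName().equals("dispose")) {
                return null; // ignore disposal requested by the consumer
            }
            try {
                return method.invoke(delegate, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // surface the delegate's own exception
            }
        });
    }

    // Constructed stand-in for a delegated credential: it only records disposal.
    static GSSCredential stubCredential(AtomicBoolean disposed) {
        return proxy((self, method, args) -> {
            if (!method.getName().equals("dispose")) {
                throw new UnsupportedOperationException(method.getName());
            }
            disposed.set(true);
            return null;
        });
    }

    public static void main(String[] args) throws Exception {
        AtomicBoolean disposed = new AtomicBoolean();
        GSSCredential ticket = stubCredential(disposed);
        wrap(ticket).dispose(); // wrapping on: disposal is swallowed
        System.out.println("after wrapped dispose: disposed=" + disposed.get());
        ticket.dispose();       // wrapping off: the credential is gone
        System.out.println("after direct dispose:  disposed=" + disposed.get());
    }
}
```

Because the wrapper never releases the underlying credential, whoever owns it remains responsible for its lifetime, which is the gap the description points at when the ticket is managed by the client rather than EAP.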