[JBoss JIRA] (TEIID-5780) Support certificate based authentication into Teiid pg

Monday, 2 December 2019

    [
https://issues.jboss.org/browse/TEIID-5780?page=com.atlassian.jira.plugin...
] 

Steven Hawkins commented on TEIID-5780:
---------------------------------------

Rather than doing this as something specific for just pg, I've been looking at
incorporating this as a general change.  It would naturally move to the
SSLAwareChannelHandler.  There with an onConnection event we can get the principal and the
certificate chain.  We can attempt an authentication call, which would require the realm
to accept a x509 certificate as the credential (still need to validate that and that the
Certificate[] is the expected credential).  

With keycloak direct auth needs to be configured with x509 support and we need make a
request that adds the certificates as header values:
https://www.keycloak.org/docs/4.8/server_admin/#adding-x-509-client-certi...

However it does seem like we would need a new authentication type to indicate that a
username/password check is optional.

Obviously adding as a general feature does not support the specific case of admin access
for materialization, but it at least makes the inclusion much simpler if we want to do
that.  In any case this needs to be pulled out of 13.0.

...
 Support certificate based authentication into Teiid pg
 ------------------------------------------------------

                 Key: TEIID-5780
                 URL: https://issues.jboss.org/browse/TEIID-5780
             Project: Teiid
          Issue Type: Sub-task
          Components: ODBC
            Reporter: Steven Hawkins
            Assignee: Steven Hawkins
            Priority: Major
             Fix For: 13.0

 To support the pg connection into Teiid we will do something like:
 - require a pg secure port using the service signing certificate: TEIIDSB-90 TEIIDSB-92
 -- one clarification is that we must document how to make the pg cert dominant if both pg
and jdbc secure are used
 TODO:
 - configure the pg instance to have a service signing certificate and trust the Teiid
service signing certificate.  If that trust seems too difficult we can just configure the
connection to trust all.
 - configure the pg connection to Teiid to use the pg service signing certificate as the
client certificate
 - trust the pg service signing certificate at the teiid service - we need hostname
validation to be enabled and the Teiid server to map the service host name to an
authenticated user (this could possibly be generalized via keycloak support to more
users). 

--
This message was sent by Atlassian Jira
(v7.13.8#713008)

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009