[teiid-issues] [JBoss JIRA] (TEIID-2763) kerberosServicePrincipleName as user when dealing with kerberos security domain

Ramesh Reddy (JIRA) issues at jboss.org
Tue Feb 4 10:58:29 EST 2014 

     [ https://issues.jboss.org/browse/TEIID-2763?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ramesh Reddy resolved TEIID-2763.
---------------------------------

    Resolution: Done


In the case of Kerberoes based authntication and no "user" information is supplied on the JDBC URL then "kerberosServicePrincipleName" proeprty value will be used as the user name.

Previously the documentation was written such that, it was forcing a second authentication on Teiid layer using a simple user name/passwd on top of the kerberoes. Which is not really needed. It will only designed for assigning a generic user to the kerberos authenticated user and add any role information.

As part of this JIRA, I also added a SimpleLoginModule, which works as pass-through based on just name (kerberosServicePrincipleName) and null password. Thus, only Kerberoes is real authentication. This login-module can be stacked to supply the role information, and example is shown in the documentation.

https://docs.jboss.org/author/display/TEIID/Kerberos+support+through+GSSAPI
                
> kerberosServicePrincipleName as user when dealing with kerberos security domain
> -------------------------------------------------------------------------------
>
>                 Key: TEIID-2763
>                 URL: https://issues.jboss.org/browse/TEIID-2763
>             Project: Teiid
>          Issue Type: Enhancement
>    Affects Versions: 8.6
>         Environment: Windows 2008R2
>            Reporter: Andy Yip
>            Assignee: Ramesh Reddy
>              Labels: authentication, login-module
>             Fix For: 8.7
>
>
> When both the security-domain and krb5-domain is defined within the transport authentication element. The security-domain module does not take into account of kerberosServicePrincipleName. This means a username (and/or password) is still required in the connection url forthe security-domain's authentication/authorization. 

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the teiid-issues mailing list