[teiid-issues] [JBoss JIRA] (TEIID-2863) Allow both gssapi and username/password authentication on the same transport

Steven Hawkins (JIRA) issues at jboss.org
Wed Mar 5 14:31:33 EST 2014


    [ https://issues.jboss.org/browse/TEIID-2863?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12950413#comment-12950413 ] 

Steven Hawkins commented on TEIID-2863:
---------------------------------------

> In stacking model, the security-domains are tried to login sequentially one after other.

Suppose we want to do Kerberos or file logins, if I have a security domain with the Kerberos login module first and marked as optional (with the storePass option enabled) as below:

{code}
          <authentication>
                <!-- Tried first; flag="optional" means a Kerberos failure does not fail the stack -->
                <login-module code="Kerberos" flag="optional">
                    <module-option name="storeKey" value="true"/>
                    <module-option name="storePass" value="true"/>
                    <module-option name="useKeyTab" value="true"/>
                    <module-option name="principal" value="demo@EXAMPLE.COM"/>
                    <module-option name="keyTab" value="path/to/krb5.keytab"/>
                    <module-option name="doNotPrompt" value="true"/>
                    <module-option name="debug" value="false"/>
                </login-module>
                <!-- Must succeed; useFirstPass reuses an identity already stored by the module above -->
                <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                    <module-option name="password-stacking" value="useFirstPass"/>
                    <module-option name="usersProperties" value="${jboss.server.config.dir}/teiid-security-users.properties"/>
                    <module-option name="rolesProperties" value="${jboss.server.config.dir}/teiid-security-roles.properties"/>
                </login-module>
          </authentication>
{code}

Then if we authenticate into Kerberos, the useFirstPass option will allow us to pick up the roles from the roles file.  Otherwise the security-domain will use file authentication.

What this is hopefully getting at is that the auth type ideally should be associated with the vdb/user - and not with the security domain.

> So the question is which one we want to support? 

I'm not sure what you mean.  I would like the ODBC/JDBC approach to be the same (or at least similar) if possible, so given a vdb/user the server should make a determination of what auth type to use, then log the user into the security domain associated with the vdb using that auth type.

                
> Allow both gssapi and username/password authentication on the same transport
> ----------------------------------------------------------------------------
>
>                 Key: TEIID-2863
>                 URL: https://issues.jboss.org/browse/TEIID-2863
>             Project: Teiid
>          Issue Type: Enhancement
>          Components: Server
>            Reporter: Steven Hawkins
>            Assignee: Steven Hawkins
>
> With GSSAPI support enabled, username/password support on the same transport is effectively disabled.  JDBC/ODBC should ideally support both on the same transport.

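The stacking behaviour described in the comment above, run through the JDK's own JAAS `LoginContext` with an optional module followed by a required one. This is an added example, not code from the comment or from Teiid: the `Stub` module, its `kind`/`ok` options and the result strings are constructed stand-ins for the Kerberos and UsersRolesLoginModule modules, and the shared-state write is only a model of what `storePass` and `useFirstPass` are described as doing.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class StackedLoginDemo {
    static final String NAME = "javax.security.auth.login.name"; // JAAS shared-state key
    /** Constructed stand-in for both modules; the "kind" and "ok" options drive it. */
    public static class Stub implements LoginModule {
        private Subject subject; private Map<String, Object> shared; private Map<String, ?> opts;
        private String path; // which route authenticated the user, published in commit()
        @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> st, Map<String, ?> o) {
            subject = s; shared = (Map<String, Object>) st; opts = o;
        }
        public boolean login() throws LoginException {
            boolean ok = "true".equals(opts.get("ok"));
            if ("krb".equals(opts.get("kind"))) {            // flag="optional"
                if (!ok) throw new FailedLoginException("no Kerberos credentials");
                shared.put(NAME, "demo@EXAMPLE.COM");         // modelled effect of storePass
                return true;
            }
            // flag="required" with password-stacking=useFirstPass: accept a stacked identity
            if (shared.containsKey(NAME)) { path = "kerberos identity, roles from file"; return true; }
            if (!ok) throw new FailedLoginException("bad password");
            path = "file username/password";
            return true;
        }
        public boolean commit() { if (path != null) subject.getPublicCredentials().add(path); return true; }
        public boolean abort()  { return true; }
        public boolean logout() { return true; }
    }
    static AppConfigurationEntry entry(LoginModuleControlFlag f, String kind, boolean ok) {
        return new AppConfigurationEntry(Stub.class.getName(), f, Map.of("kind", kind, "ok", String.valueOf(ok)));
    }
    static String attempt(boolean krbOk, boolean pwOk) {
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry(LoginModuleControlFlag.OPTIONAL, "krb", krbOk),
                                                     entry(LoginModuleControlFlag.REQUIRED, "file", pwOk) };
            }
        };
        Subject subject = new Subject();
        try { new LoginContext("demo", subject, null, cfg).login(); }
        catch (LoginException e) { return "rejected"; }
        return subject.getPublicCredentials(String.class).iterator().next();
    }
    public static void main(String[] a) {
        for (boolean[] c : new boolean[][] {{true, false}, {false, true}, {false, false}})
            System.out.println(attempt(c[0], c[1]));
    }
}
```

In the first case the required module never checks a password, so the strength of the whole domain rests on the optional module being the only thing able to write that shared-state identity.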