[teiid-issues] [JBoss JIRA] (TEIID-4183) MSSQL JDBC driver invalidates kerberos ticket on Connection.close()

Juraj Duráni (JIRA) issues at jboss.org
Tue Jun 28 03:01:00 EDT 2016


    [ https://issues.jboss.org/browse/TEIID-4183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13257672#comment-13257672 ] 

Juraj Duráni commented on TEIID-4183:
-------------------------------------

I built the jboss-integration jar from the 63-8.12.x branch (I copied the single JAR to my JDV server; I did not build Teiid completely). I can confirm that wrapping works. However, I can see three issues here:
- if wrapping is enabled, then JDV creates a new connection to the DB for each query, which is slow. Adding a cache to the pass-through login module solved this \[1\]. We could add a note to the documentation.
- there is a new exception \[2\] in the log during reload of the server. I did not encounter the exception before the fix. But the exception maybe makes sense. However, as I wrote, there was no exception before the fix in the same circumstances, _Server is booting up and there is no subject to be used to authenticate against data source._ Do you know, [~rareddy], what exact change in your last commit causes this issue? Is it easy to fix? It would be nice to have the "old" behavior during the booting phase of the server.
- *if wrapping is set to false and no cache is used \[3\], then Teiid throws an _Access denied_ exception \[4\].*
-- adding a cache to the pass-through login module turns the exception into a _This ticket is no longer valid_ exception - this means that the MSSQL driver invalidates the ticket, which is expected as wrapping is still disabled
-- now, the invalidation impacts other tests in my class. I did not encounter the impact before the fix. I believe it is related to the cache. What do you think, Ramesh? Can you confirm this?

{code:plain|title=\[1\] Cache}
/subsystem=security/security-domain=passthrough-security:add(cache-type=default)
{code}

{code:plain|title=\[2\] Start up exception}
07:13:34,264 ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-4) Exception during createSubject() for java:/SQL2012_Krb: PBOX000016: Access denied: authentication failed: java.lang.SecurityException: PBOX000016: Access denied: authentication failed
08:13:34,315 INFO  [MultiPlatformProcessRunner] 	at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84)
08:13:34,315 INFO  [MultiPlatformProcessRunner] 	at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1086)
08:13:34,315 INFO  [MultiPlatformProcessRunner] 	at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1081)
08:13:34,315 INFO  [MultiPlatformProcessRunner] 	at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0-internal]
08:13:34,315 INFO  [MultiPlatformProcessRunner] 	at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1080)
08:13:34,315 INFO  [MultiPlatformProcessRunner] 	at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:600)
08:13:34,315 INFO  [MultiPlatformProcessRunner] 	at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:282)
08:13:34,315 INFO  [MultiPlatformProcessRunner] 	at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:316)
08:13:34,315 INFO  [MultiPlatformProcessRunner] 	at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:120)
08:13:34,315 INFO  [MultiPlatformProcessRunner] 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1980)
08:13:34,315 INFO  [MultiPlatformProcessRunner] 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1913)
08:13:34,315 INFO  [MultiPlatformProcessRunner] 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0-internal]
08:13:34,315 INFO  [MultiPlatformProcessRunner] 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0-internal]
08:13:34,315 INFO  [MultiPlatformProcessRunner] 	at java.lang.Thread.run(Thread.java:744) [rt.jar:1.8.0-internal]
{code}

{code:plain|title=\[3\] Pass-through login module - failed configuration}
/subsystem=security/security-domain=passthrough-security:add
/subsystem=security/security-domain=passthrough-security/authentication=classic:add
/subsystem=security/security-domain=passthrough-security/authentication=classic/login-module=org.teiid.jboss.PassthroughIdentityLoginModule:add(code=org.teiid.jboss.PassthroughIdentityLoginModule,flag=required,module=org.jboss.teiid,module-options=[\
    userName=guest,\
    password=guest,\
    wrapGSSCredential=false])
{code}

{code:plain|title=\[4\] Access denied exception}
07:36:20,139 ERROR [org.teiid.CONNECTOR] (Worker0_QueryProcessorQueue22) Connector worker process failed for atomic-request=N2TxM305BvZO.1.3.6: java.lang.SecurityException: PBOX000016: Access denied: authentication failed
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84) [picketbox-4.1.2.Final-redhat-1.jar:4.1.2.Final-redhat-1]
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getSubject(AbstractConnectionManager.java:721)
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:498)
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:143)
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at org.teiid.translator.jdbc.JDBCExecutionFactory.getConnection(JDBCExecutionFactory.java:270) [translator-jdbc-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at org.teiid.translator.jdbc.JDBCExecutionFactory.getConnection(JDBCExecutionFactory.java:68) [translator-jdbc-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at org.teiid.translator.ExecutionFactory.getConnection(ExecutionFactory.java:202) [teiid-api-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at org.teiid.dqp.internal.datamgr.ConnectorWorkItem.execute(ConnectorWorkItem.java:328)
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0-internal]
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0-internal]
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0-internal]
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at java.lang.reflect.Method.invoke(Method.java:483) [rt.jar:1.8.0-internal]
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at org.teiid.dqp.internal.datamgr.ConnectorManager$1.invoke(ConnectorManager.java:211)
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at com.sun.proxy.$Proxy48.execute(Unknown Source)
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at org.teiid.dqp.internal.process.DataTierTupleSource.getResults(DataTierTupleSource.java:306)
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at org.teiid.dqp.internal.process.DataTierTupleSource$1.call(DataTierTupleSource.java:112)
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at org.teiid.dqp.internal.process.DataTierTupleSource$1.call(DataTierTupleSource.java:108)
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at java.util.concurrent.FutureTask.run(FutureTask.java:266) [rt.jar:1.8.0-internal]
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at org.teiid.dqp.internal.process.FutureWork.run(FutureWork.java:65)
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at org.teiid.dqp.internal.process.DQPWorkContext.runInContext(DQPWorkContext.java:276)
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at org.teiid.dqp.internal.process.ThreadReuseExecutor$RunnableWrapper.run(ThreadReuseExecutor.java:119)
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at org.teiid.dqp.internal.process.ThreadReuseExecutor$3.run(ThreadReuseExecutor.java:210)
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0-internal]
08:36:20,143 INFO  [MultiPlatformProcessRunner] 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0-internal]
08:36:20,143 INFO  [MultiPlatformProcessRunner] 	at java.lang.Thread.run(Thread.java:744) [rt.jar:1.8.0-internal]
08:36:20,143 INFO  [MultiPlatformProcessRunner] 
08:36:20,145 INFO  [MultiPlatformProcessRunner] 07:36:20,144 ERROR [org.teiid.PROCESSOR] (Worker1_QueryProcessorQueue23) TEIID30019 Unexpected exception for request N2TxM305BvZO.1: java.lang.SecurityException: PBOX000016: Access denied: authentication failed
08:36:20,145 INFO  [MultiPlatformProcessRunner] 	at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84) [picketbox-4.1.2.Final-redhat-1.jar:4.1.2.Final-redhat-1]
08:36:20,145 INFO  [MultiPlatformProcessRunner] 	at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getSubject(AbstractConnectionManager.java:721) [ironjacamar-core-impl-1.0.37.Final-redhat-1.jar:1.0.37.Final-redhat-1]
08:36:20,145 INFO  [MultiPlatformProcessRunner] 	at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:498) [ironjacamar-core-impl-1.0.37.Final-redhat-1.jar:1.0.37.Final-redhat-1]
08:36:20,145 INFO  [MultiPlatformProcessRunner] 	at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:143)
08:36:20,146 INFO  [MultiPlatformProcessRunner] 	at org.teiid.translator.jdbc.JDBCExecutionFactory.getConnection(JDBCExecutionFactory.java:270)
08:36:20,146 INFO  [MultiPlatformProcessRunner] 	at org.teiid.translator.jdbc.JDBCExecutionFactory.getConnection(JDBCExecutionFactory.java:68)
08:36:20,146 INFO  [MultiPlatformProcessRunner] 	at org.teiid.translator.ExecutionFactory.getConnection(ExecutionFactory.java:202) [teiid-api-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,146 INFO  [MultiPlatformProcessRunner] 	at org.teiid.dqp.internal.datamgr.ConnectorWorkItem.execute(ConnectorWorkItem.java:328) [teiid-engine-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,146 INFO  [MultiPlatformProcessRunner] 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0-internal]
08:36:20,146 INFO  [MultiPlatformProcessRunner] 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0-internal]
08:36:20,146 INFO  [MultiPlatformProcessRunner] 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0-internal]
08:36:20,146 INFO  [MultiPlatformProcessRunner] 	at java.lang.reflect.Method.invoke(Method.java:483) [rt.jar:1.8.0-internal]
08:36:20,146 INFO  [MultiPlatformProcessRunner] 	at org.teiid.dqp.internal.datamgr.ConnectorManager$1.invoke(ConnectorManager.java:211) [teiid-engine-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,146 INFO  [MultiPlatformProcessRunner] 	at com.sun.proxy.$Proxy48.execute(Unknown Source)
08:36:20,146 INFO  [MultiPlatformProcessRunner] 	at org.teiid.dqp.internal.process.DataTierTupleSource.getResults(DataTierTupleSource.java:306) [teiid-engine-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,146 INFO  [MultiPlatformProcessRunner] 	at org.teiid.dqp.internal.process.DataTierTupleSource$1.call(DataTierTupleSource.java:112) [teiid-engine-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,146 INFO  [MultiPlatformProcessRunner] 	at org.teiid.dqp.internal.process.DataTierTupleSource$1.call(DataTierTupleSource.java:108) [teiid-engine-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,146 INFO  [MultiPlatformProcessRunner] 	at java.util.concurrent.FutureTask.run(FutureTask.java:266) [rt.jar:1.8.0-internal]
08:36:20,146 INFO  [MultiPlatformProcessRunner] 	at org.teiid.dqp.internal.process.FutureWork.run(FutureWork.java:65) [teiid-engine-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,146 INFO  [MultiPlatformProcessRunner] 	at org.teiid.dqp.internal.process.DQPWorkContext.runInContext(DQPWorkContext.java:276) [teiid-engine-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,146 INFO  [MultiPlatformProcessRunner] 	at org.teiid.dqp.internal.process.ThreadReuseExecutor$RunnableWrapper.run(ThreadReuseExecutor.java:119) [teiid-engine-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,147 INFO  [MultiPlatformProcessRunner] 	at org.teiid.dqp.internal.process.ThreadReuseExecutor$3.run(ThreadReuseExecutor.java:210) [teiid-engine-8.12.5.redhat-6.jar:8.12.5.redhat-6]
08:36:20,147 INFO  [MultiPlatformProcessRunner] 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0-internal]
08:36:20,147 INFO  [MultiPlatformProcessRunner] 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0-internal]
08:36:20,147 INFO  [MultiPlatformProcessRunner] 	at java.lang.Thread.run(Thread.java:744) [rt.jar:1.8.0-internal]
{code}

> MSSQL JDBC driver invalidates kerberos ticket on Connection.close()
> -------------------------------------------------------------------
>
>                 Key: TEIID-4183
>                 URL: https://issues.jboss.org/browse/TEIID-4183
>             Project: Teiid
>          Issue Type: Bug
>    Affects Versions: 8.12.x, 8.7.5.6_2
>            Reporter: Juraj Duráni
>            Assignee: Ramesh Reddy
>             Fix For: 9.1, 8.12.5
>
>
> MSSQL JDBC driver invalidates the Kerberos ticket on Connection.close() (related bugzilla \[1\]).
> If a user creates a Kerberos connection, the driver invalidates the ticket on closing the connection (Connection.close()). Therefore the ticket cannot be re-used. The EAP team created a workaround for this by adding the module option *wrapGSSCredential=true* with the additional setting *credentialLifetime=-1* \[2, 3, 4, 5\]. This works for static Kerberos authentication.
> However, passthrough authentication (org.teiid.jboss.PassthroughIdentityLoginModule) does not work, because the passed ticket is not managed by EAP but by the client.
> \[1\] https://bugzilla.redhat.com/show_bug.cgi?id=1097276
> \[2\] https://bugzilla.redhat.com/show_bug.cgi?id=1097276#c58
> \[3\] https://issues.jboss.org/browse/SECURITY-905
> \[4\] https://issues.jboss.org/browse/JBEAP-843
> \[5\] https://github.com/wildfly-security/jboss-negotiation/commit/0c7e06f58a79855d5ae2fbe6cb662e90baf7a5d4
