[teiid-issues] [JBoss JIRA] (TEIID-5780) Support certificate based authentication into Teiid pg

Steven Hawkins (Jira) issues at jboss.org
Fri Jun 21 18:02:00 EDT 2019 

    [ https://issues.jboss.org/browse/TEIID-5780?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13750299#comment-13750299 ] 

Steven Hawkins commented on TEIID-5780:
---------------------------------------

[~rareddy] See https://github.com/shawkins/teiid/commit/53c143eaaebc225a3f83c756884423528ff00f3f - this adds the ability to assume an admin user via client auth.  This creates a dummy security context using the principal from the certificate when the principal matches one configured on the sessionservice, then that is used by the passthrough logic to create the session.  This would work as described above by setting the adminPrincipal to the principal name on the pg service signing certificate, which would presumably be like CN=service-name,...  

The drawback is that this isn't a proper user in the actual realm/security-domain.  What to you think?

> Support certificate based authentication into Teiid pg
> ------------------------------------------------------
>
>                 Key: TEIID-5780
>                 URL: https://issues.jboss.org/browse/TEIID-5780
>             Project: Teiid
>          Issue Type: Sub-task
>          Components: ODBC
>            Reporter: Steven Hawkins
>            Assignee: Steven Hawkins
>            Priority: Major
>             Fix For: 12.3
>
>
> To support the pg connection into Teiid we will do something like:
> - require a pg secure port using the service signing certificate: TEIIDSB-90 TEIIDSB-92
> -- one clarification is that we must document how to make the pg cert dominant if both pg and jdbc secure are used
> TODO:
> - configure the pg instance to have a service signing certificate and trust the Teiid service signing certificate.  If that trust seems too difficult we can just configure the connection to trust all.
> - configure the pg connection to Teiid to use the pg service signing certificate as the client certificate
> - trust the pg service signing certificate at the teiid service - we need hostname validation to be enabled and the Teiid server to map the service host name to an authenticated user (this could possibly be generalized via keycloak support to more users).



--
This message was sent by Atlassian Jira
(v7.12.1#712002)

More information about the teiid-issues mailing list