[teiid-issues] [JBoss JIRA] (TEIID-5780) Support certificate based authentication into Teiid pg

Steven Hawkins (Jira) issues at jboss.org
Mon Jun 24 10:45:00 EDT 2019


    [ https://issues.jboss.org/browse/TEIID-5780?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13750797#comment-13750797 ] 

Steven Hawkins commented on TEIID-5780:
---------------------------------------

> Is there an option we can explore with ServiceAccount that has permissions on both containers?

That gets complicated as well.  Presumably the Teiid pod will be configured to use keycloak, whereas the pg container will have its own user store with an admin account generated at deployment time.

- We simply glean the pg admin credentials and put special handling in our username/password authentication to grant that user admin access.  This is very similar to the ssl cert approach in that the principal we're authenticating will not exist in the Teiid realm.  As with the ssl case there's a chance that this username will collide with a user in the realm which would be very confusing from a logging perspective.  Note that it is possible to assume that this user belongs to a different security-domain / realm, but most of our logic no longer reports that as part of the username...

- We require the creation of an admin account in the realm, and then also configure pg to use keycloak or some other identity assertion mechanism.  This doesn't seem that easy, and it could be a manual task to add the admin user.  If that account gets disabled for any reason all materialization for any vdb using that realm will be broken.

Do you see another option?

> Support certificate based authentication into Teiid pg
> ------------------------------------------------------
>
>                 Key: TEIID-5780
>                 URL: https://issues.jboss.org/browse/TEIID-5780
>             Project: Teiid
>          Issue Type: Sub-task
>          Components: ODBC
>            Reporter: Steven Hawkins
>            Assignee: Steven Hawkins
>            Priority: Major
>             Fix For: 12.3
>
>
> To support the pg connection into Teiid we will do something like:
> - require a pg secure port using the service signing certificate: TEIIDSB-90 TEIIDSB-92
> -- one clarification is that we must document how to make the pg cert dominant if both pg and jdbc secure are used
> TODO:
> - configure the pg instance to have a service signing certificate and trust the Teiid service signing certificate.  If that trust seems too difficult we can just configure the connection to trust all.
> - configure the pg connection to Teiid to use the pg service signing certificate as the client certificate
> - trust the pg service signing certificate at the teiid service - we need hostname validation to be enabled and the Teiid server to map the service host name to an authenticated user (this could possibly be generalized via keycloak support to more users).



--
This message was sent by Atlassian Jira
(v7.12.1#712002)
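The TODO list in the quoted issue describes one procedure: pg presents its service signing certificate as a TLS client certificate, Teiid trusts the service signing CA, enables hostname validation, and maps the verified service hostname to an authenticated user. The Go program below is an added example of that Teiid-side check; it is not Teiid code and not part of the issue. The service hostnames (teiid.example.svc, pg.example.svc), the in-process CA, and the hostname-to-principal map are assumptions made for the illustration. It goes one step beyond the issue text by also showing why the hostname check matters: a certificate for a different service, signed by the same CA, chains correctly but must not be granted the pg principal.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical service hostnames (assumptions; the issue names neither).
const teiidServiceHost, pgServiceHost = "teiid.example.svc", "pg.example.svc"

// principal is what Teiid derives from a verified client cert. Domain is kept apart from
// User so a service-cert login is not confused in logs with a same-named realm user.
type principal struct{ User, Domain string }

// Hypothetical mapping: expected service hostname (the cert's SAN) -> principal.
var identityMap = map[string]principal{pgServiceHost: {"materialization-admin", "service-cert"}}

var serial int64

// issue creates a one-day ECDSA cert for cn. With ca == nil it self-signs the service signing CA;
// otherwise it issues a service cert with SAN cn, usable as both server and client certificate.
func issue(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	serial++
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca == nil { // no issuer given: this is the self-signed service signing CA
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		ca, caKey = t, key
	} else { // a service cert: SAN = service hostname, server and client auth
		t.DNSNames, t.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, caKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// mapPrincipal is the Teiid-side check from the TODO: the client cert must chain to the service
// signing CA AND carry the expected service hostname (hostname validation); only then is that
// hostname mapped to a principal. Chaining to the CA alone would admit any service's cert.
func mapPrincipal(chain []*x509.Certificate, roots *x509.CertPool, host string) (principal, error) {
	if len(chain) == 0 { return principal{}, fmt.Errorf("no client certificate presented") }
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil { return principal{}, fmt.Errorf("client cert rejected: %w", err) }
	p, ok := identityMap[host]
	if !ok { return principal{}, fmt.Errorf("no principal mapped for %s", host) }
	return p, nil
}

// login builds the CA, the Teiid server cert and a client cert for clientHost (all signed by the
// same CA), then runs one mutually authenticated TLS handshake over loopback. The server (Teiid)
// requires a client cert from the CA and applies mapPrincipal for pgServiceHost; the client (pg)
// validates the server cert against the CA and the Teiid hostname (no trust-all shortcut).
func login(clientHost string) (principal, error) {
	ca, caKey, err := issue("service-signing-ca", nil, nil)
	if err != nil { return principal{}, err }
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	srvCert, srvKey, err := issue(teiidServiceHost, ca, caKey)
	if err != nil { return principal{}, err }
	cliCert, cliKey, err := issue(clientHost, ca, caKey)
	if err != nil { return principal{}, err }
	server := tls.Certificate{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}
	client := tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}

	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: roots, MinVersion: tls.VersionTLS12})
	if err != nil { return principal{}, err }
	defer ln.Close()
	type verdict struct { p principal; err error }
	ch := make(chan verdict, 1)
	go func() { // server side: finish the handshake, then map the peer cert to a principal
		conn, err := ln.Accept()
		if err != nil { ch <- verdict{err: err}; return }
		defer conn.Close()
		tc := conn.(*tls.Conn)
		if err := tc.Handshake(); err != nil { ch <- verdict{err: err}; return }
		p, err := mapPrincipal(tc.ConnectionState().PeerCertificates, roots, pgServiceHost)
		ch <- verdict{p, err}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{client},
		RootCAs: roots, ServerName: teiidServiceHost, MinVersion: tls.VersionTLS12})
	if err != nil { return principal{}, err }
	conn.Close()
	v := <-ch
	return v.p, v.err
}

func main() {
	p, err := login(pgServiceHost)
	fmt.Println("pg service cert:", p, err)
	_, err = login("other.example.svc")
	fmt.Println("other service cert from the same CA:", err)
}
```

The second call is the case the "trust all" shortcut in the TODO would get wrong if it were applied on the Teiid side: a certificate for other.example.svc is a valid member of the service signing CA, so RequireAndVerifyClientCert accepts the handshake, and only the DNSName check in mapPrincipal keeps it from being mapped to the pg principal. The Domain field is one way to keep the service-cert login distinguishable from a realm user of the same name in logs, which is the collision concern raised in the comment.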