[teiid-issues] [JBoss JIRA] (TEIID-5780) Support certificate based authentication into Teiid pg

Steven Hawkins (Jira) issues at jboss.org
Mon Jun 24 12:06:00 EDT 2019 

    [ https://issues.jboss.org/browse/TEIID-5780?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13750859#comment-13750859 ] 

Steven Hawkins commented on TEIID-5780:
---------------------------------------

The relationship is bi-directional.  The pg database fdw needs to point to the Teiid pg instance so that it can perform the materialization loads by reading directly from the Teiid views (imported to it as foreign tables). 

Given our metadata and permission model, the load query cannot simply be an anonymous connection or a regular user.  Already with our materialization logic we escalate loads to "admin" status.  This means that the load query gets to see everything and bypass authorization checks - otherwise a non-privileged user could not implicitly load a materialized view that was used transitively, or even the materialization management would lack authorization to perform loads.

Teiid needs a connection to pg so that on a materialized view query it can redirect to the pg instance instead.  This is far simpler as there will be a pre-configured service account.

> What is the process that Teiid uses to register/enlist PG for the materialization purpose, maybe we can add/build a relationship (secure backdoor) during that perhaps?

I don't quite follow this.  Anything we do over the pg transport will not be a backdoor.



> Support certificate based authentication into Teiid pg
> ------------------------------------------------------
>
>                 Key: TEIID-5780
>                 URL: https://issues.jboss.org/browse/TEIID-5780
>             Project: Teiid
>          Issue Type: Sub-task
>          Components: ODBC
>            Reporter: Steven Hawkins
>            Assignee: Steven Hawkins
>            Priority: Major
>             Fix For: 12.3
>
>
> To support the pg connection into Teiid we will do something like:
> - require a pg secure port using the service signing certificate: TEIIDSB-90 TEIIDSB-92
> -- one clarification is that we must document how to make the pg cert dominant if both pg and jdbc secure are used
> TODO:
> - configure the pg instance to have a service signing certificate and trust the Teiid service signing certificate.  If that trust seems too difficult we can just configure the connection to trust all.
> - configure the pg connection to Teiid to use the pg service signing certificate as the client certificate
> - trust the pg service signing certificate at the teiid service - we need hostname validation to be enabled and the Teiid server to map the service host name to an authenticated user (this could possibly be generalized via keycloak support to more users).



--
This message was sent by Atlassian Jira
(v7.12.1#712002)

More information about the teiid-issues mailing list