
JCA Container Integration, Why Teiid needs it? Part 3

The Teiid project is being integrated to run inside a JCA container. In earlier posts I gave two compelling reasons for the move.

Reason #1
Reason #2

Today we examine #3

Reason 3: Security

Security is vitally important for any enterprise application. This is especially true for Teiid as there are typically strict organizational rules governing access to data sources. At a high level Teiid allows for a customizable user authentication/authorization system. There are pre-defined system administrative roles and data authorization roles can be defined for each virtual database (a.k.a. entitlements, or data roles) to govern access at a granular level.

Teiid 6.2 (and earlier) Security Features

Teiid 6.2 provided a Membership API to define customizable security domains from which to obtain authentication and authorization information. Teiid shipped with implementations of LDAP and file-based membership domains. Security at the connector level was supported through static credentials, client-passed credentials, or "trusted" payloads. Using trusted payloads, the client can pass any object to a connector for custom authentication/authorization. As with the previous reasons, this worked great, and there are reams of code to prove it. However, there is a better alternative: JAAS.

Java Authentication and Authorization Service (JAAS)

JAAS is a Java-based security framework that is built into the Java runtime. Here is a description from the spec site:

Underlying the Java SE Platform is a dynamic, extensible security architecture, standards-based and interoperable. Security features — cryptography, authentication and authorization, public key infrastructure, and more — are built in. The Java security model is based on a customizable "sandbox" in which Java software programs can run safely, without potential risk to systems or users.

JBoss AS uses PicketLink (JBoss Security) as its security module, which implements a JAAS-based authentication framework. Out of the box there are various login modules available for use. As before, LDAP and file-based login modules are supported. If none of the provided modules satisfies their requirements, a developer can also write a custom login module.

By moving into the container environment Teiid:
  • replaced a custom security framework with a standards-based JAAS framework
  • has access to a plugin-based authorization and authentication mechanism
  • retained all the functionality from before to define security domains
  • reduced its code footprint.

Connectors can also be configured with a "security-domain" such that the container ensures the user is authenticated prior to access. In some containers this security profile is used to create user-specific connection pools, segregating those connections from the common connection pools. Having this login context available at the connector is similar to having the "trusted payload" as before; however, passing a payload is now left to the implementation of the login module.
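As an added illustration, not code from Teiid or PicketLink, here is a minimal custom JAAS login module of the kind the two paragraphs above refer to, together with a stand-alone driver that runs it through a LoginContext. The embedded user store, the principal classes, the policy name "teiid-security" and the sha256Hex helper are all constructed for this example; a real module would read credentials from a properties file or LDAP and the container would supply the Configuration. The two-phase login/commit split is what lets the container tie the authenticated Subject (and its role principals) to a connector's security domain before any data source is touched.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Hypothetical custom JAAS login module (example code, not Teiid's or PicketLink's). */
public class ExampleLoginModule implements LoginModule {

    /** Minimal identity principal. */
    public static class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Principal carrying a role name, e.g. a data role a VDB could be entitled by. */
    public static final class RolePrincipal extends UserPrincipal {
        public RolePrincipal(String name) { super(name); }
    }

    // Constructed user store: name -> {salt, sha256Hex(salt + password), role}.
    private static final Map<String, String[]> USERS = new HashMap<>();
    static {
        USERS.put("alice", new String[] { "s4lt-1", sha256Hex("s4lt-1" + "correct horse"), "data-analyst" });
    }

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private boolean succeeded;
    private final List<Principal> added = new ArrayList<>();

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    /** Phase 1: collect credentials via callbacks and verify them; the Subject is untouched. */
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("user: ");
        PasswordCallback pwCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, pwCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot collect credentials: " + e.getMessage());
        }
        char[] pw = pwCb.getPassword();
        pwCb.clearPassword();
        String[] entry = USERS.get(nameCb.getName());
        if (entry == null || pw == null) throw new FailedLoginException("unknown user or missing password");
        byte[] expected = entry[1].getBytes(StandardCharsets.UTF_8);
        byte[] actual = sha256Hex(entry[0] + new String(pw)).getBytes(StandardCharsets.UTF_8);
        Arrays.fill(pw, '\0');
        if (!MessageDigest.isEqual(expected, actual)) throw new FailedLoginException("bad password"); // constant-time
        user = nameCb.getName();
        succeeded = true;
        return true;
    }

    /** Phase 2: only once every required module succeeded are identity and roles attached. */
    public boolean commit() {
        if (!succeeded) return false;
        added.add(new UserPrincipal(user));
        added.add(new RolePrincipal(USERS.get(user)[2]));
        subject.getPrincipals().addAll(added);
        return true;
    }

    public boolean abort() {
        if (!succeeded) return false;
        return logout();
    }

    public boolean logout() {
        subject.getPrincipals().removeAll(added);
        added.clear();
        user = null;
        succeeded = false;
        return true;
    }

    private static String sha256Hex(String s) {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)))
                sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    /** Stand-alone demo: a programmatic Configuration stands in for the container's jaas config. */
    public static void main(String[] args) throws LoginException {
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(ExampleLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
            }
        };
        CallbackHandler cb = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("correct horse".toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("teiid-security", new Subject(), cb, cfg);
        lc.login();
        for (RolePrincipal r : lc.getSubject().getPrincipals(RolePrincipal.class))
            System.out.println("role granted: " + r.getName());
        lc.logout();
    }
}
```

Compile and run with `javac ExampleLoginModule.java && java ExampleLoginModule`. Swapping the password in the callback handler makes `lc.login()` throw FailedLoginException and leaves the Subject empty, which is the behaviour a container relies on when it gates a connector behind a security domain.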

Next up we'll look at Microcontainer and its service and deployer framework.
