Skip to main content

JCA Container Integration, Why Teiid needs it? Part 3

The Teiid project is being integrated to run inside a JCA container. In earlier posts I gave two compelling reasons for the move.

Reason # 1
Reason #2

Today we examine #3

Reason 3: Security

Security is vitally important for any enterprise application. This is especially true for Teiid as there are typically strict organizational rules governing access to data sources. At a high level Teiid allows for a customizable user authentication/authorization system. There are pre-defined system administrative roles and data authorization roles can be defined for each virtual database (a.k.a. entitlements, or data roles) to govern access at a granular level.

Teiid 6.2 (and earlier) Security Features

Teiid 6.2 provided a Membership API to define customizable security domains from which to obtain authentication and authorization information. Teiid shipped with implementations of LDAP and File based membership domains. Security at the connector level was supported, static credentials, client passed credentials, or through "trusted" payloads. Using trusted payloads, the client can pass any object to a connector for custom authentication/authorization. Like previous issues, this worked great! and there are reams of code to prove it. However, there is a better alternative JAAS.

Java Authentication and Authorization Service (JAAS)

JAAS is a java based security framework that is built into Java runtime. Here is description from the spec site:

Underlying the Java SE Platform is a dynamic, extensible security architecture, standards-based and interoperable. Security features — cryptography, authentication and authorization, public key infrastructure, and more — are built in. The Java security model is based on a customizable "sandbox" in which Java software programs can run safely, without potential risk to systems or users.

JBoss AS uses the PicketLink (JBoss Security) as the security module, which implements the JAAS based authentication framework. Out of the box there are various different login modules available for use. As before, LDAP and File based login modules supported. If their requirements are not satisfied with any of the provided modules, a developer can also write a custom login module.

By moving into container environment Teiid:
  • replaced a custom security framework with a standards based JAAS based framework
  • has access to a plugin based authorization and authentication mechanism
  • retained all the functionality from before to define security domains.
  • reduced its code footprint.
Connectors can also be configured for a "security-domain" such that the container ensures the user is authenticated prior to access. In some Containers this security profile is used to create user specific connection pools to segregate connections from common connection pools. Having this login context available at the Connector is similar to having the "trusted payload" as before, however passing a payload is left for the implementation of the login module.

Next up well look at Microcontiner and its service and deployer framework.

Comments

Popular posts from this blog

Teiid Spring Boot 1.7.0 Released

Teiid Spring Boot version 1.7.0 to support Teiid 16.0 has been released. This release is mainly to support the Teiid's latest version.  In this release, the support for OpenAPI code generation based on VDB has been removed as there is no community interest and moreover it was at OpenAPI 2.0, and the industry has moved to 3.0 and beyond. There are no plans to further pursue this feature. VDB maven plugin was also removed, which was intended to be a replacement for the VDB importing feature was to be used when working on OpenShift, however, since it requires the Maven repository and does not completely represent the feature as defined on the WildFly based deployments this is also removed. You can still use the VDB import feature with Teiid Spring Boot, simply define the VDB with your "IMPORT DATABASE" statements and provide the additional files along with the main VDB file. During the start of the application, Teiid Spring Boot will load all the necessary DDL files for the ...

Expose Excel Data as OData feed using Teiid

For that matter you can expose any data source that is supported by Teiid through its translators as OData service. You can convert Relational databases XML, JSON, CSV files Web Services  Sales Force Excel documents sources, or write your on top of your specific source. Teiid added support for exposing its virtual database (VDB) as OData service without any additional work. Create a virtual database with your required sources and create any additional views and deploy in the the JBoss EAP 6.1 server, that has Teiid 8.3 or greater installed.  See https://docs.jboss.org/author/display/teiid84final/OData+Support  for more information. So, lets build a simple example of exposing the Excel Sheet. Teiid accesses Excel sheets via JDBC-ODBC bridge, and Windows OS provides a ODBC driver for Excel documents.  Edit the standalone-teiid.xml, and create Connection Factory jdbc:odbc:Driver={Microsoft Excel Driver (*.xls)};Dbq=c:\ODBC\ExcelDat...

Teiid 8.13.3 Released

Teiid 8.13.3 is now  available .  In total 8.13.3 addresses 10 issues since 8.13.2: [ TEIID-4028 ] - adding salesforce-34 resource adapter does not work through the cli [ TEIID-4066 ] - Odata translator ClassNotFoundException: com.sun.ws.rs.ext.RuntimeDelegateImpl [ TEIID-4070 ] - Issues with resource adapters with api modules in wildfly [ TEIID-4089 ] - Teiid JDBC driver does not reset the update count when calling getMoreResults(int) [ TEIID-4093 ] - OData authentication fails with NPE when gss-pattern related properties are included in VDB [ TEIID-4096 ] - AssertionError with independent side of a dependent join that has an ordered limit [ TEIID-3050 ] - allow for more incremental insert with iterator [ TEIID-4075 ] - Netezza translator to support common table expressions [ TEIID-4098 ] - Always preserve columns order in google spreadsheets models [ TEIID-4046 ] - OData - $skip is bee...