Teiid Data Security

Question

To make use of vault store, have created keystore to hold application sensitive info,

<datasource jndi-name="java:/Test_VDB" pool-name="Test_VDB" enabled="true">
                    <connection-url>jdbc:teiid:Test_VDB</connection-url>
                    <driver>teiid</driver>
                    <security>
                        <user-name>dvuser</user-name>
                        <password>${VAULT::ds_creds::mysql_creds::1}</password>
                    </security>
                </datasource>

I have created my data source configuration to my VDB like this. Ideally when I connect from a client, have to specify the url and the above username and password to connect to.

But what happening is, there is an entry in the standalone-teiid.xml file,

<transport name="jdbc" socket-binding="teiid-jdbc" protocol="teiid">
                <authentication security-domain="teiid-security"/>
            </transport>

which binds teiid-jdbc to 31000.

When I try to connect to VDB using the vault credentials, my request is blocked, rather if I try to connect using teiid-security credentials, it is going through. By doing so, whatever I configure as credentials in the data source definition is meaningless.

How can I delegate my teiid-security to refer to the security aspects defined under datasource?

Answer 1

Brian, if I understand your question correctly, you want to access your mysql database through teiid, but still use the mysql credentials.

The password vault serves to hide passwords from the configuration files, nothing more.

Either you would have to:

1. Use the datasource you configured, but connect with teiid's credentials (thus basic scenario). You say, you don't want this.
2. Use advanced security options (e.g. kerberos auth) to share the security context between the Teiid server and your database. Then you can refer to Teiid's Security Guide and either use one of supported options, or you can implement your own custom solution by implementing your own LoginModule.