I have a succesful JDBC connection to TEIID using a kerberos ticket. I like to get the default principal that is in the ticket
Ticket details: Ticket cache: KEYRING:persistent:6003:6003 Default principal: [email protected]
Valid starting Expires Service principal 05/21/2018 21:14:46 05/22/2018 21:14:44 krbtgt/[email protected]
but in the execute function of the translator, I am only getting the principal from the service, which is configured at data source.
Code:
public void execute(String tableName, List<String> columns, Map<String, List<Object>> values, Subject subject, Limit limit) throws IonicTranslatorException{
.
.
if (subject!=null) {
users = subject.getPrincipals();
for(Principal p: users){
log.warn("available subject: " + p.getName());
log.warn("Type:" + p.getClass().getName());
as a result I get:
..... available subject: HTTP/52.201.217.84
..... Type:org.jboss.security.SimplePrincipal
..... available subject: Roles
..... Type:org.jboss.security.SimpleGroup
..... available subject: CallerPrincipal
..... Type:org.jboss.security.SimpleGroup
..... available subject: HTTP/[email protected]
..... Type:javax.security.auth.kerberos.KerberosPrincipal
but no "nfunke"
where would I get the user name from the context?
below the domain configuration in standalone.xml:
<security-domain name="FUNKE.HK">
<authentication>
<login-module code="SPNEGO" flag="requisite">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="serverSecurityDomain" value="host"/>
<module-option name="removeRealmFromPrincipal" value="true"/>
</login-module>
<login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required" module="org.jboss.security.negotiation">
<module-option name="storeKey" value="true"/>
<module-option name="userKeyTab" value="true"/>
<module-option name="principal" value="HTTP/[email protected]"/>
<module-option name="useKeyTab" value="true"/>
<module-option name="keyTab" value="/etc/krb5.keytab"/>
<module-option name="doNotPrompt" value="true"/>
<module-option name="debug" value="true"/>
<module-option name="useTicketCache" value="true"/>
<module-option name="refreshKrb5Config" value="true"/>
<module-option name="isInitiator" value="true"/>
<module-option name="delegationCredential" value="USE"/>
<module-option name="addGSSCredential" value="true"/>
</login-module>
</authentication>
</security-domain>
and yes, I can run queries with no problems
If you want to delegate to data sources, first you need to define "security-domain" on your data source configuration. Then you need to define another security domain with "login-module" like above. See Kerberos Delegation