no user principal ad TEIID JDBC in custom translator

I have a successful JDBC connection to TEIID using a Kerberos ticket. I would like to get the default principal that is in the ticket.

Ticket details:

    Ticket cache: KEYRING:persistent:6003:6003
    Default principal: [email protected]

    Valid starting       Expires              Service principal
    05/21/2018 21:14:46  05/22/2018 21:14:44  krbtgt/[email protected]

But in the execute function of the translator, I am only getting the principal from the service, which is configured at the data source.

Code:

    public void execute(String tableName, List<String> columns, Map<String, List<Object>> values,
                        Subject subject, Limit limit) throws IonicTranslatorException {
        // ...
        if (subject != null) {
            // Log the name and concrete type of every principal on the Subject passed to the translator
            Set<Principal> users = subject.getPrincipals();
            for (Principal p : users) {
                log.warn("available subject: " + p.getName());
                log.warn("Type:" + p.getClass().getName());
            }
        }
        // ...
    }

As a result I get:

..... available subject: HTTP/52.201.217.84
..... Type:org.jboss.security.SimplePrincipal
..... available subject: Roles
..... Type:org.jboss.security.SimpleGroup
..... available subject: CallerPrincipal
..... Type:org.jboss.security.SimpleGroup
..... available subject: HTTP/[email protected]
..... Type:javax.security.auth.kerberos.KerberosPrincipal

But no "nfunke".

Where would I get the user name from the context?

Below is the domain configuration in standalone.xml:

            <security-domain name="FUNKE.HK">
                <authentication>
                    <login-module code="SPNEGO" flag="requisite">
                        <module-option name="password-stacking" value="useFirstPass"/>
                        <module-option name="serverSecurityDomain" value="host"/>
                        <module-option name="removeRealmFromPrincipal" value="true"/>
                    </login-module>
                    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required" module="org.jboss.security.negotiation">
                        <module-option name="storeKey" value="true"/>
                        <module-option name="userKeyTab" value="true"/>
                        <module-option name="principal" value="HTTP/[email protected]"/>
                        <module-option name="useKeyTab" value="true"/>
                        <module-option name="keyTab" value="/etc/krb5.keytab"/>
                        <module-option name="doNotPrompt" value="true"/>
                        <module-option name="debug" value="true"/>
                        <module-option name="useTicketCache" value="true"/>
                        <module-option name="refreshKrb5Config" value="true"/>
                        <module-option name="isInitiator" value="true"/>
                        <module-option name="delegationCredential" value="USE"/>
                        <module-option name="addGSSCredential" value="true"/>
                    </login-module>
                </authentication>
            </security-domain>

And yes, I can run queries with no problems.


There are 1 best solutions below

If you want to delegate to data sources, first you need to define "security-domain" on your data source configuration. Then you need to define another security domain with "login-module" like above. See Kerberos Delegation