Bug 1260621

Summary: RoleBasedCredentialMapIdentityLoginModule throws exception at startup time
Product: [JBoss] JBoss Data Virtualization 6
Reporter: Juraj Duráni <jdurani>
Component: Teiid
Assignee: David Le Sage <dlesage>
Status: CLOSED CURRENTRELEASE
QA Contact: Juraj Duráni <jdurani>
Severity: unspecified
Priority: unspecified
Version: 6.2.0
CC: atangrin, dlesage, drieden, vhalbert
Target Milestone: GA
Keywords: Documentation
Target Release: 6.3.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
If a data source is configured to use the RoleBasedCredentialMapIdentityLoginModule, then the user will encounter an exception on launching the product. This is because the default username and password are null.
Last Closed: 2016-08-24 11:36:32 UTC
Type: Bug

Description Juraj Duráni 2015-09-07 11:45:40 UTC
Description of problem:

If a data source is configured to use RoleBasedCredentialMapIdentityLoginModule, then an exception is thrown at startup [1], because the default username and password are null. Please add module options "username" and "password" to set up a default user (CallerIdentityLoginModule and PassthroughIdentityLoginModule, for example, have similar functionality), so DV is able to properly load the data source at startup, when no user is authenticated and therefore no mapping can be performed.
Example configuration: [2]. Note that there is no exception if the UsersRoles login module is used instead of RealmDirect. However, that means that EAP users are separate from DV users.

FYI:

    The credentialMap module option should be defined as a URL (file://...). It would be nice to have this information in the documentation.
    I tried to use the unauthenticatedIdentity module option for RealmDirect, but the same exception was thrown with a different root cause (realm 'ApplicationRealm' not found). I do not know why.

[1]
ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-5) Exception during createSubject()PBOX000016: Access denied: authentication failed: java.lang.SecurityException: PBOX000016: Access denied: authentication failed
at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84)
at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1084)
at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1079)
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_40]
at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1078)
at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:600)
at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:282)
at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:316)
at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:120)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1980)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1913)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_40]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_40]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_40]

[2]

<security-domain name="my-sec">
    <authentication>
        <login-module code="RealmDirect" flag="required">
            <module-option name="password-stacking" value="tryFirstPass"/>
            <!--<module-option name="unauthenticatedIdentity" value="guest"/>-->
        </login-module>
        <login-module code="org.teiid.jboss.RoleBasedCredentialMapIdentityLoginModule" module="org.jboss.teiid" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="credentialMap" value="file://${jboss.server.config.dir}/teiid-credentialmap.properties"/>
        </login-module>
    </authentication>
</security-domain>



Comment 1 Van Halbert 2015-12-21 21:37:11 UTC
No fixes are being recommended for this, as it's being recommended that this login module be deprecated from further use.

At this time, closing this issue as will not fix, unless it becomes a client issue in the future.

Comment 3 JBoss JIRA Server 2016-02-16 17:21:05 UTC
Ramesh Reddy <rareddy> updated the status of jira TEIID-3684 to Resolved

Comment 4 Van Halbert 2016-02-16 18:07:32 UTC
The use of RoleBasedCredentialMapIdentityLoginModule is being deprecated in DV 6.3, and will be removed in DV 7.

Comment 6 JBoss JIRA Server 2016-08-09 12:34:01 UTC
Steven Hawkins <shawkins> updated the status of jira TEIID-3684 to Closed
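
An added example (not part of the bug report and not Teiid or JBoss code): a Python check that scans security-domain XML for login modules using the module that Comment 4 says is deprecated in DV 6.3 and will be removed in DV 7, and that applies the reporter's note that credentialMap should be defined as a file:// URL. The sample XML, its namespace, the file path and the finding labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

DEPRECATED_MODULE = "org.teiid.jboss.RoleBasedCredentialMapIdentityLoginModule"

# Constructed sample modelled on the configuration quoted in the bug report;
# the namespace and the credentialMap path are made up for this example.
SAMPLE = """
<security-domains xmlns="urn:example:constructed">
  <security-domain name="my-sec">
    <authentication>
      <login-module code="RealmDirect" flag="required">
        <module-option name="password-stacking" value="tryFirstPass"/>
      </login-module>
      <login-module code="org.teiid.jboss.RoleBasedCredentialMapIdentityLoginModule" flag="required">
        <module-option name="credentialMap" value="/opt/conf/teiid-credentialmap.properties"/>
      </login-module>
    </authentication>
  </security-domain>
</security-domains>
"""

def local(tag):
    """Strip an XML namespace so the check works on any schema version."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return (domain, finding) tuples for every use of the deprecated module."""
    findings = []
    for domain in ET.fromstring(xml_text).iter():
        if local(domain.tag) != "security-domain":
            continue
        for lm in domain.iter():
            if local(lm.tag) != "login-module" or lm.get("code") != DEPRECATED_MODULE:
                continue
            name = domain.get("name")
            findings.append((name, "deprecated-module"))
            # Collect this login module's options by name.
            opts = {o.get("name"): o.get("value", "") for o in lm
                    if local(o.tag) == "module-option"}
            cmap = opts.get("credentialMap")
            if cmap is None:
                findings.append((name, "credentialMap-missing"))
            elif urlparse(cmap).scheme != "file":
                findings.append((name, "credentialMap-not-file-url"))
    return findings

if __name__ == "__main__":
    for domain, finding in audit(SAMPLE):
        print(f"{domain}: {finding}")
```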