1211539 – Pass-through kerberos authentication on IBM JDK - principal is not passed to MSSQL driver

Bug 1211539 - Pass-through kerberos authentication on IBM JDK - principal is not passed to MSSQL driver

Summary: Pass-through kerberos authentication on IBM JDK - principal is not passed to ...

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	JBoss Data Virtualization 6
Classification:	JBoss
Component:	Teiid
Sub Component:
Version:	6.2.0
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	6.2.0
Assignee:	Van Halbert
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-04-14 09:26 UTC by Juraj Duráni
Modified:	2015-10-02 16:38 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	If you are using the IBM Java Development Kit, Kerberos identification will fail under some circumstances. This is because the Kerberos principal is not passed to the driver. As a result, the user will see an exception. MSSQL is affected (pass-through configuration only) as is Impala (for both static and pass-through configurations).
Clone Of:
Environment:	OS: Fedora 20 java: IBM JDK 1.7 arch: x86_64
Last Closed:	2015-10-02 16:38:49 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)
Configuration file (4.12 KB, text/plain) 2015-04-14 09:28 UTC, Juraj Duráni	no flags	Details
VDB for static configuration (529 bytes, text/plain) 2015-04-14 09:28 UTC, Juraj Duráni	no flags	Details
VDB for pass-through authentication (654 bytes, text/plain) 2015-04-14 09:29 UTC, Juraj Duráni	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	TEIID-3425	0	Major	Resolved	Pass-through kerberos authentication on IBM JDK - principal is not passed to MSSQL driver	2018-03-15 16:42:18 UTC

Description Juraj Duráni 2015-04-14 09:26:22 UTC

Description:

I have configured a datasource for MSSQL database. The datasource uses PassthroughIdentityLoginModule. I have also created a VDB which requires kerberos authentication. I am trying to pass credentials used for authentication CLIENT <=> TEIID to datasource so they can be used for authentication TEIID <=> MSSQL.

Method getConnection(..) (record in server log) is called with correct credentials, but SQLServerDriver throws an exception:
initAuthInit failed privileged exception:-java.security.PrivilegedActionException: org.ietf.jgss.GSSException, major code: 13, minor code: 0
major string: Invalid credentials
minor string: Cannot get credential from JAAS Subject for principal: default principal

Some ideas, but I am only guessing:
1. I have seen same exception (on client side) if system property "javax.security.auth.useSubjectCredsOnly" is set to false on client side. As this property is set to true in the server config (<property name="javax.security.auth.useSubjectCredsOnly" value="true"/>), it is probably not passed to the driver (or is being ignored).
2. SQLServerDriver sets two system properties by default (if no kerberos configuration file is specified) useDefaultCcache = true moduleBanner = false - see https://msdn.microsoft.com/en-us/library/gg558122%28v=sql.110%29.aspx - ibm kerberos login module will try to get TGT from ticket cache

------------------------
Steps to reproduce:

0. add dependency "ibm.jdk" to module org.jboss.security.negotiation (https://issues.jboss.org/browse/TEIID-3416)
1. start Teiid
2. adapt set-up-mssql-ibm.cli and run it to configure Teiid
3. deploy VDBs
4. connect to Teiid and run query SELECT "user" FROM us

------------------------
Additional information:

I have tried static kerberos configuration for same DS and there was no problem with it.

Comment 1 Juraj Duráni 2015-04-14 09:28:12 UTC

Created attachment 1014225 [details]
Configuration file

Comment 2 Juraj Duráni 2015-04-14 09:28:40 UTC

Created attachment 1014226 [details]
VDB for static configuration

Comment 3 Juraj Duráni 2015-04-14 09:29:18 UTC

Created attachment 1014227 [details]
VDB for pass-through authentication

Comment 4 Juraj Duráni 2015-04-14 10:24:18 UTC

Same problem with Impala (pass-through). But in this case even static configuration does not work.

Static configuration error:
ERROR [org.apache.thrift.transport.TSaslTransport] (Worker1_QueryProcessorQueue1) SASL negotiation failure: javax.security.sasl.SaslException: Final handshake failed [Caused by org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Input max size 0 less than computed required size 53]

Comment 5 Juraj Duráni 2015-04-14 10:26:49 UTC

Additional info to Comment 4: IBM jdk is not supported - http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/pcm_jdk_cdh_cm.html

Comment 6 David Le Sage 2015-09-03 03:55:49 UTC

Release note errata - in progress.

Comment 7 David Le Sage 2015-09-03 05:11:31 UTC

Release note draft completed.  Assigning back to Van for engineering.

Comment 8 JBoss JIRA Server 2015-09-30 16:39:03 UTC

Steven Hawkins <shawkins> updated the status of jira TEIID-3425 to Resolved

Note You need to log in before you can comment on or make changes to this bug.