MSSQL JDBC driver invalidate kerberos ticket on Connection.close() (related bugzilla [1]). If user creates kerberos connection, driver invalidates ticket on closing connection (Connection.close()). Therefore ticket cannot be re-used. EAP team creates a workaround for this by adding module option 'wrapGSSCredential=true' with additional setting 'credentialLifetime=-1' [2, 3, 4, 5]. This works for static kerberos authentication. However, passthrough authentication (org.teiid.jboss.PassthroughIdentityLoginModule) does not work, because passed ticket is not managed by EAP but by client. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1097276 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1097276#c58 [3] https://issues.jboss.org/browse/SECURITY-905 [4] https://issues.jboss.org/browse/JBEAP-843 [5] https://github.com/wildfly-security/jboss-negotiation/commit/0c7e06f58a79855d5ae2fbe6cb662e90baf7a5d4 Steps to reproduce: 1. run query 2. flush connection (in CLI - /subsystem=datasource/data-source=<ds>:flush-all-connection-in-pool) 3. run query again
Ramesh Reddy <rareddy> updated the status of jira TEIID-4183 to Resolved
Additional option "wrapGSSCredential=true" for login module org.teiid.jboss.PassthroughIdentityLoginModule is supposed to be a workaround. But Teiid/MSSQL driver throws exception [1] with that option. Setting to assigned. [1] org.teiid.jdbc.TeiidSQLException: TEIID30498 Remote org.teiid.api.exception.query.QueryPlannerException: TEIID30498 Capabilities for BQT were not available. The command could not be planned properly. at org.teiid.jdbc.TeiidSQLException.create(TeiidSQLException.java:135) at org.teiid.jdbc.TeiidSQLException.create(TeiidSQLException.java:71) at org.teiid.jdbc.StatementImpl.postReceiveResults(StatementImpl.java:706) at org.teiid.jdbc.StatementImpl.access$100(StatementImpl.java:64) at org.teiid.jdbc.StatementImpl$2.onCompletion(StatementImpl.java:545) at org.teiid.client.util.ResultsFuture.done(ResultsFuture.java:135) at org.teiid.client.util.ResultsFuture.access$200(ResultsFuture.java:40) at org.teiid.client.util.ResultsFuture$1.receiveResults(ResultsFuture.java:79) at org.teiid.net.socket.SocketServerInstanceImpl.receivedMessage(SocketServerInstanceImpl.java:268) at org.teiid.net.socket.SocketServerInstanceImpl.read(SocketServerInstanceImpl.java:306) at sun.reflect.GeneratedMethodAccessor1.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:483) at org.teiid.net.socket.SocketServerConnectionFactory$ShutdownHandler.invoke(SocketServerConnectionFactory.java:98) at com.sun.proxy.$Proxy6.read(Unknown Source) at org.teiid.net.socket.SocketServerInstanceImpl$RemoteInvocationHandler$1.get(SocketServerInstanceImpl.java:405) at org.teiid.jdbc.StatementImpl.executeSql(StatementImpl.java:554) at org.teiid.jdbc.PreparedStatementImpl.execute(PreparedStatementImpl.java:241) at org.jboss.dv.qe.kerberos.Utils.executePerformanceTest(Utils.java:88) at org.jboss.dv.qe.kerberos.MSSQLKerberosTest.performanceTest(MSSQLKerberosTest.java:232) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:483) at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:80) at org.testng.internal.Invoker.invokeMethod(Invoker.java:714) at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:901) at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1231) at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:127) at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:111) at org.testng.TestRunner.privateRun(TestRunner.java:767) at org.testng.TestRunner.run(TestRunner.java:617) at org.testng.SuiteRunner.runTest(SuiteRunner.java:334) at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:329) at org.testng.SuiteRunner.privateRun(SuiteRunner.java:291) at org.testng.SuiteRunner.run(SuiteRunner.java:240) at org.testng.SuiteRunnerWorker.runSuite(SuiteRunnerWorker.java:52) at org.testng.SuiteRunnerWorker.run(SuiteRunnerWorker.java:86) at org.testng.TestNG.runSuitesSequentially(TestNG.java:1198) at org.testng.TestNG.runSuitesLocally(TestNG.java:1123) at org.testng.TestNG.run(TestNG.java:1031) at org.apache.maven.surefire.testng.TestNGExecutor.run(TestNGExecutor.java:70) at org.apache.maven.surefire.testng.TestNGDirectoryTestSuite.execute(TestNGDirectoryTestSuite.java:108) at org.apache.maven.surefire.testng.TestNGProvider.invoke(TestNGProvider.java:111) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:483) at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:164) at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:110) at org.apache.maven.surefire.booter.SurefireStarter.invokeProvider(SurefireStarter.java:172) at org.apache.maven.surefire.booter.SurefireStarter.runSuitesInProcessWhenForked(SurefireStarter.java:104) at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:70) Caused by: org.teiid.core.TeiidProcessingException: TEIID30498 Remote org.teiid.api.exception.query.QueryPlannerException: TEIID30498 Capabilities for BQT were not available. The command could not be planned properly. at org.teiid.query.optimizer.relational.PlanToProcessConverter.convertNode(PlanToProcessConverter.java:326) at org.teiid.query.optimizer.relational.PlanToProcessConverter.convertPlan(PlanToProcessConverter.java:143) at org.teiid.query.optimizer.relational.PlanToProcessConverter.convertPlan(PlanToProcessConverter.java:159) at org.teiid.query.optimizer.relational.PlanToProcessConverter.convertPlan(PlanToProcessConverter.java:147) at org.teiid.query.optimizer.relational.PlanToProcessConverter.convertPlan(PlanToProcessConverter.java:159) at org.teiid.query.optimizer.relational.PlanToProcessConverter.convertPlan(PlanToProcessConverter.java:159) at org.teiid.query.optimizer.relational.PlanToProcessConverter.convert(PlanToProcessConverter.java:120) at org.teiid.query.optimizer.relational.RelationalPlanner.optimize(RelationalPlanner.java:228) at org.teiid.query.optimizer.QueryOptimizer.optimizePlan(QueryOptimizer.java:159) at org.teiid.dqp.internal.process.Request.generatePlan(Request.java:442) at org.teiid.dqp.internal.process.PreparedStatementRequest.generatePlan(PreparedStatementRequest.java:119) at org.teiid.dqp.internal.process.Request.processRequest(Request.java:470) at org.teiid.dqp.internal.process.PreparedStatementRequest.processRequest(PreparedStatementRequest.java:294) at org.teiid.dqp.internal.process.RequestWorkItem.processNew(RequestWorkItem.java:642) at org.teiid.dqp.internal.process.RequestWorkItem.process(RequestWorkItem.java:337) at org.teiid.dqp.internal.process.AbstractWorkItem.run(AbstractWorkItem.java:51) at org.teiid.dqp.internal.process.RequestWorkItem.run(RequestWorkItem.java:274) at org.teiid.dqp.internal.process.DQPWorkContext.runInContext(DQPWorkContext.java:276) at org.teiid.dqp.internal.process.ThreadReuseExecutor$RunnableWrapper.run(ThreadReuseExecutor.java:119) at org.teiid.dqp.internal.process.ThreadReuseExecutor$3.run(ThreadReuseExecutor.java:210) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:744) Caused by: org.teiid.core.TeiidException: TEIID11009 Remote org.teiid.translator.TranslatorException: TEIID11009 java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/SQL2012_Krb at org.teiid.translator.jdbc.JDBCExecutionFactory.getConnection(JDBCExecutionFactory.java:274) at org.teiid.translator.jdbc.JDBCExecutionFactory.getConnection(JDBCExecutionFactory.java:68) at org.teiid.translator.ExecutionFactory.getConnection(ExecutionFactory.java:202) at org.teiid.dqp.internal.datamgr.ConnectorManager.buildCapabilities(ConnectorManager.java:179) at org.teiid.dqp.internal.datamgr.ConnectorManager.getCapabilities(ConnectorManager.java:163) at org.teiid.dqp.internal.process.CachedFinder.findCapabilities(CachedFinder.java:108) at org.teiid.query.metadata.TempCapabilitiesFinder.findCapabilities(TempCapabilitiesFinder.java:78) at org.teiid.query.optimizer.relational.rules.CapabilitiesUtil.getCapabilities(CapabilitiesUtil.java:439) at org.teiid.query.optimizer.relational.rules.CapabilitiesUtil.supports(CapabilitiesUtil.java:459) at org.teiid.query.optimizer.relational.rules.CapabilitiesUtil.requiresCriteria(CapabilitiesUtil.java:444) at org.teiid.query.optimizer.relational.rules.RulePlaceAccess.addAccessNode(RulePlaceAccess.java:196) at org.teiid.query.optimizer.relational.rules.RulePlaceAccess.execute(RulePlaceAccess.java:86) at org.teiid.query.optimizer.relational.RelationalPlanner.executeRules(RelationalPlanner.java:859) at org.teiid.query.optimizer.relational.RelationalPlanner.optimize(RelationalPlanner.java:226) ... 15 more Caused by: java.sql.SQLException: Remote java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/SQL2012_Krb at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:151) at org.teiid.translator.jdbc.JDBCExecutionFactory.getConnection(JDBCExecutionFactory.java:270) ... 28 more Caused by: org.teiid.core.TeiidRuntimeException: Remote javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/SQL2012_Krb at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:410) at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:367) at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:499) at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:143) ... 29 more Caused by: org.teiid.core.TeiidRuntimeException: Remote javax.resource.ResourceException: IJ000658: Unexpected throwable while trying to create a connection: null at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:454) at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:457) at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:429) at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:344) ... 32 more Caused by: org.teiid.core.TeiidRuntimeException: Remote javax.resource.ResourceException: Could not create connection at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:351) at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.access$200(LocalManagedConnectionFactory.java:60) at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory$1.run(LocalManagedConnectionFactory.java:274) at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory$1.run(LocalManagedConnectionFactory.java:265) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:422) at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:264) at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.createConnectionEventListener(SemaphoreArrayListManagedConnectionPool.java:858) at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:413) ... 35 more Caused by: java.sql.SQLException: Remote com.microsoft.sqlserver.jdbc.SQLServerException: Integrated authentication failed. ClientConnectionId:b0e4955c-f233-4ee3-b609-2929d8f6a169 at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:1667) at com.microsoft.sqlserver.jdbc.KerbAuthentication.intAuthInit(KerbAuthentication.java:176) at com.microsoft.sqlserver.jdbc.KerbAuthentication.GenerateClientContext(KerbAuthentication.java:268) at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:2691) at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:2234) at com.microsoft.sqlserver.jdbc.SQLServerConnection.access$000(SQLServerConnection.java:41) at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:2220) at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:5696) at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:1715) at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:1326) at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:991) at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:827) at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1012) at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:323) ... 43 more Caused by: org.teiid.core.TeiidRuntimeException: Remote java.security.PrivilegedActionException: null at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:422) at com.microsoft.sqlserver.jdbc.KerbAuthentication.getClientCredential(KerbAuthentication.java:199) at com.microsoft.sqlserver.jdbc.KerbAuthentication.intAuthInit(KerbAuthentication.java:150) ... 55 more Caused by: org.teiid.core.TeiidRuntimeException: Remote org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147) at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122) at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:193) at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:427) at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:62) at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:154) at com.microsoft.sqlserver.jdbc.KerbAuthentication$1.run(KerbAuthentication.java:189) at com.microsoft.sqlserver.jdbc.KerbAuthentication$1.run(KerbAuthentication.java:187) ... 59 more
Setting blocker to ?. With workaround every query fails. With out workaround, user cannot use connection poll properly.
Van Halbert <vhalbert> updated the status of jira TEIID-4183 to Reopened
Basic configuration (no wrapping, no cache) did not pass [1]. [1] https://issues.jboss.org/browse/TEIID-4183?focusedCommentId=13273356&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13273356
Ramesh Reddy <rareddy> updated the status of jira TEIID-4183 to Reopened
Steven Hawkins <shawkins> updated the status of jira TEIID-4183 to Closed