7 Replies Latest reply on Sep 24, 2015 8:29 AM by rareddy

    datasource selection according to the caller user

    szarazfika

      Hi,

       

      Thanks for your previous questions! Thanks to them we are making very good progress.

       

      We are working with the embedded version of Teiid (dynamic vdb).

      We would like to manage the access control inside the source databases (outside Teiid). We would like to authenticate the user and then make Teiid pick a specific datasource according to the caller's auth. data. Something like the Oracle basic security model, having a database and a few users that can be configured inside it.

      The optimal solution would be having one basic URL for all users and then building an algorithm inside Teiid to select a valid datasource to execute the external database call.

       

      We have been trying with different configurations but we are not able to find the solution above. We know that we can specify different vdb names inside different vdb.xml files, one database name per user and everything goes transparently in the background.

       

      Sorry if we are missing something! Any hint or direction will be very much appreciated!

       

      Thanks in advance!

        • 1. Re: datasource selection according to the caller user
          rareddy

          Szaraz,

           

          Let me see if I am interpreting your question correctly. You want to design Teiid such that when a user logs in, based on the user's authentication credentials, you want to select a particular data source to push the rest of the queries that are submitted to Teiid to. So, in a way, you want to use Teiid as a proxy. Is that correct?

           

          Questions I have are:

          1) How is your VDB designed? Do you have all the sources and then one single view which is fronting all the sources, either using "multi-source" or "partition union" kind of logic?

          2) Continuing from 1: is the schema in all the data sources the same?

          3) Does a user have access to more than a single source?

          4) What kind of security-domain are you thinking of for user authentication at the Teiid level? Where are you going to have users/credentials defined: LDAP, a simple properties file, etc.?

          5) Do you need to send the logged-in user's credentials to Teiid to be passed to the data source? Or are they using static credentials for that?

           

          >>We know that we can specify different vdb names inside different vdb.xml files, one database name per user and everything goes transparently in the background.

          In Teiid, the user logs into the context of a single VDB, not directly into the Teiid system; think of Teiid as stateless, and the VDB makes it context aware.


          Ramesh..

          • 2. Re: datasource selection according to the caller user
            szarazfika

            Ramesh,

             

            Thanks again.

            I believe you got the point. We are using an embedded Teiid as a router. This way we can flexibly use any supported data source type behind the scene. Basically, we are planning to configure it at runtime and we are looking for the best practice to do so.

             

            >>Questions I have are:

            >>1) How is your VDB designed? Do you have all the sources and then one single view which is fronting all the sources, either using "multi-source" or "partition union" kind of logic?

            We are using the dynamic approach. Teiid scans the target data source according to our configuration inside the vdb.xml file. We are considering which approach would suit us better at this point.

            >>2) Continuing from 1: is the schema in all the data sources the same?

            I would say no, we would like to stay flexible.

            >>3) Does a user have access to more than a single source?

            This is something we have been considering for a while. I would say yes for the first version but probably in scope for later ones.

            >>4) What kind of security-domain are you thinking of for user authentication at the Teiid level? Where are you going to have users/credentials defined: LDAP, a simple properties file, etc.?

            AD

            >>5) Do you need to send the logged-in user's credentials to Teiid to be passed to the data source? Or are they using static credentials for that?

            We don't know how to perform the first option, this is why we are using static credentials at the moment. Passing the user credentials to the data source would be very good for us.


            >>In Teiid, the user logs into the context of a single VDB, not directly into the Teiid system; think of Teiid as stateless, and the VDB makes it context aware.

            Sorry for our nomenclature, I wasn't precise enough. We understand it, but just this is the way we speak here in our company...

             

            Thanks in advance,

            Szaraz

            • 3. Re: datasource selection according to the caller user
              shawkins

              Some other things to consider. Authentication to Teiid itself is a separate step from authentication to particular sources. Beyond multi-source (which is more of a general feature rather than specifically multitenant) we don't have a built-in multitenant feature, but we do provide the hooks to implement common strategies. Either via the JCA layer or from a delegating translator you could choose what database connection to return, or what source schema to use, etc. based upon the authenticated user. You just have to be careful in this scenario about caching, as Teiid won't be aware that results should be user scoped. Generally we should eventually support multitenant functionality similar to Hibernate - Chapter 16. Multi-tenancy

               

              However a basic expectation would be that the schemas accessed are the same for all users.  If you exposed a superset for everyone, you could also have applicable data roles to limit users to only their relevant subsets.

              • 4. Re: datasource selection according to the caller user
                szarazfika

                Thanks Ramesh!

                 

                 I checked your answer against the security API. It looks to me that the easiest way for us will be the creation of a vdb per customer.

                 This way we will authenticate the user globally in Teiid first and then control the access of the authenticated user to the vdb he is allowed to use.

                 Is it OK or would you advise a better solution?

                 

                We are using the embedded version. Can we create a vdb definition programmatically (instead of using an xml file?)

                 

                Thanks,

                Szaraz

                • 5. Re: datasource selection according to the caller user
                  rareddy

                  Szaraz,

                   

                  As SteveH concisely put it, if you are working with the same schema from all the data sources you are supporting, then you can do a couple of things.

                  1) Use a Delegate Translator to create a different connection based on the user

                  2) Or you can use/write a connection pool for the sources based on user.

                   

                  However the above will fail when there is no common schema. Alternatively you can do what you are alluding to:

                   

                  1) Move the user authentication semantics out of Teiid into your application.

                  2) Then, based on the user logged in, configure a new VDB, or choose from a catalog of VDBs, that your application makes the connection to Teiid with and issues queries. Maybe you want to assign a role to each user and base the VDB creation on that, to minimize the number of VDBs. Be sure to remove the VDB when the user logs out.

                  3) There may be ways to pass the authenticated user on to the data sources, as you are the one creating the ManagedConnectionFactories for the sources in Embedded.

                   

                  As far as creating the VDB with an API, it is an XML file you can generate however you want. If you want, there is a class you can use, teiid/TestVDBMetadataParser.java at master · teiid/teiid · GitHub, as an example of how to create one. Depending upon the number of users, at some point you will have scaling issues.

                   

                  Ramesh..

                  • 6. Re: datasource selection according to the caller user
                    szarazfika

                    Ramesh,

                     

                    I would like to tell you more about our app, but I am not entitled at the moment to do so...

                    I asked for the existence of an API as we have a strongly clustered environment and it would have been more comfortable for us, but no problem at all, we can deal with xmls (OK).

                    We were planning to use our authentication algorithm, we still have to decide where and how (also OK).

                    We do not intend to create our connection pool, we would use the one that is inside Teiid (OK) and we are planning to create connections and maintain them using the Teiid API (also OK for us).

                    We still haven't finished our business model. After that we will decide how to design our vdb schema/user model.

                    Actually, I got all answers, I am satisfied, thanks!!!

                    Szaraz

                    • 7. Re: datasource selection according to the caller user
                      rareddy

                      Szaraz,

                       

                      >>I asked for the existence of an API as we have a strongly clustered environment and it would have been more comfortable for us, but no problem at all, we can deal with xmls (OK).

                      On the Embedded API, you do not have to deploy an XML file for the VDB; you can use the deploy method at [1]. All it takes is a couple of POJO objects to define the VDB structure.

                      >>We do not intend to create our connection pool, we would use the one that is inside Teiid (OK) and we are planning to create connections and maintain them using the Teiid API (also OK for us).

                      Embedded does not have one; what we have is an interface. You need to plug in your own, e.g. one of the popular connection pools like DBCP etc. Use of a connection pool does not matter if you are not sharing connections and most likely always have just a single connection to the source.

                       

                      Ramesh..

                       

                      [1] teiid/EmbeddedServer.java at master · teiid/teiid · GitHub
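The VDB-per-customer approach discussed in replies 5 and 7, as an added example that is not code from the thread or from the Teiid project: it deploys a VDB from POJOs via EmbeddedServer.deployVDB instead of a vdb.xml, keys the VDB on the customer id the application has already authenticated, and undeploys it on logout. It assumes an already started EmbeddedServer with a translator registered under the name "h2" and one connection factory registered per customer; the class PerCustomerVdb and the map of customer ids to connection-factory names are hypothetical.

```java
import java.sql.Connection;
import java.util.Map;
import org.teiid.adminapi.impl.ModelMetaData;
import org.teiid.runtime.EmbeddedServer;

/** Added example: one VDB per authenticated customer, defined with POJOs (hypothetical class). */
public class PerCustomerVdb {
    private final EmbeddedServer server;                 // assumed started; translator "h2" already added
    private final Map<String, String> sourceByCustomer;  // customerId -> name passed to addConnectionFactory

    public PerCustomerVdb(EmbeddedServer server, Map<String, String> sourceByCustomer) {
        this.server = server;
        this.sourceByCustomer = sourceByCustomer;
    }

    /** VDB name is derived from the application-authenticated id, never from raw client input. */
    static String vdbName(String customerId) {
        if (!customerId.matches("[A-Za-z0-9_]{1,32}")) {
            throw new IllegalArgumentException("unexpected customer id");
        }
        return "customer_" + customerId;
    }

    /** Deploy a VDB whose single physical model maps only to this customer's source, then connect. */
    public Connection connectFor(String authenticatedCustomerId) throws Exception {
        String connectionFactory = sourceByCustomer.get(authenticatedCustomerId);
        if (connectionFactory == null) {
            throw new SecurityException("no data source configured for " + authenticatedCustomerId);
        }
        ModelMetaData model = new ModelMetaData();
        model.setName("data");
        // source name inside the model, translator name, connection factory name
        model.addSourceMapping("src", "h2", connectionFactory);

        String vdb = vdbName(authenticatedCustomerId);
        server.deployVDB(vdb, model);                 // deploy once per session; redeploying the same name fails
        return server.getDriver().connect("jdbc:teiid:" + vdb, null);
    }

    /** Remove the VDB when the user logs out, as reply 5 advises, so it cannot be reused. */
    public void logout(String authenticatedCustomerId) {
        server.undeployVDB(vdbName(authenticatedCustomerId));
    }
}
```

Because each VDB maps to exactly one customer's source, the result-caching concern raised in reply 3 does not arise here; it only applies when one shared VDB switches connections per user behind a delegating translator.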