Identity Support in Teiid

Starting from version 6.2 access to  Teiid runtime can be secured  with user-id and password and prohibit un-authorized access by enabling Identity management. Given a user belongs to set of working  "groups" that define his/her allowed permissions in a company, different "roles" can be assigned in the Teiid system based on these groups to  provide privileges to access various parts of the system.


Teiid's membership framework allows users to plug-in their own identity management systems, such that Teiid serves as a pass through system for such a management system. Teiid works with the configured membership domain to perform per user identity assertion to grant access and group resolution to determine each user's privileges. Teiid provides membership domain plug-ins for


   1. LDAP
   2. File based management


File based authentication is easy to setup but only recommended for development purposes. For  production use LDAP is recommended. User can write their own membership domains based on Membership API defined by Teiid.  See "Server Extensions" guide for more information. Please note that identity management can also be turned off the altogether, which may be appropriate in embedded scenarios where the identity management is handled by a higher layer of the application.

 

By default user identity checking is turned on in the Teiid system, with a default super user named "admin" with password as "teiid". Using the following properties in the <teiid-install>/deploy.properties file, you control  whether membership is enabled or not, the super user credentials and which membership domain to use to manage user accounts.

 

#
# Membership Service Settings (handles the authentication of the user)
#

membership.enabled=true
membership.superUser=admin
membership.superUserPassword=teiid
membership.DomainOrder=file,ldap
membership.allowedHosts=

 

membership.enabled = true|false - Controls turning identity checking ON or OFF. Note that if identity checking is turned OFF, there will not be any authorization checks, so the system will be wide open for anybody to connect and issue  query commands.

 

membership.superUser - This is name of the super user or root user of the system, who has rights to perform any/all operations in the system

 

membership.superUserPassword - The password for the super user. Make sure  "deploy.properties" is secure such that no un-authorized person can access it. If you do not want show clear text password you can encrypt the password using technique defined here.

 

membership.DomainOrder -This property has two distinct responsibilities.

  1. It defines the membership domains to use. For example,  by defining "file", Teiid runtime will search for a property file called "membership-file.properties" in "<teiid-install>/deploy" directory. This property file defines all the necessary configuration properties that are required to initialize and plug  a "file" membership domain  into Teiid runtime. If your membership domain name is "foo", then Teiid will search for "membership-foo.properties" file. The contents of the  property file are specific to the membership domain it is initializing. The developer of the membership domain can define them per its needs. However, every property file must provide the following two  properties that will enable Teiid to integrate the membership domain into the system.
      1. activate = true | false - flag to enable or disable membership domain
      2. AuthDomainClass= class name - java  class name that implements the membership domain.
  2. User can define more than one membership domain to use. Multiple domain names can be specified, delimited by commas. This property also defines the order of membership domains that Teiid system needs to follow in authenticating the user. Teiid will cycle though the all the domains defined to authenticate the user until membership  grants access, or tried them all unsucessfully. If none of the membership domains grant access, then user will be denied access to the Teiid system.

 

membership.allowedHosts - Optionally Teiid can be configured to only accept "superUser" connections from trusted hosts. This property defines  host address pattern that defines which client connections are accepted ( ex: 192\.168\.32\.100 or 192\.168\.32\.*).   If this property left commented or blank, then superUser connections from any hosts  are allowed.

 

Configuring the Memebership Domains

 

File  Membership Domain

To use file based membership make sure the property "membership.DomainOrder" has the value "file"  and there is a "membership-file.properties" file in the "<teiid-install>/deploy" directory (default install already has this defined). The below section defines the "membership-file.properties"

 

#File based membership domain configuration properties

# File Membership Domain Settings (activate, Membership Domain Class Name, Property file for configuration) 
activate=true

# The class that implements the File membership 
AuthDomainClass=com.metamatrix.platform.security.membership.spi.file.FileMembershipDomain

#Location of the properties file containing user name and password entries.
usersFile=users.properties

#Location of the properties file containing group assignments
groupsFile=groups.properties

#Check passwords against the users file.
checkPassword=true

 

In addition to above property file, user need to provide two other files that specify the allowed users  in "users.properties" file and groups for the users in the "groups.properties" file

 

A sample "users.properties" is like (sample file attached)

john=mm
paul=mm

where each user is specified in one line, with user name to the left of the '=' sign, and password to the right.

 

A sample "groups.properties" is like

group1=john,paul
group2=paul

where each line defines a group, with group name  to the left of the '=' sign, and a list of users in the specified group to the right.

 

Once you provide all the three property files, and make sure the "activate" flag is "true", then you can start using the file based identity assertions. Please note that this membership domain only recommended for development purposes.

 

LDAP Membership Domain

If your company uses  LDAP based authentication, or Active Directory, then use LDAP membership domain to for authentication. Make sure "membership-ldap.properties" file in the "<teiid-install>/deploy" directory and is in following format.

 

# Configuration file for LDAP membership domain

activate=true

# The class that implements the LDAP membership 
AuthDomainClass=com.metamatrix.platform.security.membership.spi.ldap.LDAPMembershipDomain

#Full LDAP URL (mandatory)
ldapURL=

#Bind account password for group lookup.
ldapAdmin.password=

#The attribute(s) that uniquely identifies a user.
users.displayName.attribute = uid

#The search filter(s) to apply to each users root context.
users.searchFilter=(objectclass=*)

#Specifies the context(s) to use when searching for users.(mandatory)
users.rootContext=

#Bind account DN for group lookup.
ldapAdmin.dn=

#Attribute(s) that appears on each user that identifies group membership.
users.memberOf.attribute=

#The attribute(s) that uniquely identifies a group.
groups.displayName.attribute=

#How far down the directory tree to search each users root context.
users.searchScope=SUBTREE_SCOPE

#Specifies the context(s) to use when searching for groups.(mandatory)
groups.rootContext=

#The search filter(s) to apply to each groups root context
groups.searchFilter=(objectclass=*)

#How far down the directory tree to search each groups root context.
groups.searchScope=SUBTREE_SCOPE

#Time to wait for LDAP operations to complete.
txnTimeoutInMillis=

#The attribute(s) that contains the members of the group.
groups.groupMember.attribute=

 

A sample file is attached at the end.