TEIID-4499: OData Kerberos cannot access VDB (improving GSS auth with…

… local connections)
teiid · Nov 8, 2016 · 92c03fd · 92c03fd
1 parent 95a50a4
commit 92c03fd
Show file tree

Hide file tree

Showing 8 changed files with 60 additions and 29 deletions.
diff --git a/build/kits/jboss-as7/overlay/docs/teiid/teiid-releasenotes.html b/build/kits/jboss-as7/overlay/docs/teiid/teiid-releasenotes.html
@@ -228,9 +228,6 @@ <h4 class="western">from ${project.version}</h4>
 <a href='https://issues.jboss.org/browse/TEIID-4448'>TEIID-4448</a> - Multi-way join predicate inappropriately removed (correcting setting the predicate as optional)
 	<li/>
 	<p style="margin-bottom: 0in">
-<a href='https://issues.jboss.org/browse/TEIID-4511'>TEIID-4511</a> - st_Intersection not implemented (add st_intersection function)
-	<li/>
-	<p style="margin-bottom: 0in">
 <a href='https://issues.jboss.org/browse/TEIID-4469'>TEIID-4469</a> - Insert with query expression does not apply source hint to target (applying the source hint)
 	<li/>
 	<p style="margin-bottom: 0in">
@@ -241,6 +238,12 @@ <h4 class="western">from ${project.version}</h4>
 	<li/>
 	<p style="margin-bottom: 0in">
 <a href='https://issues.jboss.org/browse/TEIID-4491'>TEIID-4491</a> - Refine uniqueidentifier support for SQL Server (updating uniqueidentifier handling)
+	<li/>
+	<p style="margin-bottom: 0in">
+<a href='https://issues.jboss.org/browse/TEIID-4499'>TEIID-4499</a> - OData Kerberos cannot access VDB (improving GSS auth with local connections)
+	<li/>
+	<p style="margin-bottom: 0in">
+<a href='https://issues.jboss.org/browse/TEIID-4511'>TEIID-4511</a> - st_Intersection not implemented (add st_intersection function)
 </ul>
 
 <h4 class="western">from 8.12.7.6_3</h4>

diff --git a/engine/src/main/java/org/teiid/dqp/internal/process/DQPWorkContext.java b/engine/src/main/java/org/teiid/dqp/internal/process/DQPWorkContext.java
@@ -106,6 +106,10 @@ public static Version getVersion(String version) {
 			}
 			return v.getValue();
 		}
+
+		public static Version latest() {
+		    return versionMap.lastEntry().getValue();
+		}
 	}
 
 	private static ThreadLocal<DQPWorkContext> CONTEXTS = new ThreadLocal<DQPWorkContext>() {
@@ -140,7 +144,7 @@ public static void setWorkContext(DQPWorkContext context) {
     private SecurityHelper securityHelper;
     private HashMap<String, DataPolicy> policies;
     private boolean useCallingThread;
-    private Version clientVersion = Version.SEVEN_4;
+    private Version clientVersion = Version.latest();
     private boolean admin;
     private MetadataFactory metadataFactory;
 

diff --git a/runtime/src/main/java/org/teiid/runtime/RuntimePlugin.java b/runtime/src/main/java/org/teiid/runtime/RuntimePlugin.java
@@ -154,6 +154,9 @@ public static enum Event implements BundleUtil.Event{
         TEIID40144,
         TEIID40145, 
         TEIID40146, 
-        TEIID40147
+        TEIID40147, 
+        TEIID40148, 
+        TEIID40149,
+        TEIID40150
     }
 }
diff --git a/runtime/src/main/java/org/teiid/transport/LocalServerConnection.java b/runtime/src/main/java/org/teiid/transport/LocalServerConnection.java
@@ -48,12 +48,16 @@
 import org.teiid.deployers.VDBRepository;
 import org.teiid.dqp.internal.process.DQPWorkContext;
 import org.teiid.jdbc.EmbeddedProfile;
+import org.teiid.gss.MakeGSS;
+import org.teiid.jdbc.JDBCPlugin;
+//import org.teiid.jdbc.LocalProfile;
 import org.teiid.logging.LogConstants;
 import org.teiid.logging.LogManager;
 import org.teiid.net.CommunicationException;
 import org.teiid.net.ConnectionException;
 import org.teiid.net.ServerConnection;
 import org.teiid.net.TeiidURL;
+import org.teiid.net.socket.AuthenticationType;
 import org.teiid.runtime.RuntimePlugin;
 
 
@@ -140,7 +144,28 @@ public synchronized void authenticate() throws ConnectionException, Communicatio
 		workContext.setSecurityContext(previousSecurityContext);
         try {
         	this.result = this.getService(ILogon.class).logon(this.connectionProperties);
+
+        	AuthenticationType type = (AuthenticationType) this.result.getProperty(ILogon.AUTH_TYPE);
+
+            if (type != null) {
+                //server has issued an additional challenge
+                if (type == AuthenticationType.GSS) {
+                    try {
+                        this.result = MakeGSS.authenticate(this.getService(ILogon.class), this.connectionProperties);
+                    } catch (LogonException e) {
+                        if (!passthrough) {
+                            throw new LogonException(RuntimePlugin.Event.TEIID40150, e, RuntimePlugin.Util.gs(RuntimePlugin.Event.TEIID40150));
+                        }
+                        throw e;
+                    }
+                } else {
+                    throw new LogonException(JDBCPlugin.Event.TEIID20034, JDBCPlugin.Util.gs(JDBCPlugin.Event.TEIID20034, type));
+                }
+            }
+
         } catch (LogonException e) {
+            //TODO: above we make a special check for gss if not passthrough, we could do the same in general here or in sessionserviceimpl
+
             // Propagate the original message as it contains the message we want
             // to give to the user
              throw new ConnectionException(e);

diff --git a/runtime/src/main/java/org/teiid/transport/LogonImpl.java b/runtime/src/main/java/org/teiid/transport/LogonImpl.java
@@ -116,7 +116,7 @@ public LogonResult logon(Properties connProps) throws LogonException {
 				return result;
 			}
 			//throw an exception
-			throw new LogonException(RuntimePlugin.Event.TEIID40055, RuntimePlugin.Util.gs(RuntimePlugin.Event.TEIID40055, authType));
+			throw new LogonException(RuntimePlugin.Event.TEIID40149, RuntimePlugin.Util.gs(RuntimePlugin.Event.TEIID40149));
 		}
 
 		//default to username password

diff --git a/runtime/src/main/resources/org/teiid/runtime/i18n.properties b/runtime/src/main/resources/org/teiid/runtime/i18n.properties
@@ -147,3 +147,6 @@ TEIID40144={0} deploy failed - imported vdb {1} is not properly specified.  The
 TEIID40145={0} deploy failed - the version must be fully specified
 
 TEIID40147=Invalid integer {0}
+TEIID40148=Uncaught exception calling listener on event {0} for vdb {1}
+TEIID40149=Pre-8.7 clients cannot authenticate using GSS.
+TEIID40150=Could not make a local GSS connection with PassthroughAuthentication=false.  If you are already authenticated, please use PassthroughAuthentication=true.  Otherwise see the nested exception for details.
diff --git a/runtime/src/test/java/org/teiid/transport/TestLogonImpl.java b/runtime/src/test/java/org/teiid/transport/TestLogonImpl.java
@@ -134,17 +134,13 @@ public void testLogonAuthenticationType() throws Exception {
 		result = fimpl.logon(p);
 		assertEquals("GSS@SC", result.getUserName());
 
-		// if the transport default defined as GSS, then preference is USERPASSWORD, throw exception
+		// if the transport default defined as GSS, then preference is USERPASSWORD, additional challenge
 		ssi.setAuthenticationType(AuthenticationType.GSS); 		
-		try {
-			DQPWorkContext.setWorkContext(new DQPWorkContext());
-			p = buildProperties("fred", "name");		
-			impl = new LogonImpl(ssi, "fakeCluster"); //$NON-NLS-1$
-			result = impl.logon(p);
-			fail("should have failed due server does not support USERPASSWORD");
-		} catch(LogonException e) {
-			// pass
-		}
+		DQPWorkContext.setWorkContext(new DQPWorkContext());
+		p = buildProperties("fred", "name");		
+		impl = new LogonImpl(ssi, "fakeCluster"); //$NON-NLS-1$
+		result = impl.logon(p);
+		assertEquals(AuthenticationType.GSS, result.getProperty("authType"));
 	}
 
 	@Test
@@ -189,18 +185,15 @@ public void testLogonAuthenticationTypeByVDB() throws Exception {
 
 		}
 
-		// if the transport default defined as GSS, then preference is USERPASSWORD, throw exception
-		try {
-			addVdb(repo, "name2", "SC", "GSS");		
-			DQPWorkContext.setWorkContext(new DQPWorkContext());
-			impl = new LogonImpl(ssi, "fakeCluster"); //$NON-NLS-1$
-			p = buildProperties("fred", "name2");		
-			result = impl.logon(p);
-			fail("should have failed due server does not support USERPASSWORD");
-		} catch(LogonException e) {
-			// pass
-		}
-
+		// if the transport default defined as GSS, then preference is USERPASSWORD, additional challenge
+		addVdb(repo, "name2", "SC", "GSS");		
+		DQPWorkContext.setWorkContext(new DQPWorkContext());
+		impl = new LogonImpl(ssi, "fakeCluster"); //$NON-NLS-1$
+		p = buildProperties("fred", "name2");		
+		result = impl.logon(p);
+		assertEquals(AuthenticationType.GSS, result.getProperty("authType"));
+
+	    // doesn't match gss pattern
 		metadata.addProperty(SessionServiceImpl.GSS_PATTERN_PROPERTY, "GSS");
 		DQPWorkContext.setWorkContext(new DQPWorkContext());
 		impl = new LogonImpl(ssi, "fakeCluster"); //$NON-NLS-1$

diff --git a/test-integration/common/src/test/java/org/teiid/jdbc/TestQueryPlans.java b/test-integration/common/src/test/java/org/teiid/jdbc/TestQueryPlans.java
@@ -85,7 +85,7 @@ public class TestQueryPlans {
 		assertNotNull(s.unwrap(TeiidStatement.class).getDebugLog());
 		PlanNode node = s.unwrap(TeiidStatement.class).getPlanDescription();
 		Property p = node.getProperty(AnalysisRecord.PROP_DATA_BYTES_SENT);
-		assertEquals("21", p.getValues().get(0));
+		assertEquals("20", p.getValues().get(0));
 
 		rs = s.executeQuery("show plan");
 		assertTrue(rs.next());