JBoss.org Community Documentation

Chapter 2. Teiid Security

2.1. Teiid Security
2.1.1. Introduction
2.1.2. Authentication
2.1.3. Authorization
2.2. Membership Domains
2.2.1. Built-in Membership Domains
2.2.2. Custom Membership Domains

Membership domains are at the core of Teiid’s security system and bridge the gap between Teiid and an external security system.  A membership domain provides:

Access to membership domains is coordinated through the Membership Service.  The Membership Service together with the Authorization Service implement the necessary logic to authenticate users, determine role membership, and to enforce roles.

There are multiple types of membership domains that allow for connectivity to different security systems.  A Teiid server environment can be configured with multiple membership domains (there can be multiple instances of a given membership domain type).  Each membership domain instance must be assigned a unique domain name in the Teiid system.  The domain name can be used to fully qualify user names to authenticate only against that domain.  The format for a qualified name is username@domainname.

If a user name is not fully qualified, then the installed membership domains will be consulted in order until a domain successfully or unsuccessfully authenticates the user.  If a membership domain reports the user does not exist or that the credentials are not recognized, that is not considered an unsuccessful authentication and the next membership domain will be consulted.

If no membership domain can authenticate the user, the logon attempt will fail.  For any failed logon attempt the message the user sees will always be the same.  It will simply indicate that the user could not be authenticated by any membership domain – it will not reveal any further details, which could potentially be sensitive information.  Details such as invalid users, which domains were consulted, etc. will be written to the server log with appropriate levels of severity.
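The consultation rules above (qualified names restricted to one domain, unqualified names tried in order, "user unknown" treated as a reason to continue but a definitive rejection treated as a reason to stop, one generic client message with the detail only in the server log) are small enough to show end to end.  The following is an added illustration, not Teiid's own Membership Service code: the domain names, users and passwords are constructed sample data, and the `Outcome` split into SUCCESS/UNKNOWN/FAILURE is an assumption about how a domain reports "does not exist / not recognized" versus "unsuccessfully authenticated".

```python
import logging
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

log = logging.getLogger("teiid.membership")  # server-side log; never shown to the client


class Outcome(Enum):
    SUCCESS = "success"   # the domain authenticated the user
    UNKNOWN = "unknown"   # user not found or credentials not recognized: keep consulting
    FAILURE = "failure"   # definitive rejection (e.g. locked account): stop consulting


@dataclass
class MembershipDomain:
    """Constructed stand-in for one membership domain instance (not a Teiid class)."""
    name: str
    users: dict                         # username -> password, constructed sample data
    locked: set = field(default_factory=set)

    def authenticate(self, user, password):
        if user in self.locked:
            return Outcome.FAILURE
        if user in self.users and self.users[user] == password:
            return Outcome.SUCCESS
        return Outcome.UNKNOWN


# One fixed message for every failed logon, so the client learns nothing about
# which users exist or which domains were consulted.
GENERIC_FAILURE = "The user could not be authenticated by any membership domain."


@dataclass
class LogonResult:
    ok: bool
    domain: Optional[str]   # domain that authenticated the user, if any
    message: str            # what the client is told
    consulted: list         # domain names consulted, in order (server-side detail only)


class MembershipService:
    def __init__(self, domains):
        names = [d.name for d in domains]
        if len(names) != len(set(names)):
            raise ValueError("each membership domain instance needs a unique domain name")
        self.domains = list(domains)

    def logon(self, login, password):
        user, sep, domain_name = login.rpartition("@")
        if sep:
            # username@domainname: authenticate only against that one domain
            candidates = [d for d in self.domains if d.name == domain_name]
        else:
            user = login
            candidates = self.domains   # unqualified: consult installed domains in order
        consulted = []
        for domain in candidates:
            consulted.append(domain.name)
            outcome = domain.authenticate(user, password)
            if outcome is Outcome.SUCCESS:
                log.info("user %r authenticated by domain %r", user, domain.name)
                return LogonResult(True, domain.name, "", consulted)
            if outcome is Outcome.FAILURE:
                log.warning("domain %r rejected user %r", domain.name, user)
                return LogonResult(False, None, GENERIC_FAILURE, consulted)
            log.debug("domain %r does not recognize user %r; trying next", domain.name, user)
        log.warning("no domain authenticated user %r (consulted: %s)", user, consulted)
        return LogonResult(False, None, GENERIC_FAILURE, consulted)


def build_sample_service():
    """Two constructed domains; not a real Teiid configuration."""
    return MembershipService([
        MembershipDomain("ldap", {"alice": "pw-alice"}, locked={"carol"}),
        MembershipDomain("local", {"bob": "pw-bob", "carol": "pw-carol"}),
    ])


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    svc = build_sample_service()
    for login, pw in [("alice", "pw-alice"), ("bob", "pw-bob"), ("bob@ldap", "pw-bob"),
                      ("carol", "pw-carol"), ("nobody", "x")]:
        r = svc.logon(login, pw)
        print(login, "->", "OK via " + r.domain if r.ok else r.message)
```

Note the `carol` case: the first domain rejects her outright, so the chain stops even though the second domain would have accepted the password.  Also note that `bob@ldap` and `nobody` receive byte-for-byte the same message; only the `consulted` list and the log entries differ, and those stay on the server.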