[teiid-commits] teiid SVN: r2502 - in branches/7.1.x: documentation/caching-guide/src/main/docbook/en-US/content and 2 other directories.

teiid-commits at lists.jboss.org teiid-commits at lists.jboss.org
Mon Aug 30 11:39:34 EDT 2010 

Author: shawkins
Date: 2010-08-30 11:39:33 -0400 (Mon, 30 Aug 2010)
New Revision: 2502

Modified:
   branches/7.1.x/build/kits/jboss-container/teiid-releasenotes.html
   branches/7.1.x/documentation/caching-guide/src/main/docbook/en-US/content/codetable.xml
   branches/7.1.x/documentation/caching-guide/src/main/docbook/en-US/content/matviews.xml
   branches/7.1.x/documentation/reference/src/main/docbook/en-US/content/dataroles.xml
   branches/7.1.x/engine/src/main/java/org/teiid/query/tempdata/IndexInfo.java
   branches/7.1.x/engine/src/main/java/org/teiid/query/tempdata/TempTable.java
Log:
TEIID-1210 TEIID-1220 adding release note entries, updating docs, and adding more logging.

Modified: branches/7.1.x/build/kits/jboss-container/teiid-releasenotes.html
===================================================================
--- branches/7.1.x/build/kits/jboss-container/teiid-releasenotes.html	2010-08-30 03:21:37 UTC (rev 2501)
+++ branches/7.1.x/build/kits/jboss-container/teiid-releasenotes.html	2010-08-30 15:39:33 UTC (rev 2502)
@@ -29,12 +29,18 @@
 	<LI><B>Procedure Result Caching</B> - virtual procedure definitions may use a cache hint to cache results in the result set cache.
 	<LI><B>Improved Plan Caching</B> - plans used by internal materialization and stored procedure plans will be automatically cached in the prepared plan cache.  Improvements were also made to reduce the memory footprint of the plans.
     <LI><B>Refined Load Balancing and Fail Over</B> - clients can use use the statement "SET NEWINSTANCE TRUE" to allow their connection to select a new server instance.  See the Client Developer's Guide for more information. 
+    <LI><B>Simplified Role Usage</B> - a role can now be assigned to any authenticated user via the any-authenticated attribute on the data-role element.
+    <LI><B>Materialized View Performance</B> - materialized view tables will now automatically create and use non-unique secondary indexes for unique constraints and indexes defined on the view.   
 </UL>
 
 <h2><a name="Compatibility">Compatibility Issues</a></h2>
 <ul>
   <li>Support for named parameter syntax using param=value has been deprecated, since it is ambiguous with a comparison predicate boolean value expression.  param<b>=></b>value should be used instead.  
 </ul>
+<h4>from 7.1</h4>
+<ul>
+  <li>Model visibility no longer restricts access to tables and procedures.  Setting visible to false will only hide entries from system tables.  Data roles should be used to restrict data access.
+</ul>
 <h4>from 7.0</h4>
 <ul>
   <li>The term data policy was replaced with data role.  The AdminAPI methods for adding role mappings have changed from addRoleToDataPolicy and removeRoleFromDataPolicy to addDataRoleMapping and removeDataRoleMapping respectively.

Modified: branches/7.1.x/documentation/caching-guide/src/main/docbook/en-US/content/codetable.xml
===================================================================
--- branches/7.1.x/documentation/caching-guide/src/main/docbook/en-US/content/codetable.xml	2010-08-30 03:21:37 UTC (rev 2501)
+++ branches/7.1.x/documentation/caching-guide/src/main/docbook/en-US/content/codetable.xml	2010-08-30 15:39:33 UTC (rev 2502)
@@ -60,7 +60,7 @@
 				<para>More control of the cache hint.</para>
 			</listitem>
 			<listitem>
-				<para>The ability to use option nocache.</para>
+				<para>The ability to use <link linkend="nocache">OPTION NOCACHE</link>.</para>
 			</listitem>
 			<listitem>
 				<para>Usage of a materialized view lookup as an uncorrelated subquery is no different than the use of the lookup function.</para>

Modified: branches/7.1.x/documentation/caching-guide/src/main/docbook/en-US/content/matviews.xml
===================================================================
--- branches/7.1.x/documentation/caching-guide/src/main/docbook/en-US/content/matviews.xml	2010-08-30 03:21:37 UTC (rev 2501)
+++ branches/7.1.x/documentation/caching-guide/src/main/docbook/en-US/content/matviews.xml	2010-08-30 15:39:33 UTC (rev 2502)
@@ -162,9 +162,21 @@
 				</para>
 	 		</section>
 		</section>
-		<section>
+		<section id="internal-index">
 			<title>Secondary Indexes</title>
-			<para>Function based indexes, Covering indexes, converting unique to index</para>
+			<para>Internal materialized view tables will automatically create non-unique indexes for each unique constraint and index defined on the materialized view.  
+			These indexes are created as non-unique even for unique constraints since the materialized table is not intended as an enforcement point for data integrity 
+			and when updatable the table may not be consistent with underlying values and thus unable to satisfy constraints.  The primary key (if it exists) of the view will automatically be part of the covered columns for the index.</para>
+			<para>The secondary indexes are always created as trees - bitmap or hash indexes are not supported.  Teiid's metadata for indexes is currently limited.  
+			We are not currently able to capture additional information, such as specifying the evluated expressions, sort direction, additional columns to cover, etc.  You may workaround some of these limitations though.  
+			<itemizedlist>
+				<listitem><para>If a function based index is needed, consider adding another column to the view that projects the funciton expression, then place an index on that new column.  
+			Queries to the view will need to be modified as appropiate though to make use of the new column/index.</para></listitem>
+				<listitem><para>If additional covered columns are needed, they may simply be added to the index columns.  This however is only applicable to comparable types.  
+				Adding additional columns will increase the amount of space used by the index, but may allow 
+			its usage to result in higher performance when only the covered columns are used and the main table is not consulted.</para></listitem>
+			</itemizedlist>
+			</para>
 		</section>
 	</section>
 </chapter>

Modified: branches/7.1.x/documentation/reference/src/main/docbook/en-US/content/dataroles.xml
===================================================================
--- branches/7.1.x/documentation/reference/src/main/docbook/en-US/content/dataroles.xml	2010-08-30 03:21:37 UTC (rev 2501)
+++ branches/7.1.x/documentation/reference/src/main/docbook/en-US/content/dataroles.xml	2010-08-30 15:39:33 UTC (rev 2502)
@@ -6,11 +6,18 @@
 <chapter id="dataroles">
     <title>Data Roles</title>
     <para>Data roles, also called entitlements, are sets of permissions defined 
-    per VDB that dictate data access (create, read,  update, delete). The use of data roles can be disabled system wide with the property in 
-    &jboss-beans; file in bean configuration section of <code>RuntimeEngineDeployer</code> with property <code>useDataRoles</code>.</para>
+    per VDB that dictate data access (create, read,  update, delete). Data roles use a fine-grained permission system that Teiid will enforce
+     at runtime and provide audit log entries for access violations (see that Admin and Developers Guide for more on Audit Logging).</para>
     
-    <para>If data roles is enabled and data roles are defined in a VDB, then access permissions will be enforced by the Teiid Server.</para>
+    <para>Prior to applying data roles, you should consider restricting source system access through the fundamental design of your VDB.  
+    Foremost, Teiid can only access source entries that are represented in imported metadata.  You should narrow imported metadata to only what
+     is necessary for use by your VDB.  When using Teiid Designer, you may then go further and modify the imported metadata at a granular
+      level to remove specific columns, mark tables as non-updatable, etc.</para>
     
+    <para>If data roles is enabled and data roles are defined in a VDB, then access permissions will be enforced by the Teiid Server.  
+    The use of data roles may be disabled system wide via the
+    &jboss-beans; file, by setting the property <code>useDataRoles</code> to false in the configuration section of the <code>RuntimeEngineDeployer</code>.</para>
+    
     <warning><para>Unlike previous versions of Teiid data roles will only be checked if present in a VDB.  
     A VDB deployed without data roles is open for use by any authenticated user.</para></warning>
 
@@ -81,14 +88,15 @@
 
 	<section>
 		<title>XML Definition</title>
-	    <para>Data roles are defined inside the <code>vdb.xml</code> file (inside the .vdb Zip archive under META-INF/vdb.xml) if you used Designer. 
-    This example will show a sample "vdb.xml" file with few simple data rules.</para>
+	    <para>Data roles are defined inside the <code>vdb.xml</code> file (inside the .vdb Zip archive under META-INF/vdb.xml) if you used Designer.  
+	    The "vdb.xml" file is checked against the schema file <code>vdb-deployer.xsd</code>, which can be found in the kit under teiid-docs/schema.
+	    This example will show a sample "vdb.xml" file with few simple data roles.</para>
     
     <para>For example, if a VDB defines a table "TableA" in schema "modelName" with columns (column1, column2) - note that the column types do not matter.  And we wish to define three roles "RoleA", "RoleB", "RoleC" with following permissions:
    <orderedlist>
-    <listitem><para>RoleA has privileges to read, write access to TableA, but can not delete.</para></listitem>
-    <listitem><para>RoleB has no privileges that allow access to TableA</para></listitem>
-    <listitem><para>RoleC has privileges that only allow read access to TableA.column1</para></listitem>
+    <listitem><para>RoleA has permissions to read, write access to TableA, but can not delete.</para></listitem>
+    <listitem><para>RoleB has no permissions that allow access to TableA</para></listitem>
+    <listitem><para>RoleC has permissions that only allow read access to TableA.column1</para></listitem>
    </orderedlist>
 	</para>
     <example><title>vdb.xml defining RoleA, RoleB, and RoleC</title>
@@ -109,20 +117,6 @@
             <allow-update>true</allow-update>
         </permission>
 
-        <permission>
-            <resource-name>modelName.TableA.colum1</resource-name>
-            <allow-create>true</allow-create>
-            <allow-read>true</allow-read>
-            <allow-update>true</allow-update>
-        </permission>
-
-        <permission>
-            <resource-name>modelName.TableA.column2</resource-name>
-            <allow-create>true</allow-create>
-            <allow-read>true</allow-read>
-            <allow-update>true</allow-update>
-        </permission>
-
         <mapped-role-name>role1</mapped-role-name>
 
     </data-role>
@@ -136,8 +130,8 @@
         </permission>
 
         <permission>
-            <resource-name>modelName.TableA.colum1</resource-name>
-            <allow-read>true</allow-read>
+            <resource-name>modelName.TableA.colum2</resource-name>
+            <allow-read>false</allow-read>
         </permission>
 
         <mapped-role-name>role2</mapped-role-name>
@@ -145,14 +139,17 @@
 </vdb>]]></programlisting>    
 </example>   
    <para>The above XML defined two data roles, "RoleA" which allows everything except delete on the table, "RoleC" that 
-   allows only read operation on the table. Since Teiid uses deny by default, there is no explicit data-role entry needed for "RoleB".  The "mapped-role-name" defines the JAAS "role" to whom these policies are applicable.</para>
+   allows only read operation on the table. Since Teiid uses deny by default, there is no explicit data-role entry needed for "RoleB".  Note that explicit column permissions are 
+   not needed for RoleA, since the parent resource path, modelName.TableA, permissions still apply.  RoleC however must explicitly disallow read to column2.</para>  
    
-   <para>For assigning roles to your users in the JBoss AS, 
-   check out the instructions for the selected Login Module. Check the "Admin Guide" for configuring Login Modules.</para> 
+   <para>The "mapped-role-name" defines the container JAAS roles that are assigned the data role.  For assigning roles to your users in the JBoss AS, 
+   check out the instructions for the selected Login Module. Check the "Admin Guide" for configuring Login Modules.  You may also choose to allow any
+   authenticated user to have a data role by setting the any-authenticated attribute value to true on data-role element.</para> 
    
-   <para>The "vdb.xml" file is checked against the schema file <code>vdb-deployer.xsd</code>, check the documents sections of the Teiid kit
-   to find a copy of the schema file.</para>
-   
 	</section>
-
+	<section>
+		<title>System Functions</title>
+		<para>The <code>hasRole</code> system function will return true if the current user has the given data role.  
+		The <code>hasRole</code> function can be used in procedure or view definitions to allow for a more dynamic application of security - which allows for things such as value masking or row level security.</para>
+	</section>
 </chapter>
\ No newline at end of file

Modified: branches/7.1.x/engine/src/main/java/org/teiid/query/tempdata/IndexInfo.java
===================================================================
--- branches/7.1.x/engine/src/main/java/org/teiid/query/tempdata/IndexInfo.java	2010-08-30 03:21:37 UTC (rev 2501)
+++ branches/7.1.x/engine/src/main/java/org/teiid/query/tempdata/IndexInfo.java	2010-08-30 15:39:33 UTC (rev 2502)
@@ -32,6 +32,8 @@
 import org.teiid.common.buffer.TupleBrowser;
 import org.teiid.common.buffer.TupleSource;
 import org.teiid.core.TeiidComponentException;
+import org.teiid.logging.LogConstants;
+import org.teiid.logging.LogManager;
 import org.teiid.query.processor.CollectionTupleSource;
 import org.teiid.query.processor.relational.RelationalNode;
 import org.teiid.query.sql.lang.CompareCriteria;
@@ -67,23 +69,25 @@
 			covering = true;
 		}
 		if (table.getPkLength() > 0) {
-			processCriteria(condition);
+			processCriteria(condition, primary);
 			if (orderBy != null && (covering || this.table.getColumnMap().keySet().containsAll(orderBy.getSortKeys()))) {
 				ordering = useIndexForOrderBy(orderBy);
 			}
 		}
 	}
 
-	private void processCriteria(Criteria condition) {
+	private void processCriteria(Criteria condition, boolean primary) {
 		List<Criteria> crits = Criteria.separateCriteriaByAnd(condition);
-		for (Iterator<Criteria> critIter = crits.iterator(); critIter.hasNext();) {
-			Criteria criteria = critIter.next();
-			if (table.getColumnMap().keySet().containsAll(ElementCollectorVisitor.getElements(criteria, false))) {
-				coveredCriteria.add(criteria);
-			} else {
-				covering = false;
-				nonCoveredCriteria.add(criteria);
-				critIter.remove();
+		if (!primary) {
+			for (Iterator<Criteria> critIter = crits.iterator(); critIter.hasNext();) {
+				Criteria criteria = critIter.next();
+				if (table.getColumnMap().keySet().containsAll(ElementCollectorVisitor.getElements(criteria, false))) {
+					coveredCriteria.add(criteria);
+				} else {
+					covering = false;
+					nonCoveredCriteria.add(criteria);
+					critIter.remove();
+				}
 			}
 		}
 		for (int i = 0; i < table.getPkLength(); i++) {
@@ -244,11 +248,17 @@
 	}
 	
 	TupleBrowser createTupleBrowser() throws TeiidComponentException {
-		boolean direction = ordering == null ? OrderBy.ASC : ordering;
+		boolean direction = OrderBy.ASC;
+		if (ordering != null) {
+			LogManager.logDetail(LogConstants.CTX_DQP, "Using index for ordering"); //$NON-NLS-1$
+			direction = ordering;
+		}
 		if (valueTs != null) {
+			LogManager.logDetail(LogConstants.CTX_DQP, "Using index value set"); //$NON-NLS-1$
 			return new TupleBrowser(this.table.getTree(), valueTs, direction);
 		}
 		if (!valueSet.isEmpty()) {
+			LogManager.logDetail(LogConstants.CTX_DQP, "Using index value set"); //$NON-NLS-1$
 			CollectionTupleSource cts = null;
 			if (direction == OrderBy.ASC) {
 				cts = new CollectionTupleSource(valueSet.iterator());
@@ -271,6 +281,9 @@
 			}
 			return new TupleBrowser(this.table.getTree(), cts, direction);
 		}
+		if (lower != null || upper != null) {
+			LogManager.logDetail(LogConstants.CTX_DQP, "Using index for range query", lower, upper); //$NON-NLS-1$
+		} 
 		return new TupleBrowser(this.table.getTree(), lower, upper, direction);
 	}
 	

Modified: branches/7.1.x/engine/src/main/java/org/teiid/query/tempdata/TempTable.java
===================================================================
--- branches/7.1.x/engine/src/main/java/org/teiid/query/tempdata/TempTable.java	2010-08-30 03:21:37 UTC (rev 2501)
+++ branches/7.1.x/engine/src/main/java/org/teiid/query/tempdata/TempTable.java	2010-08-30 15:39:33 UTC (rev 2502)
@@ -315,6 +315,7 @@
 		IndexInfo primary = new IndexInfo(this, projectedCols, condition, orderBy, true);
 		IndexInfo ii = primary;
 		if (indexTables != null && (condition != null || orderBy != null) && ii.valueSet.size() != 1) {
+			LogManager.logDetail(LogConstants.CTX_DQP, "Considering indexes on table", this, "for query", projectedCols, condition, orderBy); //$NON-NLS-1$ //$NON-NLS-2$
 			int rowCost = this.tree.getRowCount();
 			int bestCost = estimateCost(orderBy, ii, rowCost);
 			for (TempTable table : this.indexTables.values()) {
@@ -325,6 +326,7 @@
 					bestCost = cost;
 				}
 			}
+			LogManager.logDetail(LogConstants.CTX_DQP, "Choose index", ii.table, "covering:", ii.coveredCriteria,"ordering:", ii.ordering); //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
 			if (ii.covering) {
 				return ii.table.createTupleSource(projectedCols, condition, orderBy, ii);
 			}
@@ -345,7 +347,6 @@
 					Criteria.combineCriteria(ii.coveredCriteria), pkOrderBy, ii);
 			return createTupleSource(projectedCols, Criteria.combineCriteria(ii.nonCoveredCriteria), orderBy, primary);
 		}
-		
 		return createTupleSource(projectedCols, condition, orderBy, ii);
 	}

More information about the teiid-commits mailing list