[teiid-commits] teiid SVN: r3135 - in trunk: client/src/main/java/org/teiid/adminapi/impl and 8 other directories.
teiid-commits at lists.jboss.org
teiid-commits at lists.jboss.org
Mon May 2 14:34:41 EDT 2011
Author: shawkins
Date: 2011-05-02 14:34:41 -0400 (Mon, 02 May 2011)
New Revision: 3135
Modified:
trunk/client/src/main/java/org/teiid/adminapi/DataPolicy.java
trunk/client/src/main/java/org/teiid/adminapi/impl/DataPolicyMetadata.java
trunk/client/src/main/resources/vdb-deployer.xsd
trunk/documentation/reference/src/main/docbook/en-US/content/dataroles.xml
trunk/engine/src/main/java/org/teiid/dqp/internal/process/AuthorizationValidationVisitor.java
trunk/engine/src/main/java/org/teiid/query/sql/navigator/PreOrPostOrderNavigator.java
trunk/engine/src/main/java/org/teiid/query/sql/visitor/CommandCollectorVisitor.java
trunk/engine/src/main/java/org/teiid/query/validator/AbstractValidationVisitor.java
trunk/engine/src/main/java/org/teiid/query/validator/ValidationVisitor.java
trunk/engine/src/main/java/org/teiid/query/validator/Validator.java
trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestAuthorizationValidationVisitor.java
trunk/engine/src/test/java/org/teiid/query/validator/TestAlterValidation.java
Log:
TEIID-1574 adding permissions for alter/execute
Modified: trunk/client/src/main/java/org/teiid/adminapi/DataPolicy.java
===================================================================
--- trunk/client/src/main/java/org/teiid/adminapi/DataPolicy.java 2011-05-02 17:02:28 UTC (rev 3134)
+++ trunk/client/src/main/java/org/teiid/adminapi/DataPolicy.java 2011-05-02 18:34:41 UTC (rev 3135)
@@ -25,7 +25,7 @@
public interface DataPolicy {
- public enum PermissionType {CREATE, READ, UPDATE, DELETE};
+ public enum PermissionType {CREATE, READ, UPDATE, DELETE, ALTER, EXECUTE};
/**
* Get the Name of the Data Policy
@@ -92,6 +92,18 @@
* Is "DELETE" allowed?
* @return
*/
- Boolean getAllowDelete();
+ Boolean getAllowDelete();
+
+ /**
+ * Is "ALTER" allowed?
+ * @return
+ */
+ Boolean getAllowAlter();
+
+ /**
+ * Is "EXECUTE" allowed?
+ * @return
+ */
+ Boolean getAllowExecute();
}
}
Modified: trunk/client/src/main/java/org/teiid/adminapi/impl/DataPolicyMetadata.java
===================================================================
--- trunk/client/src/main/java/org/teiid/adminapi/impl/DataPolicyMetadata.java 2011-05-02 17:02:28 UTC (rev 3134)
+++ trunk/client/src/main/java/org/teiid/adminapi/impl/DataPolicyMetadata.java 2011-05-02 18:34:41 UTC (rev 3135)
@@ -146,7 +146,9 @@
"allowCreate",
"allowRead",
"allowUpdate",
- "allowDelete"
+ "allowDelete",
+ "allowExecute",
+ "allowAlter"
})
@ManagementObject(properties=ManagementProperties.EXPLICIT)
public static class PermissionMetaData implements DataPermission, Serializable {
@@ -162,6 +164,10 @@
protected Boolean allowUpdate;
@XmlElement(name = "allow-delete")
protected Boolean allowDelete;
+ @XmlElement(name = "allow-execute")
+ protected Boolean allowExecute;
+ @XmlElement(name = "allow-alter")
+ protected Boolean allowAlter;
@Override
@ManagementProperty(description="Resource Name, for which permission defined")
@@ -229,13 +235,25 @@
if (Boolean.TRUE.equals(getAllowDelete())) {
sb.append("D");//$NON-NLS-1$
}
+ if (Boolean.TRUE.equals(getAllowExecute())) {
+ sb.append("E");//$NON-NLS-1$
+ }
+ if (Boolean.TRUE.equals(getAllowAlter())) {
+ sb.append("A");//$NON-NLS-1$
+ }
return sb.toString();
}
public Boolean allows(PermissionType type) {
switch (type) {
+ case ALTER:
+ return getAllowAlter();
case CREATE:
return getAllowCreate();
+ case EXECUTE:
+ if (getAllowExecute() != null) {
+ return getAllowExecute();
+ }
case READ:
return getAllowRead();
case UPDATE:
@@ -246,7 +264,27 @@
throw new AssertionError();
}
- public String toString() {
+ @Override
+ @ManagementProperty(description="Allows Alter")
+ public Boolean getAllowAlter() {
+ return allowAlter;
+ }
+
+ @Override
+ @ManagementProperty(description="Allows Execute")
+ public Boolean getAllowExecute() {
+ return allowExecute;
+ }
+
+ public void setAllowAlter(Boolean allowAlter) {
+ this.allowAlter = allowAlter;
+ }
+
+ public void setAllowExecute(Boolean allowExecute) {
+ this.allowExecute = allowExecute;
+ }
+
+ public String toString() {
StringBuilder sb = new StringBuilder();
sb.append(getResourceName());
sb.append("["); //$NON-NLS-1$
Modified: trunk/client/src/main/resources/vdb-deployer.xsd
===================================================================
--- trunk/client/src/main/resources/vdb-deployer.xsd 2011-05-02 17:02:28 UTC (rev 3134)
+++ trunk/client/src/main/resources/vdb-deployer.xsd 2011-05-02 18:34:41 UTC (rev 3135)
@@ -93,6 +93,8 @@
<xs:element name="allow-read" type="xs:boolean" minOccurs="0"/>
<xs:element name="allow-update" type="xs:boolean" minOccurs="0"/>
<xs:element name="allow-delete" type="xs:boolean" minOccurs="0"/>
+ <xs:element name="allow-execute" type="xs:boolean" minOccurs="0"/>
+ <xs:element name="allow-alter" type="xs:boolean" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
Modified: trunk/documentation/reference/src/main/docbook/en-US/content/dataroles.xml
===================================================================
--- trunk/documentation/reference/src/main/docbook/en-US/content/dataroles.xml 2011-05-02 17:02:28 UTC (rev 3134)
+++ trunk/documentation/reference/src/main/docbook/en-US/content/dataroles.xml 2011-05-02 18:34:41 UTC (rev 3135)
@@ -73,16 +73,20 @@
</orderedlist>
<orderedlist>
- <para>To process a <emphasis>EXEC</emphasis> statement, the user account requires the following access rights:</para>
- <listitem> <para><emphasis>READ</emphasis> - on the Procedure being executed.</para></listitem>
+ <para>To process a <emphasis>EXEC/CALL</emphasis> statement, the user account requires the following access rights:</para>
+ <listitem> <para><emphasis>EXECUTE (or READ)</emphasis> - on the Procedure being executed.</para></listitem>
</orderedlist>
<orderedlist>
<para>To process any function, the user account requires the following access rights:</para>
- <listitem> <para><emphasis>READ</emphasis> - on the Function being called.</para> </listitem>
- <note><para>For backwards compatibility RuntimeEngineDeployer.allowFunctionCallsByDefault located in the &jboss-beans; file in the <code>RuntimeEngineDeployer</code> section defaults to true.
- This means that to actually require permissions for functions, you need to set this property to false.</para></note>
+ <listitem> <para><emphasis>EXECUTE (or READ)</emphasis> - on the Function being called.</para> <note><para>For backwards compatibility RuntimeEngineDeployer.allowFunctionCallsByDefault located in the &jboss-beans; file in the <code>RuntimeEngineDeployer</code> section defaults to true.
+ This means that to actually require permissions for functions, you need to set this property to false.</para></note></listitem>
</orderedlist>
+
+ <orderedlist>
+ <para>To process any ALTER or CREATE TRIGGER statement, the user account requires the following access rights:</para>
+ <listitem> <para><emphasis>ALTER</emphasis> - on the view or procedure that is effected. INSTEAD OF Triggers (update procedures) are not yet treated as full schema objects and are instead treated as attributes of the view.</para></listitem>
+ </orderedlist>
</section>
Modified: trunk/engine/src/main/java/org/teiid/dqp/internal/process/AuthorizationValidationVisitor.java
===================================================================
--- trunk/engine/src/main/java/org/teiid/dqp/internal/process/AuthorizationValidationVisitor.java 2011-05-02 17:02:28 UTC (rev 3134)
+++ trunk/engine/src/main/java/org/teiid/dqp/internal/process/AuthorizationValidationVisitor.java 2011-05-02 18:34:41 UTC (rev 3135)
@@ -51,6 +51,9 @@
import org.teiid.query.metadata.TempMetadataID;
import org.teiid.query.resolver.util.ResolverUtil;
import org.teiid.query.sql.LanguageObject;
+import org.teiid.query.sql.lang.AlterProcedure;
+import org.teiid.query.sql.lang.AlterTrigger;
+import org.teiid.query.sql.lang.AlterView;
import org.teiid.query.sql.lang.Create;
import org.teiid.query.sql.lang.Delete;
import org.teiid.query.sql.lang.Drop;
@@ -78,6 +81,7 @@
UPDATE,
DELETE,
FUNCTION,
+ ALTER,
STORED_PROCEDURE;
}
@@ -108,6 +112,21 @@
Collection<GroupSymbol> symbols = Arrays.asList(obj.getTable());
validateTemp(resources, symbols, Context.CREATE);
}
+
+ @Override
+ public void visit(AlterProcedure obj) {
+ validateEntitlements(Arrays.asList(obj.getTarget()), DataPolicy.PermissionType.ALTER, Context.ALTER);
+ }
+
+ @Override
+ public void visit(AlterTrigger obj) {
+ validateEntitlements(Arrays.asList(obj.getTarget()), DataPolicy.PermissionType.ALTER, obj.isCreate()?Context.CREATE:Context.ALTER);
+ }
+
+ @Override
+ public void visit(AlterView obj) {
+ validateEntitlements(Arrays.asList(obj.getTarget()), DataPolicy.PermissionType.ALTER, Context.ALTER);
+ }
private void validateTemp(Set<String> resources,
Collection<GroupSymbol> symbols, Context context) {
@@ -190,7 +209,7 @@
if (schema != null && !isSystemSchema(schema)) {
Map<String, Function> map = new HashMap<String, Function>();
map.put(schema + '.' + obj.getFunctionDescriptor().getName(), obj);
- validateEntitlements(PermissionType.READ, Context.FUNCTION, map);
+ validateEntitlements(PermissionType.EXECUTE, Context.FUNCTION, map);
}
}
}
@@ -212,12 +231,15 @@
*/
protected void validateEntitlements(Update obj) {
// Check that all elements used in criteria have read permission
+ HashSet<ElementSymbol> elements = new HashSet<ElementSymbol>();
+ ElementCollectorVisitor.getElements(obj.getChangeList().getClauseMap().values(), elements);
if (obj.getCriteria() != null) {
- validateEntitlements(
- ElementCollectorVisitor.getElements(obj.getCriteria(), true),
+ ElementCollectorVisitor.getElements(obj.getCriteria(), elements);
+ }
+ validateEntitlements(
+ elements,
DataPolicy.PermissionType.READ,
Context.UPDATE);
- }
// The variables from the changes must be checked for UPDATE entitlement
// validateEntitlements on all the variables used in the update.
@@ -278,7 +300,7 @@
* Validate query entitlements
*/
protected void validateEntitlements(StoredProcedure obj) {
- validateEntitlements(Arrays.asList(obj.getGroup()), DataPolicy.PermissionType.READ, Context.STORED_PROCEDURE);
+ validateEntitlements(Arrays.asList(obj.getGroup()), DataPolicy.PermissionType.EXECUTE, Context.STORED_PROCEDURE);
}
/**
Modified: trunk/engine/src/main/java/org/teiid/query/sql/navigator/PreOrPostOrderNavigator.java
===================================================================
--- trunk/engine/src/main/java/org/teiid/query/sql/navigator/PreOrPostOrderNavigator.java 2011-05-02 17:02:28 UTC (rev 3134)
+++ trunk/engine/src/main/java/org/teiid/query/sql/navigator/PreOrPostOrderNavigator.java 2011-05-02 18:34:41 UTC (rev 3135)
@@ -674,7 +674,9 @@
public void visit(AlterProcedure obj) {
preVisitVisitor(obj);
visitNode(obj.getTarget());
- visitNode(obj.getDefinition());
+ if (deep) {
+ visitNode(obj.getDefinition());
+ }
postVisitVisitor(obj);
}
@@ -682,7 +684,9 @@
public void visit(AlterTrigger obj) {
preVisitVisitor(obj);
visitNode(obj.getTarget());
- visitNode(obj.getDefinition());
+ if (deep) {
+ visitNode(obj.getDefinition());
+ }
postVisitVisitor(obj);
}
@@ -690,7 +694,9 @@
public void visit(AlterView obj) {
preVisitVisitor(obj);
visitNode(obj.getTarget());
- visitNode(obj.getDefinition());
+ if (deep) {
+ visitNode(obj.getDefinition());
+ }
postVisitVisitor(obj);
}
Modified: trunk/engine/src/main/java/org/teiid/query/sql/visitor/CommandCollectorVisitor.java
===================================================================
--- trunk/engine/src/main/java/org/teiid/query/sql/visitor/CommandCollectorVisitor.java 2011-05-02 17:02:28 UTC (rev 3134)
+++ trunk/engine/src/main/java/org/teiid/query/sql/visitor/CommandCollectorVisitor.java 2011-05-02 18:34:41 UTC (rev 3135)
@@ -27,9 +27,6 @@
import org.teiid.query.sql.LanguageObject;
import org.teiid.query.sql.LanguageVisitor;
-import org.teiid.query.sql.lang.AlterProcedure;
-import org.teiid.query.sql.lang.AlterTrigger;
-import org.teiid.query.sql.lang.AlterView;
import org.teiid.query.sql.lang.BatchedUpdateCommand;
import org.teiid.query.sql.lang.Command;
import org.teiid.query.sql.lang.ExistsCriteria;
@@ -119,23 +116,6 @@
this.commands.addAll(obj.getUpdateCommands());
}
- @Override
- public void visit(AlterProcedure alterProcedure) {
- this.commands.add(alterProcedure.getDefinition());
- }
-
- @Override
- public void visit(AlterTrigger alterTrigger) {
- if (alterTrigger.getDefinition() != null) {
- this.commands.add(alterTrigger.getDefinition());
- }
- }
-
- @Override
- public void visit(AlterView alterView) {
- this.commands.add(alterView.getDefinition());
- }
-
/**
* Helper to quickly get the commands from obj
* @param obj Language object
Modified: trunk/engine/src/main/java/org/teiid/query/validator/AbstractValidationVisitor.java
===================================================================
--- trunk/engine/src/main/java/org/teiid/query/validator/AbstractValidationVisitor.java 2011-05-02 17:02:28 UTC (rev 3134)
+++ trunk/engine/src/main/java/org/teiid/query/validator/AbstractValidationVisitor.java 2011-05-02 18:34:41 UTC (rev 3135)
@@ -45,7 +45,7 @@
private LanguageObject exceptionObject;
// Validation error handling
- private ValidatorReport report;
+ protected ValidatorReport report;
private QueryMetadataInterface metadata;
Modified: trunk/engine/src/main/java/org/teiid/query/validator/ValidationVisitor.java
===================================================================
--- trunk/engine/src/main/java/org/teiid/query/validator/ValidationVisitor.java 2011-05-02 17:02:28 UTC (rev 3134)
+++ trunk/engine/src/main/java/org/teiid/query/validator/ValidationVisitor.java 2011-05-02 18:34:41 UTC (rev 3135)
@@ -1434,6 +1434,7 @@
public void visit(AlterView obj) {
try {
QueryResolver.validateProjectedSymbols(obj.getTarget(), getMetadata(), obj.getDefinition());
+ Validator.validate(obj.getDefinition(), getMetadata(), this);
} catch (QueryValidatorException e) {
handleValidationError(e.getMessage(), obj.getDefinition());
} catch (TeiidComponentException e) {
@@ -1449,6 +1450,7 @@
handleValidationError(QueryPlugin.Util.getString("ValidationVisitor.not_a_procedure", gs), gs); //$NON-NLS-1$
return;
}
+ Validator.validate(obj.getDefinition(), getMetadata(), this);
StoredProcedureInfo info = getMetadata().getStoredProcedureInfoForProcedure(gs.getName());
for (SPParameter param : info.getParameters()) {
if (param.getParameterType() == SPParameter.RESULT_SET) {
@@ -1466,6 +1468,13 @@
@Override
public void visit(AlterTrigger obj) {
validateGroupSupportsUpdate(obj.getTarget());
+ try {
+ if (obj.getDefinition() != null) {
+ Validator.validate(obj.getDefinition(), getMetadata(), this);
+ }
+ } catch (TeiidComponentException e) {
+ handleException(e);
+ }
}
//TODO: it may be simpler to catch this in the parser
Modified: trunk/engine/src/main/java/org/teiid/query/validator/Validator.java
===================================================================
--- trunk/engine/src/main/java/org/teiid/query/validator/Validator.java 2011-05-02 17:02:28 UTC (rev 3134)
+++ trunk/engine/src/main/java/org/teiid/query/validator/Validator.java 2011-05-02 18:34:41 UTC (rev 3135)
@@ -51,9 +51,9 @@
// Construct combined runtime / query metadata if necessary
if(object instanceof Command) {
// Recursively validate subcommands
- Iterator iter = CommandCollectorVisitor.getCommands((Command)object).iterator();
+ Iterator<Command> iter = CommandCollectorVisitor.getCommands((Command)object).iterator();
while(iter.hasNext()) {
- Command subCommand = (Command) iter.next();
+ Command subCommand = iter.next();
validate(subCommand, metadata, visitor);
}
}
Modified: trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestAuthorizationValidationVisitor.java
===================================================================
--- trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestAuthorizationValidationVisitor.java 2011-05-02 17:02:28 UTC (rev 3134)
+++ trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestAuthorizationValidationVisitor.java 2011-05-02 18:34:41 UTC (rev 3135)
@@ -51,6 +51,7 @@
import org.teiid.query.sql.symbol.ElementSymbol;
import org.teiid.query.unittest.FakeMetadataFacade;
import org.teiid.query.unittest.FakeMetadataFactory;
+import org.teiid.query.unittest.RealMetadataFactory;
import org.teiid.query.validator.Validator;
import org.teiid.query.validator.ValidatorFailure;
import org.teiid.query.validator.ValidatorReport;
@@ -76,6 +77,12 @@
case UPDATE:
p.setAllowUpdate(flag);
break;
+ case ALTER:
+ p.setAllowAlter(flag);
+ break;
+ case EXECUTE:
+ p.setAllowExecute(flag);
+ break;
}
return p;
}
@@ -149,6 +156,13 @@
svc.setAllowCreateTemporaryTables(false);
return svc;
}
+
+ private DataPolicyMetadata examplePolicyBQT() {
+ DataPolicyMetadata svc = new DataPolicyMetadata();
+ svc.setName("test"); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.ALTER, "VQT.SmallA_2589")); //$NON-NLS-1$
+ return svc;
+ }
private void helpTest(DataPolicyMetadata policy, String sql, QueryMetadataInterface metadata, String[] expectedInaccesible, VDBMetaData vdb) throws QueryParserException, QueryResolverException, TeiidComponentException {
QueryParser parser = QueryParser.getQueryParser();
@@ -236,6 +250,10 @@
@Test public void testUpdateCriteriaInaccessibleForRead() throws Exception {
helpTest(exampleAuthSvc1(), "UPDATE pm1.g2 SET e2 = 5 WHERE e1 = 'x'", FakeMetadataFactory.example1Cached(), new String[] {"pm1.g2.e1"}, FakeMetadataFactory.example1VDB()); //$NON-NLS-1$ //$NON-NLS-2$
}
+
+ @Test public void testUpdateCriteriaInaccessibleForRead1() throws Exception {
+ helpTest(exampleAuthSvc1(), "UPDATE pm1.g2 SET e2 = cast(e1 as integer)", FakeMetadataFactory.example1Cached(), new String[] {"pm1.g2.e1"}, FakeMetadataFactory.example1VDB()); //$NON-NLS-1$ //$NON-NLS-2$
+ }
@Test public void testUpdateElementInaccessibleForUpdate() throws Exception {
helpTest(exampleAuthSvc1(), "UPDATE pm1.g1 SET e1 = 5 WHERE e1 = 'x'", FakeMetadataFactory.example1Cached(), new String[] {"pm1.g1.e1"}, FakeMetadataFactory.example1VDB()); //$NON-NLS-1$ //$NON-NLS-2$
@@ -293,6 +311,14 @@
helpTest(exampleAuthSvc1(), "select * from xmltest.doc1", FakeMetadataFactory.example1Cached(), new String[] {"xmltest.doc1"}, FakeMetadataFactory.example1VDB()); //$NON-NLS-1$ //$NON-NLS-2$
}
+ @Test public void testAlter() throws Exception {
+ helpTest(exampleAuthSvc1(), "alter view SmallA_2589 as select * from bqt1.smalla", RealMetadataFactory.exampleBQTCached(), new String[] {"SmallA_2589"}, FakeMetadataFactory.exampleBQTVDB()); //$NON-NLS-1$ //$NON-NLS-2$
+ helpTest(examplePolicyBQT(), "alter view SmallA_2589 as select * from bqt1.smalla", RealMetadataFactory.exampleBQTCached(), new String[] {}, FakeMetadataFactory.exampleBQTVDB()); //$NON-NLS-1$ //$NON-NLS-2$
+
+ helpTest(exampleAuthSvc1(), "alter trigger on SmallA_2589 INSTEAD OF UPDATE enabled", RealMetadataFactory.exampleBQTCached(), new String[] {"SmallA_2589"}, FakeMetadataFactory.exampleBQTVDB()); //$NON-NLS-1$ //$NON-NLS-2$
+ helpTest(examplePolicyBQT(), "alter trigger on SmallA_2589 INSTEAD OF UPDATE enabled", RealMetadataFactory.exampleBQTCached(), new String[] {}, FakeMetadataFactory.exampleBQTVDB()); //$NON-NLS-1$ //$NON-NLS-2$
+ }
+
private void helpTestLookupVisibility(boolean visible) throws QueryParserException, QueryValidatorException, TeiidComponentException {
VDBMetaData vdb = FakeMetadataFactory.example1VDB();
vdb.getModel("pm1").setVisible(visible); //$NON-NLS-1$
Modified: trunk/engine/src/test/java/org/teiid/query/validator/TestAlterValidation.java
===================================================================
--- trunk/engine/src/test/java/org/teiid/query/validator/TestAlterValidation.java 2011-05-02 17:02:28 UTC (rev 3134)
+++ trunk/engine/src/test/java/org/teiid/query/validator/TestAlterValidation.java 2011-05-02 18:34:41 UTC (rev 3135)
@@ -31,10 +31,15 @@
@Test public void testValidateAlterView() {
TestValidator.helpValidate("alter view SmallA_2589 as select 2", new String[] {"SELECT 2"}, RealMetadataFactory.exampleBQTCached());
TestValidator.helpValidate("alter view Defect15355 as select 'a', 1", new String[] {"SELECT 'a', 1"}, RealMetadataFactory.exampleBQTCached());
+ TestValidator.helpValidate("alter view Defect15355 as select 'a', cast(1 as biginteger)", new String[] {}, RealMetadataFactory.exampleBQTCached());
TestValidator.helpValidate("alter view SmallA_2589 as select * from bqt1.smalla", new String[] {}, RealMetadataFactory.exampleBQTCached());
}
+ @Test public void testValidateAlterViewDeep() {
+ TestValidator.helpValidate("alter view Defect15355 as select xpathvalue('a', ':'), cast(1 as biginteger)", new String[] {"xpathvalue('a', ':')"}, RealMetadataFactory.exampleBQTCached());
+ }
+
@Test public void testValidateAlterTrigger() {
TestValidator.helpValidate("alter trigger on SmallA_2589 instead of insert as for each row select 1;", new String[] {"SmallA_2589"}, RealMetadataFactory.exampleBQTCached());
}
More information about the teiid-commits
mailing list