<html>
<head>
<base href="https://docs.jboss.org/author">
<link rel="stylesheet" href="/author/s/en/2172/19/5/_/styles/combined.css?spaceKey=TEIID&forWysiwyg=true" type="text/css">
</head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
<h2><a href="https://docs.jboss.org/author/display/TEIID/Custom+Authorization+Validator">Custom Authorization Validator</a></h2>
<h4>Page <b>edited</b> by <a href="https://docs.jboss.org/author/display/~shawkins">Steven Hawkins</a>
</h4>
<br/>
<h4>Changes (4)</h4>
<div id="page-diffs">
<table class="diff" cellpadding="0" cellspacing="0">
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">In situations where Teiid's built-in role mechanism is not sufficient, a custom {{org.teiid.PolicyDecider}} can be installed via JBoss module. Extend the {{org.teiid.PolicyDecider}} interface and build a custom java class. If you are using maven as your build process, you can use following dependencies <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">In situations where Teiid's built-in [Data Roles] mechanism is not sufficient, a custom {{org.teiid.PolicyDecider}} can be installed via a JBoss module. Note that a PolicyDecider only makes high-level authorization decisions based upon the access context (INSERT, UPDATE, DELETE, etc.), the caller, and the resource (column, table/view, procedure, function, etc.). Data-level column masking and row based security policy information due to its interaction with the Teiid planner cannot be injected via a custom {{org.teiid.PolicyDecider}}. You may add column masking and row based security permissions via the {{org.teiid.MetadataFactory}} in custom a {{org.teiid.MetadataRepository}} or custom translator. <br></td></tr>
<tr><td class="diff-unchanged" > <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">To provide a custom authorization validator, you must extend the {{org.teiid.PolicyDecider}} interface and build a custom java class. If you are using maven as your build process, you can use following dependencies: <br> <br></td></tr>
<tr><td class="diff-unchanged" >{code:lang=XML} <br><dependencies> <br></td></tr>
<tr><td class="diff-snipped" >...<br></td></tr>
<tr><td class="diff-unchanged" >{code} <br> <br></td></tr>
<tr><td class="diff-changed-lines" ><span class="diff-added-words"style="background-color: #dfd;">The</span> _PoilcyDecider_ interface is loaded by the Teiid using the Java's standard service loader mechanism. For this to work, add the following named file _META-INF/services/org.teiid.PolicyDecider_ with full name of your PolicyDecider implementation class as its contents. for <span class="diff-changed-words">example<span class="diff-added-chars"style="background-color: #dfd;">:</span></span> <br></td></tr>
<tr><td class="diff-unchanged" > <br>{code:title=META-INF/services/org.teiid.PolicyDecider} <br></td></tr>
<tr><td class="diff-snipped" >...<br></td></tr>
</table>
</div> <h4>Full Content</h4>
<div class="notificationGreySide">
<p>In situations where Teiid's built-in <a href="/author/display/TEIID/Data+Roles" title="Data Roles">Data Roles</a> mechanism is not sufficient, a custom <tt>org.teiid.PolicyDecider</tt> can be installed via a JBoss module. Note that a PolicyDecider only makes high-level authorization decisions based upon the access context (INSERT, UPDATE, DELETE, etc.), the caller, and the resource (column, table/view, procedure, function, etc.). Data-level column masking and row based security policy information due to its interaction with the Teiid planner cannot be injected via a custom <tt>org.teiid.PolicyDecider</tt>. You may add column masking and row based security permissions via the <tt>org.teiid.MetadataFactory</tt> in custom a <tt>org.teiid.MetadataRepository</tt> or custom translator.</p>
<p>To provide a custom authorization validator, you must extend the <tt>org.teiid.PolicyDecider</tt> interface and build a custom java class. If you are using maven as your build process, you can use following dependencies:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: xml; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
<dependencies>
<dependency>
<groupId>org.jboss.teiid</groupId>
<artifactId>teiid-api</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.jboss.teiid</groupId>
<artifactId>teiid-common-core</artifactId>
<scope>provided</scope>
</dependency>
</dependencies>
</pre>
</div></div>
<p>The <em>PoilcyDecider</em> interface is loaded by the Teiid using the Java's standard service loader mechanism. For this to work, add the following named file <em>META-INF/services/org.teiid.PolicyDecider</em> with full name of your PolicyDecider implementation class as its contents. for example:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>META-INF/services/org.teiid.PolicyDecider</b></div><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: java; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
org.jboss.teiid.auth.MyCustomPolicyDecider
</pre>
</div></div>
<p>Now package all these files into a JAR archive file and build JBoss module in <em>jboss-as/modules</em> directory. If your PolicyDecider has any third party dependencies those jar files can also be added as dependencies to the same module. Make sure you list all the files in the <em>module.xml</em> file. Below is sample module.xml file along with Teiid specific dependencies</p>
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>module.xml</b></div><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: xml; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.0" name="org.jboss.teiid.auth">
<resources>
<resource-root path="my_custom_policy.jar" />
<!--add any other dependent jars here, if they are not defined as modules -->
</resources>
<dependencies>
<module name="org.jboss.teiid.common-core"/>
<module name="org.jboss.teiid.api"/>
<module name="javax.api"/>
</dependencies>
</module>
</pre>
</div></div>
<p>create folder in the "<jboss-as>/modules/org/jboss/teiid/auth/main", copy the above <em>module.xml</em> file along with all the jar files. This directory can be different if you choose, just make sure the name of the module and the directory name match.</p>
<p>After the module has been added, change the configuration. Edit either the standalone-teiid.xml or te domain-teiid.xml file, and in the "teiid" subsystem xml fragment add the following xml with the module name created.</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: xml; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
<policy-decider-module>name</policy-decider-module>
</pre>
</div></div>
<p>then restart the system. A <tt>PolicyDecider</tt> may be consulted many times for a single user command, but it is only called to make decisions based upon resources that appear in user queries. Any further access of resources through views or stored procedures, just as with data roles, is not checked against a <tt>PolicyDecider</tt>.</p>
</div>
<div id="commentsSection" class="wiki-content pageSection">
<div style="float: right;" class="grey">
<a href="https://docs.jboss.org/author/users/removespacenotification.action?spaceKey=TEIID">Stop watching space</a>
<span style="padding: 0px 5px;">|</span>
<a href="https://docs.jboss.org/author/users/editmyemailsettings.action">Change email notification preferences</a>
</div>
<a href="https://docs.jboss.org/author/display/TEIID/Custom+Authorization+Validator">View Online</a>
|
<a href="https://docs.jboss.org/author/pages/diffpagesbyversion.action?pageId=39845895&revisedVersion=4&originalVersion=3">View Changes</a>
|
<a href="https://docs.jboss.org/author/display/TEIID/Custom+Authorization+Validator?showComments=true&showCommentArea=true#addcomment">Add Comment</a>
</div>
</div>
</div>
</div>
</div>
</body>
</html>