[teiid-issues] [JBoss JIRA] (TEIID-3554) Audit log is missing details related to what role was applied and what info was allowed or denied

Steven Hawkins (JIRA) issues at jboss.org
Tue Jun 23 18:41:02 EDT 2015


    [ https://issues.jboss.org/browse/TEIID-3554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13083053#comment-13083053 ] 

Steven Hawkins commented on TEIID-3554:
---------------------------------------

> If so, would be good if the role that is in the VDB that controls the access be written to audit log, but not put into the exception. So when it's denied, only care what role that's important (and what the user doesn't have).

The logic is not set up that way.  A user has an associated set of roles and the permissions of those roles are checked.  There is no general mapping of resource to permission across all roles known to a vdb (and the same permission could appear in many roles).

> Additionally, when access is given, the role that was used for access

Here again the same permission could appear in many roles that a user has.  Which one is tested first does not matter.  Reporting the full set can further slow down permission processing.

> Also, if the VDB is sequenced, a report could be run between metadata and audit log to analyze for any differences.

I don't follow you here.  Anything you would want to analyze could be done statically.

>  It would be a backdoor check to make sure no one changes the VDB and gives access that isn't modeled through the standard process.

Can you elaborate on this scenario?  Are you expecting that the metadata, the roles, the role mappings, etc. can be compromised?  How would that happen and what non-compromised artifact are you comparing against?

> Audit log is missing details related to what role was applied and what info was allowed or denied
> -------------------------------------------------------------------------------------------------
>
>                 Key: TEIID-3554
>                 URL: https://issues.jboss.org/browse/TEIID-3554
>             Project: Teiid
>          Issue Type: Quality Risk
>          Components: Server
>    Affects Versions: 8.7.1.6_2
>            Reporter: Van Halbert
>            Assignee: Steven Hawkins
>         Attachments: portfolioroles_data.xlsx
>
>
> Using the dynamicvdb-dataroles quick start as the basis for triggering the audit log.   Executing the view query:  "Select * from StockPrice" .  The query will only present the "price" column value when the user has the "prices" role.  When performing queries with a user (name=teiidUser) that doesn't have the "prices" role versus one that does (name=portfolio), doesn't provide any discerning information in the audit log to indicate that a role was applied to the data.  
> Attaching excel file of the audit log data.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

