[teiid-issues] [JBoss JIRA] (TEIID-5841) Authorization of table name that contain .

Steven Hawkins (Jira) issues at jboss.org
Thu Nov 7 15:04:00 EST 2019


    [ https://issues.jboss.org/browse/TEIID-5841?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13809799#comment-13809799 ] 

Steven Hawkins commented on TEIID-5841:
---------------------------------------

This actually extends beyond just table names as column level permissions have the same issue - column "s"."t"."c" can conflict with table "s"."t.c".  To address this I'm changing the PolicyDecider to operate over metadata records instead.  The logic down in the DataPolicyMetadata will change as well, but since it's in admin, which does not depend on api (the dependency goes the other way) it will need to still use strings but add the resource type.

> Authorization of table name that contain .
> ------------------------------------------
>
>                 Key: TEIID-5841
>                 URL: https://issues.jboss.org/browse/TEIID-5841
>             Project: Teiid
>          Issue Type: Bug
>          Components: Query Engine
>            Reporter: Steven Hawkins
>            Assignee: Steven Hawkins
>            Priority: Major
>             Fix For: 13.0
>
>   Original Estimate: 6 hours
>  Remaining Estimate: 6 hours
>
> We have a long-standing issue with the permission system mostly due to the initial api design - we only pass fully qualified names to the policy decider in the form of schema.table.  If the table name contains '.' the policy decider simplistically walks up each segment - which effectively introduces inappropriate checks.
> For example if we have:
> view "a.b" and view "a", when we check permissions for "a.b" we'll first check for the a.b resource, then the a resource - which is not appropriate.  This behavior in part was likely initially due to multi-schema import scenarios, such that the imported table names would be qualified by source schema name.  Then you could add permissions against that partially qualified name teiidSchema.sourceSchema.  That will no longer be possible if we implement TEIID-5840.



--
This message was sent by Atlassian Jira
(v7.13.8#713008)
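
The ambiguity discussed in this thread, as a simplified model added here as an example; it is not Teiid's code. The `Resource` type, the function names and the grants are hypothetical, and the typed lookup only illustrates keying permissions on resource type plus unflattened name segments.

```python
from typing import NamedTuple, Optional

def allowed_by_segment_walk(fq_name, grants):
    """String model: try the flattened name, then each shorter dotted prefix."""
    parts = fq_name.split(".")
    while parts:
        if ".".join(parts) in grants:
            return True
        parts.pop()
    return False

class Resource(NamedTuple):
    """Hypothetical typed key: resource kind plus unflattened name segments."""
    kind: str     # "schema", "table" or "column"
    path: tuple   # a dot inside one segment stays literal, e.g. ("s", "a.b")

    def parent(self) -> Optional["Resource"]:
        if self.kind == "column":
            return Resource("table", self.path[:-1])
        if self.kind == "table":
            return Resource("schema", self.path[:-1])
        return None

def allowed_by_resource(resource, grants):
    """Typed model: walk the real parent chain, never split on '.'."""
    while resource is not None:
        if resource in grants:
            return True
        resource = resource.parent()
    return False

def demo():
    """Constructed cases from the thread; returns {case: (string_model, typed_model)}."""
    view_ab = Resource("table", ("s", "a.b"))
    table_tc = Resource("table", ("s", "t.c"))
    return {
        # Grant exists only on view "a"; the request is for view "a.b".
        "view a.b vs grant on a": (
            allowed_by_segment_walk("s.a.b", {"s.a"}),
            allowed_by_resource(view_ab, {Resource("table", ("s", "a"))})),
        # Grant exists only on column "s"."t"."c"; the request is for table "s"."t.c".
        "table t.c vs grant on column c": (
            allowed_by_segment_walk("s.t.c", {"s.t.c"}),
            allowed_by_resource(table_tc, {Resource("column", ("s", "t", "c"))})),
        # A schema-level grant still covers the dotted view in both models.
        "view a.b vs grant on schema s": (
            allowed_by_segment_walk("s.a.b", {"s"}),
            allowed_by_resource(view_ab, {Resource("schema", ("s",))})),
    }

if __name__ == "__main__":
    for case, (by_string, by_type) in demo().items():
        print(f"{case}: string walk={by_string}, typed={by_type}")
```

In the first two cases the string walk authorizes a resource that was never granted, while the typed lookup denies it; the third shows that intended schema-level inheritance is unaffected.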

