[teiid-issues] [JBoss JIRA] (TEIID-5798) Mixed PERMISSION GRANTS

Steven Hawkins (Jira) issues at jboss.org
Mon Nov 25 16:10:00 EST 2019 

    [ https://issues.jboss.org/browse/TEIID-5798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13817578#comment-13817578 ] 

Steven Hawkins commented on TEIID-5798:
---------------------------------------

Old syntax example:

{code}
GRANT SELECT,INSERT ON TABLE tbl CONDITION col = user() TO role;  -- defaults to CONSTRAINT

New:

{code}
GRANT SELECT,INSERT ON tbl TO role;
CREATE POLICY pname ON tbl FOR SELECT,INSERT TO role USING col = user() WITH CHECK; -- effectively WITH CHECK col = user()
{code}

In creating a new implementation we would need to under the covers do a similar conversion - where the policy name is effectively derived.  Another simplification would be to only support a single role target, rather than a role list.  That would address creating another container concept for this style of grant and instead we could put the grants directly on the DataPolicyMetadata - the same would go for masks.

The "mixed" from above:

{code}
GRANT SELECT,INSERT,UPDATE,DELETE ON tbl TO role; -- could add an ALL option
CREATE POLICY pname ON tbl FOR INSERT,UPDATE,DELETE TO role USING col = user() WITH CHECK;
{code}


> Mixed PERMISSION GRANTS
> -----------------------
>
>                 Key: TEIID-5798
>                 URL: https://issues.jboss.org/browse/TEIID-5798
>             Project: Teiid
>          Issue Type: Enhancement
>          Components: Query Engine
>            Reporter: Christoph John
>            Assignee: Steven Hawkins
>            Priority: Major
>             Fix For: 13.0
>
>   Original Estimate: 6 hours
>  Remaining Estimate: 6 hours
>
> Hello,
> I am currently trying to set a set of permissions on a table/view. Hence a condition on INSERT,UPDATE,DELETE and an unconditioned SELECT.
> However, it seems that conditioned and unconditioned GRANT statements do not work together.
> {code}
> GRANT INSERT,UPDATE,DELETE ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" CONDITION 'UserDefinedProducts_SRC.fkProfile in  (SELECT Account.idProfile FROM Account WHERE Account.uuidUser = LEFT(user(), 36) )' TO odata;
> GRANT SELECT ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" TO odata;
> REVOKE ALTER,EXECUTE ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" FROM odata;
> {code}



--
This message was sent by Atlassian Jira
(v7.13.8#713008)

More information about the teiid-issues mailing list