Author: shawkins
Date: 2011-06-06 21:21:33 -0400 (Mon, 06 Jun 2011)
New Revision: 3225
Added:
branches/7.4.x/api/src/main/java/org/teiid/PolicyDecider.java
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DataRolePolicyDecider.java
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DefaultAuthorizationValidator.java
Removed:
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DataRoleAuthorizationValidator.java
Modified:
branches/7.4.x/api/src/main/java/org/teiid/CommandContext.java
branches/7.4.x/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml
branches/7.4.x/build/kits/jboss-container/teiid-releasenotes.html
branches/7.4.x/client/src/main/java/org/teiid/adminapi/DataPolicy.java
branches/7.4.x/documentation/developer-guide/src/main/docbook/en-US/content/security.xml
branches/7.4.x/documentation/reference/src/main/docbook/en-US/content/dataroles.xml
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/AuthorizationValidationVisitor.java
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/AuthorizationValidator.java
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DQPConfiguration.java
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DQPCore.java
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DQPWorkContext.java
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/Request.java
branches/7.4.x/engine/src/main/java/org/teiid/query/util/CommandContext.java
branches/7.4.x/engine/src/test/java/org/teiid/dqp/internal/process/TestAuthorizationValidationVisitor.java
branches/7.4.x/engine/src/test/java/org/teiid/dqp/internal/process/TestPreparedStatement.java
branches/7.4.x/engine/src/test/java/org/teiid/dqp/internal/process/TestRequest.java
Log:
TEIID-1607 adding the ability to make authorization checks pluggable
Modified: branches/7.4.x/api/src/main/java/org/teiid/CommandContext.java
===================================================================
--- branches/7.4.x/api/src/main/java/org/teiid/CommandContext.java 2011-06-06 20:23:11 UTC
(rev 3224)
+++ branches/7.4.x/api/src/main/java/org/teiid/CommandContext.java 2011-06-07 01:21:33 UTC
(rev 3225)
@@ -23,12 +23,15 @@
package org.teiid;
import java.io.Serializable;
+import java.util.Map;
import java.util.Properties;
import java.util.TimeZone;
import javax.security.auth.Subject;
+import org.teiid.adminapi.DataPolicy;
import org.teiid.adminapi.Session;
+import org.teiid.adminapi.VDB;
/**
* Context information for the currently executing command.
@@ -117,5 +120,17 @@
* @return
*/
String getRequestId();
+
+ /**
+ * Get the user's data policies, never null
+ * @return
+ */
+ Map<String, DataPolicy> getAllowedDataPolicies();
+
+ /**
+ * Get the current vdb
+ * @return
+ */
+ VDB getVdb();
}
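Review bot: The two new CommandContext methods ship with empty `@return` tags (lines 54 and 60) on the very API surface a custom PolicyDecider will code against. Suggest `@return the data policies that apply to the current user, keyed by policy name; never null` (DataRolePolicyDecider.hasRole looks roles up by key, so the key is the policy/role name) and `@return the vdb the current command executes against`. Since CommandContext is a published interface, adding abstract methods also breaks any external implementor; if that is acceptable for 7.4.x it deserves a line in the release notes.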
Added: branches/7.4.x/api/src/main/java/org/teiid/PolicyDecider.java
===================================================================
--- branches/7.4.x/api/src/main/java/org/teiid/PolicyDecider.java
(rev 0)
+++ branches/7.4.x/api/src/main/java/org/teiid/PolicyDecider.java 2011-06-07 01:21:33 UTC
(rev 3225)
@@ -0,0 +1,79 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * See the COPYRIGHT.txt file distributed with this work for information
+ * regarding copyright ownership. Some portions may be licensed
+ * to Red Hat, Inc. under one or more contributor license agreements.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301 USA.
+ */
+
+package org.teiid;
+
+import java.util.Set;
+
+import org.teiid.adminapi.DataPolicy.Context;
+import org.teiid.adminapi.DataPolicy.PermissionType;
+
+/**
+ * A policy decider that reports authorization decisions for further action.
+ * A decider may be called many times for a single user command. Typically there will be
1 call for every
+ * command/subquery/temp table access/function call.
+ */
+public interface PolicyDecider {
+
+ /**
+ * Called by the system hasRole function to determine role membership.
+ * @param roleName
+ * @param context
+ * @return true if the user has the given role name, otherwise false
+ */
+ boolean hasRole(String roleName, CommandContext context);
+
+ /**
+ * Returns the set of resources not allowed to be accessed by the current user.
+ * Resource names are given based upon the FQNs (NOTE these are non-SQL names -
identifiers are not quoted).
+ * @param action
+ * @param resources
+ * @param context in which the action is performed.
+ * For example you can have a context of {@link Context#UPDATE} for a {@link
PermissionType#READ} for columns used in an UPDATE condition.
+ * @param commandContext
+ * @return the set of inaccessible resources, never null
+ */
+ Set<String> getInaccessibleResources(PermissionType action,
+ Set<String> resources, Context context,
+ CommandContext commandContext);
+
+ /**
+ * Checks if the given temp table is accessible. Typically as long as temp tables can
be created, all operations are allowed.
+ * Resource names are given based upon the FQNs (NOTE these are non-SQL names -
identifiers are not quoted).
+ * @param action
+ * @param resource
+ * @param context in which the action is performed.
+ * For example you can have a context of {@link Context#UPDATE} for a {@link
PermissionType#READ} for columns used in an UPDATE condition.
+ * @param commandContext
+ * @return true if the access is allowed, otherwise false
+ */
+ boolean isTempAccessable(PermissionType action, String resource,
+ Context context, CommandContext commandContext);
+
+ /**
+ * Determines if an authorization check should proceed
+ * @param commandContext
+ * @return
+ */
+ boolean validateCommand(CommandContext commandContext);
+
+}
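Review bot: `isTempAccessable` is misspelled in a brand-new public interface, and renaming it after 7.4 ships would break every third-party PolicyDecider, so it is cheapest to fix now: `boolean isTempAccessible(PermissionType action, String resource, Context context, CommandContext commandContext);` together with the call site in AuthorizationValidationVisitor.validateTemp. The `validateCommand` Javadoc leaves `@return` blank and does not say which value skips the check; because this interface is the authorization boundary an implementor needs that spelled out, e.g. `@return true if authorization checks should be performed for this command, false to skip them` — confirm against DefaultAuthorizationValidator, which is not in this chunk. The `@param` tags on `hasRole` and `getInaccessibleResources` are likewise empty.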
Property changes on: branches/7.4.x/api/src/main/java/org/teiid/PolicyDecider.java
___________________________________________________________________
Added: svn:mime-type
+ text/plain
Modified: branches/7.4.x/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml
===================================================================
---
branches/7.4.x/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml 2011-06-06
20:23:11 UTC (rev 3224)
+++
branches/7.4.x/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml 2011-06-07
01:21:33 UTC (rev 3225)
@@ -101,7 +101,7 @@
<property name="cacheFactory"><inject
bean="CacheFactory"/></property>
<property name="resultsetCacheConfig"><inject
bean="ResultsetCacheConfig"/></property>
<property name="preparedPlanCacheConfig"><inject
bean="PreparedPlanCacheConfig"/></property>
-
+ <property name="authorizationValidator"><inject
bean="AuthorizationValidator"/></property>
<!-- Process pool maximum thread count. (default 64) -->
<property name="maxThreads">64</property>
<!-- Max active plans (default 20). Increase this value on highly concurrent
systems - but ensure that the underlying pools can handle the increased load without
timeouts. -->
@@ -117,12 +117,6 @@
<property name="maxRowsFetchSize">20480</property>
<!-- The max lob chunk size in KB transferred each time when processing blobs,
clobs (100KB default) -->
<property name="lobChunkSizeInKB">100</property>
- <!-- Turn on role checking based upon the data roles defined in VDBs. (default
true) -->
- <property name="useDataRoles">true</property>
- <!-- Sets whether temporary table usage is allowed by default with data roles
enabled. If false, the user must have a role that grants creates temporary table rights to
use temporary tables. (default true) -->
- <property
name="allowCreateTemporaryTablesByDefault">true</property>
- <!-- Sets whether functions may be called by default with data roles enabled.
If false, a specific permission must exist to call the function. (default true) -->
- <property
name="allowFunctionCallsByDefault">true</property>
<!-- Long running query threshold, after which a alert can be generated by
tooling if configured-->
<property name="queryThresholdInSecs">600</property>
<!-- Maximum rows allowed from a source query. -1 indicates no limit. (default
-1)-->
@@ -136,6 +130,24 @@
<!-- Set to true for the engine to detect local change events. Should be
disabled if using external change data capture tools. (default true) -->
<property name="detectingChangeEvents">true</property>
</bean>
+
+ <!-- An authorization validator that by default uses data role information stored
in VDBs -->
+ <bean name="AuthorizationValidator"
class="org.teiid.dqp.internal.process.DefaultAuthorizationValidator">
+ <!-- Turn on authorization checking (default true) -->
+ <property name="enabled">true</property>
+ <!-- The policy decider to use. (default AuthorizationValidator).
+ This instance may be changed to another org.teiid.PolicyDecider if needed.
+ -->
+ <property name="policyDecider"><inject
bean="PolicyDecider"/></property>
+ </bean>
+
+ <!-- A policy decider that uses data role information stored in VDBs -->
+ <bean name="PolicyDecider"
class="org.teiid.dqp.internal.process.DataRolePolicyDecider">
+ <!-- Sets whether temporary table usage is allowed by default with data roles
enabled. If false, the user must have a role that grants creates temporary table rights to
use temporary tables. (default true) -->
+ <property
name="allowCreateTemporaryTablesByDefault">true</property>
+ <!-- Sets whether functions may be called by default with data roles enabled.
If false, a specific permission must exist to call the function. (default true) -->
+ <property
name="allowFunctionCallsByDefault">true</property>
+ </bean>
<!-- JDBC Socket connection properties (SSL see below) -->
<bean name="JdbcSocketConfiguration"
class="org.teiid.transport.SocketConfiguration">
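Review bot: The comment on the `policyDecider` property (line 217) says "(default AuthorizationValidator)", but the injected bean is `PolicyDecider`; suggest `The policy decider to use (default PolicyDecider). This instance may be changed to another org.teiid.PolicyDecider if needed.`. It would also help operators to say on the `enabled` property what turning it off means, since the old `useDataRoles` property was removed from this file in the same commit, e.g. `Turn on authorization checking. If false, no data role or PolicyDecider checks are performed (default true)` — confirm the exact semantics against DefaultAuthorizationValidator, which is not in this chunk.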
Modified: branches/7.4.x/build/kits/jboss-container/teiid-releasenotes.html
===================================================================
--- branches/7.4.x/build/kits/jboss-container/teiid-releasenotes.html 2011-06-06 20:23:11
UTC (rev 3224)
+++ branches/7.4.x/build/kits/jboss-container/teiid-releasenotes.html 2011-06-07 01:21:33
UTC (rev 3225)
@@ -58,7 +58,8 @@
<LI><B>Runtime Updates of Metadata</B> - ALTER statements have been
added to change view/procedure/INSTEAD OF trigger (update procedure) definitions. A
CREATE TRIGGER statement is also available to add an INSTEAD OF trigger (update
procedures) to views.
System procedures were added to set extension metadata and stat values. By default all
effects of metadata updates happen only on running vdbs across the cluster. To make the
changes persistent see the Developers Guide Runtime Updates section.
<LI><B>ODBC SSL</B> - added support for SSL encrypted ODBC
connections.
- <LI><B>Reauthentication Statement</B> - SET SESSION AUTHORIZATION can
now be used to perform a reauthentication via JDBC or ODBC.
+ <LI><B>Reauthentication Statement</B> - SET SESSION AUTHORIZATION can
now be used to perform a reauthentication via JDBC or ODBC.
+ <LI><B>Pluggable Authorization</B> - an alternative PolicyDecider can
be defined in the teiid-jboss-beans.xml file to customize authorization decisions.
</UL>
<h2><a name="Compatibility">Compatibility
Issues</a></h2>
Modified: branches/7.4.x/client/src/main/java/org/teiid/adminapi/DataPolicy.java
===================================================================
--- branches/7.4.x/client/src/main/java/org/teiid/adminapi/DataPolicy.java 2011-06-06
20:23:11 UTC (rev 3224)
+++ branches/7.4.x/client/src/main/java/org/teiid/adminapi/DataPolicy.java 2011-06-07
01:21:33 UTC (rev 3225)
@@ -25,8 +25,20 @@
public interface DataPolicy {
- public enum PermissionType {CREATE, READ, UPDATE, DELETE, ALTER, EXECUTE};
+ public enum Context {
+ CREATE,
+ DROP,
+ QUERY,
+ INSERT,
+ UPDATE,
+ DELETE,
+ FUNCTION,
+ ALTER,
+ STORED_PROCEDURE;
+ }
+ public enum PermissionType {CREATE, READ, UPDATE, DELETE, ALTER, EXECUTE, DROP};
+
/**
* Get the Name of the Data Policy
* @return
Modified:
branches/7.4.x/documentation/developer-guide/src/main/docbook/en-US/content/security.xml
===================================================================
---
branches/7.4.x/documentation/developer-guide/src/main/docbook/en-US/content/security.xml 2011-06-06
20:23:11 UTC (rev 3224)
+++
branches/7.4.x/documentation/developer-guide/src/main/docbook/en-US/content/security.xml 2011-06-07
01:21:33 UTC (rev 3225)
@@ -1,6 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
-<chapter id="custom_login_modules">
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY % CustomDTD SYSTEM "../../../../../../docbook/custom.dtd">
+%CustomDTD;
+]>
+<chapter>
+<title>Custom Security</title>
+<section id="custom_login_modules">
<title>Login Modules</title>
<para>The Teiid system provides a range of built-in and extensible security
features to enable the
secure access of data. For details about how to configure the available security
features check out
@@ -92,4 +97,27 @@
<para>If you are extending one of the built-in LoginModules, refer to
<ulink
url="http://community.jboss.org/docs/DOC-9466"/>.</para>
</section>
+</section>
+<section>
+ <title>Custom Authorization</title>
+ <para>In situations where Teiid's built-in role mechanism is not sufficient, a
custom
+ <code>org.teiid.PolicyDecider</code> can be installed via the
&jboss-beans; configuration file under the "AuthorizationValidator" bean.
+ <example>
+ <title>Example Configuration Snippet</title>
+ <programlisting role="XML" language="XML"><![CDATA[
+ <bean name="AuthorizationValidator"
class="org.teiid.dqp.internal.process.DefaultAuthorizationValidator">
+ <property name="enabled">true</property>
+ <property name="policyDecider"><inject
bean="PolicyDecider"/></property>
+ </bean>
+
+ <bean name="PolicyDecider"
class="com.company.CustomPolicyDecider">
+ <property name="someProperty">some value</property>
+ </bean>]]>
+ </programlisting>
+ </example>
+ Your custom <code>PolicyDecider</code> should be installed in a jar that is
made available to the same classloader as Teiid, typically the profile lib directory.
+ A <code>PolicyDecider</code> may be consulted many times for a single user
command, but it is only called to make decisions based upon resources that
+ appear in user queries. Any further access of resources through views or stored
procedures, just as with data roles, is not checked against a
<code>PolicyDecider.</code>
+ </para>
+</section>
</chapter>
\ No newline at end of file
Modified:
branches/7.4.x/documentation/reference/src/main/docbook/en-US/content/dataroles.xml
===================================================================
---
branches/7.4.x/documentation/reference/src/main/docbook/en-US/content/dataroles.xml 2011-06-06
20:23:11 UTC (rev 3224)
+++
branches/7.4.x/documentation/reference/src/main/docbook/en-US/content/dataroles.xml 2011-06-07
01:21:33 UTC (rev 3225)
@@ -168,4 +168,8 @@
<para>The <code>hasRole</code> system function will return true if
the current user has the given data role.
The <code>hasRole</code> function can be used in procedure or view
definitions to allow for a more dynamic application of security - which allows for things
such as value masking or row level security.</para>
</section>
+ <section>
+ <title>Customizing</title>
+ <para>See the Developer's Guide Custom Security Chapter for details on using
an alternative authorization scheme.</para>
+ </section>
</chapter>
\ No newline at end of file
Modified:
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/AuthorizationValidationVisitor.java
===================================================================
---
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/AuthorizationValidationVisitor.java 2011-06-06
20:23:11 UTC (rev 3224)
+++
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/AuthorizationValidationVisitor.java 2011-06-07
01:21:33 UTC (rev 3225)
@@ -28,16 +28,17 @@
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
-import java.util.Iterator;
+import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.teiid.CommandContext;
+import org.teiid.PolicyDecider;
import org.teiid.adminapi.DataPolicy;
+import org.teiid.adminapi.DataPolicy.Context;
import org.teiid.adminapi.DataPolicy.PermissionType;
-import org.teiid.adminapi.impl.DataPolicyMetadata;
import org.teiid.api.exception.query.QueryMetadataException;
import org.teiid.core.CoreConstants;
import org.teiid.core.TeiidComponentException;
@@ -74,44 +75,19 @@
public class AuthorizationValidationVisitor extends AbstractValidationVisitor {
- public enum Context {
- CREATE,
- DROP,
- QUERY,
- INSERT,
- UPDATE,
- DELETE,
- FUNCTION,
- ALTER,
- STORED_PROCEDURE;
- }
-
- private HashMap<String, DataPolicy> allowedPolicies;
- private boolean allowCreateTemporaryTablesDefault = true;
- private boolean allowFunctionCallsByDefault = true;
private CommandContext commandContext;
+ private PolicyDecider decider;
- public AuthorizationValidationVisitor(HashMap<String, DataPolicy> policies,
CommandContext commandContext) {
- this.allowedPolicies = policies;
+ public AuthorizationValidationVisitor(PolicyDecider decider, CommandContext
commandContext) {
+ this.decider = decider;
this.commandContext = commandContext;
}
-
- public void setAllowCreateTemporaryTablesDefault(
- boolean allowCreateTemporaryTablesDefault) {
- this.allowCreateTemporaryTablesDefault = allowCreateTemporaryTablesDefault;
- }
-
- public void setAllowFunctionCallsByDefault(boolean allowFunctionCallsDefault) {
- this.allowFunctionCallsByDefault = allowFunctionCallsDefault;
- }
// ############### Visitor methods for language objects ##################
@Override
public void visit(Create obj) {
- Set<String> resources = Collections.singleton(obj.getTable().getName());
- Collection<GroupSymbol> symbols = Arrays.asList(obj.getTable());
- validateTemp(resources, symbols, Context.CREATE);
+ validateTemp(PermissionType.CREATE, obj.getTable(), Context.CREATE);
}
@Override
@@ -129,30 +105,18 @@
validateEntitlements(Arrays.asList(obj.getTarget()),
DataPolicy.PermissionType.ALTER, Context.ALTER);
}
- private void validateTemp(Set<String> resources,
- Collection<GroupSymbol> symbols, Context context) {
+ private void validateTemp(DataPolicy.PermissionType action, GroupSymbol symbol, Context
context) {
+ String resource = symbol.getNonCorrelationName();
+ Set<String> resources = Collections.singleton(resource);
logRequest(resources, context);
- boolean allowed = false;
- for(DataPolicy p:this.allowedPolicies.values()) {
- DataPolicyMetadata policy = (DataPolicyMetadata)p;
-
- if (policy.isAllowCreateTemporaryTables() == null) {
- if (allowCreateTemporaryTablesDefault) {
- allowed = true;
- break;
- }
- } else if (policy.isAllowCreateTemporaryTables()) {
- allowed = true;
- break;
- }
- }
+ boolean allowed = decider.isTempAccessable(action, resource, context,
commandContext);
logResult(resources, context, allowed);
if (!allowed) {
handleValidationError(
QueryPlugin.Util.getString("ERR.018.005.0095",
commandContext.getUserName(), "CREATE_TEMPORARY_TABLES"), //$NON-NLS-1$
//$NON-NLS-2$
- symbols);
+ Arrays.asList(symbol));
}
}
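Review bot: validateTemp is now invoked for DROP (line 495) and, via validateEntitlements, for whatever `actionCode` the statement carries (line 586), yet the validation error on line 483 still reports the user as lacking "CREATE_TEMPORARY_TABLES" for every action. If temp table access is intentionally governed only by the create-temporary-tables right, a comment saying so would stop the message from reading as a bug to whoever audits denials: `// temp table access is decided as a whole by the decider; the message names the governing right`. Otherwise include `action` in the message so a denied DROP or UPDATE is distinguishable from a denied CREATE in the log.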
@@ -166,9 +130,7 @@
@Override
public void visit(Drop obj) {
- Set<String> resources = Collections.singleton(obj.getTable().getName());
- Collection<GroupSymbol> symbols = Arrays.asList(obj.getTable());
- validateTemp(resources, symbols, Context.CREATE);
+ validateTemp(PermissionType.DROP, obj.getTable(), Context.DROP);
}
public void visit(Delete obj) {
@@ -205,7 +167,7 @@
} catch (TeiidProcessingException e) {
handleException(e, obj);
}
- } else if (!allowFunctionCallsByDefault) {
+ } else {
String schema = obj.getFunctionDescriptor().getSchema();
if (schema != null && !isSystemSchema(schema)) {
Map<String, Function> map = new HashMap<String, Function>();
@@ -221,14 +183,13 @@
* Validate insert entitlements
*/
protected void validateEntitlements(Insert obj) {
+ List<LanguageObject> insert = new LinkedList<LanguageObject>();
+ insert.add(obj.getGroup());
+ insert.addAll(obj.getVariables());
validateEntitlements(
- obj.getVariables(),
+ insert,
DataPolicy.PermissionType.CREATE,
Context.INSERT);
-
- if (obj.getGroup().isTempTable()) {
- validateTemp(Collections.singleton(obj.getGroup().getNonCorrelationName()),
Arrays.asList(obj.getGroup()), Context.INSERT);
- }
}
/**
@@ -248,7 +209,10 @@
// The variables from the changes must be checked for UPDATE entitlement
// validateEntitlements on all the variables used in the update.
- validateEntitlements(obj.getChangeList().getClauseMap().keySet(),
DataPolicy.PermissionType.UPDATE, Context.UPDATE);
+ List<LanguageObject> updated = new LinkedList<LanguageObject>();
+ updated.add(obj.getGroup());
+ updated.addAll(obj.getChangeList().getClauseMap().keySet());
+ validateEntitlements(updated, DataPolicy.PermissionType.UPDATE, Context.UPDATE);
}
/**
@@ -275,12 +239,10 @@
Into intoObj = obj.getInto();
if ( intoObj != null ) {
GroupSymbol intoGroup = intoObj.getGroup();
- if (intoGroup.isTempTable()) {
- validateTemp(Collections.singleton(intoGroup.getNonCorrelationName()),
Arrays.asList(intoGroup), Context.INSERT);
- }
- List<ElementSymbol> intoElements = null;
+ Collection<LanguageObject> intoElements = new
LinkedList<LanguageObject>();
+ intoElements.add(intoGroup);
try {
- intoElements = ResolverUtil.resolveElementsInGroup(intoGroup,
getMetadata());
+ intoElements.addAll(ResolverUtil.resolveElementsInGroup(intoGroup,
getMetadata()));
} catch (QueryMetadataException err) {
handleException(err, intoGroup);
} catch (TeiidComponentException err) {
@@ -292,7 +254,7 @@
}
// Validate this query's entitlements
- Collection entitledObjects = GroupCollectorVisitor.getGroups(obj, true);
+ Collection<LanguageObject> entitledObjects = new
ArrayList<LanguageObject>(GroupCollectorVisitor.getGroupsIgnoreInlineViews(obj,
true));
if (!isXMLCommand(obj)) {
entitledObjects.addAll(ElementCollectorVisitor.getElements(obj, true));
}
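Review bot: Switching from `getGroups` to `getGroupsIgnoreInlineViews` reduces the set of groups handed to validateEntitlements, and nothing in the hunk explains why that does not widen access. If inline-view groups carry a TempMetadataID they were already skipped by the `continue` in validateEntitlements, in which case this is a no-op worth stating; otherwise the query behind the inline view must be validated when it is visited. Suggest a why-comment such as `// inline views are not authorization targets themselves; the nested query is validated separately` — confirm before adding.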
@@ -319,7 +281,7 @@
* @param auditContext The {@link AuthorizationService} to use when resource auditing
is done.
*/
protected void validateEntitlements(Collection<? extends LanguageObject>
symbols, DataPolicy.PermissionType actionCode, Context auditContext) {
- Map<String, LanguageObject> nameToSymbolMap = new HashMap<String,
LanguageObject>();
+ Map<String, LanguageObject> nameToSymbolMap = new LinkedHashMap<String,
LanguageObject>();
for (LanguageObject symbol : symbols) {
try {
String fullName = null;
@@ -333,6 +295,9 @@
GroupSymbol group = (GroupSymbol)symbol;
metadataID = group.getMetadataID();
if (metadataID instanceof TempMetadataID &&
!group.isProcedure()) {
+ if (group.isTempTable()) {
+ validateTemp(actionCode, group, auditContext);
+ }
continue;
}
}
@@ -380,27 +345,12 @@
}
/**
- * Out of resources specified, return the subset for which the specified not have
authorization to access.
+ * Out of the resources specified, return the subset for which the specified not have
authorization to access.
*/
public Set<String> getInaccessibleResources(DataPolicy.PermissionType action,
Set<String> resources, Context context) {
logRequest(resources, context);
- HashSet<String> results = new HashSet<String>(resources);
-
- for(DataPolicy p:this.allowedPolicies.values()) {
- DataPolicyMetadata policy = (DataPolicyMetadata)p;
-
- if (results.isEmpty()) {
- break;
- }
-
- Iterator<String> i = results.iterator();
- while (i.hasNext()) {
- if (policy.allows(i.next(), action)) {
- i.remove();
- }
- }
- }
+ Set<String> results = decider.getInaccessibleResources(action, resources,
context, commandContext);
logResult(resources, context, results.isEmpty());
return results;
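Review bot: The set returned by the pluggable decider is dereferenced on the next line (`results.isEmpty()`) without a null check; the PolicyDecider Javadoc says never null, but a third-party decider that violates that would fail with an NPE here, and an authorization path is better off failing closed explicitly: `if (results == null) { results = new HashSet<String>(resources); }` (HashSet is already imported). The reworded Javadoc above still reads "for which the specified not have authorization" — the missing word is "user": `* Out of the resources specified, return the subset for which the user does not have authorization to access.`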
Modified:
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/AuthorizationValidator.java
===================================================================
---
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/AuthorizationValidator.java 2011-06-06
20:23:11 UTC (rev 3224)
+++
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/AuthorizationValidator.java 2011-06-07
01:21:33 UTC (rev 3225)
@@ -33,8 +33,11 @@
*/
public interface AuthorizationValidator {
- void validate(Command command, QueryMetadataInterface metadata,
- DQPWorkContext workContext, CommandContext commandContext) throws
QueryValidatorException, TeiidComponentException;
+ void validate(Command command, QueryMetadataInterface metadata, CommandContext
commandContext) throws QueryValidatorException, TeiidComponentException;
- boolean hasRole(String roleName, DQPWorkContext workContext);
+ boolean hasRole(String roleName, CommandContext commandContext);
+
+ boolean isEnabled();
+
+ void setEnabled(boolean enabled);
}
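Review bot: `isEnabled`/`setEnabled` are added to the validator interface without Javadoc, and `setEnabled(false)` is presumably a switch that turns off every authorization check (the deleted DataRoleAuthorizationValidator returned true from hasRole and skipped validate when its flag was off). Suggest documenting that contract explicitly: `/** Whether this validator performs any checks. When false, validate performs no checks and hasRole returns true for every role. */` — confirm against DefaultAuthorizationValidator, which is not in this chunk. A purpose line on `validate` stating that a failed check surfaces as QueryValidatorException would round this out.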
Modified:
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DQPConfiguration.java
===================================================================
---
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DQPConfiguration.java 2011-06-06
20:23:11 UTC (rev 3224)
+++
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DQPConfiguration.java 2011-06-07
01:21:33 UTC (rev 3225)
@@ -135,40 +135,15 @@
*/
@ManagementProperty(description="Turn on role checking based upon the data roles
defined in VDBs. (default true)")
public boolean getUseDataRoles() {
- return useDataRoles;
+ return this.authorizationValidator != null &&
this.authorizationValidator.isEnabled();
}
public void setUseDataRoles(boolean useEntitlements) {
- this.useDataRoles = useEntitlements;
+ if (this.authorizationValidator != null) {
+ this.authorizationValidator.setEnabled(useEntitlements);
+ }
}
- /**
- * Whether temporary table usage is enabled by default.
- * @return <code>true</code> if temporary table usage is enabled by
default.
- */
- @ManagementProperty(description="Sets whether temporary table usage is allowed
by default with data roles enabled. If false, the user must have a role that grants
creates temporary table rights to use temporary tables. (default true)")
- public boolean isAllowCreateTemporaryTablesByDefault() {
- return allowCreateTemporaryTablesByDefault;
- }
-
- public void setAllowCreateTemporaryTablesByDefault(
- boolean allowCreateTemporaryTablesByDefault) {
- this.allowCreateTemporaryTablesByDefault = allowCreateTemporaryTablesByDefault;
- }
-
- /**
- * Whether functions are callable by default
- * @return <code>true</code> if function usage is enabled by default.
- */
- @ManagementProperty(description="Sets whether functions may be called by default
with data roles enabled. If false, a specific permission must exist to call the function.
(default true)")
- public boolean isAllowFunctionCallsByDefault() {
- return allowFunctionCallsByDefault;
- }
-
- public void setAllowFunctionCallsByDefault(boolean allowFunctionCallsDefault) {
- this.allowFunctionCallsByDefault = allowFunctionCallsDefault;
- }
-
@ManagementProperty(description="Long running query threshold, after which a alert
can be generated by tooling if configured")
public int getQueryThresholdInSecs() {
return queryThresholdInSecs;
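Review bot: `setUseDataRoles` now silently discards the value when `authorizationValidator` is null (lines 666-668), and the `useDataRoles` bean property is no longer set in the shipped teiid-jboss-beans.xml, so an existing deployment that still sets it before the validator is injected loses the setting with no error. Unless property injection order is guaranteed, keep the value: `this.useDataRoles = useEntitlements;` in the setter (the field read on removed line 660, if it still exists) and apply `this.authorizationValidator.setEnabled(this.useDataRoles)` in the setter for `authorizationValidator`, or at least log a warning when the setter is hit with no validator. The `@ManagementProperty` description still says "role checking based upon the data roles defined in VDBs", which is narrower than what the flag now controls.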
Modified: branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DQPCore.java
===================================================================
---
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DQPCore.java 2011-06-06
20:23:11 UTC (rev 3224)
+++
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DQPCore.java 2011-06-07
01:21:33 UTC (rev 3225)
@@ -673,9 +673,6 @@
public void start(DQPConfiguration config) {
this.config = config;
this.authorizationValidator = config.getAuthorizationValidator();
- if (this.authorizationValidator == null) {
- this.authorizationValidator = new
DataRoleAuthorizationValidator(config.getUseDataRoles(),
config.isAllowCreateTemporaryTablesByDefault(), config.isAllowFunctionCallsByDefault());
- }
this.chunkSize = config.getLobChunkSizeInKB() * 1024;
//get buffer manager
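Review bot: With the fallback removed, `this.authorizationValidator` stays null whenever the configuration does not supply one, and whether that results in an NPE or in commands running unchecked depends on code outside this hunk. An authorization component should fail fast rather than silently: `if (this.authorizationValidator == null) { throw new IllegalStateException("No AuthorizationValidator configured"); }` — or, if embedded or test configurations legitimately omit it, install a validator with `setEnabled(false)` and log that authorization is off. start() continues outside the hunk.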
Modified:
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DQPWorkContext.java
===================================================================
---
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DQPWorkContext.java 2011-06-06
20:23:11 UTC (rev 3224)
+++
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DQPWorkContext.java 2011-06-07
01:21:33 UTC (rev 3225)
@@ -217,6 +217,10 @@
}
return this.policies;
}
+
+ public void setPolicies(HashMap<String, DataPolicy> policies) {
+ this.policies = policies;
+ }
private boolean matchesPrincipal(Set<String> userRoles, DataPolicy policy) {
if (policy.isAnyAuthenticated()) {
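Review bot: `setPolicies` is a public mutator that replaces the session's resolved allowed policies, presumably the data behind `CommandContext.getAllowedDataPolicies()` that every DataRolePolicyDecider decision reads, yet it carries no Javadoc on who is meant to call it. If it exists for the test changes in this commit, say so: `/** Overrides the policies resolved for this session; intended for testing. */`. Otherwise it deserves a note that callers bypass the principal matching done by `matchesPrincipal` below.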
Deleted:
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DataRoleAuthorizationValidator.java
===================================================================
---
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DataRoleAuthorizationValidator.java 2011-06-06
20:23:11 UTC (rev 3224)
+++
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DataRoleAuthorizationValidator.java 2011-06-07
01:21:33 UTC (rev 3225)
@@ -1,65 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source.
- * See the COPYRIGHT.txt file distributed with this work for information
- * regarding copyright ownership. Some portions may be licensed
- * to Red Hat, Inc. under one or more contributor license agreements.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301 USA.
- */
-
-package org.teiid.dqp.internal.process;
-
-import org.teiid.api.exception.query.QueryValidatorException;
-import org.teiid.core.TeiidComponentException;
-import org.teiid.query.metadata.QueryMetadataInterface;
-import org.teiid.query.sql.lang.Command;
-import org.teiid.query.util.CommandContext;
-
-/**
- * The default Teiid authorization validator
- */
-public class DataRoleAuthorizationValidator implements AuthorizationValidator {
-
- private boolean useEntitlements;
- private boolean allowCreateTemporaryTablesByDefault;
- private boolean allowFunctionCallsByDefault;
-
- public DataRoleAuthorizationValidator(boolean useEntitlements,
- boolean allowCreateTemporaryTablesByDefault, boolean allowFunctionCallsByDefault) {
- this.useEntitlements = useEntitlements;
- this.allowCreateTemporaryTablesByDefault = allowCreateTemporaryTablesByDefault;
- this.allowFunctionCallsByDefault = allowFunctionCallsByDefault;
- }
-
- @Override
- public void validate(Command command, QueryMetadataInterface metadata, DQPWorkContext
workContext, CommandContext commandContext) throws QueryValidatorException,
TeiidComponentException {
- if (useEntitlements && !workContext.getVDB().getDataPolicies().isEmpty()) {
- AuthorizationValidationVisitor visitor = new
AuthorizationValidationVisitor(workContext.getAllowedDataPolicies(), commandContext);
- visitor.setAllowCreateTemporaryTablesDefault(allowCreateTemporaryTablesByDefault);
- visitor.setAllowFunctionCallsByDefault(allowFunctionCallsByDefault);
- Request.validateWithVisitor(visitor, metadata, command);
- }
- }
-
- @Override
- public boolean hasRole(String roleName, DQPWorkContext workContext) {
- if (!useEntitlements) {
- return true;
- }
- return workContext.getAllowedDataPolicies().containsKey(roleName);
- }
-
-}
Added:
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DataRolePolicyDecider.java
===================================================================
---
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DataRolePolicyDecider.java
(rev 0)
+++
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DataRolePolicyDecider.java 2011-06-07
01:21:33 UTC (rev 3225)
@@ -0,0 +1,76 @@
+package org.teiid.dqp.internal.process;
+
+import java.util.Collections;
+import java.util.Iterator;
+import java.util.LinkedHashSet;
+import java.util.Set;
+
+import org.teiid.CommandContext;
+import org.teiid.PolicyDecider;
+import org.teiid.adminapi.DataPolicy;
+import org.teiid.adminapi.DataPolicy.Context;
+import org.teiid.adminapi.DataPolicy.PermissionType;
+import org.teiid.adminapi.impl.DataPolicyMetadata;
+
+public class DataRolePolicyDecider implements PolicyDecider {
+
+ private boolean allowCreateTemporaryTablesByDefault = true;
+ private boolean allowFunctionCallsByDefault = true;
+
+ @Override
+ public Set<String> getInaccessibleResources(PermissionType action,
+ Set<String> resources, Context context, CommandContext commandContext) {
+ if (action == PermissionType.EXECUTE && context == Context.FUNCTION &&
allowFunctionCallsByDefault) {
+ return Collections.emptySet();
+ }
+ LinkedHashSet<String> results = new LinkedHashSet<String>(resources);
+ for(DataPolicy p:commandContext.getAllowedDataPolicies().values()) {
+ DataPolicyMetadata policy = (DataPolicyMetadata)p;
+
+ if (results.isEmpty()) {
+ break;
+ }
+
+ Iterator<String> i = results.iterator();
+ while (i.hasNext()) {
+ if (policy.allows(i.next(), action)) {
+ i.remove();
+ }
+ }
+ }
+ return results;
+ }
+
+ @Override
+ public boolean hasRole(String roleName, CommandContext context) {
+ return context.getAllowedDataPolicies().containsKey(roleName);
+ }
+
+ @Override
+ public boolean isTempAccessable(PermissionType action, String resource,
+ Context context, CommandContext commandContext) {
+ for(DataPolicy p:commandContext.getAllowedDataPolicies().values()) {
+ DataPolicyMetadata policy = (DataPolicyMetadata)p;
+
+ if (policy.isAllowCreateTemporaryTables() != null) {
+ return policy.isAllowCreateTemporaryTables();
+ }
+ }
+ return allowCreateTemporaryTablesByDefault;
+ }
+
+ public void setAllowCreateTemporaryTablesByDefault(
+ boolean allowCreateTemporaryTablesByDefault) {
+ this.allowCreateTemporaryTablesByDefault = allowCreateTemporaryTablesByDefault;
+ }
+
+ public void setAllowFunctionCallsByDefault(boolean allowFunctionCallsDefault) {
+ this.allowFunctionCallsByDefault = allowFunctionCallsDefault;
+ }
+
+ @Override
+ public boolean validateCommand(CommandContext commandContext) {
+ return !commandContext.getVdb().getDataPolicies().isEmpty();
+ }
+
+}
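Review bot: `isTempAccessable` returns the first non-null `isAllowCreateTemporaryTables()` it meets, so when a user holds several data roles with conflicting settings the answer depends on the iteration order of `getAllowedDataPolicies()` rather than on a defined combining rule. `getInaccessibleResources` above combines roles additively (any role that allows wins), so the temp-table decision should be order-independent in the same way; the `action`, `resource` and `context` parameters are also unused, which deserves a comment if that is intentional. The unchecked `(DataPolicyMetadata)p` cast in both methods will throw `ClassCastException` for any other `DataPolicy` implementation now that the decider is a pluggable API, so either document that only `DataPolicyMetadata` is supported or check with `instanceof`.
```java
    @Override
    public boolean isTempAccessable(PermissionType action, String resource,
            Context context, CommandContext commandContext) {
        // Combine roles additively, like getInaccessibleResources: an explicit allow in
        // any role wins, then an explicit deny, then the configured default. Independent
        // of the iteration order of the policy map.
        Boolean explicit = null;
        for (DataPolicy p : commandContext.getAllowedDataPolicies().values()) {
            Boolean allowed = ((DataPolicyMetadata) p).isAllowCreateTemporaryTables();
            if (allowed == null) {
                continue;
            }
            if (allowed) {
                return true;
            }
            explicit = Boolean.FALSE;
        }
        return explicit != null ? explicit : allowCreateTemporaryTablesByDefault;
    }
```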
Property changes on:
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DataRolePolicyDecider.java
___________________________________________________________________
Added: svn:mime-type
+ text/plain
Copied:
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DefaultAuthorizationValidator.java
(from rev 3202,
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DataRoleAuthorizationValidator.java)
===================================================================
---
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DefaultAuthorizationValidator.java
(rev 0)
+++
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DefaultAuthorizationValidator.java 2011-06-07
01:21:33 UTC (rev 3225)
@@ -0,0 +1,77 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * See the COPYRIGHT.txt file distributed with this work for information
+ * regarding copyright ownership. Some portions may be licensed
+ * to Red Hat, Inc. under one or more contributor license agreements.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301 USA.
+ */
+
+package org.teiid.dqp.internal.process;
+
+import org.teiid.PolicyDecider;
+import org.teiid.api.exception.query.QueryValidatorException;
+import org.teiid.core.TeiidComponentException;
+import org.teiid.query.metadata.QueryMetadataInterface;
+import org.teiid.query.sql.lang.Command;
+import org.teiid.query.util.CommandContext;
+
+/**
+ * The default Teiid authorization validator
+ */
+public class DefaultAuthorizationValidator implements AuthorizationValidator {
+
+ private boolean enabled = true;
+ private PolicyDecider policyDecider;
+
+ public DefaultAuthorizationValidator() {
+ }
+
+ @Override
+ public void validate(Command command, QueryMetadataInterface metadata, CommandContext
commandContext) throws QueryValidatorException, TeiidComponentException {
+ if (enabled && policyDecider.validateCommand(commandContext)) {
+ AuthorizationValidationVisitor visitor = new
AuthorizationValidationVisitor(this.policyDecider, commandContext);
+ Request.validateWithVisitor(visitor, metadata, command);
+ }
+ }
+
+ @Override
+ public boolean hasRole(String roleName, CommandContext commandContext) {
+ if (!enabled) {
+ return true;
+ }
+ return this.policyDecider.hasRole(roleName, commandContext);
+ }
+
+ public void setPolicyDecider(PolicyDecider policyDecider) {
+ this.policyDecider = policyDecider;
+ }
+
+ public PolicyDecider getPolicyDecider() {
+ return policyDecider;
+ }
+
+ @Override
+ public boolean isEnabled() {
+ return enabled;
+ }
+
+ @Override
+ public void setEnabled(boolean enabled) {
+ this.enabled = enabled;
+ }
+
+}
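Review bot: `validate` and `hasRole` dereference `policyDecider` without checking that one was set, so an enabled validator with no decider injected fails with a `NullPointerException` on every request instead of a clear configuration error. Fail closed explicitly with `if (policyDecider == null) { throw new IllegalStateException("DefaultAuthorizationValidator is enabled but no PolicyDecider is set"); }` at the top of both methods, or reject `setEnabled(true)` while the decider is null. The class comment should also state that `setEnabled(false)` makes `hasRole` return true for every role name and skips validation entirely, since that is what an operator gets by flipping one flag in the bean configuration.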
Property changes on:
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/DefaultAuthorizationValidator.java
___________________________________________________________________
Added: svn:mime-type
+ text/plain
Modified: branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/Request.java
===================================================================
---
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/Request.java 2011-06-06
20:23:11 UTC (rev 3224)
+++
branches/7.4.x/engine/src/main/java/org/teiid/dqp/internal/process/Request.java 2011-06-07
01:21:33 UTC (rev 3225)
@@ -254,6 +254,7 @@
context.setSubject(workContext.getSubject());
this.context.setSession(workContext.getSession());
this.context.setRequestId(this.requestId);
+ this.context.setDQPWorkContext(this.workContext);
}
@Override
@@ -262,7 +263,10 @@
if (!DATA_ROLE.equalsIgnoreCase(roleType)) {
return false;
}
- return authorizationValidator.hasRole(roleName, workContext);
+ if (this.authorizationValidator == null) {
+ return true;
+ }
+ return authorizationValidator.hasRole(roleName, context);
}
public void setUserRequestConcurrency(int userRequestConcurrency) {
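Review bot: The new null check makes `hasRole` answer true for every role name when no `AuthorizationValidator` is wired into the request, which turns a missing bean into a silent grant of all data roles; the previous line would have failed with a `NullPointerException` here. If an absent validator is meant to mean "authorization disabled", say so in a comment on the guard, `// no validator configured: authorization is off and every data role is granted`, and log it once where the validator is injected (outside this hunk) so the fail-open state is visible to operators. `DefaultAuthorizationValidator.setEnabled(false)` already covers the intentional off case, so consider whether the null path needs to exist at all.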
@@ -465,7 +469,9 @@
protected void validateAccess(Command command) throws QueryValidatorException,
TeiidComponentException {
createCommandContext(command);
- this.authorizationValidator.validate(command, metadata, workContext, context);
+ if (this.authorizationValidator != null) {
+ this.authorizationValidator.validate(command, metadata, context);
+ }
}
}
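Review bot: `validateAccess` now silently skips all access validation when `authorizationValidator` is null, so a misconfigured deployment runs every command with no data-role enforcement and nothing in the log says so. A comment on the guard should make the fail-open choice explicit, `// null validator: no authorization is performed on this command`, and if a null validator is not a supported production configuration this should throw an `IllegalStateException` instead. The old call failed closed by accident (NPE), which is the behaviour a reviewer would want to keep unless the null case is deliberately supported.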
Modified: branches/7.4.x/engine/src/main/java/org/teiid/query/util/CommandContext.java
===================================================================
---
branches/7.4.x/engine/src/main/java/org/teiid/query/util/CommandContext.java 2011-06-06
20:23:11 UTC (rev 3224)
+++
branches/7.4.x/engine/src/main/java/org/teiid/query/util/CommandContext.java 2011-06-07
01:21:33 UTC (rev 3225)
@@ -26,6 +26,7 @@
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedList;
+import java.util.Map;
import java.util.Properties;
import java.util.Random;
import java.util.Set;
@@ -33,11 +34,14 @@
import javax.security.auth.Subject;
+import org.teiid.adminapi.DataPolicy;
import org.teiid.adminapi.Session;
+import org.teiid.adminapi.VDB;
import org.teiid.api.exception.query.QueryProcessingException;
import org.teiid.common.buffer.BufferManager;
import org.teiid.core.TeiidComponentException;
import org.teiid.core.util.ArgCheck;
+import org.teiid.dqp.internal.process.DQPWorkContext;
import org.teiid.dqp.internal.process.PreparedPlan;
import org.teiid.dqp.internal.process.SessionAwareCache;
import org.teiid.dqp.internal.process.SessionAwareCache.CacheID;
@@ -120,9 +124,11 @@
private Subject subject;
private HashSet<Object> dataObjects;
- public Session session;
+ private Session session;
- public RequestID requestId;
+ private RequestID requestId;
+
+ private DQPWorkContext dqpWorkContext;
}
private GlobalState globalState = new GlobalState();
@@ -591,4 +597,22 @@
this.globalState.requestId = requestId;
}
+ public void setDQPWorkContext(DQPWorkContext workContext) {
+ this.globalState.dqpWorkContext = workContext;
+ }
+
+ @Override
+ public Map<String, DataPolicy> getAllowedDataPolicies() {
+ return this.globalState.dqpWorkContext.getAllowedDataPolicies();
+ }
+
+ @Override
+ public VDB getVdb() {
+ return this.globalState.dqpWorkContext.getVDB();
+ }
+
+ public DQPWorkContext getDQPWorkContext() {
+ return this.globalState.dqpWorkContext;
+ }
+
}
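Review bot: `getAllowedDataPolicies` hands the map obtained from `DQPWorkContext` straight to callers, and through the new `org.teiid.CommandContext` API that now includes user-supplied `PolicyDecider` implementations; unless `DQPWorkContext.getAllowedDataPolicies()` already returns a read-only view (not visible here), a decider could modify the session's allowed policies. Wrap it, `return Collections.unmodifiableMap(this.globalState.dqpWorkContext.getAllowedDataPolicies());` — `Collections` is already imported in this file. Both new getters also throw `NullPointerException` if `setDQPWorkContext` was never called, which is worth a one-line note on the setter.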
Modified:
branches/7.4.x/engine/src/test/java/org/teiid/dqp/internal/process/TestAuthorizationValidationVisitor.java
===================================================================
---
branches/7.4.x/engine/src/test/java/org/teiid/dqp/internal/process/TestAuthorizationValidationVisitor.java 2011-06-06
20:23:11 UTC (rev 3224)
+++
branches/7.4.x/engine/src/test/java/org/teiid/dqp/internal/process/TestAuthorizationValidationVisitor.java 2011-06-07
01:21:33 UTC (rev 3225)
@@ -29,8 +29,7 @@
import java.util.HashSet;
import java.util.Set;
-import org.junit.BeforeClass;
-import org.junit.Ignore;
+import org.junit.Before;
import org.junit.Test;
import org.teiid.adminapi.DataPolicy;
import org.teiid.adminapi.DataPolicy.PermissionType;
@@ -40,7 +39,6 @@
import org.teiid.adminapi.impl.DataPolicyMetadata.PermissionMetaData;
import org.teiid.api.exception.query.QueryParserException;
import org.teiid.api.exception.query.QueryResolverException;
-import org.teiid.api.exception.query.QueryValidatorException;
import org.teiid.core.TeiidComponentException;
import org.teiid.query.metadata.QueryMetadataInterface;
import org.teiid.query.parser.QueryParser;
@@ -58,10 +56,12 @@
public class TestAuthorizationValidationVisitor {
public static final String CONN_ID = "connID"; //$NON-NLS-1$
- private static CommandContext context = new CommandContext();
+ private CommandContext context;
- @BeforeClass public static void oneTimeSetup() {
+ @Before public void setup() {
+ context = new CommandContext();
context.setSession(new SessionMetadata());
+ context.setDQPWorkContext(new DQPWorkContext());
}
PermissionMetaData addResource(PermissionType type, boolean flag, String resource) {
@@ -179,9 +179,10 @@
HashMap<String, DataPolicy> policies = new HashMap<String,
DataPolicy>();
policies.put(policy.getName(), policy);
-
- AuthorizationValidationVisitor visitor = new
AuthorizationValidationVisitor(policies, context); //$NON-NLS-1$
- visitor.setAllowFunctionCallsByDefault(false);
+ this.context.getDQPWorkContext().setPolicies(policies);
+ DataRolePolicyDecider dataRolePolicyDecider = new DataRolePolicyDecider();
+ dataRolePolicyDecider.setAllowFunctionCallsByDefault(false);
+ AuthorizationValidationVisitor visitor = new
AuthorizationValidationVisitor(dataRolePolicyDecider, context); //$NON-NLS-1$
ValidatorReport report = Validator.validate(command, metadata, visitor);
if(report.hasItems()) {
ValidatorFailure firstFailure = report.getItems().iterator().next();
@@ -289,11 +290,11 @@
}
@Test public void testSelectIntoTarget_e1_NotAccessible() throws Exception {
- helpTest(exampleAuthSvc2(), "SELECT e1, e2, e3, e4 INTO pm2.g2 FROM
pm2.g1", RealMetadataFactory.example1Cached(), new String[]
{"pm2.g2.e2","pm2.g2.e4","pm2.g2.e3"},
RealMetadataFactory.example1VDB()); //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
//$NON-NLS-4$
+ helpTest(exampleAuthSvc2(), "SELECT e1, e2, e3, e4 INTO pm2.g2 FROM
pm2.g1", RealMetadataFactory.example1Cached(), new String[] {"pm2.g2",
"pm2.g2.e2","pm2.g2.e4","pm2.g2.e3"},
RealMetadataFactory.example1VDB()); //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
//$NON-NLS-4$
}
@Test public void testSelectIntoTarget_e1e2_NotAccessible() throws Exception {
- helpTest(exampleAuthSvc2(), "SELECT e1, e2, e3, e4 INTO pm3.g2 FROM
pm2.g1", RealMetadataFactory.example1Cached(), new String[] {"pm3.g2.e4",
"pm3.g2.e3"},RealMetadataFactory.example1VDB()); //$NON-NLS-1$ //$NON-NLS-2$
//$NON-NLS-3$
+ helpTest(exampleAuthSvc2(), "SELECT e1, e2, e3, e4 INTO pm3.g2 FROM
pm2.g1", RealMetadataFactory.example1Cached(), new String[] {"pm3.g2",
"pm3.g2.e4", "pm3.g2.e3"},RealMetadataFactory.example1VDB());
//$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
}
@Test public void testTempTableSelectInto() throws Exception {
@@ -326,28 +327,4 @@
helpTest(examplePolicyBQT(), "alter trigger on SmallA_2589 INSTEAD OF UPDATE
enabled", RealMetadataFactory.exampleBQTCached(), new String[] {},
RealMetadataFactory.exampleBQTVDB()); //$NON-NLS-1$ //$NON-NLS-2$
}
- private void helpTestLookupVisibility(boolean visible) throws QueryParserException,
QueryValidatorException, TeiidComponentException {
- VDBMetaData vdb = RealMetadataFactory.example1VDB();
- vdb.getModel("pm1").setVisible(visible); //$NON-NLS-1$
- AuthorizationValidationVisitor mvvv = new AuthorizationValidationVisitor(new
HashMap<String, DataPolicy>(), context); //$NON-NLS-1$
- String sql = "select lookup('pm1.g1', 'e1', 'e2',
1)"; //$NON-NLS-1$
- Command command = QueryParser.getQueryParser().parseCommand(sql);
- Request.validateWithVisitor(mvvv, RealMetadataFactory.example1Cached(), command);
- }
-
- @Ignore("visibility no longer ristricts access")
- @Test public void testLookupVisibility() throws Exception {
- helpTestLookupVisibility(true);
- }
-
- @Ignore("visibility no longer ristricts access")
- @Test public void testLookupVisibilityFails() throws Exception {
- try {
- helpTestLookupVisibility(false);
- fail("expected exception"); //$NON-NLS-1$
- } catch (QueryValidatorException e) {
- assertEquals("Group does not exist: pm1.g1", e.getMessage()); //$NON-NLS-1$
- }
- }
-
}
Modified:
branches/7.4.x/engine/src/test/java/org/teiid/dqp/internal/process/TestPreparedStatement.java
===================================================================
---
branches/7.4.x/engine/src/test/java/org/teiid/dqp/internal/process/TestPreparedStatement.java 2011-06-06
20:23:11 UTC (rev 3224)
+++
branches/7.4.x/engine/src/test/java/org/teiid/dqp/internal/process/TestPreparedStatement.java 2011-06-07
01:21:33 UTC (rev 3225)
@@ -242,7 +242,9 @@
serverRequest.initialize(request,
BufferManagerFactory.getStandaloneBufferManager(), null, new FakeTransactionService(),
null, workContext, prepPlanCache);
serverRequest.setMetadata(capFinder, metadata, null);
- serverRequest.setAuthorizationValidator(new DataRoleAuthorizationValidator(false,
true, true));
+ DefaultAuthorizationValidator drav = new DefaultAuthorizationValidator();
+ drav.setEnabled(false);
+ serverRequest.setAuthorizationValidator(drav);
serverRequest.processRequest();
assertNotNull(serverRequest.processPlan);
Modified:
branches/7.4.x/engine/src/test/java/org/teiid/dqp/internal/process/TestRequest.java
===================================================================
---
branches/7.4.x/engine/src/test/java/org/teiid/dqp/internal/process/TestRequest.java 2011-06-06
20:23:11 UTC (rev 3224)
+++
branches/7.4.x/engine/src/test/java/org/teiid/dqp/internal/process/TestRequest.java 2011-06-07
01:21:33 UTC (rev 3225)
@@ -82,7 +82,12 @@
request.initialize(message, BufferManagerFactory.getStandaloneBufferManager(),
null,new FakeTransactionService(), TEMP_TABLE_STORE, workContext, null);
request.initMetadata();
- request.setAuthorizationValidator(new DataRoleAuthorizationValidator(true, true,
true));
+ DefaultAuthorizationValidator drav = new DefaultAuthorizationValidator();
+ DataRolePolicyDecider drpd = new DataRolePolicyDecider();
+ drpd.setAllowCreateTemporaryTablesByDefault(true);
+ drpd.setAllowFunctionCallsByDefault(true);
+ drav.setPolicyDecider(drpd);
+ request.setAuthorizationValidator(drav);
request.validateAccess(command);
}
@@ -136,7 +141,9 @@
request.initialize(message, Mockito.mock(BufferManager.class),
new FakeDataManager(), new FakeTransactionService(), TEMP_TABLE_STORE, workContext,
null);
- request.setAuthorizationValidator(new DataRoleAuthorizationValidator(false, true,
true));
+ DefaultAuthorizationValidator drav = new DefaultAuthorizationValidator();
+ drav.setEnabled(false);
+ request.setAuthorizationValidator(drav);
request.processRequest();
return request;
}