From teiid-commits at lists.jboss.org Mon Jun 28 10:47:11 2010
From: teiid-commits at lists.jboss.org
To: teiid-commits at lists.jboss.org
Subject: [teiid-commits] teiid SVN: r2309 - in branches/7.0.x: documentation/admin-guide/src/main/docbook/en-US/content and 2 other directories.
Date: Mon, 28 Jun 2010 10:47:11 -0400
Message-ID: <201006281447.o5SElBfi006729@svn01.web.mwc.hst.phx2.redhat.com>
Author: shawkins
Date: 2010-06-28 10:47:10 -0400 (Mon, 28 Jun 2010)
New Revision: 2309
Added:
branches/7.0.x/documentation/admin-guide/src/main/docbook/en-US/content/performance.xml
branches/7.0.x/documentation/reference/src/main/docbook/en-US/content/entitlements.xml
Modified:
branches/7.0.x/client/src/main/java/org/teiid/jdbc/TeiidStatement.java
branches/7.0.x/documentation/admin-guide/src/main/docbook/en-US/content/security.xml
branches/7.0.x/documentation/reference/src/main/docbook/en-US/Reference.xml
Log:
adding doc content and correcting javadoc
Modified: branches/7.0.x/client/src/main/java/org/teiid/jdbc/TeiidStatement.java
===================================================================
--- branches/7.0.x/client/src/main/java/org/teiid/jdbc/TeiidStatement.java =
2010-06-28 14:43:04 UTC (rev 2308)
+++ branches/7.0.x/client/src/main/java/org/teiid/jdbc/TeiidStatement.java =
2010-06-28 14:47:10 UTC (rev 2309)
@@ -64,7 +64,7 @@
/**
* Obtain the query planner debug log from the last command =
* executed on this Statement, if it was requested with
- * OPTION DEBUG. If no debug output was requested, this =
+ * SHOWPLAN DEBUG. If no debug output was requested, this =
* method will return null. =
* @return Debug log or null if no log exists
*/
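Review bot: the `OPTION DEBUG` to `SHOWPLAN DEBUG` correction is the only change here, but the unchanged context lines of this javadoc carry trailing whitespace (visible as the `=` soft breaks after `command`, `this` and `null.`); trim it while the comment is being touched, and consider `{@code SHOWPLAN DEBUG}` so the option name renders as code. Since the value is the query planner's own debug output, the javadoc could also say that callers should treat it as diagnostic data for developers rather than something to return to end users.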
Added: branches/7.0.x/documentation/admin-guide/src/main/docbook/en-US/content/performance.xml
===================================================================
--- branches/7.0.x/documentation/admin-guide/src/main/docbook/en-US/content=
/performance.xml (rev 0)
+++ branches/7.0.x/documentation/admin-guide/src/main/docbook/en-US/content=
/performance.xml 2010-06-28 14:47:10 UTC (rev 2309)
@@ -0,0 +1,28 @@
+
\ No newline at end of file
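Review bot: the hunk header `@@ -0,0 +1,28 @@` promises 28 added lines, but only a blank `+` line and `\ No newline at end of file` appear in this message, so the content of performance.xml cannot be reviewed from the commit mail; please confirm the file was committed with its content. The property block that follows also registers it as `svn:mime-type` `text/plain` although the sibling DocBook sources are XML, and the file lacks a trailing newline.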
Property changes on: branches/7.0.x/documentation/admin-guide/src/main/docbook/en-US/content/performance.xml
___________________________________________________________________
Name: svn:mime-type
+ text/plain
Modified: branches/7.0.x/documentation/admin-guide/src/main/docbook/en-US/content/security.xml
===================================================================
--- branches/7.0.x/documentation/admin-guide/src/main/docbook/en-US/content=
/security.xml 2010-06-28 14:43:04 UTC (rev 2308)
+++ branches/7.0.x/documentation/admin-guide/src/main/docbook/en-US/content=
/security.xml 2010-06-28 14:47:10 UTC (rev 2309)
@@ -3,7 +3,7 @@
Teiid SecurityThe Teiid system provides a range of built-in and extensible securi=
ty features to enable the
- secure access of data. =C2=A0
+ secure access of data.
AuthenticationJDBC clients may use simple passwords to authenticate a user.
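Review bot: the only change in this hunk is dropping a trailing non-breaking space (`=C2=A0`) after "secure access of data."; the same character survives in the next hunk's context line ("credential alone.=C2=A0In"), so both should be cleaned in one pass rather than leaving one behind.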
@@ -11,6 +11,13 @@
identity of the user can be discerned by the password credential alone.=
=C2=A0In
any case it is up to the configured security domain to determine whethe=
r a user can be
authenticated.
+ =
+ By default, access to Teiid is NOT secure. The default logi=
n modules are only =
+ backed by file based authentication, which has a well known user =
+ name and password.
+ The same is true for making connections to the Admin Console appl=
ication. =
+ We DO NOT recommend leaving the default security profile as defin=
ed when you =
+ are exposing sensitive data.Authorization
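Review bot: the added paragraph is the most security-relevant text in this commit, yet it is a plain paragraph; in DocBook it would be far more visible as a `<warning>` (or `<important>`) admonition, and it should cross-reference the "Built-in LoginModules" section so readers know where to replace the file-based default with a real login module. The sentence "leaving the default security profile as defined when you are exposing sensitive data" reads awkwardly; "leaving the default security configuration in place when exposing sensitive data" is clearer. The hunk also adds lines consisting only of whitespace (`+ =` at its top) that should be dropped.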
@@ -59,6 +66,14 @@
Details of the failed attempt including invalid users, which
domains were consulted, etc. will be in the server log with appropriate
levels of severity.
+
+ The security-domain defined for the JDBC connection and Admi=
n connections are separate.
+ The default name of JDBC connection's security-domain is "teii=
d-security". The default name for Admin connection
+ is "jmx-console". For the Admin connection's security domain, =
the user is allowed =
+ to change which LoginModule that "jmx-console" pointing to, ho=
wever should not change the name of the domain, as this name is
+ shared between the "admin-console" application.
+ =
+ =
Built-in LoginModulesJBossAS provides several LoginModules for common authentication n=
eeds, such as authenticating from text files or LDAP.
@@ -71,12 +86,52 @@
If you want use a your own Custom Login module, check out the =
Developer's Guide for instructions.
+ =
-
- The security-domain defined for the JDBC connection and Admi=
n connections are separate.
- The default name of JDBC connection's security-domain is "teii=
d-security". The default name for Admin connection
- is "jmx-console". For the Admin connection's security domain, =
the user is allowed =
- to change which LoginModule that "jmx-console" pointing to, ho=
wever should not change the name of the domain, as this name is
- shared between the "admin-console" application.
- =
+ =
+
+ Configuring SSL
+ The Teiid's configuration file =
+ <jboss-install>/server/<profile>/deploy/teiid/te=
iid-jboss-beans.xml, =
+ contains the properties to configure SSL.
+
+ There are two separate connection profiles:
+ JDBC Connection - The JdbcSslConfigurati=
on bean configuration defines this.
+ Admin Connection - The AdminSslConfigura=
tion bean configuration defines this.
+
+ Example Configuration
+
+ false
+ cert.keystore
+ passwd
+ JKS
+ SSLv3
+ false
+ cert.truststore
+ passwd
+
+ 1-way
+ true
+]]> =
+
+
+ Properties
+ sslEnabled - true|false, SSL usage either turn=
ed ON or OFF
+ sslProtocol- Type of SSL protocol to be used. =
Default is SSLv3
+ keystoreType - Keystore type created by the ke=
ytool. Default "JKS" is used.
+ authenticationMode - anonymous|1-way|2-way, T=
ype of SSL mode, see =
+ above about different SSL modes available.
+ keymanagementAlgorithm - Type of key algorithm=
used. Default =
+ is based upon the VM, e.g. "SunX509"
+ keystoreFilename - The file name of the keysto=
re, which contains the =
+ private key of the Server. This must be available in the class=
path of Teiid Server
+ keystorePassword - password for the keystore.<=
/para>
+ truststoreFilename - if "authenticationMode" i=
s chosen =
+ as "2-way", then this property must be provided. This is the t=
ruststore that contains the =
+ public key for the client. Depending upon how you created the =
keystore and truststores, =
+ this may be same file as defined under "keystoreFilename" pro=
perty.
+ truststorePassword - password for the truststo=
re.
+ =
+ =
+
\ No newline at end of file
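Review bot: the `authenticationMode` entry says "see above about different SSL modes available", but nothing in this section (or in the earlier hunks) describes what anonymous, 1-way and 2-way mean; either add that description here or drop the reference. The example stores `passwd` in clear text for both keystore and truststore inside teiid-jboss-beans.xml, so the text should say that the file must be protected accordingly (or point to whichever password-masking mechanism the server supports, if any). `sslProtocol` documents `SSLv3` as the default; SSLv3 is now deprecated, so document a TLS protocol name as the recommended value if the underlying JSSE provider accepts it. Smaller points: "sslProtocol-" is missing a space; "contains the public key for the client" is more precisely "contains the certificates of the clients that are trusted"; "this may be same file" should be "this may be the same file"; and the unchanged context line "If you want use a your own Custom Login module" still has the "use a your" typo. The hunk also carries several whitespace-only `+ =` lines.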
Modified: branches/7.0.x/documentation/reference/src/main/docbook/en-US/Reference.xml
===================================================================
--- branches/7.0.x/documentation/reference/src/main/docbook/en-US/Reference=
.xml 2010-06-28 14:43:04 UTC (rev 2308)
+++ branches/7.0.x/documentation/reference/src/main/docbook/en-US/Reference=
.xml 2010-06-28 14:47:10 UTC (rev 2309)
@@ -53,6 +53,7 @@
+
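Review bot: the single added line is blank as it appears in this message; if it is the include for the new entitlements chapter, its path should match content/entitlements.xml added below in this commit, and the chapter order in Reference.xml should be checked once the include is visible.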
Added: branches/7.0.x/documentation/reference/src/main/docbook/en-US/content/entitlements.xml
===================================================================
--- branches/7.0.x/documentation/reference/src/main/docbook/en-US/content/e=
ntitlements.xml (rev 0)
+++ branches/7.0.x/documentation/reference/src/main/docbook/en-US/content/e=
ntitlements.xml 2010-06-28 14:47:10 UTC (rev 2309)
@@ -0,0 +1,122 @@
+
+
+%CustomDTD;
+]>
+
+ Data Roles
+ Data roles, also called entitlements, are sets of permissions th=
at are defined =
+ per VDB that dictate data access (create, read, update, delete). The =
use of data roles is controlled system wide with the property in =
+ <jboss-install>/server/<profile>/deploy/teiid/teiid-=
jboss-beans.xml file
+ in bean configuration section of RuntimeEngineDeployer wi=
th property useEntitlements.
+ =
+ Once data roles are enabled, the access permissions defined in a=
VDB will be enforced by the Teiid Server.
+ =
+
+ Permissions
+
+ To process a SELECT statement or a stored proc=
edure execution, the user account requires the following access rights:
+ READ - on the Table(s) being access=
ed or the procedure being called.
+ READ - on every column referenced.<=
/para>
+ =
+ =
+
+ To process an INSERT statement, the user accou=
nt requires the following access rights:
+ CREATE - on the Table being inserte=
d into.
+ CREATE - on every column being inse=
rted on that Table.
+ =
+ =
+
+ To process an UPDATE statement, the user accou=
nt requires the following access rights:
+ UPDATE - on the Table being updated=
.
+ UPDATE - on every column being upda=
ted on that Table.
+ READ - on every column referenced i=
n the criteria.
+ =
+ =
+
+ To process a DELETE statement, the user account r=
equires the following access rights:
+ DELETE - on the Table being deleted=
.
+ READ - on every column referenced i=
n the criteria.
+ =
+
+
+
+ XML Definition
+ Data roles are defined inside the vdb.xml file (in=
side the .vdb Zip archive under META-INF/vdb.xml) if you used Designer. =
+ This example will show a sample "vdb.xml" file with few simple data ru=
les.
+ =
+ For example, if a VDB defines a table "TableA" in schema "modelN=
ame" with columns (column1, column2) - note that the column types do not ma=
tter. And we wish to define three roles "RoleA", "RoleB", "RoleC" with fol=
lowing permissions:
+
+ RoleA has privileges to read, write access to TableA, =
but can not delete.
+ RoleB has no privileges that allow access to TableA
+ RoleC has privileges that only allow read access to Ta=
bleA.column1
+
+
+ vdb.xml defining RoleA, RoleB, and RoleC
+
+
+
+
+
+
+
+
+ Allow all, except Delete
+
+
+ modelName.TableA
+
+
+
+
+
+
+ modelName.TableA.colum1
+
+
+
+
+
+
+ modelName.TableA.column2
+
+
+
+
+
+ role1
+
+
+
+
+ Allow read only
+
+
+ modelName.TableA
+
+
+
+
+ modelName.TableA.colum1
+
+
+
+ role2
+
+]]> =
+ =
+ The above XML defined two data roles, "RoleA" which allows everyt=
hing except delete on the table, "RoleC" that =
+ allows only read operation on the table. Since Teiid uses deny by defau=
lt, there is no explict data-policy entry needed for "RoleB". The "mapped-=
role-name" defines the "role" to whom these policies are applicable. Each d=
ata-policy =
+ must define a "role" to be enforced by the Teiid Server.
+ =
+ For assigning the roles to your users, in the JBoss AS, =
+ check out the instructions for the selected Login Module. Check "Admin =
Guide" for configuring Login Modules. =
+ =
+ "vdb.xml" file is checked against the schema file vdb-deplo=
yer.xsd, check the documents sections of the Teiid kit
+ to find a copy of the schema file.
+ =
+ Currently there is no GUI tooling support in the Designer o=
r any other management tool to create this data roles =
+ permissions xml, however this is in our roadmap for future releases to =
provide.
+
+
+
\ No newline at end of file
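Review bot: the sample vdb.xml does not match the prose it illustrates. The prose describes a column "column1", but the example grants on `modelName.TableA.colum1` twice (in both policies); because Teiid denies by default, a misspelled resource name silently matches nothing, so a reader who copies the example would get "RoleC" with no column1 access at all. The prose names the roles RoleA, RoleB and RoleC, while the `mapped-role-name` values in the example are `role1` and `role2`; either align the names or explain that the data-policy name and the mapped role name are distinct. In the intro, "if you used Designer" conflicts with the closing note that Designer has no tooling for data roles; say instead that the file lives at META-INF/vdb.xml inside a Designer-built .vdb and is edited by hand. The paragraph on `useEntitlements` should also state its default value, since the new warning in security.xml stresses that the default profile is not secure. Typos: "explict", "can not" (cannot), "this data roles permissions xml" (these), and the example's "Allow read only" description should spell out that it is read on TableA and column1 only.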
Property changes on: branches/7.0.x/documentation/reference/src/main/docbook/en-US/content/entitlements.xml
___________________________________________________________________
Name: svn:mime-type
+ text/plain