From teiid-commits at lists.jboss.org Mon Jun 28 10:47:11 2010 Content-Type: multipart/mixed; boundary="===============2767256870481255312==" MIME-Version: 1.0 From: teiid-commits at lists.jboss.org To: teiid-commits at lists.jboss.org Subject: [teiid-commits] teiid SVN: r2309 - in branches/7.0.x: documentation/admin-guide/src/main/docbook/en-US/content and 2 other directories. Date: Mon, 28 Jun 2010 10:47:11 -0400 Message-ID: <201006281447.o5SElBfi006729@svn01.web.mwc.hst.phx2.redhat.com> --===============2767256870481255312== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Author: shawkins Date: 2010-06-28 10:47:10 -0400 (Mon, 28 Jun 2010) New Revision: 2309 Added: branches/7.0.x/documentation/admin-guide/src/main/docbook/en-US/content/= performance.xml branches/7.0.x/documentation/reference/src/main/docbook/en-US/content/en= titlements.xml Modified: branches/7.0.x/client/src/main/java/org/teiid/jdbc/TeiidStatement.java branches/7.0.x/documentation/admin-guide/src/main/docbook/en-US/content/= security.xml branches/7.0.x/documentation/reference/src/main/docbook/en-US/Reference.= xml Log: adding doc content and correcting javadoc Modified: branches/7.0.x/client/src/main/java/org/teiid/jdbc/TeiidStatement= .java =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- branches/7.0.x/client/src/main/java/org/teiid/jdbc/TeiidStatement.java = 2010-06-28 14:43:04 UTC (rev 2308) +++ branches/7.0.x/client/src/main/java/org/teiid/jdbc/TeiidStatement.java = 2010-06-28 14:47:10 UTC (rev 2309) 
@@ -64,7 +64,7 @@ /** * Obtain the query planner debug log from the last command = * executed on this Statement, if it was requested with - * OPTION DEBUG. If no debug output was requested, this = + * SHOWPLAN DEBUG. If no debug output was requested, this = * method will return null. = * @return Debug log or null if no log exists */ Added: branches/7.0.x/documentation/admin-guide/src/main/docbook/en-US/cont= ent/performance.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- branches/7.0.x/documentation/admin-guide/src/main/docbook/en-US/content= /performance.xml (rev 0) +++ branches/7.0.x/documentation/admin-guide/src/main/docbook/en-US/content= /performance.xml 2010-06-28 14:47:10 UTC (rev 2309) @@ -0,0 +1,28 @@ + \ No newline at end of file Property changes on: branches/7.0.x/documentation/admin-guide/src/main/docb= ook/en-US/content/performance.xml ___________________________________________________________________ Name: svn:mime-type + text/plain Modified: branches/7.0.x/documentation/admin-guide/src/main/docbook/en-US/c= ontent/security.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- branches/7.0.x/documentation/admin-guide/src/main/docbook/en-US/content= /security.xml 2010-06-28 14:43:04 UTC (rev 2308) +++ branches/7.0.x/documentation/admin-guide/src/main/docbook/en-US/content= /security.xml 2010-06-28 14:47:10 UTC (rev 2309) @@ -3,7 +3,7 @@ Teiid Security The Teiid system provides a range of built-in and extensible securi= ty features to enable the - secure access of data. =C2=A0 + secure access of data. Authentication JDBC clients may use simple passwords to authenticate a user. 
@@ -11,6 +11,13 @@ identity of the user can be discerned by the password credential alone.= =C2=A0In any case it is up to the configured security domain to determine whethe= r a user can be authenticated. + = + By default, access to Teiid is NOT secure. The default logi= n modules are only = + backed by file based authentication, which has a well known user = + name and password. + The same is true for making connections to the Admin Console appl= ication. = + We DO NOT recommend leaving the default security profile as defin= ed when you = + are exposing sensitive data. Authorization @@ -59,6 +66,14 @@ Details of the failed attempt including invalid users, which domains were consulted, etc. will be in the server log with appropriate levels of severity. + + The security-domain defined for the JDBC connection and Admi= n connections are separate. + The default name of JDBC connection's security-domain is "teii= d-security". The default name for Admin connection + is "jmx-console". For the Admin connection's security domain, = the user is allowed = + to change which LoginModule that "jmx-console" pointing to, ho= wever should not change the name of the domain, as this name is + shared between the "admin-console" application. + = + = Built-in LoginModules JBossAS provides several LoginModules for common authentication n= eeds, such as authenticating from text files or LDAP. 
@@ -71,12 +86,52 @@ If you want use a your own Custom Login module, check out the = Developer's Guide for instructions. + = - - The security-domain defined for the JDBC connection and Admi= n connections are separate. - The default name of JDBC connection's security-domain is "teii= d-security". The default name for Admin connection - is "jmx-console". For the Admin connection's security domain, = the user is allowed = - to change which LoginModule that "jmx-console" pointing to, ho= wever should not change the name of the domain, as this name is - shared between the "admin-console" application. - = + = + + Configuring SSL + The Teiid's configuration file = + <jboss-install>/server/<profile>/deploy/teiid/te= iid-jboss-beans.xml, = + contains the properties to configure SSL. + + There are two separate connection profiles: + JDBC Connection - The JdbcSslConfigurati= on bean configuration defines this. + Admin Connection - The AdminSslConfigura= tion bean configuration defines this. + + Example Configuration + + false + cert.keystore + passwd + JKS + SSLv3 + false + cert.truststore + passwd + + 1-way + true +]]> = + + + Properties + sslEnabled - true|false, SSL usage either turn= ed ON or OFF + sslProtocol- Type of SSL protocol to be used. = Default is SSLv3 + keystoreType - Keystore type created by the ke= ytool. Default "JKS" is used. + authenticationMode - anonymous|1-way|2-way, T= ype of SSL mode, see = + above about different SSL modes available. + keymanagementAlgorithm - Type of key algorithm= used. Default = + is based upon the VM, e.g. "SunX509" + keystoreFilename - The file name of the keysto= re, which contains the = + private key of the Server. This must be available in the class= path of Teiid Server + keystorePassword - password for the keystore.<= /para> + truststoreFilename - if "authenticationMode" i= s chosen = + as "2-way", then this property must be provided. This is the t= ruststore that contains the = + public key for the client. 
Depending upon how you created the = keystore and truststores, = + this may be same file as defined under "keystoreFilename" pro= perty. + truststorePassword - password for the truststo= re. + = + = + \ No newline at end of file Modified: branches/7.0.x/documentation/reference/src/main/docbook/en-US/Ref= erence.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- branches/7.0.x/documentation/reference/src/main/docbook/en-US/Reference= .xml 2010-06-28 14:43:04 UTC (rev 2308) +++ branches/7.0.x/documentation/reference/src/main/docbook/en-US/Reference= .xml 2010-06-28 14:47:10 UTC (rev 2309) @@ -53,6 +53,7 @@ + Added: branches/7.0.x/documentation/reference/src/main/docbook/en-US/conten= t/entitlements.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- branches/7.0.x/documentation/reference/src/main/docbook/en-US/content/e= ntitlements.xml (rev 0) +++ branches/7.0.x/documentation/reference/src/main/docbook/en-US/content/e= ntitlements.xml 2010-06-28 14:47:10 UTC (rev 2309) 
@@ -0,0 +1,122 @@ + + +%CustomDTD; +]> + + Data Roles + Data roles, also called entitlements, are sets of permissions th= at are defined = + per VDB that dictate data access (create, read, update, delete). The = use of data roles is controlled system wide with the property in = + <jboss-install>/server/<profile>/deploy/teiid/teiid-= jboss-beans.xml file + in bean configuration section of RuntimeEngineDeployer wi= th property useEntitlements. + = + Once data roles are enabled, the access permissions defined in a= VDB will be enforced by the Teiid Server. + = + + Permissions + + To process a SELECT statement or a stored proc= edure execution, the user account requires the following access rights: + READ - on the Table(s) being access= ed or the procedure being called. + READ - on every column referenced.<= /para> + = + = + + To process an INSERT statement, the user accou= nt requires the following access rights: + CREATE - on the Table being inserte= d into. + CREATE - on every column being inse= rted on that Table. + = + = + + To process an UPDATE statement, the user accou= nt requires the following access rights: + UPDATE - on the Table being updated= . + UPDATE - on every column being upda= ted on that Table. + READ - on every column referenced i= n the criteria. + = + = + + To process a DELETE statement, the user account r= equires the following access rights: + DELETE - on the Table being deleted= . + READ - on every column referenced i= n the criteria. + = + + + + XML Definition + Data roles are defined inside the vdb.xml file (in= side the .vdb Zip archive under META-INF/vdb.xml) if you used Designer. = + This example will show a sample "vdb.xml" file with few simple data ru= les. + = + For example, if a VDB defines a table "TableA" in schema "modelN= ame" with columns (column1, column2) - note that the column types do not ma= tter. 
And we wish to define three roles "RoleA", "RoleB", "RoleC" with fol= lowing permissions: + + RoleA has privileges to read, write access to TableA, = but can not delete. + RoleB has no privileges that allow access to TableA + RoleC has privileges that only allow read access to Ta= bleA.column1 + + + vdb.xml defining RoleA, RoleB, and RoleC + + + + + + + + + Allow all, except Delete + + + modelName.TableA + + + + + + + modelName.TableA.colum1 + + + + + + + modelName.TableA.column2 + + + + + + role1 + + + + + Allow read only + + + modelName.TableA + + + + + modelName.TableA.colum1 + + + + role2 + +]]> = + = + The above XML defined two data roles, "RoleA" which allows everyt= hing except delete on the table, "RoleC" that = + allows only read operation on the table. Since Teiid uses deny by defau= lt, there is no explict data-policy entry needed for "RoleB". The "mapped-= role-name" defines the "role" to whom these policies are applicable. Each d= ata-policy = + must define a "role" to be enforced by the Teiid Server. + = + For assigning the roles to your users, in the JBoss AS, = + check out the instructions for the selected Login Module. Check "Admin = Guide" for configuring Login Modules. = + = + "vdb.xml" file is checked against the schema file vdb-deplo= yer.xsd, check the documents sections of the Teiid kit + to find a copy of the schema file. + = + Currently there is no GUI tooling support in the Designer o= r any other management tool to create this data roles = + permissions xml, however this is in our roadmap for future releases to = provide. + + + \ No newline at end of file Property changes on: branches/7.0.x/documentation/reference/src/main/docboo= k/en-US/content/entitlements.xml ___________________________________________________________________ Name: svn:mime-type + text/plain --===============2767256870481255312==--
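Review bot: the new performance.xml (hunk `@@ -0,0 +1,28 @@`) is committed with the property `svn:mime-type` set to `text/plain` and ends with "\ No newline at end of file"; the file is DocBook XML like the other sources under en-US/content, so the mime type should be `text/xml` (or `application/xml`), and a trailing newline should be added so later diffs of the file stay clean. The new entitlements.xml carries the same property change and the same missing final newline, so both should be fixed in the same follow-up.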
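Review bot: the warning paragraph added to security.xml in hunk `@@ -11,6 +11,13 @@` states the problem without the remedy. It says the default login modules are "backed by file based authentication, which has a well known user name and password" and that "We DO NOT recommend leaving the default security profile as defined when you are exposing sensitive data", but never says what to change. Add a sentence naming the action (replace the default credentials and point the "teiid-security" and "jmx-console" domains at a LoginModule backed by the site's own user store, as described in the Built-in LoginModules section), and drop the "when you are exposing sensitive data" qualifier, since a well-known default password is a problem for any reachable deployment regardless of what data it serves. It would also help to say that "NOT secure" refers to authentication, with transport encryption handled separately by the Configuring SSL section added in the same commit.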
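Review bot: the paragraph moved up in hunk `@@ -59,6 +66,14 @@` of security.xml keeps several grammar problems that are worth fixing while it is being touched: "The security-domain defined for the JDBC connection and Admin connections are separate" should read "The security domains defined for the JDBC connection and the Admin connection are separate", "The default name of JDBC connection's security-domain" should read "The default name of the JDBC connection's security domain", and "the user is allowed to change which LoginModule that "jmx-console" pointing to, however should not change the name of the domain, as this name is shared between the "admin-console" application" should read "the user may change which LoginModule "jmx-console" points to, but should not rename the domain, because the name is shared with the "admin-console" application".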
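Review bot: in the Configuring SSL section added by hunk `@@ -71,12 +86,52 @@` of security.xml, the property list refers to text that does not exist: "authenticationMode - anonymous|1-way|2-way, Type of SSL mode, see above about different SSL modes available", yet nothing above describes what anonymous, 1-way and 2-way mean or which keystore and truststore each mode requires; add that description before the list or correct the cross-reference. Three further points on the same hunk. First, the example configuration contains three boolean values (false, false, true) while the Properties list documents only one boolean, sslEnabled, so at least one setting shown in the example is undocumented, and the example should be checked so that sslEnabled is true in a section whose purpose is enabling SSL. Second, the keystore and truststore passwords ("passwd") sit in clear text in teiid-jboss-beans.xml, so the text should tell the administrator that the file must be protected accordingly. Third, "Default is SSLv3" deserves a note recommending a TLS protocol name where the JVM supports it. Wording: "The Teiid's configuration file" should be "The Teiid configuration file", and the 2-way truststore holds the trusted client certificates rather than "the public key for the client".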
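Review bot: the example in entitlements.xml (hunk `@@ -0,0 +1,122 @@`) does not match the prose around it. The text introduces roles RoleA, RoleB and RoleC, but the mapped-role-name values in the XML read "role1" and "role2"; since the following paragraph says that mapped-role-name "defines the "role" to whom these policies are applicable", either use the same names in both places or state explicitly that the data-policy name and the container role it maps to are different things. The column name appears twice as "modelName.TableA.colum1" where the prose uses column1, so the permission as written does not name the column the text describes. The paragraph on useEntitlements should state its default value so readers know whether the roles in a VDB are enforced out of the box, and the Permissions list could say whether an INSERT with a query expression also needs READ on the source columns, as UPDATE and DELETE do for their criteria. Wording: "RoleA has privileges to read, write access to TableA, but can not delete" should read "RoleA can read and write TableA but cannot delete from it", "The above XML defined two data roles" should read "defines", "explict" should read "explicit", and "this data roles permissions xml" should read "these data role permissions in XML".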