Author: shawkins Date: 2011-04-15 17:19:47 -0400 (Fri, 15 Apr 2011) New Revision: 3097 Modified: trunk/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml trunk/build/kits/jboss-container/teiid-releasenotes.html trunk/documentation/developer-guide/src/main/docbook/en-US/content/udf.xml trunk/documentation/reference/src/main/docbook/en-US/content/dataroles.xml trunk/engine/src/main/java/org/teiid/dqp/internal/process/AuthorizationValidationVisitor.java trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPConfiguration.java trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPCore.java trunk/engine/src/main/java/org/teiid/dqp/internal/process/DataRoleAuthorizationValidator.java trunk/engine/src/main/java/org/teiid/query/function/FunctionDescriptor.java trunk/engine/src/main/java/org/teiid/query/function/FunctionTree.java trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestAuthorizationValidationVisitor.java trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestPreparedStatement.java trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestRequest.java Log: TEIID-1550 adding support for permission checks against functions Modified: trunk/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml =================================================================== --- trunk/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml 2011-04-15 21:17:56 UTC (rev 3096) +++ trunk/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml 2011-04-15 21:19:47 UTC (rev 3097) @@ -119,8 +119,10 @@ <property name="lobChunkSizeInKB">100</property> <!-- Turn on role checking based upon the data roles defined in VDBs. (default true) --> <property name="useDataRoles">true</property> - <!-- Sets whether temporary table usage is enabled by default (default true) --> + <!-- Sets whether temporary table usage is allowed by default with data roles enabled. If false, the user must have a role that grants creates temporary table rights to use temporary tables. (default true) --> <property name="allowCreateTemporaryTablesByDefault">true</property> + <!-- Sets whether functions may be called by default with data roles enabled. If false, a specific permission must exist to call the function. (default true) --> + <property name="allowFunctionCallsByDefault">true</property> <!-- Long running query threshold, after which a alert can be generated by tooling if configured--> <property name="queryThresholdInSecs">600</property> <!-- Maximum rows allowed from a source query. -1 indicates no limit. (default -1)--> Modified: trunk/build/kits/jboss-container/teiid-releasenotes.html =================================================================== --- trunk/build/kits/jboss-container/teiid-releasenotes.html 2011-04-15 21:17:56 UTC (rev 3096) +++ trunk/build/kits/jboss-container/teiid-releasenotes.html 2011-04-15 21:19:47 UTC (rev 3097) @@ -51,7 +51,8 @@ <LI><B>Cost based back-off</B> - for cost based dependent joins if the number of independent values is too large, then the join will be performed as normal. </UL> <LI><B>Enhanced Sort Join</B> - the partitioned merge join was replaced with an enhanced sort join. The enhanced sort join will use the actual row counts from each side of the relation to perform a index based join if one side is small enough, a partial sort of the larger side and a repeated merge join if the tuples are unbalanced but one side is not small enough to form an index, or a standard sort merge join if the tuples are balanced. - <LI><B>JDK1.5 JDBC Client JAR</B> - A retro-translated Teiid client JDBC jar now available to use with JDK 1.5 VM. Note only JDBC API supported, not Admin API. + <LI><B>JDK1.5 JDBC Client JAR</B> - A retro-translated Teiid client JDBC jar now available to use with JDK 1.5 VM. Note only the JDBC API is supported, not the Admin API, or retrieving query plans as XML. + <LI><B>Security Improvements</B> - UDF and pushdown functions can now be protected with data roles. Also the CommandContext can provide the Subject for custom security checks in UDFs. </UL> <h2><a name="Compatibility">Compatibility Issues</a></h2> @@ -122,6 +123,7 @@ <LI>SocketConfiguration.maxSocketThreads will interpret a setting of 0 to mean use the system default of max available processors. Both the ODBC and JDBC transports now default to the 0 setting. <LI>maxReserveBatchColumns and maxProcessingBatchesColumns will interpret a setting of -1 to mean auto-calculate acceptable values given the max heap and other information. See the admin guide for more. <LI>The default for org.teiid.useValueCache has changed to false, since typical installations will not greatly benefit from the additional lookup cost. + <LI>The property RuntimeEngineDeployer.allowFunctionCallsByDefault was added so that Teiid 7.4 behavior is compatible with Teiid 7.3. Set this property to false to require permissions for function calls when data roles are enabled. </ul> <h4>from 7.2</h4> Modified: trunk/documentation/developer-guide/src/main/docbook/en-US/content/udf.xml =================================================================== --- trunk/documentation/developer-guide/src/main/docbook/en-US/content/udf.xml 2011-04-15 21:17:56 UTC (rev 3096) +++ trunk/documentation/developer-guide/src/main/docbook/en-US/content/udf.xml 2011-04-15 21:19:47 UTC (rev 3097) @@ -174,7 +174,7 @@ </listitem> </itemizedlist> <para>You may optionally add an additional <code>org.teiid.CommandContext</code> argument as the first parameter. - The <code>CommandContext</code> interface provides access to information about the current command, such as the executing user, the vdb, the session id, etc. + The <code>CommandContext</code> interface provides access to information about the current command, such as the executing user, Subject, the vdb, the session id, etc. This <code>CommandContext</code> parameter does not need to be delared in the function metadata.</para> <example> <title>Sample code</title> Modified: trunk/documentation/reference/src/main/docbook/en-US/content/dataroles.xml =================================================================== --- trunk/documentation/reference/src/main/docbook/en-US/content/dataroles.xml 2011-04-15 21:17:56 UTC (rev 3096) +++ trunk/documentation/reference/src/main/docbook/en-US/content/dataroles.xml 2011-04-15 21:19:47 UTC (rev 3097) @@ -76,6 +76,13 @@ <para>To process a <emphasis>EXEC</emphasis> statement, the user account requires the following access rights:</para> <listitem> <para><emphasis>READ</emphasis> - on the Procedure being executed.</para></listitem> </orderedlist> + + <orderedlist> + <para>To process any function, the user account requires the following access rights:</para> + <listitem> <para><emphasis>READ</emphasis> - on the Function being called.</para> </listitem> + <note><para>For backwards compatibility RuntimeEngineDeployer.allowFunctionCallsByDefault located in the &jboss-beans; file in the <code>RuntimeEngineDeployer</code> section defaults to true. + This means that to actually require permissions for functions, you need to set this property to false.</para></note> + </orderedlist> </section> Modified: trunk/engine/src/main/java/org/teiid/dqp/internal/process/AuthorizationValidationVisitor.java =================================================================== --- trunk/engine/src/main/java/org/teiid/dqp/internal/process/AuthorizationValidationVisitor.java 2011-04-15 21:17:56 UTC (rev 3096) +++ trunk/engine/src/main/java/org/teiid/dqp/internal/process/AuthorizationValidationVisitor.java 2011-04-15 21:19:47 UTC (rev 3097) @@ -35,6 +35,7 @@ import java.util.Set; import org.teiid.adminapi.DataPolicy; +import org.teiid.adminapi.DataPolicy.PermissionType; import org.teiid.adminapi.impl.DataPolicyMetadata; import org.teiid.api.exception.query.QueryMetadataException; import org.teiid.core.CoreConstants; @@ -49,6 +50,7 @@ import org.teiid.query.function.FunctionLibrary; import org.teiid.query.metadata.TempMetadataID; import org.teiid.query.resolver.util.ResolverUtil; +import org.teiid.query.sql.LanguageObject; import org.teiid.query.sql.lang.Create; import org.teiid.query.sql.lang.Delete; import org.teiid.query.sql.lang.Drop; @@ -75,12 +77,14 @@ INSERT, UPDATE, DELETE, + FUNCTION, STORED_PROCEDURE; } private HashMap<String, DataPolicy> allowedPolicies; private String userName; private boolean allowCreateTemporaryTablesDefault = true; + private boolean allowFunctionCallsByDefault = true; public AuthorizationValidationVisitor(HashMap<String, DataPolicy> policies, String user) { this.allowedPolicies = policies; @@ -91,6 +95,10 @@ boolean allowCreateTemporaryTablesDefault) { this.allowCreateTemporaryTablesDefault = allowCreateTemporaryTablesDefault; } + + public void setAllowFunctionCallsByDefault(boolean allowFunctionCallsDefault) { + this.allowFunctionCallsByDefault = allowFunctionCallsDefault; + } // ############### Visitor methods for language objects ################## @@ -123,7 +131,7 @@ logResult(resources, context, allowed); if (!allowed) { handleValidationError( - QueryPlugin.Util.getString("ERR.018.005.0095", userName, "CREATE_TEMPORARY_TABLES"), //$NON-NLS-1$ + QueryPlugin.Util.getString("ERR.018.005.0095", userName, "CREATE_TEMPORARY_TABLES"), //$NON-NLS-1$ //$NON-NLS-2$ symbols); } } @@ -177,6 +185,13 @@ } catch (TeiidProcessingException e) { handleException(e, obj); } + } else if (!allowFunctionCallsByDefault) { + String schema = obj.getFunctionDescriptor().getSchema(); + if (schema != null && !CoreConstants.SYSTEM_MODEL.equals(schema)) { + Map<String, Function> map = new HashMap<String, Function>(); + map.put(schema + '.' + obj.getFunctionDescriptor().getName(), obj); + validateEntitlements(PermissionType.READ, Context.FUNCTION, map); + } } } @@ -273,9 +288,9 @@ * @param actionCode The actions to validate for * @param auditContext The {@link AuthorizationService} to use when resource auditing is done. */ - protected void validateEntitlements(Collection<? extends Symbol> symbols, DataPolicy.PermissionType actionCode, Context auditContext) { - Map<String, Symbol> nameToSymbolMap = new HashMap<String, Symbol>(); - for (Symbol symbol : symbols) { + protected void validateEntitlements(Collection<? extends LanguageObject> symbols, DataPolicy.PermissionType actionCode, Context auditContext) { + Map<String, LanguageObject> nameToSymbolMap = new HashMap<String, LanguageObject>(); + for (LanguageObject symbol : symbols) { try { String fullName = null; Object metadataID = null; @@ -305,24 +320,31 @@ } } - if (!nameToSymbolMap.isEmpty()) { - Collection<String> inaccessibleResources = getInaccessibleResources(actionCode, nameToSymbolMap.keySet(), auditContext); - if(inaccessibleResources.size() > 0) { - List<Symbol> inaccessibleSymbols = new ArrayList<Symbol>(inaccessibleResources.size()); - for (String name : inaccessibleResources) { - inaccessibleSymbols.add(nameToSymbolMap.get(name)); - } - - // CASE 2362 - do not include the names of the elements for which the user - // is not authorized in the exception message - - handleValidationError( - QueryPlugin.Util.getString("ERR.018.005.0095", userName, actionCode), //$NON-NLS-1$ - inaccessibleSymbols); - } - } + validateEntitlements(actionCode, auditContext, nameToSymbolMap); } + private void validateEntitlements(DataPolicy.PermissionType actionCode, + Context auditContext, Map<String, ? extends LanguageObject> nameToSymbolMap) { + if (nameToSymbolMap.isEmpty()) { + return; + } + Collection<String> inaccessibleResources = getInaccessibleResources(actionCode, nameToSymbolMap.keySet(), auditContext); + if(inaccessibleResources.isEmpty()) { + return; + } + List<LanguageObject> inaccessibleSymbols = new ArrayList<LanguageObject>(inaccessibleResources.size()); + for (String name : inaccessibleResources) { + inaccessibleSymbols.add(nameToSymbolMap.get(name)); + } + + // CASE 2362 - do not include the names of the elements for which the user + // is not authorized in the exception message + + handleValidationError( + QueryPlugin.Util.getString("ERR.018.005.0095", userName, actionCode), //$NON-NLS-1$ + inaccessibleSymbols); + } + /** * Out of resources specified, return the subset for which the specified not have authorization to access. */ Modified: trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPConfiguration.java =================================================================== --- trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPConfiguration.java 2011-04-15 21:17:56 UTC (rev 3096) +++ trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPConfiguration.java 2011-04-15 21:19:47 UTC (rev 3097) @@ -59,6 +59,7 @@ private transient AuthorizationValidator authorizationValidator; private transient MetadataProvider metadataProvider; + private boolean allowFunctionCallsByDefault; @ManagementProperty(description="Max active plans (default 20). Increase this value, and max threads, on highly concurrent systems - but ensure that the underlying pools can handle the increased load without timeouts.") public int getMaxActivePlans() { @@ -147,7 +148,7 @@ * Whether temporary table usage is enabled by default. * @return <code>true</code> if temporary table usage is enabled by default. */ - @ManagementProperty(description="Sets whether temporary table usage is enabled by default. (default true)") + @ManagementProperty(description="Sets whether temporary table usage is allowed by default with data roles enabled. If false, the user must have a role that grants creates temporary table rights to use temporary tables. (default true)") public boolean isAllowCreateTemporaryTablesByDefault() { return allowCreateTemporaryTablesByDefault; } @@ -157,6 +158,19 @@ this.allowCreateTemporaryTablesByDefault = allowCreateTemporaryTablesByDefault; } + /** + * Whether functions are callable by default + * @return <code>true</code> if function usage is enabled by default. + */ + @ManagementProperty(description="Sets whether functions may be called by default with data roles enabled. If false, a specific permission must exist to call the function. (default true)") + public boolean isAllowFunctionCallsByDefault() { + return allowFunctionCallsByDefault; + } + + public void setAllowFunctionCallsByDefault(boolean allowFunctionCallsDefault) { + this.allowFunctionCallsByDefault = allowFunctionCallsDefault; + } + @ManagementProperty(description="Long running query threshold, after which a alert can be generated by tooling if configured") public int getQueryThresholdInSecs() { return queryThresholdInSecs; Modified: trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPCore.java =================================================================== --- trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPCore.java 2011-04-15 21:17:56 UTC (rev 3096) +++ trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPCore.java 2011-04-15 21:19:47 UTC (rev 3097) @@ -670,7 +670,7 @@ this.config = config; this.authorizationValidator = config.getAuthorizationValidator(); if (this.authorizationValidator == null) { - this.authorizationValidator = new DataRoleAuthorizationValidator(config.getUseDataRoles(), config.isAllowCreateTemporaryTablesByDefault()); + this.authorizationValidator = new DataRoleAuthorizationValidator(config.getUseDataRoles(), config.isAllowCreateTemporaryTablesByDefault(), config.isAllowFunctionCallsByDefault()); } this.chunkSize = config.getLobChunkSizeInKB() * 1024; Modified: trunk/engine/src/main/java/org/teiid/dqp/internal/process/DataRoleAuthorizationValidator.java =================================================================== --- trunk/engine/src/main/java/org/teiid/dqp/internal/process/DataRoleAuthorizationValidator.java 2011-04-15 21:17:56 UTC (rev 3096) +++ trunk/engine/src/main/java/org/teiid/dqp/internal/process/DataRoleAuthorizationValidator.java 2011-04-15 21:19:47 UTC (rev 3097) @@ -34,11 +34,13 @@ private boolean useEntitlements; private boolean allowCreateTemporaryTablesByDefault; + private boolean allowFunctionCallsByDefault; public DataRoleAuthorizationValidator(boolean useEntitlements, - boolean allowCreateTemporaryTablesByDefault) { + boolean allowCreateTemporaryTablesByDefault, boolean allowFunctionCallsByDefault) { this.useEntitlements = useEntitlements; this.allowCreateTemporaryTablesByDefault = allowCreateTemporaryTablesByDefault; + this.allowFunctionCallsByDefault = allowFunctionCallsByDefault; } @Override @@ -46,6 +48,7 @@ if (useEntitlements && !workContext.getVDB().getDataPolicies().isEmpty()) { AuthorizationValidationVisitor visitor = new AuthorizationValidationVisitor(workContext.getAllowedDataPolicies(), workContext.getUserName()); visitor.setAllowCreateTemporaryTablesDefault(allowCreateTemporaryTablesByDefault); + visitor.setAllowFunctionCallsByDefault(allowFunctionCallsByDefault); Request.validateWithVisitor(visitor, metadata, command); } } Modified: trunk/engine/src/main/java/org/teiid/query/function/FunctionDescriptor.java =================================================================== --- trunk/engine/src/main/java/org/teiid/query/function/FunctionDescriptor.java 2011-04-15 21:17:56 UTC (rev 3096) +++ trunk/engine/src/main/java/org/teiid/query/function/FunctionDescriptor.java 2011-04-15 21:19:47 UTC (rev 3097) @@ -52,6 +52,7 @@ private Class<?> returnType; private boolean requiresContext; private FunctionMethod method; + private String schema; //TODO: remove me - we need to create a proper schema for udf and system functions // This is transient as it would be useless to invoke this method in // a different VM. This function descriptor can be used to look up @@ -70,7 +71,15 @@ this.requiresContext = requiresContext; this.method = method; } - + + public String getSchema() { + return schema; + } + + public void setSchema(String schema) { + this.schema = schema; + } + public String getName() { return this.method.getName(); } Modified: trunk/engine/src/main/java/org/teiid/query/function/FunctionTree.java =================================================================== --- trunk/engine/src/main/java/org/teiid/query/function/FunctionTree.java 2011-04-15 21:17:56 UTC (rev 3096) +++ trunk/engine/src/main/java/org/teiid/query/function/FunctionTree.java 2011-04-15 21:19:47 UTC (rev 3097) @@ -223,6 +223,7 @@ } FunctionDescriptor descriptor = createFunctionDescriptor(source, method, inputTypes, types); + descriptor.setSchema(schema); // Store this path in the function tree int index = -1; Modified: trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestAuthorizationValidationVisitor.java =================================================================== --- trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestAuthorizationValidationVisitor.java 2011-04-15 21:17:56 UTC (rev 3096) +++ trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestAuthorizationValidationVisitor.java 2011-04-15 21:19:47 UTC (rev 3097) @@ -27,7 +27,6 @@ import java.util.Arrays; import java.util.HashMap; import java.util.HashSet; -import java.util.Iterator; import java.util.Set; import org.junit.Ignore; @@ -41,11 +40,16 @@ import org.teiid.api.exception.query.QueryResolverException; import org.teiid.api.exception.query.QueryValidatorException; import org.teiid.core.TeiidComponentException; +import org.teiid.query.function.FunctionLibrary; +import org.teiid.query.function.FunctionTree; import org.teiid.query.metadata.QueryMetadataInterface; +import org.teiid.query.optimizer.FakeFunctionMetadataSource; import org.teiid.query.parser.QueryParser; import org.teiid.query.resolver.QueryResolver; +import org.teiid.query.sql.LanguageObject; import org.teiid.query.sql.lang.Command; -import org.teiid.query.sql.symbol.Symbol; +import org.teiid.query.sql.symbol.ElementSymbol; +import org.teiid.query.unittest.FakeMetadataFacade; import org.teiid.query.unittest.FakeMetadataFactory; import org.teiid.query.validator.Validator; import org.teiid.query.validator.ValidatorFailure; @@ -121,8 +125,8 @@ svc.addPermission(addResource(DataPolicy.PermissionType.DELETE, "pm1.g4.e1")); //$NON-NLS-1$ svc.addPermission(addResource(DataPolicy.PermissionType.DELETE, "pm1.g4.e2")); //$NON-NLS-1$ - // pm1.sq2 svc.addPermission(addResource(DataPolicy.PermissionType.READ, "pm1.sq1")); //$NON-NLS-1$ + svc.addPermission(addResource(DataPolicy.PermissionType.READ, "foo.xyz")); //$NON-NLS-1$ return svc; } @@ -157,18 +161,21 @@ policies.put(policy.getName(), policy); AuthorizationValidationVisitor visitor = new AuthorizationValidationVisitor(policies, "test"); //$NON-NLS-1$ + visitor.setAllowFunctionCallsByDefault(false); ValidatorReport report = Validator.validate(command, metadata, visitor); if(report.hasItems()) { - ValidatorFailure firstFailure = (ValidatorFailure) report.getItems().iterator().next(); + ValidatorFailure firstFailure = report.getItems().iterator().next(); // strings - Set expected = new HashSet(Arrays.asList(expectedInaccesible)); + Set<String> expected = new HashSet<String>(Arrays.asList(expectedInaccesible)); // elements - Set actual = new HashSet(); - Iterator iter = firstFailure.getInvalidObjects().iterator(); - while(iter.hasNext()) { - Symbol symbol = (Symbol) iter.next(); - actual.add(symbol.getName()); + Set<String> actual = new HashSet<String>(); + for (LanguageObject obj : firstFailure.getInvalidObjects()) { + if (obj instanceof ElementSymbol) { + actual.add(((ElementSymbol)obj).getName()); + } else { + actual.add(obj.toString()); + } } assertEquals(expected, actual); } else if(expectedInaccesible.length > 0) { @@ -183,6 +190,13 @@ helpTest(exampleAuthSvc2(), "create local temporary table x (y string)", FakeMetadataFactory.example1Cached(), new String[] {"x"}, FakeMetadataFactory.example1VDB()); //$NON-NLS-1$ } + @Test public void testFunction() throws Exception { + FunctionLibrary funcLibrary = new FunctionLibrary(FakeMetadataFactory.SFM.getSystemFunctions(), new FunctionTree("foo", new FakeFunctionMetadataSource())); + FakeMetadataFacade metadata = new FakeMetadataFacade(FakeMetadataFactory.example1Cached().getStore(), funcLibrary); + //helpTest(exampleAuthSvc1(), "SELECT e1 FROM pm1.g1 where xyz() > 0", metadata, new String[] {}, FakeMetadataFactory.example1VDB()); //$NON-NLS-1$ + helpTest(exampleAuthSvc2(), "SELECT e1 FROM pm1.g2 where xyz() > 0", metadata, new String[] {"xyz()"}, FakeMetadataFactory.example1VDB()); //$NON-NLS-1$ + } + @Test public void testEverythingAccessible() throws Exception { helpTest(exampleAuthSvc1(), "SELECT e1 FROM pm1.g1", FakeMetadataFactory.example1Cached(), new String[] {}, FakeMetadataFactory.example1VDB()); //$NON-NLS-1$ } Modified: trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestPreparedStatement.java =================================================================== --- trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestPreparedStatement.java 2011-04-15 21:17:56 UTC (rev 3096) +++ trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestPreparedStatement.java 2011-04-15 21:19:47 UTC (rev 3097) @@ -243,7 +243,7 @@ serverRequest.initialize(request, BufferManagerFactory.getStandaloneBufferManager(), null, new FakeTransactionService(), null, workContext, prepPlanCache); serverRequest.setMetadata(capFinder, metadata, null); - serverRequest.setAuthorizationValidator(new DataRoleAuthorizationValidator(false, true)); + serverRequest.setAuthorizationValidator(new DataRoleAuthorizationValidator(false, true, true)); serverRequest.processRequest(); assertNotNull(serverRequest.processPlan); Modified: trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestRequest.java =================================================================== --- trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestRequest.java 2011-04-15 21:17:56 UTC (rev 3096) +++ trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestRequest.java 2011-04-15 21:19:47 UTC (rev 3097) @@ -79,7 +79,7 @@ request.initialize(message, null, null,new FakeTransactionService(),null, workContext, null); request.initMetadata(); - request.setAuthorizationValidator(new DataRoleAuthorizationValidator(true, true)); + request.setAuthorizationValidator(new DataRoleAuthorizationValidator(true, true, true)); request.validateAccess(command); } @@ -133,7 +133,7 @@ request.initialize(message, Mockito.mock(BufferManager.class), new FakeDataManager(), new FakeTransactionService(), null, workContext, null); - request.setAuthorizationValidator(new DataRoleAuthorizationValidator(false, true)); + request.setAuthorizationValidator(new DataRoleAuthorizationValidator(false, true, true)); request.processRequest(); return request; }