[ https://jira.jboss.org/browse/TEIIDDES-568?page=com.atlassian.jira.plugin... ]
Ramesh Reddy commented on TEIIDDES-568:
---------------------------------------
Simple or not is not the question. Is this needed or not is the question. I do not think we do
not need to add any extra complexity than it already is. The current schema allows you to
specify the roles the way you want. If the user went out of the way to define these
erroneous "allow" fragments on the system as "true", then as I said
before they will end up in failure.
Even in my original comment, my concern was not these extra "allows"; my concern
about error was about coarse-grained security vs fine-grained security on these system
models. In the fine-grained security, for example, a user may add "allow" for the
procedures table but not the "procedure parameters" table. That will result in an
error. I wanted to avoid those kinds of situations by only defining them coarse-grained.
Also note these system models may be static in nature, but they did change their names
system --> sys and pg_catalog is new. So, we are not ruling out that there is not going
to be another system "like" model in the future in Teiid runtime.
My personal preference is not to write logic to compensate for the user's lack of knowledge. I
very much prefer to compensate with tools and documentation.
Provide the ability to control the data role access to the system tables
------------------------------------------------------------------------
Key: TEIIDDES-568
URL: https://jira.jboss.org/browse/TEIIDDES-568
Project: Teiid Designer
Issue Type: Task
Components: VDB & Execution
Reporter: Ramesh Reddy
Assignee: Barry LaFond
Priority: Critical
Fix For: 7.1
Attachments: NewDataRoleWizard.jpg
Currently the Designer does not provide a mechanism to control the system tables through
the "data roles" wizard. This needs to be provided. Since the system tables are read
only, these guys only need "readonly" permission. "pg_catalog" is also another
variation of "system" tables that needs to be controlled also. However, "pg_catalog"
is a dynamic view model added during deployment time, and Designer does not have access to it.
Since
1) providing the fine grained control over system schema is error prone in providing
metadata or not
2) pg_catalog is not available
we propose that this metadata on tooling is controlled through a single boolean field
(check box) called "Allow access to system tables". The default of this should
be "true".
As a result of checking this box, the following XML fragment needs to be in the vdb.xml file:
<permission>
    <resource-name>sys</resource-name>
    <allow-create>false</allow-create>
    <allow-read>true</allow-read>
    <allow-update>false</allow-update>
    <allow-delete>false</allow-delete>
</permission>
<permission>
    <resource-name>pg_catalog</resource-name>
    <allow-create>false</allow-create>
    <allow-read>true</allow-read>
    <allow-update>false</allow-update>
    <allow-delete>false</allow-delete>
</permission>
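Added example, not part of the ticket or of Teiid Designer's code: a small check over the permission fragments of a vdb.xml that flags the two conditions discussed above, write "allow" flags set to true on a read-only system schema and fine-grained entries below a system schema. The function name, the `<data-role>` wrapper element, and the `sys.Procedures` and `Accounts` resource names are assumptions made for the sample input.

```python
import xml.etree.ElementTree as ET

# Schema names from the ticket; they have been renamed before, so they stay configurable.
SYSTEM_SCHEMAS = {"sys", "pg_catalog"}
WRITE_FLAGS = ("allow-create", "allow-update", "allow-delete")

def audit_system_permissions(xml_text, system_schemas=SYSTEM_SCHEMAS):
    """Return (resource, problem) findings for permissions that touch system schemas."""
    findings = []
    for perm in ET.fromstring(xml_text).iter("permission"):
        resource = (perm.findtext("resource-name") or "").strip()
        schema, _, rest = resource.lower().partition(".")
        if schema not in system_schemas:
            continue  # ordinary model, outside the scope of this check
        if rest:  # anything below the schema level is a fine-grained entry
            findings.append((resource, "fine-grained entry on a system schema"))
        for flag in WRITE_FLAGS:
            if (perm.findtext(flag) or "false").strip().lower() == "true":
                findings.append((resource, f"{flag} is true on a read-only schema"))
    return findings

# Constructed sample input (hypothetical role, not taken from a real VDB).
SAMPLE = """
<data-role name="constructed-example">
  <permission>
    <resource-name>sys</resource-name>
    <allow-read>true</allow-read>
    <allow-update>false</allow-update>
  </permission>
  <permission>
    <resource-name>pg_catalog</resource-name>
    <allow-read>true</allow-read>
    <allow-update>true</allow-update>
  </permission>
  <permission>
    <resource-name>sys.Procedures</resource-name>
    <allow-read>true</allow-read>
  </permission>
  <permission>
    <resource-name>Accounts</resource-name>
    <allow-read>true</allow-read>
    <allow-update>true</allow-update>
  </permission>
</data-role>
"""

if __name__ == "__main__":
    for resource, problem in audit_system_permissions(SAMPLE):
        print(f"{resource}: {problem}")
```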