[JBoss JIRA] Created: (TEIIDDES-568) Provide the ability to control the data role access to the system tables

[JBoss JIRA] Created:...

Ramesh Reddy (JIRA)

Thursday, 19 August 2010 Thu, 19 Aug '10

12:40 p.m.

Provide the ability to control the data role access to the system tables ------------------------------------------------------------------------ Key: TEIIDDES-568 URL: https://jira.jboss.org/browse/TEIIDDES-568 Project: Teiid Designer Issue Type: Task Components: VDB & Execution Reporter: Ramesh Reddy Currently the Designer does not provide a mechanism to control the system tables through "data roles" wizard. This needs to be provided. Since the system tables are read only these guys only need "readonly" permission. Since the "pg_catalog" is also another variation of "system" tables that needs to controlled also. However, "pg_catalog" is dynamic view model added during the deployment time and Designer does not have access to it. Since 1) providing the fine grained control over system schema is error prone in providing metadata or not 2) pg_catalog is not available we propose that this metadata on tooling is controlled through single boolean field (check box) called "Allow access to system tables". The default of this should be "true" As result of checking this box, the following XML fragment needs to be vdb.xml file <permission> <resource-name>sys</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission> <permission> <resource-name>pg_catalog</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission> -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

Show replies by date

Barry LaFond (JIRA)

Friday, 20 August Fri, 20 Aug

7:06 a.m.

New subject: [JBoss JIRA] Assigned: (TEIIDDES-568) Provide the ability to control the data role access to the system tables

[ https://jira.jboss.org/browse/TEIIDDES-568?page=com.atlassian.jira.plugin... ] Barry LaFond reassigned TEIIDDES-568: ------------------------------------- Assignee: Barry LaFond

...

Provide the ability to control the data role access to the system tables ------------------------------------------------------------------------ Key: TEIIDDES-568 URL: https://jira.jboss.org/browse/TEIIDDES-568 Project: Teiid Designer Issue Type: Task Components: VDB & Execution Reporter: Ramesh Reddy Assignee: Barry LaFond Fix For: 7.1 Currently the Designer does not provide a mechanism to control the system tables through "data roles" wizard. This needs to be provided. Since the system tables are read only these guys only need "readonly" permission. Since the "pg_catalog" is also another variation of "system" tables that needs to controlled also. However, "pg_catalog" is dynamic view model added during the deployment time and Designer does not have access to it. Since 1) providing the fine grained control over system schema is error prone in providing metadata or not 2) pg_catalog is not available we propose that this metadata on tooling is controlled through single boolean field (check box) called "Allow access to system tables". The default of this should be "true" As result of checking this box, the following XML fragment needs to be vdb.xml file <permission> <resource-name>sys</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission> <permission> <resource-name>pg_catalog</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission>

-- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

Barry LaFond (JIRA)

7:06 a.m.

New subject: [JBoss JIRA] Updated: (TEIIDDES-568) Provide the ability to control the data role access to the system tables

[ https://jira.jboss.org/browse/TEIIDDES-568?page=com.atlassian.jira.plugin... ] Barry LaFond updated TEIIDDES-568: ---------------------------------- Fix Version/s: 7.1 Priority: Critical (was: Major)

...

Provide the ability to control the data role access to the system tables ------------------------------------------------------------------------ Key: TEIIDDES-568 URL: https://jira.jboss.org/browse/TEIIDDES-568 Project: Teiid Designer Issue Type: Task Components: VDB & Execution Reporter: Ramesh Reddy Assignee: Barry LaFond Priority: Critical Fix For: 7.1 Currently the Designer does not provide a mechanism to control the system tables through "data roles" wizard. This needs to be provided. Since the system tables are read only these guys only need "readonly" permission. Since the "pg_catalog" is also another variation of "system" tables that needs to controlled also. However, "pg_catalog" is dynamic view model added during the deployment time and Designer does not have access to it. Since 1) providing the fine grained control over system schema is error prone in providing metadata or not 2) pg_catalog is not available we propose that this metadata on tooling is controlled through single boolean field (check box) called "Allow access to system tables". The default of this should be "true" As result of checking this box, the following XML fragment needs to be vdb.xml file <permission> <resource-name>sys</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission> <permission> <resource-name>pg_catalog</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission>

John Verhaeg (JIRA)

8:58 a.m.

New subject: [JBoss JIRA] Commented: (TEIIDDES-568) Provide the ability to control the data role access to the system tables

[ https://jira.jboss.org/browse/TEIIDDES-568?page=com.atlassian.jira.plugin... ] John Verhaeg commented on TEIIDDES-568: --------------------------------------- But as you've pointed out, there's only one valid configuration for both of these resources (read-only), so leaving the other "allow" elements in the vdb.xml seems, again as you've noted, "error prone". I know it means yet another schema change, but it seems like it would be more appropriate to add two new attributes to the enclosing "data-policy" attribute (or whatever it's called now), especially since these are hard-coded resource names and therefore they'd have no need to show up in the "mapped-role-name" section (again, or whatever it's called now).

...

Provide the ability to control the data role access to the system tables ------------------------------------------------------------------------ Key: TEIIDDES-568 URL: https://jira.jboss.org/browse/TEIIDDES-568 Project: Teiid Designer Issue Type: Task Components: VDB & Execution Reporter: Ramesh Reddy Assignee: Barry LaFond Priority: Critical Fix For: 7.1 Currently the Designer does not provide a mechanism to control the system tables through "data roles" wizard. This needs to be provided. Since the system tables are read only these guys only need "readonly" permission. Since the "pg_catalog" is also another variation of "system" tables that needs to controlled also. However, "pg_catalog" is dynamic view model added during the deployment time and Designer does not have access to it. Since 1) providing the fine grained control over system schema is error prone in providing metadata or not 2) pg_catalog is not available we propose that this metadata on tooling is controlled through single boolean field (check box) called "Allow access to system tables". The default of this should be "true" As result of checking this box, the following XML fragment needs to be vdb.xml file <permission> <resource-name>sys</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission> <permission> <resource-name>pg_catalog</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission>

John Verhaeg (JIRA)

9 a.m.

New subject: [JBoss JIRA] Commented: (TEIIDDES-568) Provide the ability to control the data role access to the system tables

[ https://jira.jboss.org/browse/TEIIDDES-568?page=com.atlassian.jira.plugin... ] John Verhaeg commented on TEIIDDES-568: --------------------------------------- Oops, I forgot to clarify in my above comment that the "error prone"-ness would still exist for the server-side user configuring the vdb.xml manually, not the client-side user using the tooling.

...

Provide the ability to control the data role access to the system tables ------------------------------------------------------------------------ Key: TEIIDDES-568 URL: https://jira.jboss.org/browse/TEIIDDES-568 Project: Teiid Designer Issue Type: Task Components: VDB & Execution Reporter: Ramesh Reddy Assignee: Barry LaFond Priority: Critical Fix For: 7.1 Currently the Designer does not provide a mechanism to control the system tables through "data roles" wizard. This needs to be provided. Since the system tables are read only these guys only need "readonly" permission. Since the "pg_catalog" is also another variation of "system" tables that needs to controlled also. However, "pg_catalog" is dynamic view model added during the deployment time and Designer does not have access to it. Since 1) providing the fine grained control over system schema is error prone in providing metadata or not 2) pg_catalog is not available we propose that this metadata on tooling is controlled through single boolean field (check box) called "Allow access to system tables". The default of this should be "true" As result of checking this box, the following XML fragment needs to be vdb.xml file <permission> <resource-name>sys</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission> <permission> <resource-name>pg_catalog</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission>

Steve Hawkins (JIRA)

9:40 a.m.

New subject: [JBoss JIRA] Commented: (TEIIDDES-568) Provide the ability to control the data role access to the system tables

[ https://jira.jboss.org/browse/TEIIDDES-568?page=com.atlassian.jira.plugin... ] Steve Hawkins commented on TEIIDDES-568: ---------------------------------------- In general there is not just a single valid configuration. The needed access would usually be determined along the lines of: do clients in this role use ODBC and need access to ODBC metadata? If yes, then pg_catalog should allow read. do clients in this role use JDBC tools that need access to JDBC metadata? If yes, then a subset of sys should be allow read (which implies pg_catalog should also be readable). do clients in this role need access to all metadata including system procedures (refreshMatViews, getresource, etc.)? If yes then sys should allow read (which implies the previous two). Notice for the middle (and most common) need for metadata access, that only a subset of sys is actually necessary. What Ramesh is suggesting here is to ignore the difference between to the last two. Alternative approaches include: 1. allow sys/pg_catalog access always, but filter entries that the user does not have a permission for. System procedures, such as refreshMatView, would check permissions against the target view rather than expecting a permission to be applied to itself. If this is taken one step further into resolving then it allow for even "select *" queries when only a subset of the columns is visible. 2. create a JDBC schema (similar to pg_catalog) to have appropriate views for all JDBC database metadata queries. Allowing access to JDBC/ODBC metadata would then be equivalent. There would then be three levels of system access {full, metadata, none}. Also whatever the applicable permissions are would be added to an existing role, not create a new one. So in any case there are no addition mapped-role-names.

...

Provide the ability to control the data role access to the system tables ------------------------------------------------------------------------ Key: TEIIDDES-568 URL: https://jira.jboss.org/browse/TEIIDDES-568 Project: Teiid Designer Issue Type: Task Components: VDB & Execution Reporter: Ramesh Reddy Assignee: Barry LaFond Priority: Critical Fix For: 7.1 Currently the Designer does not provide a mechanism to control the system tables through "data roles" wizard. This needs to be provided. Since the system tables are read only these guys only need "readonly" permission. Since the "pg_catalog" is also another variation of "system" tables that needs to controlled also. However, "pg_catalog" is dynamic view model added during the deployment time and Designer does not have access to it. Since 1) providing the fine grained control over system schema is error prone in providing metadata or not 2) pg_catalog is not available we propose that this metadata on tooling is controlled through single boolean field (check box) called "Allow access to system tables". The default of this should be "true" As result of checking this box, the following XML fragment needs to be vdb.xml file <permission> <resource-name>sys</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission> <permission> <resource-name>pg_catalog</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission>

Barry LaFond (JIRA)

9:44 a.m.

New subject: [JBoss JIRA] Commented: (TEIIDDES-568) Provide the ability to control the data role access to the system tables

[ https://jira.jboss.org/browse/TEIIDDES-568?page=com.atlassian.jira.plugin... ] Barry LaFond commented on TEIIDDES-568: --------------------------------------- I kinda agree with initial request and the note that on the Server side, users can muck with the "permissions" anyway since "sys" and "pg_catalog" represent metadata the same as any other resource. Adding this functionality was pretty easy since it didn't touch the VDB structure at all. Attached a copy of the coded results in the Wizard.

...

Provide the ability to control the data role access to the system tables ------------------------------------------------------------------------ Key: TEIIDDES-568 URL: https://jira.jboss.org/browse/TEIIDDES-568 Project: Teiid Designer Issue Type: Task Components: VDB & Execution Reporter: Ramesh Reddy Assignee: Barry LaFond Priority: Critical Fix For: 7.1 Currently the Designer does not provide a mechanism to control the system tables through "data roles" wizard. This needs to be provided. Since the system tables are read only these guys only need "readonly" permission. Since the "pg_catalog" is also another variation of "system" tables that needs to controlled also. However, "pg_catalog" is dynamic view model added during the deployment time and Designer does not have access to it. Since 1) providing the fine grained control over system schema is error prone in providing metadata or not 2) pg_catalog is not available we propose that this metadata on tooling is controlled through single boolean field (check box) called "Allow access to system tables". The default of this should be "true" As result of checking this box, the following XML fragment needs to be vdb.xml file <permission> <resource-name>sys</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission> <permission> <resource-name>pg_catalog</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission>

Barry LaFond (JIRA)

9:46 a.m.

New subject: [JBoss JIRA] Updated: (TEIIDDES-568) Provide the ability to control the data role access to the system tables

[ https://jira.jboss.org/browse/TEIIDDES-568?page=com.atlassian.jira.plugin... ] Barry LaFond updated TEIIDDES-568: ---------------------------------- Attachment: NewDataRoleWizard.jpg

...

Provide the ability to control the data role access to the system tables ------------------------------------------------------------------------ Key: TEIIDDES-568 URL: https://jira.jboss.org/browse/TEIIDDES-568 Project: Teiid Designer Issue Type: Task Components: VDB & Execution Reporter: Ramesh Reddy Assignee: Barry LaFond Priority: Critical Fix For: 7.1 Attachments: NewDataRoleWizard.jpg Currently the Designer does not provide a mechanism to control the system tables through "data roles" wizard. This needs to be provided. Since the system tables are read only these guys only need "readonly" permission. Since the "pg_catalog" is also another variation of "system" tables that needs to controlled also. However, "pg_catalog" is dynamic view model added during the deployment time and Designer does not have access to it. Since 1) providing the fine grained control over system schema is error prone in providing metadata or not 2) pg_catalog is not available we propose that this metadata on tooling is controlled through single boolean field (check box) called "Allow access to system tables". The default of this should be "true" As result of checking this box, the following XML fragment needs to be vdb.xml file <permission> <resource-name>sys</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission> <permission> <resource-name>pg_catalog</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission>

John Verhaeg (JIRA)

9:54 a.m.

New subject: [JBoss JIRA] Commented: (TEIIDDES-568) Provide the ability to control the data role access to the system tables

[ https://jira.jboss.org/browse/TEIIDDES-568?page=com.atlassian.jira.plugin... ] John Verhaeg commented on TEIIDDES-568: --------------------------------------- Not sure if I understood all of Steve's comment, but isn't it still true that it would never really be appropriate to have create, update, or delete access to this information? What if a user were to mark any of those attributes as true? That's the area where it seems like error might occur. Even if we hardcode to ignore these values, it seems confusing to provide them in the first place.

...

Provide the ability to control the data role access to the system tables ------------------------------------------------------------------------ Key: TEIIDDES-568 URL: https://jira.jboss.org/browse/TEIIDDES-568 Project: Teiid Designer Issue Type: Task Components: VDB & Execution Reporter: Ramesh Reddy Assignee: Barry LaFond Priority: Critical Fix For: 7.1 Attachments: NewDataRoleWizard.jpg Currently the Designer does not provide a mechanism to control the system tables through "data roles" wizard. This needs to be provided. Since the system tables are read only these guys only need "readonly" permission. Since the "pg_catalog" is also another variation of "system" tables that needs to controlled also. However, "pg_catalog" is dynamic view model added during the deployment time and Designer does not have access to it. Since 1) providing the fine grained control over system schema is error prone in providing metadata or not 2) pg_catalog is not available we propose that this metadata on tooling is controlled through single boolean field (check box) called "Allow access to system tables". The default of this should be "true" As result of checking this box, the following XML fragment needs to be vdb.xml file <permission> <resource-name>sys</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission> <permission> <resource-name>pg_catalog</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission>

Ramesh Reddy (JIRA)

Sunday, 22 August Sun, 22 Aug

7:09 p.m.

New subject: [JBoss JIRA] Commented: (TEIIDDES-568) Provide the ability to control the data role access to the system tables

[ https://jira.jboss.org/browse/TEIIDDES-568?page=com.atlassian.jira.plugin... ] Ramesh Reddy commented on TEIIDDES-568: --------------------------------------- Unless user is manually editing the vdb.xml file, they are not going to see them through tooling. JOPR will only let's admin change the mapped-role-name. If they are editing manually and add the write access, it would end up in failure if they are not using data roles.

...

Provide the ability to control the data role access to the system tables ------------------------------------------------------------------------ Key: TEIIDDES-568 URL: https://jira.jboss.org/browse/TEIIDDES-568 Project: Teiid Designer Issue Type: Task Components: VDB & Execution Reporter: Ramesh Reddy Assignee: Barry LaFond Priority: Critical Fix For: 7.1 Attachments: NewDataRoleWizard.jpg Currently the Designer does not provide a mechanism to control the system tables through "data roles" wizard. This needs to be provided. Since the system tables are read only these guys only need "readonly" permission. Since the "pg_catalog" is also another variation of "system" tables that needs to controlled also. However, "pg_catalog" is dynamic view model added during the deployment time and Designer does not have access to it. Since 1) providing the fine grained control over system schema is error prone in providing metadata or not 2) pg_catalog is not available we propose that this metadata on tooling is controlled through single boolean field (check box) called "Allow access to system tables". The default of this should be "true" As result of checking this box, the following XML fragment needs to be vdb.xml file <permission> <resource-name>sys</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission> <permission> <resource-name>pg_catalog</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission>

John Verhaeg (JIRA)

Monday, 23 August Mon, 23 Aug

9:55 a.m.

New subject: [JBoss JIRA] Commented: (TEIIDDES-568) Provide the ability to control the data role access to the system tables

[ https://jira.jboss.org/browse/TEIIDDES-568?page=com.atlassian.jira.plugin... ] John Verhaeg commented on TEIIDDES-568: --------------------------------------- So it sounds like we are in agreement, although I'm not sure I understand the "if they are not using data roles" qualifier. The manual editing of the file is exactly what I am concerned about. I know tooling is the preferred way to make changes, but the ability to make those changes manually is still important. So unless I'm missing something important from your last comment, it seems we should eliminate the extraneous attributes to avoid any possibility of accidental failure. Providing the read ability for system tables using the current elements and attributes implies the create/update/delete elements are also applicable. If they're not, then we should provide a different mechanism, such as the new attributes I was suggesting, to provide this read access.

...

Provide the ability to control the data role access to the system tables ------------------------------------------------------------------------ Key: TEIIDDES-568 URL: https://jira.jboss.org/browse/TEIIDDES-568 Project: Teiid Designer Issue Type: Task Components: VDB & Execution Reporter: Ramesh Reddy Assignee: Barry LaFond Priority: Critical Fix For: 7.1 Attachments: NewDataRoleWizard.jpg Currently the Designer does not provide a mechanism to control the system tables through "data roles" wizard. This needs to be provided. Since the system tables are read only these guys only need "readonly" permission. Since the "pg_catalog" is also another variation of "system" tables that needs to controlled also. However, "pg_catalog" is dynamic view model added during the deployment time and Designer does not have access to it. Since 1) providing the fine grained control over system schema is error prone in providing metadata or not 2) pg_catalog is not available we propose that this metadata on tooling is controlled through single boolean field (check box) called "Allow access to system tables". The default of this should be "true" As result of checking this box, the following XML fragment needs to be vdb.xml file <permission> <resource-name>sys</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission> <permission> <resource-name>pg_catalog</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission>

Ramesh Reddy (JIRA)

10:08 a.m.

New subject: [JBoss JIRA] Commented: (TEIIDDES-568) Provide the ability to control the data role access to the system tables

[ https://jira.jboss.org/browse/TEIIDDES-568?page=com.atlassian.jira.plugin... ] Ramesh Reddy commented on TEIIDDES-568: --------------------------------------- read as "even if they are using the data roles". The onerous is on the user to fully understand if they manually edit this file. I do not care you put in the all the allow element fragments, by default they are "deny" anyway.

...

Provide the ability to control the data role access to the system tables ------------------------------------------------------------------------ Key: TEIIDDES-568 URL: https://jira.jboss.org/browse/TEIIDDES-568 Project: Teiid Designer Issue Type: Task Components: VDB & Execution Reporter: Ramesh Reddy Assignee: Barry LaFond Priority: Critical Fix For: 7.1 Attachments: NewDataRoleWizard.jpg Currently the Designer does not provide a mechanism to control the system tables through "data roles" wizard. This needs to be provided. Since the system tables are read only these guys only need "readonly" permission. Since the "pg_catalog" is also another variation of "system" tables that needs to controlled also. However, "pg_catalog" is dynamic view model added during the deployment time and Designer does not have access to it. Since 1) providing the fine grained control over system schema is error prone in providing metadata or not 2) pg_catalog is not available we propose that this metadata on tooling is controlled through single boolean field (check box) called "Allow access to system tables". The default of this should be "true" As result of checking this box, the following XML fragment needs to be vdb.xml file <permission> <resource-name>sys</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission> <permission> <resource-name>pg_catalog</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission>

John Verhaeg (JIRA)

10:17 a.m.

New subject: [JBoss JIRA] Commented: (TEIIDDES-568) Provide the ability to control the data role access to the system tables

[ https://jira.jboss.org/browse/TEIIDDES-568?page=com.atlassian.jira.plugin... ] John Verhaeg commented on TEIIDDES-568: --------------------------------------- I don't understand your resistance to what I'm suggesting; it's a simple change, isn't it? I think you intended to use the word "onus", but it's ironic you used "onerous" instead :-) Why not ensure the manual editing experience is not "onerous" to the user by making a simple change that protects them from making a mistake that will cause a subsequent failure at runtime? Again, the default values aren't the concern; it's when they change those defaults...

...

Provide the ability to control the data role access to the system tables ------------------------------------------------------------------------ Key: TEIIDDES-568 URL: https://jira.jboss.org/browse/TEIIDDES-568 Project: Teiid Designer Issue Type: Task Components: VDB & Execution Reporter: Ramesh Reddy Assignee: Barry LaFond Priority: Critical Fix For: 7.1 Attachments: NewDataRoleWizard.jpg Currently the Designer does not provide a mechanism to control the system tables through "data roles" wizard. This needs to be provided. Since the system tables are read only these guys only need "readonly" permission. Since the "pg_catalog" is also another variation of "system" tables that needs to controlled also. However, "pg_catalog" is dynamic view model added during the deployment time and Designer does not have access to it. Since 1) providing the fine grained control over system schema is error prone in providing metadata or not 2) pg_catalog is not available we propose that this metadata on tooling is controlled through single boolean field (check box) called "Allow access to system tables". The default of this should be "true" As result of checking this box, the following XML fragment needs to be vdb.xml file <permission> <resource-name>sys</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission> <permission> <resource-name>pg_catalog</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission>

Ramesh Reddy (JIRA)

10:37 a.m.

New subject: [JBoss JIRA] Issue Comment Edited: (TEIIDDES-568) Provide the ability to control the data role access to the system tables

[ https://jira.jboss.org/browse/TEIIDDES-568?page=com.atlassian.jira.plugin... ] Ramesh Reddy edited comment on TEIIDDES-568 at 8/23/10 11:36 AM: ----------------------------------------------------------------- read as "even if they are using the data roles". The onus is on the user to fully understand if they manually edit this file. I do not care you put in the all the allow element fragments, by default they are "deny" anyway. was (Author: rareddy): read as "even if they are using the data roles". The onerous is on the user to fully understand if they manually edit this file. I do not care you put in the all the allow element fragments, by default they are "deny" anyway.

...

Provide the ability to control the data role access to the system tables ------------------------------------------------------------------------ Key: TEIIDDES-568 URL: https://jira.jboss.org/browse/TEIIDDES-568 Project: Teiid Designer Issue Type: Task Components: VDB & Execution Reporter: Ramesh Reddy Assignee: Barry LaFond Priority: Critical Fix For: 7.1 Attachments: NewDataRoleWizard.jpg Currently the Designer does not provide a mechanism to control the system tables through "data roles" wizard. This needs to be provided. Since the system tables are read only these guys only need "readonly" permission. Since the "pg_catalog" is also another variation of "system" tables that needs to controlled also. However, "pg_catalog" is dynamic view model added during the deployment time and Designer does not have access to it. Since 1) providing the fine grained control over system schema is error prone in providing metadata or not 2) pg_catalog is not available we propose that this metadata on tooling is controlled through single boolean field (check box) called "Allow access to system tables". The default of this should be "true" As result of checking this box, the following XML fragment needs to be vdb.xml file <permission> <resource-name>sys</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission> <permission> <resource-name>pg_catalog</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission>

Ramesh Reddy (JIRA)

10:55 a.m.

New subject: [JBoss JIRA] Commented: (TEIIDDES-568) Provide the ability to control the data role access to the system tables

[ https://jira.jboss.org/browse/TEIIDDES-568?page=com.atlassian.jira.plugin... ] Ramesh Reddy commented on TEIIDDES-568: --------------------------------------- Simple or not is not question. Is this needed or not is the question. I do not think we do not need to add any extra complexity than it already is. The current schema allows to specify the roles the way you want it. If user went out of the way to define these erroneous "allow" fragments on the system as "true", then as I said before they will end up in failure. Even in my original comment, my concern was not these extra "allows", my concern about error was about coarse-grained security vs fine-grained security on these system models. In the fine-grained security, for example user may add "allow" for procedures table but not "procedure parameters" table. That will result in a error. I wanted to avoid those kind situations by only defining them coarse-grained. Also note these system models may be static in nature, but they did change their names system --> sys and pg_catalog is new. So, we are not ruling out that there is not going to another system "like" model in the future in Teiid runtime. My personal preference is not write logic to compensate for user's lack knowledge. I very much prefer to compensate with tools and documentation.

...

Provide the ability to control the data role access to the system tables ------------------------------------------------------------------------ Key: TEIIDDES-568 URL: https://jira.jboss.org/browse/TEIIDDES-568 Project: Teiid Designer Issue Type: Task Components: VDB & Execution Reporter: Ramesh Reddy Assignee: Barry LaFond Priority: Critical Fix For: 7.1 Attachments: NewDataRoleWizard.jpg Currently the Designer does not provide a mechanism to control the system tables through "data roles" wizard. This needs to be provided. Since the system tables are read only these guys only need "readonly" permission. Since the "pg_catalog" is also another variation of "system" tables that needs to controlled also. However, "pg_catalog" is dynamic view model added during the deployment time and Designer does not have access to it. Since 1) providing the fine grained control over system schema is error prone in providing metadata or not 2) pg_catalog is not available we propose that this metadata on tooling is controlled through single boolean field (check box) called "Allow access to system tables". The default of this should be "true" As result of checking this box, the following XML fragment needs to be vdb.xml file <permission> <resource-name>sys</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission> <permission> <resource-name>pg_catalog</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission>

John Verhaeg (JIRA)

11:27 a.m.

New subject: [JBoss JIRA] Commented: (TEIIDDES-568) Provide the ability to control the data role access to the system tables

[ https://jira.jboss.org/browse/TEIIDDES-568?page=com.atlassian.jira.plugin... ] John Verhaeg commented on TEIIDDES-568: --------------------------------------- "So, we are not ruling out that there is not going to another system "like" model in the future" Which should just mean another attribute for that model. Again, what's the big deal? "My personal preference is not write logic to compensate for user's lack knowledge. I very much prefer to compensate with tools and documentation" That's exactly the problem. A simple text editor IS a valid tool. Not compensating for a user's lack of knowledge is just another way of saying it's not user-friendly, and somehow that's okay. Most of the XML files I've seen that run on a JBoss server are documented internally with comments before sample statements that a user can uncomment and use as a template. The amount of effort necessary to write documentation for this would be pretty much identical to the amount of time to write the logic to handle it. Again, I don't get the resistance to making a small change to prevent headaches in the future for users and even our own help desks.

...

Provide the ability to control the data role access to the system tables ------------------------------------------------------------------------ Key: TEIIDDES-568 URL: https://jira.jboss.org/browse/TEIIDDES-568 Project: Teiid Designer Issue Type: Task Components: VDB & Execution Reporter: Ramesh Reddy Assignee: Barry LaFond Priority: Critical Fix For: 7.1 Attachments: NewDataRoleWizard.jpg Currently the Designer does not provide a mechanism to control the system tables through "data roles" wizard. This needs to be provided. Since the system tables are read only these guys only need "readonly" permission. Since the "pg_catalog" is also another variation of "system" tables that needs to controlled also. However, "pg_catalog" is dynamic view model added during the deployment time and Designer does not have access to it. Since 1) providing the fine grained control over system schema is error prone in providing metadata or not 2) pg_catalog is not available we propose that this metadata on tooling is controlled through single boolean field (check box) called "Allow access to system tables". The default of this should be "true" As result of checking this box, the following XML fragment needs to be vdb.xml file <permission> <resource-name>sys</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission> <permission> <resource-name>pg_catalog</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission>

Barry LaFond (JIRA)

Tuesday, 24 August Tue, 24 Aug

9:33 a.m.

New subject: [JBoss JIRA] Resolved: (TEIIDDES-568) Provide the ability to control the data role access to the system tables

[ https://jira.jboss.org/browse/TEIIDDES-568?page=com.atlassian.jira.plugin... ] Barry LaFond resolved TEIIDDES-568. ----------------------------------- Resolution: Done Added check-box (default = TRUE) allowing users to include/exclude the SYS and PG_CATALOG models in data role permissions

...

Provide the ability to control the data role access to the system tables ------------------------------------------------------------------------ Key: TEIIDDES-568 URL: https://jira.jboss.org/browse/TEIIDDES-568 Project: Teiid Designer Issue Type: Task Components: VDB & Execution Reporter: Ramesh Reddy Assignee: Barry LaFond Priority: Critical Fix For: 7.1 Attachments: NewDataRoleWizard.jpg Currently the Designer does not provide a mechanism to control the system tables through "data roles" wizard. This needs to be provided. Since the system tables are read only these guys only need "readonly" permission. Since the "pg_catalog" is also another variation of "system" tables that needs to controlled also. However, "pg_catalog" is dynamic view model added during the deployment time and Designer does not have access to it. Since 1) providing the fine grained control over system schema is error prone in providing metadata or not 2) pg_catalog is not available we propose that this metadata on tooling is controlled through single boolean field (check box) called "Allow access to system tables". The default of this should be "true" As result of checking this box, the following XML fragment needs to be vdb.xml file <permission> <resource-name>sys</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission> <permission> <resource-name>pg_catalog</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission>

Steve Hawkins (JIRA)

10:32 a.m.

New subject: [JBoss JIRA] Commented: (TEIIDDES-568) Provide the ability to control the data role access to the system tables

...

Provide the ability to control the data role access to the system tables ------------------------------------------------------------------------ Key: TEIIDDES-568 URL: https://jira.jboss.org/browse/TEIIDDES-568 Project: Teiid Designer Issue Type: Task Components: VDB & Execution Reporter: Ramesh Reddy Assignee: Barry LaFond Priority: Critical Fix For: 7.1 Attachments: NewDataRoleWizard.jpg Currently the Designer does not provide a mechanism to control the system tables through "data roles" wizard. This needs to be provided. Since the system tables are read only these guys only need "readonly" permission. Since the "pg_catalog" is also another variation of "system" tables that needs to controlled also. However, "pg_catalog" is dynamic view model added during the deployment time and Designer does not have access to it. Since 1) providing the fine grained control over system schema is error prone in providing metadata or not 2) pg_catalog is not available we propose that this metadata on tooling is controlled through single boolean field (check box) called "Allow access to system tables". The default of this should be "true" As result of checking this box, the following XML fragment needs to be vdb.xml file <permission> <resource-name>sys</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission> <permission> <resource-name>pg_catalog</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission>

Barry LaFond (JIRA)

Monday, 30 August Mon, 30 Aug

10:48 a.m.

New subject: [JBoss JIRA] Closed: (TEIIDDES-568) Provide the ability to control the data role access to the system tables

[ https://jira.jboss.org/browse/TEIIDDES-568?page=com.atlassian.jira.plugin... ] Barry LaFond closed TEIIDDES-568. ---------------------------------

...

Provide the ability to control the data role access to the system tables ------------------------------------------------------------------------ Key: TEIIDDES-568 URL: https://jira.jboss.org/browse/TEIIDDES-568 Project: Teiid Designer Issue Type: Task Components: VDB & Execution Reporter: Ramesh Reddy Assignee: Barry LaFond Priority: Critical Fix For: 7.1 Attachments: NewDataRoleWizard.jpg Currently the Designer does not provide a mechanism to control the system tables through "data roles" wizard. This needs to be provided. Since the system tables are read only these guys only need "readonly" permission. Since the "pg_catalog" is also another variation of "system" tables that needs to controlled also. However, "pg_catalog" is dynamic view model added during the deployment time and Designer does not have access to it. Since 1) providing the fine grained control over system schema is error prone in providing metadata or not 2) pg_catalog is not available we propose that this metadata on tooling is controlled through single boolean field (check box) called "Allow access to system tables". The default of this should be "true" As result of checking this box, the following XML fragment needs to be vdb.xml file <permission> <resource-name>sys</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission> <permission> <resource-name>pg_catalog</resource-name> <allow-create>false</allow-create> <allow-read>true</allow-read> <allow-update>false</allow-update> <allow-delete>false</allow-delete> </permission>

5723

days inactive

5734

days old

teiid-designer-issues@lists.jboss.org

Manage subscription

18 comments

4 participants

tags (0)

participants (4)

Barry LaFond (JIRA)
John Verhaeg (JIRA)
Ramesh Reddy (JIRA)
Steve Hawkins (JIRA)

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

[JBoss JIRA] Created: (TEIIDDES-568) Provide the ability to control the data role access to the system tables