[JBoss JIRA] (TEIID-5840) Add validation of grant / revoke targets
by Steven Hawkins (Jira)
[ https://issues.jboss.org/browse/TEIID-5840?page=com.atlassian.jira.plugin... ]
Steven Hawkins commented on TEIID-5840:
---------------------------------------
There are two cases where someone may want the loosely coupled functionality:
- individually permission foreign temporary tables, which won't yet be defined in metadata. The workaround would be to use a grant that specifies the catch all DATABASE type, which then would not validate the target. If a table, procedure, schema, etc. are specified we'll expect that it should be resolvable.
- with multi-schema import from a source to individually permission the "sub" schemas:
teiidSchema."foreignSchema.tableName" - however with the change in TEIID-5841 we won't make that check anymore, so as to prevent any ambiguity in resource names.
> Add validation of grant / revoke targets
> ----------------------------------------
>
> Key: TEIID-5840
> URL: https://issues.jboss.org/browse/TEIID-5840
> Project: Teiid
> Issue Type: Quality Risk
> Components: Query Engine
> Reporter: Steven Hawkins
> Assignee: Steven Hawkins
> Priority: Major
> Fix For: 13.0
>
>
> We should be more pedantic about the targets of GRANT/REVOKE as they now specify both object type and name. Currently a grant against a non-existent target will still succeed - this is a holdover from the loosely coupled permissioning model from designer.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
5 years, 1 month
[JBoss JIRA] (TEIID-5842) Better define the schema object namespaces
by Steven Hawkins (Jira)
[ https://issues.jboss.org/browse/TEIID-5842?page=com.atlassian.jira.plugin... ]
Steven Hawkins updated TEIID-5842:
----------------------------------
Original Estimate: 2 hours
Remaining Estimate: 2 hours
> Better define the schema object namespaces
> ------------------------------------------
>
> Key: TEIID-5842
> URL: https://issues.jboss.org/browse/TEIID-5842
> Project: Teiid
> Issue Type: Quality Risk
> Components: Query Engine
> Reporter: Steven Hawkins
> Assignee: Steven Hawkins
> Priority: Major
> Fix For: 13.0
>
> Original Estimate: 2 hours
> Remaining Estimate: 2 hours
>
> Right now tables/views, procedures, and functions are in separate namespaces. There are three downsides
> - procedural to relational mapping effectively puts procedures and tables in the same namespace
> - the default logic in the permission system does not check the resource type, so there is an assumption that the names won't conflict.
> - creating a virtual function defined by teiid procedure language (which we should be more strict about) is represented in system metadata as a procedure, but is resolvable as a function of the same name
> We either need to put everything in the same namespace, or be more exacting with the permission logic.
5 years, 1 month
[JBoss JIRA] (TEIID-5842) Better define the schema object namespaces
by Steven Hawkins (Jira)
[ https://issues.jboss.org/browse/TEIID-5842?page=com.atlassian.jira.plugin... ]
Steven Hawkins updated TEIID-5842:
----------------------------------
Story Points: 1
Estimated Difficulty: Low
Affects: Documentation (Ref Guide, User Guide, etc.)
As part of TEIID-5841 the security logic will now consider resource type as well. The only other thing to do here then is to make sure our other naming nuances are documented (function defined by a procedure and I believe the proc relational already is).
> Better define the schema object namespaces
> ------------------------------------------
>
> Key: TEIID-5842
> URL: https://issues.jboss.org/browse/TEIID-5842
> Project: Teiid
> Issue Type: Quality Risk
> Components: Query Engine
> Reporter: Steven Hawkins
> Assignee: Steven Hawkins
> Priority: Major
> Fix For: 13.0
>
>
> Right now tables/views, procedures, and functions are in separate namespaces. There are three downsides
> - procedural to relational mapping effectively puts procedures and tables in the same namespace
> - the default logic in the permission system does not check the resource type, so there is an assumption that the names won't conflict.
> - creating a virtual function defined by teiid procedure language (which we should be more strict about) is represented in system metadata as a procedure, but is resolvable as a function of the same name
> We either need to put everything in the same namespace, or be more exacting with the permission logic.
5 years, 1 month
[JBoss JIRA] (TEIID-5842) Better define the schema object namespaces
by Steven Hawkins (Jira)
[ https://issues.jboss.org/browse/TEIID-5842?page=com.atlassian.jira.plugin... ]
Work on TEIID-5842 started by Steven Hawkins.
---------------------------------------------
> Better define the schema object namespaces
> ------------------------------------------
>
> Key: TEIID-5842
> URL: https://issues.jboss.org/browse/TEIID-5842
> Project: Teiid
> Issue Type: Quality Risk
> Components: Query Engine
> Reporter: Steven Hawkins
> Assignee: Steven Hawkins
> Priority: Major
> Fix For: 13.0
>
>
> Right now tables/views, procedures, and functions are in separate namespaces. There are three downsides
> - procedural to relational mapping effectively puts procedures and tables in the same namespace
> - the default logic in the permission system does not check the resource type, so there is an assumption that the names won't conflict.
> - creating a virtual function defined by teiid procedure language (which we should be more strict about) is represented in system metadata as a procedure, but is resolvable as a function of the same name
> We either need to put everything in the same namespace, or be more exacting with the permission logic.
5 years, 1 month
[JBoss JIRA] (TEIID-5844) Schema level permissions are not checked proactively for foreign temporary tables
by Steven Hawkins (Jira)
Steven Hawkins created TEIID-5844:
-------------------------------------
Summary: Schema level permissions are not checked proactively for foreign temporary tables
Key: TEIID-5844
URL: https://issues.jboss.org/browse/TEIID-5844
Project: Teiid
Issue Type: Quality Risk
Components: Query Engine
Reporter: Steven Hawkins
Assignee: Steven Hawkins
Fix For: 13.x
Anyone with the permission to create a temporary table can create a foreign temporary table. From there we'll check the permissions on operations against the schema. It would be nice to error out on the create temporary table if the user is not going to be sufficiently permissioned to use it. It's currently not the case, but if we ever have source level side effects from create foreign temp, then it becomes important to prevent the create as well.
5 years, 1 month
[JBoss JIRA] (TEIID-5843) Support xml[] with xmltable
by Steven Hawkins (Jira)
Steven Hawkins created TEIID-5843:
-------------------------------------
Summary: Support xml[] with xmltable
Key: TEIID-5843
URL: https://issues.jboss.org/browse/TEIID-5843
Project: Teiid
Issue Type: Bug
Components: Query Engine
Reporter: Steven Hawkins
Assignee: Steven Hawkins
Fix For: 13.0
Trying to retrieve a value as an xml array works differently than retrieving just xml - as we are first flattening the array value to string. It should work the same way, or at least throw an exception indicating that it doesn't work.
5 years, 1 month
[JBoss JIRA] (TEIID-5842) Better define the schema object namespaces
by Steven Hawkins (Jira)
[ https://issues.jboss.org/browse/TEIID-5842?page=com.atlassian.jira.plugin... ]
Steven Hawkins updated TEIID-5842:
----------------------------------
Description:
Right now tables/views, procedures, and functions are in separate namespaces. There are three downsides
- procedural to relational mapping effectively puts procedures and tables in the same namespace
- the default logic in the permission system does not check the resource type, so there is an assumption that the names won't conflict.
- creating a virtual function defined by teiid procedure language (which we should be more strict about) is represented in system metadata as a procedure, but is resolvable as a function of the same name
We either need to put everything in the same namespace, or be more exacting with the permission logic.
was:
Right now tables/views, procedures, and functions are in separate namespaces. There are two downsides
- procedural to relational mapping effectively puts procedures and tables in the same namespace
- the default logic in the permission system does not check the resource type, so there is an assumption that the names won't conflict.
We either need to put everything in the same namespace, or be more exacting with the permission logic.
> Better define the schema object namespaces
> ------------------------------------------
>
> Key: TEIID-5842
> URL: https://issues.jboss.org/browse/TEIID-5842
> Project: Teiid
> Issue Type: Quality Risk
> Components: Query Engine
> Reporter: Steven Hawkins
> Assignee: Steven Hawkins
> Priority: Major
> Fix For: 13.0
>
>
> Right now tables/views, procedures, and functions are in separate namespaces. There are three downsides
> - procedural to relational mapping effectively puts procedures and tables in the same namespace
> - the default logic in the permission system does not check the resource type, so there is an assumption that the names won't conflict.
> - creating a virtual function defined by teiid procedure language (which we should be more strict about) is represented in system metadata as a procedure, but is resolvable as a function of the same name
> We either need to put everything in the same namespace, or be more exacting with the permission logic.
5 years, 1 month
[JBoss JIRA] (TEIID-5841) Authorization of table name that contain .
by Steven Hawkins (Jira)
[ https://issues.jboss.org/browse/TEIID-5841?page=com.atlassian.jira.plugin... ]
Steven Hawkins commented on TEIID-5841:
---------------------------------------
This actually extends beyond just table names as column level permissions have the same issue - column "s"."t"."c" can conflict with table "s"."t.c". To address this I'm changing the PolicyDecider to operate over metadata records instead. The logic down in the DataPolicyMetadata will change as well, but since it's in admin, which does not depend on api (the dependency goes the other way) it will need to still use strings but add the resource type.
> Authorization of table name that contain .
> ------------------------------------------
>
> Key: TEIID-5841
> URL: https://issues.jboss.org/browse/TEIID-5841
> Project: Teiid
> Issue Type: Bug
> Components: Query Engine
> Reporter: Steven Hawkins
> Assignee: Steven Hawkins
> Priority: Major
> Fix For: 13.0
>
> Original Estimate: 6 hours
> Remaining Estimate: 6 hours
>
> We have a long-standing issue with the permission system mostly due to the initial api design - we only pass fully qualified names to the policy decider in the form of schema.table. If the table name contains '.' the policy decider simplistically walks up each segment - which effectively introduces inappropriate checks.
> For example if we have:
> view "a.b" and view "a", when we check permissions for "a.b" we'll first check for the a.b resource, then the a resource - which is not appropriate. This behavior in part was likely initially due to multi-schema import scenarios, such that the imported table names would be qualified by source schema name. Then you could add permissions against that partially qualified name teiidSchema.sourceSchema. That will no longer be possible if we implement TEIID-5840
5 years, 1 month
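
The name ambiguity described in TEIID-5841 above, reproduced in a simplified model. This is an added example, not Teiid code: `legacy_allowed`, `typed_allowed`, `ResourceType`, the parent hierarchy and the sample grants are all hypothetical and constructed for illustration.

```python
from enum import Enum

class ResourceType(Enum):
    SCHEMA = 1
    TABLE = 2
    COLUMN = 3

# Parent type of each resource type in this simplified hierarchy (assumption).
PARENT = {ResourceType.COLUMN: ResourceType.TABLE,
          ResourceType.TABLE: ResourceType.SCHEMA}

def legacy_allowed(grants, name_parts):
    """String model: flatten to one dotted name, then walk up segment by segment."""
    candidate = ".".join(name_parts)
    while candidate:
        if candidate in grants:
            return True
        candidate = candidate.rpartition(".")[0]
    return False

def typed_allowed(grants, rtype, name_parts):
    """Typed model: a resource is (type, name parts); parents come from
    structure, never from splitting a name on '.'."""
    parts = tuple(name_parts)
    while rtype is not None:
        if (rtype, parts) in grants:
            return True
        rtype, parts = PARENT.get(rtype), parts[:-1]
    return False

# Constructed sample grants, written once per model.
LEGACY_GRANTS = {"s.a", "s.t.c"}   # meant: view "a", and column c of table t
TYPED_GRANTS = {(ResourceType.TABLE, ("s", "a")),
                (ResourceType.COLUMN, ("s", "t", "c"))}

def compare(rtype, name_parts):
    """Return (legacy decision, typed decision) for the same resource."""
    return (legacy_allowed(LEGACY_GRANTS, name_parts),
            typed_allowed(TYPED_GRANTS, rtype, name_parts))

if __name__ == "__main__":
    for rtype, parts in [(ResourceType.TABLE, ("s", "a")),
                         (ResourceType.TABLE, ("s", "a.b")),
                         (ResourceType.TABLE, ("s", "t.c")),
                         (ResourceType.COLUMN, ("s", "t", "c"))]:
        print(rtype.name, parts, compare(rtype, parts))
```

In the string model the grant on view "a" also authorizes view "a.b", and the column grant also authorizes a table named "t.c"; keying the lookup on resource type plus structured name removes both overlaps.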
[JBoss JIRA] (TEIID-5841) Authorization of table name that contain .
by Steven Hawkins (Jira)
[ https://issues.jboss.org/browse/TEIID-5841?page=com.atlassian.jira.plugin... ]
Steven Hawkins updated TEIID-5841:
----------------------------------
Original Estimate: 6 hours
Remaining Estimate: 6 hours
Story Points: 5
Sprint: DV Sprint 54
> Authorization of table name that contain .
> ------------------------------------------
>
> Key: TEIID-5841
> URL: https://issues.jboss.org/browse/TEIID-5841
> Project: Teiid
> Issue Type: Bug
> Components: Query Engine
> Reporter: Steven Hawkins
> Assignee: Steven Hawkins
> Priority: Major
> Fix For: 13.0
>
> Original Estimate: 6 hours
> Remaining Estimate: 6 hours
>
> We have a long-standing issue with the permission system mostly due to the initial api design - we only pass fully qualified names to the policy decider in the form of schema.table. If the table name contains '.' the policy decider simplistically walks up each segment - which effectively introduces inappropriate checks.
> For example if we have:
> view "a.b" and view "a", when we check permissions for "a.b" we'll first check for the a.b resource, then the a resource - which is not appropriate. This behavior in part was likely initially due to multi-schema import scenarios, such that the imported table names would be qualified by source schema name. Then you could add permissions against that partially qualified name teiidSchema.sourceSchema. That will no longer be possible if we implement TEIID-5840
5 years, 1 month
[JBoss JIRA] (TEIID-5841) Authorization of table name that contain .
by Steven Hawkins (Jira)
[ https://issues.jboss.org/browse/TEIID-5841?page=com.atlassian.jira.plugin... ]
Work on TEIID-5841 started by Steven Hawkins.
---------------------------------------------
> Authorization of table name that contain .
> ------------------------------------------
>
> Key: TEIID-5841
> URL: https://issues.jboss.org/browse/TEIID-5841
> Project: Teiid
> Issue Type: Bug
> Components: Query Engine
> Reporter: Steven Hawkins
> Assignee: Steven Hawkins
> Priority: Major
> Fix For: 13.0
>
>
> We have a long-standing issue with the permission system mostly due to the initial api design - we only pass fully qualified names to the policy decider in the form of schema.table. If the table name contains '.' the policy decider simplistically walks up each segment - which effectively introduces inappropriate checks.
> For example if we have:
> view "a.b" and view "a", when we check permissions for "a.b" we'll first check for the a.b resource, then the a resource - which is not appropriate. This behavior in part was likely initially due to multi-schema import scenarios, such that the imported table names would be qualified by source schema name. Then you could add permissions against that partially qualified name teiidSchema.sourceSchema. That will no longer be possible if we implement TEIID-5840
5 years, 1 month