[JBoss JIRA] (TEIID-5842) Better define the schema object namespaces
by Steven Hawkins (Jira)
Steven Hawkins created TEIID-5842:
-------------------------------------
Summary: Better define the schema object namespaces
Key: TEIID-5842
URL: https://issues.jboss.org/browse/TEIID-5842
Project: Teiid
Issue Type: Quality Risk
Components: Query Engine
Reporter: Steven Hawkins
Assignee: Steven Hawkins
Fix For: 13.0
Right now tables/views, procedures, and functions are in separate namespaces. There are two downsides:
- procedural to relational mapping effectively puts procedures and tables in the same namespace
- the default logic in the permission system does not check the resource type, so there is an assumption that the names won't conflict.
We either need to put everything in the same namespace, or be more exacting with the permission logic.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
5 years, 1 month
[JBoss JIRA] (TEIID-5822) Move off of gitbook
by Steven Hawkins (Jira)
[ https://issues.jboss.org/browse/TEIID-5822?page=com.atlassian.jira.plugin... ]
Work on TEIID-5822 stopped by Steven Hawkins.
---------------------------------------------
> Move off of gitbook
> -------------------
>
> Key: TEIID-5822
> URL: https://issues.jboss.org/browse/TEIID-5822
> Project: Teiid
> Issue Type: Task
> Components: Documentation
> Reporter: Steven Hawkins
> Assignee: Steven Hawkins
> Priority: Major
> Fix For: 13.x
>
>
> The gitbook cli tools are now deprecated. An update to the pdf logic has caused the travis builds to break - we need to use an old node js version because the gitbook stuff uses old constructs, but that means an older distribution - which calibre does not support anymore. For now I can look at customizing the calibre install, but longer term we need to get off of gitbook publishing.
5 years, 1 month
[JBoss JIRA] (TEIID-5841) Authorization of table name that contain .
by Steven Hawkins (Jira)
Steven Hawkins created TEIID-5841:
-------------------------------------
Summary: Authorization of table name that contain .
Key: TEIID-5841
URL: https://issues.jboss.org/browse/TEIID-5841
Project: Teiid
Issue Type: Bug
Components: Query Engine
Reporter: Steven Hawkins
Assignee: Steven Hawkins
Fix For: 13.0
We have a long-standing issue with the permission system mostly due to the initial api design - we only pass fully qualified names to the policy decider in the form of schema.table. If the table name contains '.' the policy decider simplistically walks up each segment - which effectively introduces inappropriate checks.
For example if we have:
view "a.b" and view "a", when we check permissions for "a.b" we'll first check for the a.b resource, then the a resource - which is not appropriate. This behavior in part was likely initially due to multi-schema import scenarios, such that the imported table names would be qualified by source schema name. Then you could add permissions against that partially qualified name teiidSchema.sourceSchema. That will no longer be possible if we implement TEIID-5840.
5 years, 1 month
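The two lookup problems reported in TEIID-5842 and TEIID-5841 above (resource type not checked, and dotted names walked up segment by segment), as an added Python model that is not Teiid code or part of either report. The function names, the `GRANTS` policy and the `"TABLE"` / `"PROCEDURE"` / `"SCHEMA"` kind labels are assumptions made for the illustration.

```python
# Added illustration: a simplified model, not Teiid's policy decider.
from typing import Dict, List, Optional, Tuple

Grant = Tuple[str, str, Optional[str]]  # (resource kind, schema, object name)

# Constructed policy: the role may read view "a" in schema "s", nothing else.
GRANTS: Dict[Grant, bool] = {("TABLE", "s", "a"): True}


def walk_up_candidates(fq_name: str) -> List[str]:
    """Names tried when only the dotted string schema.table is available."""
    parts = fq_name.split(".")
    return [".".join(parts[:i]) for i in range(len(parts), 0, -1)]


def decide_by_string(grants: Dict[Grant, bool], fq_name: str):
    """Name-only lookup: kind is ignored and every dot is treated as hierarchy."""
    flat = {(s if n is None else f"{s}.{n}"): allowed
            for (_, s, n), allowed in grants.items()}
    for candidate in walk_up_candidates(fq_name):
        if candidate in flat:
            return flat[candidate], candidate
    return None, None  # no matching entry; the caller denies by default


def decide_structured(grants: Dict[Grant, bool], kind: str, schema: str, name: str):
    """Exact object first, then its schema; the name is never re-parsed."""
    for key in ((kind, schema, name), ("SCHEMA", schema, None)):
        if key in grants:
            return grants[key], key
    return None, None


if __name__ == "__main__":
    # View "a.b" in schema "s" arrives at the decider as the string "s.a.b".
    print(decide_by_string(GRANTS, "s.a.b"))
    print(decide_structured(GRANTS, "TABLE", "s", "a.b"))
    # A procedure named "a" is indistinguishable from view "a" by name alone.
    print(decide_by_string(GRANTS, "s.a"))
    print(decide_structured(GRANTS, "PROCEDURE", "s", "a"))
```
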
[JBoss JIRA] (TEIID-5798) Mixed PERMISSION GRANTS
by Steven Hawkins (Jira)
[ https://issues.jboss.org/browse/TEIID-5798?page=com.atlassian.jira.plugin... ]
Steven Hawkins commented on TEIID-5798:
---------------------------------------
> Is there a difference between above vs previous multiple statements?
Current behavior with multiple statements:
{code}
GRANT SELECT,INSERT ... CONDITION 'cond 1'; -- add the condition to all operations
{code}
{code}
GRANT DELETE ... CONDITION 'cond 2'; -- throws an exception complaining about the already existing condition
{code}
{code}
REVOKE X ... -- but nothing specified about the condition, so it remains
{code}
{code}
REVOKE SELECT ... CONDITION -- removes the condition from all operations regardless of what is specified in the revoke
{code}
> Mixed PERMISSION GRANTS
> -----------------------
>
> Key: TEIID-5798
> URL: https://issues.jboss.org/browse/TEIID-5798
> Project: Teiid
> Issue Type: Enhancement
> Components: Query Engine
> Reporter: Christoph John
> Assignee: Steven Hawkins
> Priority: Major
> Fix For: 13.0
>
> Original Estimate: 6 hours
> Remaining Estimate: 6 hours
>
> Hello,
> I am currently trying to set a set of permissions on a table/view. Hence a condition on INSERT,UPDATE,DELETE and an unconditioned SELECT.
> However, it seems that conditioned and unconditioned GRANT statements do not work together.
> {code}
> GRANT INSERT,UPDATE,DELETE ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" CONDITION 'UserDefinedProducts_SRC.fkProfile in (SELECT Account.idProfile FROM Account WHERE Account.uuidUser = LEFT(user(), 36) )' TO odata;
> GRANT SELECT ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" TO odata;
> REVOKE ALTER,EXECUTE ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" FROM odata;
> {code}
5 years, 1 month
[JBoss JIRA] (TEIID-5798) Mixed PERMISSION GRANTS
by Ramesh Reddy (Jira)
[ https://issues.jboss.org/browse/TEIID-5798?page=com.atlassian.jira.plugin... ]
Ramesh Reddy commented on TEIID-5798:
-------------------------------------
Is there a difference between above vs previous multiple statements?
5 years, 1 month
[JBoss JIRA] (TEIID-5798) Mixed PERMISSION GRANTS
by Steven Hawkins (Jira)
[ https://issues.jboss.org/browse/TEIID-5798?page=com.atlassian.jira.plugin... ]
Steven Hawkins commented on TEIID-5798:
---------------------------------------
> I read that as bug rather than breaking change.
Ill defined perhaps. It is simply that conditions and masks are scoped to the entire "permission" internally.
> Still like multiple statements, basically underneath when we flatten we should not flatten on table/proc, but the combination of table/proc and operations supported on it.
Just keep in mind that is actually a large change and breaks the apis and how multiple grants / revokes are currently handled (not that it's currently a great way of doing things).
Given the amount of work involved it may be better to think about adopting/following the pg model for condition/mask. As is we'd have to come up with our own definitions for the following:
{code}
GRANT SELECT,INSERT ... CONDITION 'cond 1';
GRANT DELETE ... CONDITION 'cond 2';
{code}
{code}
REVOKE DELETE ... -- but nothing specified about the "delete condition". Does it linger, or go away?
{code}
{code}
GRANT SELECT ... CONDITION 'cond 3'; -- would this be an exception (similar to today), or like pg would we support combinations of conditions within the same role. Currently we only combine across roles.
{code}
{code}
REVOKE SELECT ... CONDITION -- presumably the insert condition remains
{code}
5 years, 1 month
[JBoss JIRA] (TEIID-5798) Mixed PERMISSION GRANTS
by Ramesh Reddy (Jira)
[ https://issues.jboss.org/browse/TEIID-5798?page=com.atlassian.jira.plugin... ]
Ramesh Reddy commented on TEIID-5798:
-------------------------------------
> such that if anyone is currently using multiple grants / revokes per resource, it would be a breaking change.
I read that as bug rather than breaking change. Still like multiple statements, basically underneath when we flatten we should not flatten on table/proc, but the combination of table/proc and operations supported on it.
5 years, 1 month
[JBoss JIRA] (TEIID-5798) Mixed PERMISSION GRANTS
by Ramesh Reddy (Jira)
[ https://issues.jboss.org/browse/TEIID-5798?page=com.atlassian.jira.plugin... ]
Ramesh Reddy updated TEIID-5798:
--------------------------------
Description:
Hello,
I am currently trying to set a set of permissions on a table/view. Hence a condition on INSERT,UPDATE,DELETE and an unconditioned SELECT.
However, it seems that conditioned and unconditioned GRANT statements do not work together.
{code}
GRANT INSERT,UPDATE,DELETE ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" CONDITION 'UserDefinedProducts_SRC.fkProfile in (SELECT Account.idProfile FROM Account WHERE Account.uuidUser = LEFT(user(), 36) )' TO odata;
GRANT SELECT ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" TO odata;
REVOKE ALTER,EXECUTE ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" FROM odata;
{code}
was:
Hello,
I am currently trying to set a set of permissions on a table/view. Hence a condition on INSERT,UPDATE,DELETE and an unconditioned SELECT.
However, it seems that conditioned and unconditioned GRANT statements do not work together.
GRANT INSERT,UPDATE,DELETE ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" CONDITION 'UserDefinedProducts_SRC.fkProfile in (SELECT Account.idProfile FROM Account WHERE Account.uuidUser = LEFT(user(), 36) )' TO odata;
GRANT SELECT ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" TO odata;
REVOKE ALTER,EXECUTE ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" FROM odata;
5 years, 1 month
[JBoss JIRA] (TEIID-5798) Mixed PERMISSION GRANTS
by Steven Hawkins (Jira)
[ https://issues.jboss.org/browse/TEIID-5798?page=com.atlassian.jira.plugin... ]
Steven Hawkins commented on TEIID-5798:
---------------------------------------
> also what about having two or more different conditions? We won't be able to support that with #2 right?
That is correct - and the code currently doesn't support that either given the way we flatten grants.
> I feel having multiple statements like shown in example is how I would think, so #1 seems like right direction for me.
Note that it's not the only direction. Pg for example separates the notion of access control from row-based security policy: https://www.postgresql.org/docs/9.5/sql-createpolicy.html
More concrete examples of what this could look like:
From above, multiple statements:
{code}
GRANT INSERT,UPDATE,DELETE ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" CONDITION 'UserDefinedProducts_SRC.fkProfile in (SELECT Account.idProfile FROM Account WHERE Account.uuidUser = LEFT(user(), 36) )' TO odata;
GRANT SELECT ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" TO odata;
{code}
- fairly consistent with our grammar, but not consistent with the current code.
Single statement:
{code}
GRANT SELECT,INSERT,UPDATE,DELETE ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" CONDITION 'UserDefinedProducts_SRC.fkProfile in (SELECT Account.idProfile FROM Account WHERE Account.uuidUser = LEFT(user(), 36) )' FOR INSERT,UPDATE,DELETE TO odata;
{code}
- smallest change. supports the enhancement requested, but not very powerful
Separate GRANT / Policy: see https://www.postgresql.org/docs/9.5/sql-createpolicy.html
- it would be quite a bit of work to match that behavior / syntax
Actually our whole model for dealing with things like conditions and masks is currently very fragile. They are assumed to be applied across the entire permission/grant. For example if you do:
{code}
GRANT SELECT,INSERT ... CONDITION '...'
{code}
Then do:
{code}
REVOKE INSERT ... CONDITION
{code}
You retain the select permission, but the condition is gone entirely. Introducing multi-statement handling definitely changes the semantics - such that if anyone is currently using multiple grants / revokes per resource, it would be a breaking change.
5 years, 1 month
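The condition scoping described in the TEIID-5798 comments above (one condition per permission, so a conditioned grant also covers SELECT and `REVOKE INSERT ... CONDITION` drops the condition for every remaining operation), as an added Python model that is not Teiid code or part of the thread. The class names, `replay` and the `COND` string are assumptions, and the per-operation class is only one possible definition of the behaviour the thread leaves open.

```python
# Added illustration: a simplified model of the semantics described in this
# thread, not Teiid's implementation. All names here are hypothetical.
from typing import Dict, Optional, Set, Tuple

COND = "owner = user()"  # constructed row condition


class FlattenedPermission:
    """One condition scoped to the whole permission, as the thread describes."""
    def __init__(self) -> None:
        self.ops: Set[str] = set()
        self.condition: Optional[str] = None

    def grant(self, ops: Set[str], condition: Optional[str] = None) -> None:
        if condition is not None:
            if self.condition is not None:
                raise ValueError("a condition already exists on this resource")
            self.condition = condition
        self.ops |= ops

    def revoke(self, ops: Set[str], condition: bool = False) -> None:
        self.ops -= ops  # assumption: the listed operations are revoked too
        if condition:
            self.condition = None  # dropped for every remaining operation

    def effective(self, op: str) -> Tuple[bool, Optional[str]]:
        return (op in self.ops, self.condition if op in self.ops else None)


class PerOperationPermission:
    """One possible definition: each operation carries its own condition."""
    def __init__(self) -> None:
        self.conditions: Dict[str, Optional[str]] = {}

    def grant(self, ops: Set[str], condition: Optional[str] = None) -> None:
        for op in ops:
            self.conditions[op] = condition

    def revoke(self, ops: Set[str], condition: bool = False) -> None:
        for op in ops:
            self.conditions.pop(op, None)  # only this operation's entry goes

    def effective(self, op: str) -> Tuple[bool, Optional[str]]:
        return (op in self.conditions, self.conditions.get(op))


def replay(model):
    """Conditioned writes plus plain SELECT, then REVOKE INSERT ... CONDITION."""
    p = model()
    p.grant({"INSERT", "UPDATE", "DELETE"}, COND)
    p.grant({"SELECT"})
    select_before = p.effective("SELECT")
    p.revoke({"INSERT"}, condition=True)
    return select_before, p.effective("SELECT"), p.effective("UPDATE")
```

`replay` returns the effective `(allowed, condition)` pair for SELECT before the revoke, then for SELECT and UPDATE after it; in the flattened model UPDATE ends up allowed with no row condition at all.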
[JBoss JIRA] (TEIID-5798) Mixed PERMISSION GRANTS
by Ramesh Reddy (Jira)
[ https://issues.jboss.org/browse/TEIID-5798?page=com.atlassian.jira.plugin... ]
Ramesh Reddy commented on TEIID-5798:
-------------------------------------
I feel having multiple statements like shown in the example is how I would think, so #1 seems like the right direction for me. #2 is only going to leave us with a more complex statement, also what about having two or more different conditions? We won't be able to support that with #2, right?
5 years, 1 month