[
https://issues.jboss.org/browse/TEIID-5798?page=com.atlassian.jira.plugin...
]
Steven Hawkins commented on TEIID-5798:
---------------------------------------
I read that as bug rather than breaking change.
Ill-defined perhaps. It is simply that conditions and masks are scoped to the entire
"permission" internally.
Still like multiple statements, basically underneath when we flatten
we should not flatten on table/proc, but the combination of table/proc and operations
supported on it.
Just keep in mind that is actually a large change and breaks the APIs and how multiple
grants / revokes are currently handled (not that it's currently a great way of doing
things).
Given the amount of work involved it may be better to think about adopting/following the
pg model for condition/mask. As is we'd have to come up with our own definitions for
the following:
{code}
GRANT SELECT,INSERT ... CONDITION 'cond 1';
GRANT DELETE ... CONDITION 'cond 2';
{code}
{code}
REVOKE DELETE ... -- but nothing specified about the "delete condition". Does
-- it linger, or go away?
{code}
{code}
GRANT SELECT ... CONDITION 'cond 3'; -- would this be an exception (similar to
-- today), or like pg would we support combinations of conditions within the same role.
-- Currently we only combine across roles.
{code}
{code}
REVOKE SELECT ... CONDITION -- presumably the insert condition remains
{code}
Mixed PERMISSION GRANTS
-----------------------
Key: TEIID-5798
URL: https://issues.jboss.org/browse/TEIID-5798
Project: Teiid
Issue Type: Enhancement
Components: Query Engine
Reporter: Christoph John
Assignee: Steven Hawkins
Priority: Major
Fix For: 13.0
Original Estimate: 6 hours
Remaining Estimate: 6 hours
Hello,
I am currently trying to set a set of permissions on a table/view. Hence a condition on
INSERT,UPDATE,DELETE and an unconditioned SELECT.
However, it seems that conditioned and unconditioned GRANT statements do not work
together.
{code}
GRANT INSERT,UPDATE,DELETE ON TABLE "my_nutri_diary.UserDefinedProducts_SRC"
    CONDITION 'UserDefinedProducts_SRC.fkProfile in (SELECT Account.idProfile FROM Account WHERE Account.uuidUser = LEFT(user(), 36) )'
    TO odata;
GRANT SELECT ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" TO odata;
REVOKE ALTER,EXECUTE ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" FROM odata;
{code}
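An added sketch, not Teiid code and not part of the original thread: a simplified Python model of the two flattening keys discussed in the comment, fed with the grants from the report. The function names, the shortened condition string, and the conflict/replace rules are assumptions made for illustration.

```python
# Simplified model, not Teiid code: the key used to flatten one role's grants
# decides how far a row CONDITION reaches.

RES = "my_nutri_diary.UserDefinedProducts_SRC"
COND = "fkProfile in (SELECT ...)"  # stands in for the reporter's condition

# Constructed grants for one role: (operations, resource, condition or None)
GRANTS = [
    ({"INSERT", "UPDATE", "DELETE"}, RES, COND),
    ({"SELECT"}, RES, None),
]

def flatten_per_resource(grants):
    """One permission per table/proc, with a single condition shared by all operations."""
    perms = {}
    for ops, resource, cond in grants:
        perm = perms.setdefault(resource, {"ops": set(), "condition": None})
        perm["ops"] |= ops
        if cond is not None:
            if perm["condition"] not in (None, cond):
                # Assumed rule: a second, different condition is rejected.
                raise ValueError(f"conflicting conditions on {resource}")
            perm["condition"] = cond
    return {(res, op): p["condition"] for res, p in perms.items() for op in p["ops"]}

def flatten_per_operation(grants):
    """One entry per (table/proc, operation), each with its own condition."""
    perms = {}
    for ops, resource, cond in grants:
        for op in ops:
            # Assumed rule: a later grant replaces the earlier condition.
            perms[(resource, op)] = cond
    return perms

def effective_condition(perms, resource, op):
    """Return the row condition for op, None if unconditioned, 'DENY' if not granted."""
    return perms.get((resource, op), "DENY")

if __name__ == "__main__":
    for flatten in (flatten_per_resource, flatten_per_operation):
        perms = flatten(GRANTS)
        print(flatten.__name__, {op: effective_condition(perms, RES, op)
                                 for op in ("SELECT", "DELETE", "ALTER")})
```

In this model, per-resource flattening makes the unconditioned SELECT inherit the write condition, while per-operation flattening keeps SELECT unconditioned and the writes filtered.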