[JBoss JIRA] (TEIID-5792) Permissions don't work with virtual procedures' ResultSet
by Dmitrii Pogorelov (Jira)
[ https://issues.jboss.org/browse/TEIID-5792?page=com.atlassian.jira.plugin... ]
Dmitrii Pogorelov commented on TEIID-5792:
------------------------------------------
[~shawkins] Hm... If we set permissions for the result set of a procedure explicitly, then we should specify the requested columns. I mean, if we use the command:
call proc(...)
and set a permission for a result set, we should wrap the call in a select to specify the cols which we want to request. Otherwise we should return an error, as is done for views. For views, if we use "select *" and have restrictions on columns, we will get an error until we specify the allowed columns. The same approach should be used for procedures: we should throw an error until the client specifies an allowed result set. That is, if a user sets permissions for a procedure, the user expects that the client will request columns explicitly; otherwise we should show an error.
> Permissions don't work with virtual procedures' ResultSet
> ---------------------------------------------------------
>
> Key: TEIID-5792
> URL: https://issues.jboss.org/browse/TEIID-5792
> Project: Teiid
> Issue Type: Enhancement
> Components: Query Engine
> Affects Versions: 12.0
> Environment: teiid-12.0.0 on WildFly Full 14.0.1.Final (WildFly Core 6.0.2.Final)
> Reporter: Dmitrii Pogorelov
> Assignee: Steven Hawkins
> Priority: Major
>
> Teiid doesn't work with the ResultSet of a virtual procedure. For example, if we have a procs.testProc virtual procedure which can return two values in its ResultSet, a and b, and we specify a permission for one of these columns in the ResultSet, the permission won't work:
> {code:xml}
> <permission>
>     <resource-name>procs.testProc.a</resource-name>
>     <allow-read>false</allow-read>
> </permission>
> {code}
> I think it would be great to also set permissions for the ResultSets of virtual procedures, so the AuthorizationValidationVisitor.validateEntitlements method for a GroupSymbol which is a procedure should also analyze its ResultSet. At the same time, permissions work for virtual views, and we can set permissions for some of the views' columns separately.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
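
The behaviour proposed in the comment above, modelled as an added example (not Teiid code and not part of the original message): a column-level read check in which a bare `call proc(...)` or `select *` expands to the full result set and is rejected when any column is denied, while an explicit projection of allowed columns passes. The function names, the policy dictionary and the most-specific-prefix resolution rule are assumptions made for illustration.

```python
# Toy model of the column-level read check discussed in TEIID-5792.
# Not Teiid code: all names and the resolution rule are hypothetical.


class AccessDenied(Exception):
    pass


# Constructed policy: the procedure is readable, result-set column "a" is not
# (mirrors the <permission> element quoted in the issue).
PERMISSIONS = {
    "procs.testProc": True,
    "procs.testProc.a": False,
}

# Constructed metadata: result-set columns of the virtual procedure.
RESULT_SET_COLUMNS = {"procs.testProc": ["a", "b"]}


def allow_read(resource, permissions):
    """Resolve allow-read using the most specific matching resource name
    (assumed rule); deny when no permission matches at all."""
    parts = resource.split(".")
    while parts:
        name = ".".join(parts)
        if name in permissions:
            return permissions[name]
        parts.pop()
    return False


def validate_projection(group, requested, permissions=PERMISSIONS):
    """Check every column the client would receive.

    requested=None models a bare `call proc(...)` or `select *`: it expands
    to the full result set before the check, so one denied column fails it.
    """
    columns = RESULT_SET_COLUMNS[group] if requested is None else requested
    denied = [c for c in columns if not allow_read(f"{group}.{c}", permissions)]
    if denied:
        raise AccessDenied(f"no read access to {group}: {', '.join(denied)}")
    return columns
```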