Steven Hawkins resolved TEIID-5734.
-----------------------------------
Resolution: Done
Corrected by also applying the re-aliasing logic to the condition for masking.
A workaround is to not use a condition, but a full masking expression:
{code}
<mask>case when vw.employee.id>2 then 'Blocked' else vw.employee.taxid end</mask>
{code}
Planning errors with masking due to unaliased column references
---------------------------------------------------------------
Key: TEIID-5734
URL: https://issues.jboss.org/browse/TEIID-5734
Project: Teiid
Issue Type: Bug
Components: Query Engine
Reporter: Steven Hawkins
Assignee: Steven Hawkins
Priority: Critical
Fix For: 12.2, 11.2.3, 12.1.2
The ColumnMaskingHelper is creating expressions using the unaliased source name. This
implicitly is relying on other logic, such as the raising of an access node to compensate
for that. If however a view layer with masking is used that has no access nodes or cannot
be removed, then exceptions will occur if it appears in the user query aliased and with
constructs above, such as an order by.
For example with the vdb:
{code}
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<vdb name="odatacm" version="1">
    <description>Test column masking for Odata </description>
    <property name="validationDateTime" value="Thu May 02 14:13:21 CDT 2019"/>
    <property name="validationVersion" value="8.12.13"/>
    <model name="vw" type="VIRTUAL">
        <metadata type="DDL"><![CDATA[
CREATE VIEW employee (
    id integer,
    name string,
    taxid string,
    taxid_cd string,
    CONSTRAINT pk_id PRIMARY KEY(id)
) OPTIONS(UPDATABLE 'TRUE')
AS
SELECT
    1 AS id, 'Debbie' AS name, '123456789' AS taxid, 'SSN' AS taxid_cd
UNION
SELECT
    2 AS id, 'Mide' AS name, '234567891' AS taxid, 'FED' AS taxid_cd
UNION
SELECT
    3 AS id, 'DJS' AS name, '345678912' AS taxid, 'FED' AS taxid_cd
UNION
SELECT
    4 AS id, 'Joe' AS name, '456789123' AS taxid, 'SSN' AS taxid_cd;
        ]]></metadata>
    </model>
    <data-role allow-create-temporary-tables="false" any-authenticated="true" grant-all="false" name="Data Role 1">
        <description/>
        <permission>
            <resource-name>vw.employee.taxid</resource-name>
            <condition>vw.employee.id>2</condition>
            <mask order="0">'Blocked'</mask>
        </permission>
        <permission>
            <resource-name>vw</resource-name>
            <allow-create>false</allow-create>
            <allow-read>true</allow-read>
            <allow-update>false</allow-update>
            <allow-delete>false</allow-delete>
            <allow-execute>false</allow-execute>
            <allow-alter>false</allow-alter>
        </permission>
        <permission>
            <resource-name>sysadmin</resource-name>
            <allow-create>false</allow-create>
            <allow-read>false</allow-read>
            <allow-update>false</allow-update>
            <allow-delete>false</allow-delete>
            <allow-execute>false</allow-execute>
            <allow-alter>false</allow-alter>
        </permission>
    </data-role>
</vdb>
{code}
and the query "select * from employee as e order by id" is issued, then an exception will be returned:
TEIID30259 Cannot introduce new expressions [vw.employee.id] in duplicate removal
Which is a safeguard to prevent further planning errors - note the unaliased / fully
qualified name in the exception message.
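
The workaround from the resolution, applied mechanically to a VDB: this is an added example, not Teiid code and not part of the issue. It finds permissions that pair a `<condition>` with a `<mask>` and folds them into one `case` masking expression. It assumes the full expression belongs in `<mask>` with the `<condition>` removed, and one mask per column as in the VDB above; `fold_mask_conditions` and the trimmed sample VDB are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the masking permission from the VDB above, trimmed to one role.
SAMPLE_VDB = """<vdb name="odatacm" version="1">
  <data-role name="Data Role 1" any-authenticated="true">
    <permission>
      <resource-name>vw.employee.taxid</resource-name>
      <condition>vw.employee.id&gt;2</condition>
      <mask order="0">'Blocked'</mask>
    </permission>
    <permission>
      <resource-name>vw</resource-name>
      <allow-read>true</allow-read>
    </permission>
  </data-role>
</vdb>"""


def fold_mask_conditions(vdb_xml):
    """Rewrite each <condition>+<mask> permission into a single CASE mask.

    Returns (rewritten_xml, findings) with one finding per permission changed:
    (role name, resource name, new mask expression).
    """
    root = ET.fromstring(vdb_xml)
    findings = []
    for role in root.iter("data-role"):
        for perm in role.findall("permission"):
            cond, mask = perm.find("condition"), perm.find("mask")
            if cond is None or mask is None:
                continue  # condition-only and mask-only permissions are left alone
            resource = (perm.findtext("resource-name") or "").strip()
            condition = (cond.text or "").strip()
            masked = (mask.text or "").strip()
            if not (resource and condition and masked):
                continue  # incomplete permission: do not guess at an expression
            # Rows that do not match keep the real column value, as in the workaround.
            mask.text = "case when %s then %s else %s end" % (condition, masked, resource)
            perm.remove(cond)
            findings.append((role.get("name"), resource, mask.text))
    return ET.tostring(root, encoding="unicode"), findings


if __name__ == "__main__":
    new_xml, changed = fold_mask_conditions(SAMPLE_VDB)
    for role_name, resource, expr in changed:
        print("%s: %s -> %s" % (role_name, resource, expr))
```

Run it against a copy of the VDB and review each rewritten expression before deploying; the original `order` attribute on `<mask>` is preserved.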