[
https://issues.jboss.org/browse/TEIID-5798?page=com.atlassian.jira.plugin...
]
Steven Hawkins updated TEIID-5798:
----------------------------------
Original Estimate: 6 hours
Remaining Estimate: 6 hours
Story Points: 3
Estimated Difficulty: Medium
Affects: Documentation (Ref Guide, User Guide, etc.),Release Notes
The current logic treats conditions as applicable to the policy regardless of how the
permissions are defined. This largely comports with the old designer happy path - there
was one permission/grant per object.
As Christoph shows in the example it makes sense that multiple DDL statements can be used,
so that the meaning of the condition can be contextual to those operations.
For this to work we have two choices.
1. To support multiple grant statements we have to undo the logic that effectively
combines permissions - internally we have the same assumption that everything about
securing an object can be expressed in a single permission object - and change the
security logic to also consider the operation when getting the conditions to apply.
Note that this would make things like masks also only have meaning when used on a grant
that includes select.
2. Expand the definition of a grant statement to optionally specify what operations the
condition is applicable to. This will have a similar amount of work to 1, but limits
things to a single conditional that is conditionally applied.
Mixed PERMISSION GRANTS
-----------------------
Key: TEIID-5798
URL: https://issues.jboss.org/browse/TEIID-5798
Project: Teiid
Issue Type: Enhancement
Components: Query Engine
Reporter: Christoph John
Assignee: Steven Hawkins
Priority: Major
Fix For: 13.0
Original Estimate: 6 hours
Remaining Estimate: 6 hours
Hello,
I am currently trying to set a set of permissions on a table/view. Hence a condition on
INSERT,UPDATE,DELETE and an unconditioned SELECT.
However, it seems that conditioned and unconditioned GRANT statements do not work
together.
GRANT INSERT,UPDATE,DELETE ON TABLE "my_nutri_diary.UserDefinedProducts_SRC"
    CONDITION 'UserDefinedProducts_SRC.fkProfile in (SELECT Account.idProfile FROM Account WHERE Account.uuidUser = LEFT(user(), 36) )' TO odata;
GRANT SELECT ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" TO odata;
REVOKE ALTER,EXECUTE ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" FROM odata;
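Added example (not Teiid code and not part of the original messages): a simplified Python model of the condition lookup described in the comment, comparing the merged single-permission behaviour with choice 1, where the operation is considered. The Grant class, both function names, and the abbreviated condition text are assumptions made for illustration. How several conditions on the same operation would be combined is not covered by the issue, so the functions only return the list that applies.

```python
# Added illustration: a simplified model of the two lookups, not Teiid source code.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Grant:                      # hypothetical stand-in for one GRANT statement
    resource: str
    operations: frozenset
    condition: Optional[str] = None   # None means an unconditioned grant

TABLE = "my_nutri_diary.UserDefinedProducts_SRC"
# Constructed placeholder for the CONDITION text in the report.
COND = "fkProfile in (<profiles owned by user()>)"

# The two GRANT statements from the report.
GRANTS = [
    Grant(TABLE, frozenset({"INSERT", "UPDATE", "DELETE"}), COND),
    Grant(TABLE, frozenset({"SELECT"})),
]

def conditions_combined(grants, resource, operation) -> Optional[List[str]]:
    """One merged permission per object: every condition on the object is
    returned for any granted operation. None means the operation is denied."""
    on_object = [g for g in grants if g.resource == resource]
    allowed = set().union(*(g.operations for g in on_object))
    if operation not in allowed:
        return None
    return [g.condition for g in on_object if g.condition is not None]

def conditions_per_operation(grants, resource, operation) -> Optional[List[str]]:
    """Choice 1: only grants that name the operation contribute conditions."""
    naming = [g for g in grants
              if g.resource == resource and operation in g.operations]
    if not naming:
        return None
    return [g.condition for g in naming if g.condition is not None]

if __name__ == "__main__":
    for op in ("SELECT", "UPDATE", "ALTER"):
        print(op, conditions_combined(GRANTS, TABLE, op),
              conditions_per_operation(GRANTS, TABLE, op))
```

In the merged model the row condition written for INSERT, UPDATE and DELETE is also returned for SELECT; in the per-operation model SELECT gets no condition while the write operations keep theirs.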