10:40 a.m.
[
https://issues.jboss.org/browse/TEIID-2311?page=com.atlassian.jira.plugin...
]
Steven Hawkins commented on TEIID-2311:
---------------------------------------
Added the initial check-in of row-based security. The approach is basically as outlined
above. A permission element can now have a condition child:
<permission>
<resource-name>SCHEMA.TABLE</resource-name>
<condition>COLUMNA=user()</condition>
<allow-read>true</allow-read>
...
</permission>
The affected resource can be a table/view or procedure. Multiple conditions against the
same resource are accumulated disjuctively. Unlike data roles, the conditions are always
applied (not just at the user query). So it may be typical that the permissions are
written for an any authenticated role and generalized, such as shown above with the use of
the user function.
The condition can be any valid sql referencing the projected columns, but the current
implementation will not correctly handle subqueries for bulk inserts (that could be
addressed later if needed).
The condition is applied conjunctively to update/delete/select where clauses. That means
that those queries will only ever be effective against the subset of rows that pass the
condition, i.e. SELECT * FROM TBL WHERE blah AND condition
inserts and updates against tables are further validated so that the insert/change values
must pass the condition (evaluate to true) for the insert/update to succeed - this is
effectively the same a sql constraint. This will happen for all styles of insert/update -
insert with query expression, bulk insert/update, etc. However this can inhibit pushdown
in some circumstances as we have to check the values for each row. inserts/updates
against views are not checked with regards to the constraint.
Further changes may be necessary to ensure that performance is not unduly harmed when the
condition cannot be pushed down - most optimizations are already flexible about this case,
but we could more aggressively look at raising the criteria to produce a better plan.
Add simple row based security to data roles
-------------------------------------------
Key: TEIID-2311
URL: https://issues.jboss.org/browse/TEIID-2311
Project: Teiid
Issue Type: Feature Request
Components: Query Engine
Affects Versions: 8.2
Reporter: Steven Hawkins
Assignee: Steven Hawkins
Fix For: 8.3
A common request is to implement row based security. The common workaround of modifying
transformations is generally not a good solution.
We should look at adding support for simple table filters and column masks.
To be effective, filtering permissions however would have to act differently than normal
data roles. They would need to be applied all the time - and not just against the end
user queries.
For example, for tables:
<permission>
<resource-name>SCHEMA.TABLE</resource-name>
<filter>COLUMNA=2</filter>
</permission>
Meaning allow the CRUD of the given row only if COLUMNA has the value of 2. Any valid
predicate against just the referenced table would be allowed as a filter. Each such
permission would be applied as an additional predicate any time the table is referenced
(in views, inserts, updates, deletes, etc.).
Allows would not be specified here as we want the filter to always specify inclusion.
Any applicable permissions in additional roles would be applied disjunctively - filter OR
filter.
We could possibly support column masks via case expressions, such as:
<permission>
<resource-name>SCHEMA.TABLE.COLUMN</resource-name>
<mask>CASE WHEN ...</mask>
</permission>
However this is slightly more complicated. Presumably the mask would only apply to
projection and makes more sense to be applied at the final output/user query (more like a
data role).
If we work the issue to specify the object type of a permission, then the name could
alternatively refer to datatype or even an extension property to make the masking a little
easier.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
4391
days inactive
4391
days old
0 comments
1 participants
participants (1)
-
Steven Hawkins (JIRA)