[
https://issues.jboss.org/browse/TEIID-3554?page=com.atlassian.jira.plugin...
]
Steven Hawkins commented on TEIID-3554:
---------------------------------------
If so, would be good if the role that is in the VDB that controls the
access be written to audit log, but not put into the exception. So when it's denied, only
care what role that's important (and what the user doesn't have).

The logic is not set up that way. A user has an associated set of roles and the
permissions of those roles are checked. There is no general mapping of resource to
permission across all roles known to a vdb (and the same permission could appear in many
roles).

Additionally, when access is given, the role that was used for access

Here again the same permission could appear in many roles that a user has. Which one is
tested first does not matter. Reporting the full set can further slow down
permission processing.

Also, if the VDB is sequenced, a report could be run between metadata
and audit log to analyze for any differences.

I don't follow you here. Anything you would want to analyze could be done
statically.

It would be a backdoor check to make sure no one changes the VDB
and gives access that isn't modeled thru the standard process.

Can you elaborate on this scenario? Are you expecting that the metadata, the roles, the
role mappings, etc. can be compromised? How would that happen and what non-compromised
artifact are you comparing against?

Audit log is missing details related to what role was applied and
what info was allowed or denied
-------------------------------------------------------------------------------------------------
Key: TEIID-3554
URL: https://issues.jboss.org/browse/TEIID-3554
Project: Teiid
Issue Type: Quality Risk
Components: Server
Affects Versions: 8.7.1.6_2
Reporter: Van Halbert
Assignee: Steven Hawkins
Attachments: portfolioroles_data.xlsx
Using the dynamicvdb-dataroles quick start as the basis for triggering the audit log.
Executing the view query: "Select * from StockPrice". The query will only
present the "price" column value when the user has the "prices" role.
When performing queries with a user (name=teiidUser) that doesn't have the
"prices" role versus one that does (name=portfolio), doesn't provide any
discerning information in the audit log to indicate that a role was applied to the data.
Attaching excel file of the audit log data.
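The trade-off discussed in the comment above, as an added example that is not part of the original issue and not Teiid's code: a short-circuit check stops at the first of the user's roles that grants a permission, while naming every role that would grant it needs a full scan, here done only on denial. The role model, the `readers` role, the column names and the user-to-role mappings are constructed assumptions; only the `prices` role, the `StockPrice` view and the two user names come from the issue.

```python
# Simplified model (an assumption, not Teiid's implementation): each data role
# maps to the set of (resource, action) permissions it grants.
ROLES = {  # constructed sample; only "prices" is named in the issue
    "readers": {("StockPrice.symbol", "READ")},
    "prices": {("StockPrice.symbol", "READ"), ("StockPrice.price", "READ")},
}
USER_ROLES = {"teiidUser": ["readers"], "portfolio": ["readers", "prices"]}  # constructed


def check(user, resource, action):
    """Short-circuit check: stop at the first of the user's roles that grants access."""
    for role in USER_ROLES.get(user, []):
        if (resource, action) in ROLES[role]:
            return role
    return None


def granting_roles(resource, action, candidates=None):
    """Full scan: every role (default: all roles in the model) granting the permission."""
    names = ROLES if candidates is None else candidates
    return sorted(r for r in names if (resource, action) in ROLES[r])


def audit_record(user, resource, action):
    """Build an audit entry; the full role scan runs only on denial."""
    first = check(user, resource, action)
    record = {"user": user, "resource": resource, "action": action,
              "decision": "ALLOW" if first else "DENY"}
    if first:
        record["matched_role"] = first  # first match only, depends on role order
    else:
        record["roles_that_would_grant"] = granting_roles(resource, action)
    return record


if __name__ == "__main__":
    for user in ("teiidUser", "portfolio"):
        for col in ("StockPrice.symbol", "StockPrice.price"):
            print(audit_record(user, col, "READ"))
```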