[teiid-designer-dev] Teiid/Teiid Designer Security

[Steven Hawkins]

Hell all,

There is still a lot of confusion about security floating around.  After another office conversation on Friday, it would be best to have an open discussion.  

First some perspective.  MetaMatrix documentation described the securitizing process in layers (an expanded version of this will be added to the Teiid docs):

1. Be selective about what metadata is imported - only modeled items can be accessed.  Most if not all customers do this.
2. Change the physical metadata - e.g. mark a table as non-updatable - this is enforced regardless.  Some customers would do this.
3. Mark models as non-visible if users should not have access to them.  This could be set at design time or on the vdb. Advanced customers would do this.
4. Apply data roles at deploy-time to visible models.  With roles/entitlement checking turned on a server is "locked down", since we are deny by default.  Roles must be created for every VDB to provide any access.  A few customers would do this.

To clarify how permissions are applied, please see the MetaMatrix documentation or http://docs.jboss.org/teiid/7.1.0.Final/reference/en-US/html_single/#entitlements for an updated explanation.  In short, permissions are applicable to every visible resource and only checked against what is accessed by the top level of the user query.  If visible virtual model B uses visible virtual model A which in turn accesses non-visible physical Z, then both A and B both should have roles/permissions applied because they are visible - B does not use the permissions of A.  Z does not need roles/permissions because it cannot be targeted by a user query regardless.  

It has been asserted there is an inherent security flaw with this approach.  That is simply not true.  Since we are deny-by-default, adding visible models (such as B) to a VDB is NOT "insecure" until the Designer user (or deployer in MetaMatrix) adds permissions to the applicable data roles.  Even then the notion of insecure would be based around the idea that permissions have been added inconsistently - for example, a particular column value from Z is readable in A, but not B.  As often as not this could be described as a feature.  This "application level" style of security makes it easy to present transformed values that would be otherwise be inaccessible with granular permissions.

I became aware the other day that we are changing the default visibility on physical models.  Just to make sure we understand that change better, please consider that having the default of physical models as non-visible only makes usage of VDBs without data roles (the majority use case) harder.  It does not make vdbs with data roles more secure.  Since we are deny by default, someone still has to take an explicit action to make a new model accessible when using roles.  There is also an issue that any virtual update procedure is not a perfect substitute for a performing an update on a physical table.  Virtual update procedures support insert into with a queryexpression 1 row at a time and do not allow referencing columns of view in either values or criteria.  Forcing the use of virtual layers is not the right approach, it is merely a recommendation based upon the ease of use of the design-time visibility setting.

With that said there have been a couple of issues raised relevant to security:

TEIID-1220 - came about because of discussions with Paul where it was clear that breaking with legacy will help usability.  Specifically having data role checking turned on requires every VDB to have roles, since this is now a design time and not a deploy time operation, it is especially onerous to go back and add roles as an afterthought to existing VDBs.  The simple fix is to turn data role checking on by default and to only check roles if a vdb has them.  This will be targeted to 7.1.1. An additional feature would be the ability to turn off role checking on a VDB through a managed property.  

TEIIDDES-568 - SYS and pg_catalog schemas are not yet covered by the data-role editor. 

TEIIDDES-577 - should non-visible models not be shown in the data-role editor?

In these latter cases there are a couple of alternative approaches that may help clarify some of the security confusion.  The first observation is that the visibility mechanism is no longer easy to differentiate since both visibility and data roles are set at design time.  A possible simplification is to not use the coarse grained notion of visibility for data access restrictions.  Instead if a user wants to make a model (or any resource non-visible) that would be the same as creating a data role ("default") that does not have permissions for model.  That role would need a mapping or a boolean attribute to denote that any authenticated user has the role.  

Visibility checking is applied differently than roles - visibility also limited what is returned through the system tables and is also considered at resolving time (a non-visible table reference must be fully qualified).  I can find no precedent for roles having a similar effect.  That is all entries will be visible in metadata and resolvable against partial names and "SELECT *".  There are other examples of being able to mark a table as hidden, which means that it will not show up in the system metadata but is otherwise accessible.  If we do apply visibility likewise, then the visibility role concepts are distinct.

Steve