[teiid-issues] [JBoss JIRA] Commented: (TEIID-1327) API request: Fine grained security
Steven Hawkins (JIRA)
jira-events at lists.jboss.org
Wed Nov 10 11:38:01 EST 2010
[ https://jira.jboss.org/browse/TEIID-1327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12562549#action_12562549 ]
Steven Hawkins commented on TEIID-1327:
---------------------------------------
A possible interface in the Teiid api could be:
    public interface RoleProvider {
        public enum PermissionType {CREATE, READ, UPDATE, DELETE};
        public Set<String> getInaccessibleResources(PermissionType action, Set<String> resources, CommandContext commandContext);
        public boolean hasRole(String name, CommandContext commandContext);
    }
I'm assuming that there is only a need to configure a single custom RoleProvider across all of Teiid. The resource names are the same table/procedure/column fqns checked against the built-in Teiid roles. The same user query could consult the getInaccessibleResources multiple times (e.g. for each subquery) - this is just to keep the visitation logic simple.
The hasRole function will be used by the hasRole security function.
If roles are not defined on a vdb, but a custom RoleProvider is configured (probably based upon mc injection) we would consult that instance instead.
If roles are defined on a vdb and a custom RoleProvider is defined, I would be inclined to consult both.
An alternative design would be to have the interface directly supply a role set (probably defined as a map of role name to DataPolicy instances). However, that approach is a little less flexible from an implementation perspective.
Any thoughts?
> API request: Fine grained security
> -----------------------------------
>
> Key: TEIID-1327
> URL: https://jira.jboss.org/browse/TEIID-1327
> Project: Teiid
> Issue Type: Feature Request
> Components: Query Engine
> Affects Versions: 7.1
> Reporter: Mark Addleman
> Assignee: Steven Hawkins
> Fix For: 7.3
>
>
> I'd like an API to implement fine grained security checks. The use case is to create a permission from each table+column requested, each stored procedure and other database objects and validate the user id and permission against an external security manager.
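Added example, not part of the original message and not Teiid code: one way the proposed RoleProvider could be backed by an external security manager, with a fail-closed check and a "consult both" combination. The CommandContext stand-in, GrantTableProvider, consultBoth, the grant-string format and the sample data are hypothetical, and treating "consult both" as "denied if either provider denies" is an assumption the comment does not settle.

```java
import java.util.*;

public class RoleProviderExample {
    // Stand-in for Teiid's CommandContext (assumption: only the user name is needed).
    interface CommandContext { String getUserName(); }

    // The interface as proposed in the comment.
    interface RoleProvider {
        enum PermissionType { CREATE, READ, UPDATE, DELETE }
        Set<String> getInaccessibleResources(PermissionType action, Set<String> resources, CommandContext ctx);
        boolean hasRole(String name, CommandContext ctx);
    }

    // Hypothetical external security manager backed by constructed in-memory tables.
    static class GrantTableProvider implements RoleProvider {
        private final Map<String, Set<String>> grants; // user -> "ACTION:fqn" grants
        private final Map<String, Set<String>> roles;  // user -> role names
        GrantTableProvider(Map<String, Set<String>> grants, Map<String, Set<String>> roles) {
            this.grants = grants;
            this.roles = roles;
        }
        public Set<String> getInaccessibleResources(PermissionType action, Set<String> resources, CommandContext ctx) {
            Set<String> granted = grants.getOrDefault(ctx.getUserName(), Set.of());
            Set<String> denied = new TreeSet<>();
            for (String fqn : resources) {
                // Fail closed: a resource without an explicit grant is inaccessible.
                if (!granted.contains(action + ":" + fqn)) denied.add(fqn);
            }
            return denied;
        }
        public boolean hasRole(String name, CommandContext ctx) {
            return roles.getOrDefault(ctx.getUserName(), Set.of()).contains(name);
        }
    }

    // Assumed reading of "consult both": denied if either provider denies it.
    static Set<String> consultBoth(RoleProvider a, RoleProvider b, RoleProvider.PermissionType action,
                                   Set<String> resources, CommandContext ctx) {
        Set<String> denied = new TreeSet<>(a.getInaccessibleResources(action, resources, ctx));
        denied.addAll(b.getInaccessibleResources(action, resources, ctx));
        return denied;
    }

    public static void main(String[] args) {
        CommandContext alice = () -> "alice"; // constructed sample user
        RoleProvider vdb = new GrantTableProvider(
            Map.of("alice", Set.of("READ:hr.emp.name", "READ:hr.emp.salary")), Map.of());
        RoleProvider ext = new GrantTableProvider(
            Map.of("alice", Set.of("READ:hr.emp.name")), Map.of("alice", Set.of("analyst")));
        Set<String> cols = Set.of("hr.emp.name", "hr.emp.salary");
        System.out.println(consultBoth(vdb, ext, RoleProvider.PermissionType.READ, cols, alice));
        System.out.println(ext.hasRole("analyst", alice));
    }
}
```

Under this reading a column granted by the VDB roles is still rejected when the external provider has no grant for it, so adding a custom provider can only narrow access.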