[teiid-issues] [JBoss JIRA] Commented: (TEIID-1327) API request: Fine grained security

Steven Hawkins (JIRA) jira-events at lists.jboss.org
Wed Nov 10 11:38:01 EST 2010


    [ https://jira.jboss.org/browse/TEIID-1327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12562549#action_12562549 ] 

Steven Hawkins commented on TEIID-1327:
---------------------------------------

A possible interface in the Teiid API could be:

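import java.util.Set;

public interface RoleProvider {
	
	public enum PermissionType {CREATE, READ, UPDATE, DELETE};
	
	// Returns the subset of the given resource names that is not accessible for the action.
	public Set<String> getInaccessibleResources(PermissionType action, Set<String> resources, CommandContext commandContext);
	
	// Backs the hasRole security function.
	public boolean hasRole(String name, CommandContext commandContext);

}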

I'm assuming that there is only a need to configure a single custom RoleProvider across all of Teiid.  The resource names are the same table/procedure/column FQNs checked against the built-in Teiid roles.  The same user query could consult getInaccessibleResources multiple times (e.g. for each subquery) - this is just to keep the visitation logic simple.
The hasRole function will be used by the hasRole security function.

If roles are not defined on a vdb, but a custom RoleProvider is configured (probably based upon mc injection) we would consult that instance instead.  
If roles are defined on a vdb and a custom RoleProvider is defined, I would be inclined to consult both.

An alternative design would be to have the interface directly supply a role set (probably defined as a map of role name to DataPolicy instances).  However that approach is a little less flexible from an implementation perspective.

Any thoughts?

> API request:  Fine grained security
> -----------------------------------
>
>                 Key: TEIID-1327
>                 URL: https://jira.jboss.org/browse/TEIID-1327
>             Project: Teiid
>          Issue Type: Feature Request
>          Components: Query Engine
>    Affects Versions: 7.1
>            Reporter: Mark Addleman
>            Assignee: Steven Hawkins
>             Fix For: 7.3
>
>
> I'd like an API to implement fine grained security checks.  The use case is to create a permission from each table+column requested, each stored procedure and other database objects and validate the user id and permission against an external security manager.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
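
An added sketch, not part of the original message or of Teiid's code base, of a provider written against the interface proposed in the comment above. It fails closed for users the external security manager does not know. The CommandContext stand-in with getUserName(), the ExternalRoleProvider class, the "ACTION:fqn" grant format and the sample users and columns are assumptions made for illustration.

```java
import java.util.*;

interface CommandContext { String getUserName(); }   // stand-in so the sketch compiles without Teiid

interface RoleProvider {                              // the interface as proposed in the comment
    enum PermissionType { CREATE, READ, UPDATE, DELETE }
    Set<String> getInaccessibleResources(PermissionType action, Set<String> resources, CommandContext ctx);
    boolean hasRole(String name, CommandContext ctx);
}

// Hypothetical external security manager, modelled as user -> "ACTION:fqn" grants and user -> roles.
class ExternalRoleProvider implements RoleProvider {
    private final Map<String, Set<String>> grants, roles;

    ExternalRoleProvider(Map<String, Set<String>> grants, Map<String, Set<String>> roles) {
        this.grants = grants;
        this.roles = roles;
    }

    @Override
    public Set<String> getInaccessibleResources(PermissionType action, Set<String> resources, CommandContext ctx) {
        // Fail closed: a user with no entry has an empty grant set, so every resource is denied.
        Set<String> allowed = grants.getOrDefault(ctx.getUserName(), Collections.emptySet());
        Set<String> denied = new LinkedHashSet<>();
        for (String fqn : resources) {
            if (!allowed.contains(action + ":" + fqn)) denied.add(fqn);
        }
        return denied;   // stateless, so repeated calls for each subquery give the same answer
    }

    @Override
    public boolean hasRole(String name, CommandContext ctx) {
        return roles.getOrDefault(ctx.getUserName(), Collections.emptySet()).contains(name);
    }
}

public class RoleProviderDemo {
    public static void main(String[] args) {
        // Constructed sample data: alice may READ two columns of accounts.customer, but not ssn.
        Map<String, Set<String>> grants = Map.of("alice",
                Set.of("READ:accounts.customer.id", "READ:accounts.customer.name"));
        RoleProvider rp = new ExternalRoleProvider(grants, Map.of("alice", Set.of("analyst")));
        Set<String> requested = new LinkedHashSet<>(List.of(
                "accounts.customer.id", "accounts.customer.name", "accounts.customer.ssn"));
        CommandContext alice = () -> "alice", mallory = () -> "mallory";
        System.out.println(rp.getInaccessibleResources(RoleProvider.PermissionType.READ, requested, alice));
        System.out.println(rp.getInaccessibleResources(RoleProvider.PermissionType.READ, requested, mallory));
        System.out.println(rp.hasRole("analyst", mallory));
    }
}
```

A caller would reject the command whenever the returned set is non-empty, which gives the column-level check the feature request asks for.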

        

