[teiid-issues] [JBoss JIRA] Resolved: (TEIID-952) Column level security capabilities

Steven Hawkins (JIRA) jira-events at lists.jboss.org
Tue Jan 25 13:29:49 EST 2011 

     [ https://issues.jboss.org/browse/TEIID-952?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steven Hawkins resolved TEIID-952.
----------------------------------

        Labels: security  (was: )
    Resolution: Rejected


Marking as rejected unless an implementation proposal and compelling use case are provided.  In any case, this has a limited scope - only user level SELECT * queries, which are typically avoided by application logic.  

There has also never been clarity on how this should work.  Past proposals if someone issues a SELECT * query against a table containing a read protected value:

1. return empty data.  
However there is no clear indication to the user that his data has been altered.

2. to remove un-privileged columns in SELECT *, but leave the metadata as is.
This is the most straight-forward, but I can't find any precedent for this behavior and it is logically inconsistent with the reported metadata. 

3. change the metadata (as reported by the system tables and in resultset metadata, etc.) to remove un-privileged columns and remove hidden columns from top level SELECT * queries.  
This is only clearly correct if the user lacks all permissions against the column (select/insert/update).  with mixed permissions it's unclear if the column should be hidden.  This also introduces complications with the system table logic that assumes we can create cached forms of the odbc metadata - since the data is not specific to a given user.

The workaround is also quite simple, just remove the offending column(s) by entering the full SELECT clause.

> Column level security capabilities
> ----------------------------------
>
>                 Key: TEIID-952
>                 URL: https://issues.jboss.org/browse/TEIID-952
>             Project: Teiid
>          Issue Type: Feature Request
>          Components: Query Engine
>            Reporter: Marc Shirley
>              Labels: security
>
> Request for the ability to enforce column level security as in the following example.  This would be on the top most surface level affecting only the clients visibility to the columns.
> User has access to col1, col2, and col3 out of a 6 column table.  When a "SELECT *" is performed against the table, only those columns the user has access to are returned (col1, col2, and col3).  

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the teiid-issues mailing list