[teiid-issues] [JBoss JIRA] (TEIID-2471) Allow permission conditions and masking to be pluggable

Steven Hawkins (JIRA) jira-events at lists.jboss.org
Fri May 17 15:23:06 EDT 2013


    [ https://issues.jboss.org/browse/TEIID-2471?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12775134#comment-12775134 ] 

Steven Hawkins commented on TEIID-2471:
---------------------------------------

There are a couple of considerations/paths to choose from here:

1. introduce an interface similar to the AuthorizationValidator/PolicyDecider to provide runtime control
2. allow the dataroles to in part or in whole be read in / updated through the metadata repository or other metadata extension.

Unlike the authorization validation, which is performed only at the user query level and can easily be validated with each query access, the row/column logic is applied deeper in planning.  Validating would require the interface to indicate if any row/column filter/mask had changed since the plan was formed and/or widen the EventDistributor logic to include a policy change event.  There is also the related performance concern of caching the resolved/validated language object form of the respective expressions, which is hard to generalize for an interface.

I'm more inclined to go with the latter approach and work out any details of on-demand modifications to the policy later.  However, the pluggability of metadata repositories doesn't match the declaration of data roles - which are vdb scoped.  We may want to introduce another vdb extension point for pluggable role metadata.


                
> Allow permission conditions and masking to be pluggable
> -------------------------------------------------------
>
>                 Key: TEIID-2471
>                 URL: https://issues.jboss.org/browse/TEIID-2471
>             Project: Teiid
>          Issue Type: Sub-task
>          Components: Query Engine
>            Reporter: Steven Hawkins
>            Assignee: Steven Hawkins
>             Fix For: 8.4
>
>
> The AuthorizationValidator or similar interface should allow for alternative implementations to be plugged in for providing permission conditions and column masking.
