[teiid-issues] [JBoss JIRA] (TEIID-3255) Support PicketBox / XACML authorization

Ramesh Reddy (JIRA) issues at jboss.org
Tue Dec 16 13:33:29 EST 2014


    [ https://issues.jboss.org/browse/TEIID-3255?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13028066#comment-13028066 ] 

Ramesh Reddy commented on TEIID-3255:
-------------------------------------

Do you have a proposal as to how it fits/overlays with the current security framework, and any prototypes?

> Support PicketBox / XACML authorization
> ---------------------------------------
>
>                 Key: TEIID-3255
>                 URL: https://issues.jboss.org/browse/TEIID-3255
>             Project: Teiid
>          Issue Type: Feature Request
>          Components: OData
>    Affects Versions: 8.9
>            Reporter: John Muller
>            Assignee: Steven Hawkins
>
> We would like the OData, OData4, JDBC, and ODBC transports of Teiid to act as an XACML policy enforcement point for all CRUD operations (as well as execute stored procedures).  Looking through old JIRAs:
> https://issues.jboss.org/browse/TEIID-1031
> it looks like this was considered back in the mid-2010 timeframe, but wasn't fully thought through.  With XACML 3.0, it's possible to use the Multiple Decision Profile to get all policy decisions for a given user / resource (or just everything for a user for multiple resources).  Our idea here is to have Teiid set the action to be one of (SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|EXECUTE) and the resource to be the fully qualified table (vdbName, SchemaName, TableName) plus a map of the columns projected by the query.  While this doesn't solve row-based restrictions, it would solve column / object based restrictions.  MDP could be used to get policy decisions for all objects under a given schema.
> Thoughts?



--
This message was sent by Atlassian JIRA
(v6.3.11#6341)
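
The request shape the issue description proposes, sketched as an added example (not Teiid or PicketBox code): a policy enforcement point maps one SQL command to an XACML 3.0 request and repeats the resource category once per projected column, so the Multiple Decision Profile yields one decision per column. The `urn:example:teiid:resource:*` attribute ids and the sample user, VDB, schema, table and column names are assumptions; the issue defines none.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
# Hypothetical attribute id prefix; the issue defines no attribute names.
TEIID = "urn:example:teiid:resource:"
STRING = "http://www.w3.org/2001/XMLSchema#string"
ACTIONS = {"SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "EXECUTE"}


def _attributes(request, category, values, include_in_result=False):
    """Append one <Attributes> element holding string-valued attributes."""
    group = ET.SubElement(request, f"{{{NS}}}Attributes", Category=category)
    for attr_id, value in values.items():
        attr = ET.SubElement(group, f"{{{NS}}}Attribute", AttributeId=attr_id,
                             IncludeInResult=str(include_in_result).lower())
        ET.SubElement(attr, f"{{{NS}}}AttributeValue", DataType=STRING).text = value


def build_request(user, action, vdb, schema, table, columns):
    """Build one multi-decision request: a decision per projected column."""
    if action not in ACTIONS:
        raise ValueError(f"unsupported action: {action!r}")
    if not columns:
        raise ValueError("at least one projected column is required")
    request = ET.Element(f"{{{NS}}}Request", ReturnPolicyIdList="false",
                         CombinedDecision="false")
    _attributes(request, CAT_SUBJECT, {SUBJECT_ID: user})
    _attributes(request, CAT_ACTION, {ACTION_ID: action})
    for column in columns:
        # Repeating the resource category makes the PDP evaluate each column
        # separately; IncludeInResult lets the PEP match results to columns.
        _attributes(request, CAT_RESOURCE, {
            RESOURCE_ID: f"{vdb}.{schema}.{table}.{column}",
            TEIID + "vdb": vdb, TEIID + "schema": schema,
            TEIID + "table": table, TEIID + "column": column,
        }, include_in_result=True)
    return request


if __name__ == "__main__":
    ET.register_namespace("", NS)
    # Constructed sample: SELECT id, ssn FROM a table in a made-up VDB.
    req = build_request("jdoe", "SELECT", "Sales", "Accounts", "Customer", ["id", "ssn"])
    print(ET.tostring(req, encoding="unicode"))
```

As the description notes, a request of this shape covers column and object restrictions only; row-based restrictions are outside it.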

