[teiid-issues] [JBoss JIRA] (TEIID-5802) Row based security and column masking don't work correctly for materialized tables (views)

Steven Hawkins (Jira) issues at jboss.org
Fri Aug 9 10:54:00 EDT 2019


    [ https://issues.jboss.org/browse/TEIID-5802?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13769130#comment-13769130 ] 

Steven Hawkins commented on TEIID-5802:
---------------------------------------

Now that I'm remembering this problem more there is a reason why we simply warn of this scenario.  When you create a materialized target table the only way to preserve the masking / row security is to transitively determine all possible applications from the constituent tables/views and attempt to re-apply them to the materialization target table created without any security applied transitively as well.  In general this is very difficult - for example many of the columns that have row based security may not even be exposed by the materialized view (which at a minimum requires creating an intermediate view), or are involved in aggregation, etc.  

What you have here is a simple enough of a case, such that you could envision Teiid creating a materialization target table as a superset, then apply the row/column security on top of that.  However with additional complexity that will quickly not work.

I agree though that things are in a weird middle ground.  Materialization target tables are being created with potentially mixed application of row/column security based upon whoever the calling user that triggers the load.  The simplest way to make this consistent is to create the materialization target tables without any security applied transitively, but without some automated process of applying security on top it would be up to the user to redefine the security on the materialization target.  

There was a legacy feature of scoping materialized views to a user, but was removed by TEIID-5427 as it did not align with any materialization management strategy.

> Row based security and column masking don't work correctly for materialized tables (views)
> ------------------------------------------------------------------------------------------
>
>                 Key: TEIID-5802
>                 URL: https://issues.jboss.org/browse/TEIID-5802
>             Project: Teiid
>          Issue Type: Bug
>          Components: Query Engine
>    Affects Versions: 12.0
>         Environment: teiid-12.0.0 on WildFly Full 14.0.1.Final (WildFly Core 6.0.2.Final)
>            Reporter: Dmitrii Pogorelov
>            Assignee: Steven Hawkins
>            Priority: Blocker
>
> Row based security doesn't work for materialized tables (views). For example, having the following permissions for materialized views.test_view1 and views.test_view2 views according to query plan Teiid applies ApplySecurity rule only for views.test_view2 view but should also apply for views.test_view1 view:
> {code:xml}
>     <data-role name="role1" any-authenticated="true" allow-create-temporary-tables="true">
>         <description>Allow read only</description>
>         <permission>
>             <resource-name>dsp</resource-name>
>             <allow-read>true</allow-read>
>         </permission>
>         <permission>
>             <resource-name>views.test_view1</resource-name>
>             <allow-read>true</allow-read>
>             <condition constraint="false">col2 > 1</condition>
>         </permission>
>         <permission>
>             <resource-name>views.test_view2</resource-name>
>             <allow-read>true</allow-read>
>             <condition constraint="false">col0 = 'sa'</condition>
>         </permission>
>     </data-role>
> {code}
> The same situation is for column masking feature, see below.



--
This message was sent by Atlassian Jira
(v7.12.1#712002)


More information about the teiid-issues mailing list