[teiid-issues] [JBoss JIRA] (TEIID-5802) Row based security and column masking don't work correctly for materialized tables (views)
Steven Hawkins (Jira)
issues at jboss.org
Wed Aug 14 08:57:00 EDT 2019
[ https://issues.jboss.org/browse/TEIID-5802?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13770767#comment-13770767 ]
Steven Hawkins commented on TEIID-5802:
---------------------------------------
No, I wouldn't add user scoped materializations back as that just introduces a different set of problems. The most conceptually simple and consistent approach is to by pass our security checks when building a materialized view target table and stipulate in the docs that materialization target tables act as their own top level entities for the purposes of column/row security. But obviously that would be a big change for those used to the current behavior to the materialization being populated with security applied based upon whomever triggers the load, so it would need some kind of a flag.
We are not alone in this problem, for example with pg: https://www.spinics.net/lists/pgsql/msg186919.html
> Row based security and column masking don't work correctly for materialized tables (views)
> ------------------------------------------------------------------------------------------
>
> Key: TEIID-5802
> URL: https://issues.jboss.org/browse/TEIID-5802
> Project: Teiid
> Issue Type: Bug
> Components: Query Engine
> Affects Versions: 12.0
> Environment: teiid-12.0.0 on WildFly Full 14.0.1.Final (WildFly Core 6.0.2.Final)
> Reporter: Dmitrii Pogorelov
> Assignee: Steven Hawkins
> Priority: Blocker
>
> Row based security doesn't work for materialized tables (views). For example, having the following permissions for materialized views.test_view1 and views.test_view2 views according to query plan Teiid applies ApplySecurity rule only for views.test_view2 view but should also apply for views.test_view1 view:
> {code:xml}
> <data-role name="role1" any-authenticated="true" allow-create-temporary-tables="true">
> <description>Allow read only</description>
> <permission>
> <resource-name>dsp</resource-name>
> <allow-read>true</allow-read>
> </permission>
> <permission>
> <resource-name>views.test_view1</resource-name>
> <allow-read>true</allow-read>
> <condition constraint="false">col2 > 1</condition>
> </permission>
> <permission>
> <resource-name>views.test_view2</resource-name>
> <allow-read>true</allow-read>
> <condition constraint="false">col0 = 'sa'</condition>
> </permission>
> </data-role>
> {code}
> The same situation is for column masking feature, see below.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
More information about the teiid-issues
mailing list