[teiid-issues] [JBoss JIRA] (TEIID-5792) Permissions don't work with virtual procedures' ResultSet

Steven Hawkins (Jira) issues at jboss.org
Wed Jul 17 11:04:00 EDT 2019 

    [ https://issues.jboss.org/browse/TEIID-5792?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13760203#comment-13760203 ] 

Steven Hawkins commented on TEIID-5792:
---------------------------------------

The scope of this is actually larger.  Suppose I directly issue:

call proc(...)

If there are columns that I'm not entitled to on the result set, that would error.  Just like with select *, we'd have to also introduce resolving changes to omit those result set columns from being returned to the client.  Then what if all result set columns are not accessible?  Does the result set convey the row count and have no columns, or should it be completely empty.  

In short expecting the vdb developer to wrap things in a view clarifies this greatly.





> Permissions don't work with virtual procedures' ResultSet
> ---------------------------------------------------------
>
>                 Key: TEIID-5792
>                 URL: https://issues.jboss.org/browse/TEIID-5792
>             Project: Teiid
>          Issue Type: Enhancement
>          Components: Query Engine
>    Affects Versions: 12.0
>         Environment: teiid-12.0.0 on WildFly Full 14.0.1.Final (WildFly Core 6.0.2.Final)
>            Reporter: Dmitrii Pogorelov
>            Assignee: Steven Hawkins
>            Priority: Major
>
> Teiid doesn't work with ResultSet of a virtual procedure. For example, if we have procs.testProc virtual procedure which can return two values in ResultSet: a and b and we specify a permission for one of these columns in ResultSet, the permission won't work:
> {code:xml}
>         <permission>
>             <resource-name>procs.testProc.a</resource-name>
>             <allow-read>false</allow-read>
>         </permission>
> {code}
> I think it would be great to set permissions also for ResultSets of virtual procedures, so AuthorizationValidationVisitor.validateEntitlements method for a GroupSymbol, which is a procedure, should analyze also its ResultSet. At the same time permissions work for virtual views and we can set permissions for some views' columns separately.



--
This message was sent by Atlassian Jira
(v7.12.1#712002)

More information about the teiid-issues mailing list