[teiid-issues] [JBoss JIRA] (TEIID-5798) Mixed PERMISSION GRANTS

Steven Hawkins (Jira) issues at jboss.org
Tue Nov 5 19:51:00 EST 2019


     [ https://issues.jboss.org/browse/TEIID-5798?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steven Hawkins updated TEIID-5798:
----------------------------------
       Original Estimate: 6 hours
      Remaining Estimate: 6 hours
            Story Points: 3
    Estimated Difficulty: Medium
                 Affects: Documentation (Ref Guide, User Guide, etc.),Release Notes


The current logic treats conditions as applicable to the policy regardless of how the permissions are defined. This largely comports with the old designer happy path - there was one permission/grant per object.  

As Christoph shows in the example it makes sense that multiple DDL statements can be used, so that the meaning of the condition can be contextual to those operations.

For this to work we have two choices.  

1. To support multiple grant statements we have to undo the logic that effectively combines permissions - internally we have the same assumption that everything about securing an object can be expressed in a single permission object - and change the security logic to also consider the operation when getting the conditions to apply.

Note that this would make things like masks also only have meaning when used on a grant that includes select.

2. Expand the definition of a grant statement to optionally specify what operations the condition is applicable to.  This will have a similar amount of work to 1, but limits things to a single conditional that is conditionally applied.

> Mixed PERMISSION GRANTS
> -----------------------
>
>                 Key: TEIID-5798
>                 URL: https://issues.jboss.org/browse/TEIID-5798
>             Project: Teiid
>          Issue Type: Enhancement
>          Components: Query Engine
>            Reporter: Christoph John
>            Assignee: Steven Hawkins
>            Priority: Major
>             Fix For: 13.0
>
>   Original Estimate: 6 hours
>  Remaining Estimate: 6 hours
>
> Hello,
> I am currently trying to set a set of permissions on a table/view. Hence a condition on INSERT,UPDATE,DELETE and an unconditioned SELECT.
> However, it seems that conditioned and unconditioned GRANT statements do not work together.
> GRANT INSERT,UPDATE,DELETE ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" CONDITION 'UserDefinedProducts_SRC.fkProfile in  (SELECT Account.idProfile FROM Account WHERE Account.uuidUser = LEFT(user(), 36) )' TO odata;
> GRANT SELECT ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" TO odata;
> REVOKE ALTER,EXECUTE ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" FROM odata;



--
This message was sent by Atlassian Jira
(v7.13.8#713008)
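
The two ways of resolving conditions discussed in the message above, as an added example that is not part of the original message and is not Teiid code. It is a simplified model: the `Grant` class, both function names and the placeholder condition string are assumptions made for illustration, and the grants are constructed to mirror the two GRANT statements in the report.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Grant:
    resource: str
    operations: frozenset
    condition: Optional[str] = None  # row condition text, None if unconditioned

# Constructed grants mirroring the two GRANT statements in the report.
TABLE = "my_nutri_diary.UserDefinedProducts_SRC"
OWNER_ONLY = "<reporter's fkProfile condition>"  # placeholder, never evaluated here
GRANTS = [
    Grant(TABLE, frozenset({"INSERT", "UPDATE", "DELETE"}), OWNER_ONLY),
    Grant(TABLE, frozenset({"SELECT"})),
]

def conditions_merged(grants, resource, operation):
    """Model of the described current logic: all grants on an object collapse
    into one permission, so every condition applies to every allowed operation."""
    allowed, conditions = set(), []
    for g in grants:
        if g.resource == resource:
            allowed |= g.operations
            if g.condition is not None:
                conditions.append(g.condition)
    return conditions if operation in allowed else None  # None = not granted

def conditions_per_operation(grants, resource, operation):
    """Model of choice 1: only grants that include the requested operation
    contribute their condition."""
    matching = [g for g in grants
                if g.resource == resource and operation in g.operations]
    if not matching:
        return None  # not granted
    return [g.condition for g in matching if g.condition is not None]

if __name__ == "__main__":
    for op in ("SELECT", "UPDATE", "ALTER"):
        print(op,
              conditions_merged(GRANTS, TABLE, op),
              conditions_per_operation(GRANTS, TABLE, op))
```

In the merged model the SELECT grant inherits the write condition, which matches the reporter's observation that the two statements do not work together; in the per-operation model SELECT carries no condition while UPDATE keeps it.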

