[teiid-issues] [JBoss JIRA] (TEIID-5798) Mixed PERMISSION GRANTS

Steven Hawkins (Jira) issues at jboss.org
Wed Nov 6 14:05:00 EST 2019


    [ https://issues.jboss.org/browse/TEIID-5798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13809212#comment-13809212 ] 

Steven Hawkins commented on TEIID-5798:
---------------------------------------

> also what about having two or more different conditions? We won't be able to support that with #2 right?

That is correct - and the code currently doesn't support that either given the way we flatten grants.

> I feel having multiple statements like shown in example is how I would think, so #1 seems like right direction for me.

Note that it's not the only direction.  Pg for example separates the notion of access control from row-based security policy: https://www.postgresql.org/docs/9.5/sql-createpolicy.html

More concrete examples of what this could look like:

From above, multiple statements:

{code}
GRANT INSERT,UPDATE,DELETE ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" CONDITION 'UserDefinedProducts_SRC.fkProfile in (SELECT Account.idProfile FROM Account WHERE Account.uuidUser = LEFT(user(), 36) )' TO odata;

GRANT SELECT ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" TO odata;
{code}

- fairly consistent with our grammar, but not consistent with the current code.

Single statement:

{code}
GRANT SELECT,INSERT,UPDATE,DELETE ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" CONDITION 'UserDefinedProducts_SRC.fkProfile in (SELECT Account.idProfile FROM Account WHERE Account.uuidUser = LEFT(user(), 36) )' FOR INSERT,UPDATE,DELETE TO odata;
{code}

- smallest change.  supports the enhancement requested, but not very powerful

Separate GRANT / Policy: see https://www.postgresql.org/docs/9.5/sql-createpolicy.html

- it would be quite a bit of work to match that behavior / syntax

Actually our whole model for dealing with things like conditions and masks is currently very fragile.  They are assumed to be applied across the entire permission/grant.  For example if you do:

GRANT SELECT,INSERT ... CONDITION '...'

Then do:

REVOKE INSERT ... CONDITION

You retain the select permission, but the condition is gone entirely.  Introducing multi-statement handling definitely changes the semantics - such that if anyone is currently using multiple grants / revokes per resource, it would be a breaking change.


> Mixed PERMISSION GRANTS
> -----------------------
>
>                 Key: TEIID-5798
>                 URL: https://issues.jboss.org/browse/TEIID-5798
>             Project: Teiid
>          Issue Type: Enhancement
>          Components: Query Engine
>            Reporter: Christoph John
>            Assignee: Steven Hawkins
>            Priority: Major
>             Fix For: 13.0
>
>   Original Estimate: 6 hours
>  Remaining Estimate: 6 hours
>
> Hello,
> I am currently trying to set a set of permissions on a table/view. Hence a condition on INSERT,UPDATE,DELETE and an unconditioned SELECT.
> However, it seems that conditioned and unconditioned GRANT statements do not work together.
> GRANT INSERT,UPDATE,DELETE ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" CONDITION 'UserDefinedProducts_SRC.fkProfile in  (SELECT Account.idProfile FROM Account WHERE Account.uuidUser = LEFT(user(), 36) )' TO odata;
> GRANT SELECT ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" TO odata;
> REVOKE ALTER,EXECUTE ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" FROM odata;



--
This message was sent by Atlassian Jira
(v7.13.8#713008)
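
For comparison, the "separate GRANT / policy" model from the PostgreSQL page linked in the comment, applied to the reporter's table. This is an added example in PostgreSQL syntax, not Teiid DDL and not code from this thread. It assumes the tables exist in a PostgreSQL schema under the same names, that "uuidUser" is a text column, and that current_user stands in for Teiid's user(); the policy names are made up for the illustration.

```sql
-- Added illustration (PostgreSQL 9.5+), not Teiid syntax.
-- Assumed: same table/column names as the issue, "uuidUser" is text,
-- current_user replaces Teiid's user(). Policy names are hypothetical.

-- 1. Access control: which commands the role may issue at all.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON my_nutri_diary."UserDefinedProducts_SRC" TO odata;
-- The policy subquery runs with the caller's privileges, so the role
-- must be able to read the lookup table.
GRANT SELECT ON my_nutri_diary."Account" TO odata;

-- 2. Row security: once enabled, a command with no matching policy
--    sees or changes no rows (default deny).
ALTER TABLE my_nutri_diary."UserDefinedProducts_SRC" ENABLE ROW LEVEL SECURITY;

-- Unconditioned SELECT.
CREATE POLICY products_select ON my_nutri_diary."UserDefinedProducts_SRC"
    FOR SELECT TO odata
    USING (true);

-- INSERT takes only WITH CHECK: the new row must belong to the caller.
CREATE POLICY products_insert ON my_nutri_diary."UserDefinedProducts_SRC"
    FOR INSERT TO odata
    WITH CHECK ("fkProfile" IN (SELECT a."idProfile" FROM my_nutri_diary."Account" a
                                WHERE a."uuidUser" = left(current_user::text, 36)));

-- UPDATE: USING limits which existing rows can be touched,
-- WITH CHECK stops a row being reassigned to another profile.
CREATE POLICY products_update ON my_nutri_diary."UserDefinedProducts_SRC"
    FOR UPDATE TO odata
    USING ("fkProfile" IN (SELECT a."idProfile" FROM my_nutri_diary."Account" a
                           WHERE a."uuidUser" = left(current_user::text, 36)))
    WITH CHECK ("fkProfile" IN (SELECT a."idProfile" FROM my_nutri_diary."Account" a
                                WHERE a."uuidUser" = left(current_user::text, 36)));

-- DELETE takes only USING.
CREATE POLICY products_delete ON my_nutri_diary."UserDefinedProducts_SRC"
    FOR DELETE TO odata
    USING ("fkProfile" IN (SELECT a."idProfile" FROM my_nutri_diary."Account" a
                           WHERE a."uuidUser" = left(current_user::text, 36)));

-- Withdrawing one action leaves the row conditions on the others intact,
-- unlike the flattened GRANT ... CONDITION / REVOKE case described above.
REVOKE INSERT ON my_nutri_diary."UserDefinedProducts_SRC" FROM odata;
DROP POLICY products_insert ON my_nutri_diary."UserDefinedProducts_SRC";
```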