[teiid-issues] [JBoss JIRA] (TEIID-5798) Mixed PERMISSION GRANTS

Wed Nov 6 15:03:00 EST 2019

    [ https://issues.jboss.org/browse/TEIID-5798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13809235#comment-13809235 ] 

Steven Hawkins commented on TEIID-5798:
---------------------------------------

> I read that as bug rather than breaking change.

Ill defined perhaps.  It is simply that conditions and masks are scoped to the entire "permission" internally.

>  Still like multiple statements, basically underneath when we flatten we should not flatten on table/proc, but the combination of table/proc and operations supported on it.

Just keep in mind that is actually a large change and breaks the apis and how multiple grants / revokes are currently handled (not that it's currently a great way of doing things).

Given the amount of work involved it may be better to think about adopting/following the pg model for condition/mask.  As is we'd have to come up with our own definitions for the following:

{code}
GRANT SELECT,INSERT ... CONDITION 'cond 1';
GRANT DELETE ... CONDITION 'cond 2';
{code}

{code}
REVOKE DELETE ... -- but nothing specified about the "delete condition".  Does it linger, or go away?
{code}

{code}
GRANT SELECT ... CONDITION 'cond 3'; -- would this be an exception (similar to today), or like pg would we support combinations of conditions within the same role.  Currently we only combine across roles.
{code}

{code}
REVOKE SELECT ... CONDITION -- presumably the insert condition remains
{code}

> Mixed PERMISSION GRANTS
> -----------------------
>
>                 Key: TEIID-5798
>                 URL: https://issues.jboss.org/browse/TEIID-5798
>             Project: Teiid
>          Issue Type: Enhancement
>          Components: Query Engine
>            Reporter: Christoph John
>            Assignee: Steven Hawkins
>            Priority: Major
>             Fix For: 13.0
>
>   Original Estimate: 6 hours
>  Remaining Estimate: 6 hours
>
> Hello,
> I am currently trying to set a set of permissions on a table/view. Hence a condition on INSERT,UPDATE,DELETE and an unconditioned SELECT.
> However, it seems that conditioned and unconditioned GRANT statements do not work together.
> {code}
> GRANT INSERT,UPDATE,DELETE ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" CONDITION 'UserDefinedProducts_SRC.fkProfile in  (SELECT Account.idProfile FROM Account WHERE Account.uuidUser = LEFT(user(), 36) )' TO odata;
> GRANT SELECT ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" TO odata;
> REVOKE ALTER,EXECUTE ON TABLE "my_nutri_diary.UserDefinedProducts_SRC" FROM odata;
> {code}

--
This message was sent by Atlassian Jira
(v7.13.8#713008)