7 Replies Latest reply on Jun 22, 2012 9:52 AM by shawkins

    Disable use of data roles in Teiid 8

    rokhmanov

      From Teiid 8 documentation: https://docs.jboss.org/author/display/teiid80final/Data+Roles

      The use of data roles may be disabled system wide via the <jboss-install>/standalone/configuration/standalone-teiid.xml file, by setting the property useDataRoles to false in the configuration section of the RuntimeEngineDeployer.

       

      Looks like the "RuntimeEngineDeployer" configuration section does not exist in standalone-teiid.xml anymore. What will be the proper steps to disable the use of data roles in Teiid 8.*?

       

      Thanks,

      Andriy

        • 1. Re: Disable use of data roles in Teiid 8
          rareddy

          Andriy,

           

          Unfortunately the documentation is incorrect. The only way to disable the check of data roles system wide currently is to overwrite the default "AuthorizationValidator" and configure a new one, which requires coding and a configuration change. Maybe this restriction can be reviewed and the old functionality brought back?


          Ramesh..

          • 2. Re: Disable use of data roles in Teiid 8
            shawkins

            I would vote for adding it back in a slightly modified form.  We should remove the set/isEnabled methods from the AuthorizationValidator interface and allow the user to set a DisabledAuthorizationValidator (just like you are suggesting to Andriy).

            • 3. Re: Disable use of data roles in Teiid 8
              rareddy

              So, the enable/disable works independently to control whether it is a custom Authorization Validator vs. the default Authorization Validator. That sounds good. Looks like Teiid can also use a little better documentation on how to write and deploy Custom Authorization and Custom Policy Decider modules.

               

              Andriy, can you log a JIRA for the above?

               

              Thanks

               

              Ramesh..

              • 4. Re: Disable use of data roles in Teiid 8
                rokhmanov

                Sure, I'll log a JIRA request today. I was interested in disabling the data roles functionality because on every attempt to update the data through Teiid I was getting an error that the particular user is not authorized for the operation (sorry, I don't remember the exact message).

                It seems that I simply put the teiid-security-roles.properties and teiid-security-users.properties files in the wrong place. The Teiid 8.0 dist has them under modules\org\jboss\teiid\main\conf, and it seems Teiid 8.1 will have them now under the domain\configuration or standalone\configuration folders; that's my confusion. This probably has to be updated in the Installation Guide ( https://docs.jboss.org/author/display/teiid80final/Installation+Guide ) and in Teiid Security - Login Modules ( https://docs.jboss.org/author/display/teiid80final/LoginModules ).

                 

                Unfortunately, even after the properties files were placed correctly, I was still getting this error in server.log on every execution of a "WITH ..." SQL statement:

                TEIID30492 Remote org.teiid.api.exception.query.QueryValidatorException: TEIID30492 User <user@teiid-security> is not entitled to action <CREATE_TEMPORARY_TABLES> for 1 or more of the groups/elements/procedures.

                 

                In addition to the enabled "allow-create", "allow-read", "allow-update" permissions in my VDB, I've tried to add this clause: <allow-create-temporary-tables>true</allow-create-temporary-tables>, as explained here ( https://docs.jboss.org/author/display/teiid80final/XML+Definition ), but got this error:

                13:32:12,912 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC00001: Failed to start service jboss.deployment.unit."portfolio-vdb.xml".

                ...

                Caused by: org.xml.sax.SAXParseException; lineNumber: 39; columnNumber: 37; cvc-complex-type.2.4.a: Invalid content was found starting with element 'allow-create-temporary-tables'. One of '{allow-delete, allow-execute, allow-alter}' is expected.

                 

                I had to remove all data-role and permission stuff from my VDB for now; this way I am able to proceed (by default everyone logged in to Teiid has full permissions), so a global disable switch is not a hot item for me for now (though it is a convenient feature). I will be more concerned about proper permissions for temp tables; it will be important soon.

                 

                Do you want me to include these documentation discrepancies I just explained in my JIRA, or do you have them already?

                 

                • 5. Re: Disable use of data roles in Teiid 8
                  shawkins

                  I hadn't considered that a common table expression would be seen as a temp table by the validator.  I don't think we should be doing that and a JIRA is warranted there.

                   

                  The 8.1 docs are located at https://docs.jboss.org/author/display/TEIID/Home that's the "trunk" of confluence.  We'll check to see if the installation guide has been updated, but things are running slowly for me now.  We'll just create a single catch all JIRA for the doc updates.

                   

                  Also the roles doc should show an example of setting the temp table permission to clarify its usage.  When in doubt, you can always check against the schema which we put in the kit under the docs/teiid/schema/vdb-deployer.xsd

                   

                  Steve

                  • 6. Re: Disable use of data roles in Teiid 8
                    rokhmanov

                    I made a TEIID-2082 for global roles configuration and documentation updates. Thanks!

                    • 7. Re: Disable use of data roles in Teiid 8
                      shawkins

                      https://issues.jboss.org/browse/TEIID-2082 has been resolved and the role xml and customization docs have been updated.  You will now be able to just remove the setting for the teiid subsystem policy-decider-module and that will disable all role checking.
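
Added example, not part of the thread and not Teiid project code: a small audit that flags the two states described above in which role checking is effectively off (no policy-decider-module in the teiid subsystem, or a VDB with no data-role), and lists what each role grants. The XML samples, namespace and names are constructed, and the element layout is an assumption based on the element names quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed samples; namespace and layout are assumptions for illustration.
SUBSYSTEM_WITH_DECIDER = """<subsystem xmlns="urn:example:teiid-subsystem">
  <policy-decider-module>org.jboss.teiid</policy-decider-module>
</subsystem>"""
SUBSYSTEM_WITHOUT_DECIDER = '<subsystem xmlns="urn:example:teiid-subsystem"/>'
VDB_WITH_ROLES = """<vdb name="portfolio" version="1">
  <data-role name="ReadOnly">
    <permission>
      <resource-name>Accounts</resource-name>
      <allow-read>true</allow-read>
      <allow-update>false</allow-update>
    </permission>
    <mapped-role-name>prices</mapped-role-name>
  </data-role>
</vdb>"""
VDB_NO_ROLES = '<vdb name="portfolio" version="1"/>'


def local(tag):
    """Strip any '{namespace}' prefix so matching is namespace-agnostic."""
    return tag.rsplit("}", 1)[-1]


def audit(subsystem_xml, vdb_xml):
    """Return findings plus a role -> resource -> granted-actions map."""
    findings, grants = [], {}
    subsystem = ET.fromstring(subsystem_xml)
    decider = [e for e in subsystem.iter()
               if local(e.tag) == "policy-decider-module" and (e.text or "").strip()]
    if not decider:
        findings.append("no policy-decider-module: all role checking is disabled")
    roles = [e for e in ET.fromstring(vdb_xml).iter() if local(e.tag) == "data-role"]
    if not roles:
        findings.append("VDB has no data-role: every logged-in user has full permissions")
    for role in roles:
        per_resource = grants.setdefault(role.get("name"), {})
        for perm in (c for c in role if local(c.tag) == "permission"):
            resource = next((c.text for c in perm if local(c.tag) == "resource-name"), None)
            # Keep only allow-* children explicitly set to true.
            per_resource[resource] = sorted(
                local(c.tag) for c in perm
                if local(c.tag).startswith("allow-") and (c.text or "").strip() == "true")
    return {"findings": findings, "grants": grants}


if __name__ == "__main__":
    print(audit(SUBSYSTEM_WITHOUT_DECIDER, VDB_NO_ROLES))
    print(audit(SUBSYSTEM_WITH_DECIDER, VDB_WITH_ROLES))
```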