-
1. Re: Disable use of data roles in Teiid 8
rareddy Jun 21, 2012 12:39 PM (in response to rokhmanov)
Andriy,
Unfortunately the documentation is incorrect. The only way to disable the check of data roles system-wide currently is to overwrite the default "AuthorizationValidator" and configure a new one, which requires coding and a configuration change. Maybe this restriction can be reviewed and the old functionality brought back?
Ramesh..
-
2. Re: Disable use of data roles in Teiid 8
shawkins Jun 21, 2012 12:56 PM (in response to rareddy)
I would vote for adding it back in a slightly modified form. We should remove the set/isEnabled methods from the AuthorizationValidator interface and allow the user to set a DisabledAuthorizationValidator (just like you are suggesting to Andriy).
-
3. Re: Disable use of data roles in Teiid 8
rareddy Jun 21, 2012 1:09 PM (in response to shawkins)
So, the enable/disable works independently to control whether it is the custom Authorization Validator vs. the default Authorization Validator. That sounds good. Looks like Teiid can also use a little better documentation on how to write and deploy Custom Authorization and Custom Policy Decider modules.
Andriy, can you log a JIRA for the above?
Thanks
Ramesh..
-
4. Re: Disable use of data roles in Teiid 8
rokhmanov Jun 21, 2012 2:45 PM (in response to rareddy)
Sure, I'll log a JIRA request today. I was interested in disabling the data roles functionality because on every attempt to update the data through Teiid I was getting an error that the particular user is not authorized for the operation (sorry, don't remember the exact message).
It seems that I simply put the teiid-security-roles.properties and teiid-security-users.properties files in the wrong place. The Teiid 8.0 dist has them under modules\org\jboss\teiid\main\conf, and it seems Teiid 8.1 will have them now under the domain\configuration or standalone\configuration folders, that's my confusion. This probably has to be updated in the Installation Guide ( https://docs.jboss.org/author/display/teiid80final/Installation+Guide ) and in Teiid Security - Login Modules ( https://docs.jboss.org/author/display/teiid80final/LoginModules ).
Unfortunately even after properties files were placed correctly, I was still getting this error in server.log on every execution of "WITH ..." SQL statement:
TEIID30492 Remote org.teiid.api.exception.query.QueryValidatorException: TEIID30492 User <user@teiid-security> is not entitled to action <CREATE_TEMPORARY_TABLES> for 1 or more of the groups/elements/procedures.
In addition to enabled "allow-create", "allow-read", "allow-update" permissions in my VDB, I've tried to add this clause: <allow-create-temp-tables>true</allow-create-temporary-tables>, like explained here ( https://docs.jboss.org/author/display/teiid80final/XML+Definition ), but got this error:
13:32:12,912 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC00001: Failed to start service jboss.deployment.unit."portfolio-vdb.xml".
...
Caused by: org.xml.sax.SAXParseException; lineNumber: 39; columnNumber: 37; cvc-complex-type.2.4.a: Invalid content was found starting with element 'allow-create-temporary-tables'. One of '{allow-delete, allow-execute, allow-alter}' is expected.
I had to remove all data-role and permission stuff from my VDB for now; this way I am able to proceed (by default everyone logged in to Teiid has full permissions), so a global disable switch is not a hot item for me for now (though it is a convenient feature). I will be more concerned about proper permissions for temp tables, it will be important soon.
Do you want me to include these documentation discrepancies I just explained in my JIRA, or do you have them already?
-
5. Re: Disable use of data roles in Teiid 8
shawkins Jun 21, 2012 3:02 PM (in response to rokhmanov)
I hadn't considered that a common table expression would be seen as a temp table by the validator. I don't think we should be doing that and a JIRA is warranted there.
The 8.1 docs are located at https://docs.jboss.org/author/display/TEIID/Home that's the "trunk" of confluence. We'll check to see if the installation guide has been updated, but things are running slowly for me now. We'll just create a single catch all JIRA for the doc updates.
Also the roles doc should show an example of setting the temp table permission to clarify its usage. When in doubt, you can always check against the schema which we put in the kit under the docs/teiid/schema/vdb-deployer.xsd
Steve
-
6. Re: Disable use of data roles in Teiid 8
rokhmanov Jun 21, 2012 5:57 PM (in response to rokhmanov)
I made a TEIID-2082 for global roles configuration and documentation updates. Thanks!
-
7. Re: Disable use of data roles in Teiid 8
shawkins Jun 22, 2012 9:52 AM (in response to rokhmanov)
https://issues.jboss.org/browse/TEIID-2082 has been resolved and the role xml and customization docs have been updated. You will now be able to just remove the setting for the teiid subsystem policy-decider-module and that will disable all role checking.
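
Added example (not part of the thread and not Teiid's own code): a pre-deployment check in Python for the two situations described in post 4, a VDB with no data roles, which the thread says leaves every logged-in user with full permissions, and a permission child element outside the names mentioned in the thread. The vdb > data-role > permission nesting, the resource-name element and the sample VDBs are constructed assumptions; the authoritative reference is the vdb-deployer.xsd named in post 5.

```python
import xml.etree.ElementTree as ET

# Permission child elements named in this thread (posts and the schema error).
KNOWN_ALLOW = {"allow-create", "allow-read", "allow-update",
               "allow-delete", "allow-execute", "allow-alter"}

def local(tag):
    """Drop any '{namespace}' prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]

def audit_vdb(xml_text):
    """Return a list of findings for one VDB definition (empty list = clean)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # e.g. an opening tag that does not match its closing tag
        return [f"not well-formed: {exc}"]
    roles = [e for e in root.iter() if local(e.tag) == "data-role"]
    if not roles:
        return ["no data-role defined: every logged-in user has full permissions"]
    findings = []
    for role in roles:
        name = role.get("name", "<unnamed>")
        for perm in (e for e in role if local(e.tag) == "permission"):
            for child in perm:
                tag = local(child.tag)
                if tag.startswith("allow-") and tag not in KNOWN_ALLOW:
                    findings.append(f"{name}: unexpected permission element <{tag}>")
    return findings

# Constructed sample inputs (assumed layout, not taken from a real deployment).
NO_ROLES = '<vdb name="portfolio" version="1"></vdb>'
PERM = ('<vdb name="portfolio" version="1"><data-role name="writers"><permission>'
        '<resource-name>Accounts</resource-name><allow-read>true</allow-read>'
        '{extra}</permission></data-role></vdb>')
GOOD = PERM.format(extra="<allow-update>true</allow-update>")
BAD_ELEMENT = PERM.format(
    extra="<allow-create-temporary-tables>true</allow-create-temporary-tables>")
MISMATCHED = PERM.format(extra="<allow-x>true</allow-y>")

if __name__ == "__main__":
    for label, doc in [("no roles", NO_ROLES), ("good", GOOD),
                       ("bad element", BAD_ELEMENT), ("mismatched", MISMATCHED)]:
        print(label, "->", audit_vdb(doc) or "clean")
```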