3 Replies Latest reply on Feb 21, 2017 2:32 PM by jrod2016

Prevent queries directly against a Model which is marked 'visible=false'

jrod2016 Feb 20, 2017 5:00 PM

Consider the following model definition:

<model name="GoSalesModel" type="PHYSICAL" visible="false">
  <property name="importer.useFullSchemaName" value="false"/>
  <property name="importer.tableTypes" value="TABLE,VIEW"/>
  <property name="importer.includeSynonyms" value="true"/>
  <property name="importer.schemaPattern" value="GOSALES"/>
  <source name="gosales" translator-name="adfOracle" connection-jndi-name="java:/goSalesDataSource"/>
</model>

Since it's been marked as visible=false, I'd expect that the following should fail:

select * from GoSalesModel.Product;

However, that query brings back data.

My use case is that I'd like to define views on top of GoSalesModel and access the underlying data only from those views:

<model name="GoSalesViews" type="PHYSICAL" visible="true">
  <source name="gosalesView" translator-name="adfOracle" connection-jndi-name="java:/goSalesDataSource"/>
  <metadata type="DDL">
  <![CDATA[CREATE VIEW Product AS SELECT product.product_number AS PRODUCT_NUMBER, product.base_product_number AS BASE_PRODUCT_NUMBER, product.introduction_date AS INTRODUCTION_DATE, product.discontinued_date AS DISCONTINUED_DATE, product.product_type_code AS PRODUCT_TYPE_CODE, product.product_color_code AS PRODUCT_COLOR_CODE, product.product_size_code AS PRODUCT_SIZE_CODE, product.product_brand_code AS PRODUCT_BRAND_CODE FROM GoSalesModel.product PRODUCT]]>
  </metadata>
</model>

i.e. only the following query should bring back data:

select * from GoSalesViews.Product;

How can I make this happen?

Thanks,

John

1. Re: Prevent queries directly against a Model which is marked 'visible=false'

rareddy Feb 20, 2017 8:07 PM (in response to jrod2016)

That is by design, the "visible" flag only applies to the metadata. If you want to deny access to the whole model, then create a "data role" and deny access to every one. For ex:

    <data-role name="DenyAll" any-authenticated="true">
        <permission>
            <resource-name>GoSalesModel</resource-name>
            <allow-create>false</allow-create>
            <allow-read>false</allow-read>
            <allow-update>false</allow-update>
            <allow-delete>false</allow-delete>
            <allow-execute>false</allow-execute>
        </permission>
    </data-role>

read more about data roles at Data Roles · Teiid Documentation

2. Re: Prevent queries directly against a Model which is marked 'visible=false'

shawkins Feb 20, 2017 8:17 PM (in response to rareddy)

Ramesh beat me to the punch on the answer, but we need to clarify that when data roles are used Teiid denies by default. So you need to add permissions to GoSalesView, rather than take them away from GoSalesModel.
1 of 1 people found this helpful
Actions
3. Re: Prevent queries directly against a Model which is marked 'visible=false'

jrod2016 Feb 21, 2017 2:32 PM (in response to rareddy)

Excellent! That worked. Thanks guys.
Actions

Go to original post