
Example 11 with PermissionMetaData

use of org.teiid.adminapi.impl.DataPolicyMetadata.PermissionMetaData in project teiid by teiid.

the class TestColumnMasking method testProcedureMask1.

@Test
public void testProcedureMask1() throws Exception {
    // One "other-role" policy that masks the first column of pm1.sp1 with the literal null.
    PermissionMetaData maskPermission = new PermissionMetaData();
    maskPermission.setResourceName("pm1.sp1.e1");
    // order 1: this mask takes precedence
    maskPermission.setOrder(1);
    maskPermission.setMask("null");

    DataPolicyMetadata maskPolicy = new DataPolicyMetadata();
    maskPolicy.setName("other-role");
    maskPolicy.addPermission(maskPermission);
    context.getAllowedDataPolicies().put("other-role", maskPolicy);

    // The procedure returns two rows; e1 must come back as null in both, e2 untouched.
    HardcodedDataManager dataManager = new HardcodedDataManager();
    dataManager.addData("EXEC pm1.sp1()", new List<?>[] { Arrays.asList("a", 1), Arrays.asList("b", 2) });

    ProcessorPlan plan = helpGetPlan(helpParse("exec pm1.sp1()"), RealMetadataFactory.example1Cached(), new DefaultCapabilitiesFinder(), context);
    List<?>[] masked = new List<?>[] { Arrays.asList(null, 1), Arrays.asList(null, 2) };
    helpProcess(plan, context, dataManager, masked);
}
Also used : DataPolicyMetadata(org.teiid.adminapi.impl.DataPolicyMetadata) List(java.util.List) DefaultCapabilitiesFinder(org.teiid.query.optimizer.capabilities.DefaultCapabilitiesFinder) PermissionMetaData(org.teiid.adminapi.impl.DataPolicyMetadata.PermissionMetaData) Test(org.junit.Test)

Example 12 with PermissionMetaData

use of org.teiid.adminapi.impl.DataPolicyMetadata.PermissionMetaData in project teiid by teiid.

the class TestColumnMasking method testSubqueryTableMaskRecursive.

@Test(expected = QueryPlannerException.class)
public void testSubqueryTableMaskRecursive() throws Exception {
    // A mask on pm1.g1.e2 that itself selects from pm1.g1 — planning must reject the recursion.
    PermissionMetaData recursiveMask = new PermissionMetaData();
    recursiveMask.setResourceName("pm1.g1.e2");
    // order 1: this mask takes precedence
    recursiveMask.setOrder(1);
    recursiveMask.setMask("(select min(e2) from pm1.g1)");

    DataPolicyMetadata maskPolicy = new DataPolicyMetadata();
    maskPolicy.setName("other-role");
    maskPolicy.addPermission(recursiveMask);
    context.getAllowedDataPolicies().put("other-role", maskPolicy);

    // No data is registered: the expected QueryPlannerException is raised before any rows are read.
    HardcodedDataManager dataManager = new HardcodedDataManager();
    ProcessorPlan plan = helpGetPlan(helpParse("select g2.e2 from pm1.g1 as g2"), RealMetadataFactory.example1Cached(), new DefaultCapabilitiesFinder(), context);
    helpProcess(plan, context, dataManager, null);
}
Also used : DataPolicyMetadata(org.teiid.adminapi.impl.DataPolicyMetadata) DefaultCapabilitiesFinder(org.teiid.query.optimizer.capabilities.DefaultCapabilitiesFinder) PermissionMetaData(org.teiid.adminapi.impl.DataPolicyMetadata.PermissionMetaData) Test(org.junit.Test)

Example 13 with PermissionMetaData

use of org.teiid.adminapi.impl.DataPolicyMetadata.PermissionMetaData in project teiid by teiid.

the class RowBasedSecurityHelper method getRowBasedFilters.

/**
 * Builds the row-level security criteria that apply to {@code group} under the data
 * policies the command context currently allows.
 * <p>
 * Each allowed policy contributes at most one criteria: the resolved {@code condition}
 * of its permission on the group's full name. The contributions of different roles are
 * combined with {@code OR}, so a row is visible when any one applicable role's condition
 * admits it. When {@code constraintsOnly} is set, permissions whose constraint flag is
 * explicitly {@code FALSE} are skipped. If {@code group} is aliased the combined
 * criteria is recontextualized to the alias before being rewritten.
 *
 * @param metadata used to look up the group's full name and to rewrite the result
 * @param group the (possibly aliased) group the filters are built for
 * @param cc command context supplying the allowed policies; its determinism level is
 *     set to {@code USER_DETERMINISTIC} when any contributing policy is not any-authenticated
 * @param constraintsOnly when {@code true}, ignore conditions explicitly marked as non-constraints
 * @return the rewritten criteria, or {@code null} when no policy contributes a condition
 * @throws QueryMetadataException propagated from condition resolution and rewriting
 * @throws TeiidComponentException propagated from condition resolution and rewriting
 * @throws TeiidProcessingException propagated from condition resolution and rewriting
 */
public static Criteria getRowBasedFilters(QueryMetadataInterface metadata, final GroupSymbol group, CommandContext cc, boolean constraintsOnly) throws QueryMetadataException, TeiidComponentException, TeiidProcessingException {
    Map<String, DataPolicy> allowedPolicies = cc.getAllowedDataPolicies();
    if (allowedPolicies == null || allowedPolicies.isEmpty()) {
        return null;
    }
    String groupName = metadata.getFullName(group.getMetadataID());
    ArrayList<Criteria> filters = new ArrayList<Criteria>(2);
    boolean userSpecific = false;
    for (Map.Entry<String, DataPolicy> entry : allowedPolicies.entrySet()) {
        DataPolicyMetadata policy = (DataPolicyMetadata) entry.getValue();
        PermissionMetaData permission = policy.getPermissionMap().get(groupName);
        if (permission == null) {
            continue;
        }
        String conditionText = permission.getCondition();
        if (conditionText == null) {
            continue;
        }
        // an explicit FALSE constraint flag opts the condition out of constraint-only evaluation
        if (constraintsOnly && Boolean.FALSE.equals(permission.getConstraint())) {
            continue;
        }
        filters.add(resolveCondition(metadata, group, groupName, entry, permission, conditionText));
        userSpecific |= !policy.isAnyAuthenticated();
    }
    if (filters.isEmpty()) {
        return null;
    }
    // several roles: any one satisfied condition exposes the row
    Criteria combined = filters.size() == 1 ? filters.get(0) : new CompoundCriteria(CompoundCriteria.OR, filters);
    if (group.getDefinition() != null) {
        // aliased group: rewrite element references to the alias
        ExpressionMappingVisitor recontext = new RecontextVisitor(group);
        PreOrPostOrderNavigator.doVisit(combined, recontext, PreOrPostOrderNavigator.PRE_ORDER, true);
    }
    // we treat this as user deterministic since the data roles won't change.  this may change if the logic becomes dynamic
    if (userSpecific) {
        cc.setDeterminismLevel(Determinism.USER_DETERMINISTIC);
    }
    Expression rewritten = QueryRewriter.rewriteExpression(combined, cc, metadata, true);
    if (rewritten instanceof Criteria) {
        return (Criteria) rewritten;
    }
    return QueryRewriter.rewriteCriteria(new ExpressionCriteria(rewritten), cc, metadata);
}
Also used : ExpressionMappingVisitor(org.teiid.query.sql.visitor.ExpressionMappingVisitor) Expression(org.teiid.query.sql.symbol.Expression) DataPolicyMetadata(org.teiid.adminapi.impl.DataPolicyMetadata) LanguageObject(org.teiid.query.sql.LanguageObject) DataPolicy(org.teiid.adminapi.DataPolicy) Map(java.util.Map) HashMap(java.util.HashMap) PermissionMetaData(org.teiid.adminapi.impl.DataPolicyMetadata.PermissionMetaData)

Example 14 with PermissionMetaData

use of org.teiid.adminapi.impl.DataPolicyMetadata.PermissionMetaData in project teiid by teiid.

the class ColumnMaskingHelper method maskColumn.

/**
 * Wraps {@code col} in a searched CASE that applies every column mask the allowed data
 * policies declare for it; returns {@code col} itself when no policy masks the column.
 * <p>
 * For each policy whose permission on the column's full name carries a mask, the mask text
 * is parsed, its subqueries resolved against {@code unaliased}, the expression resolved,
 * validated and converted to the column's runtime type on first use, and the result cached
 * on the permission through {@code setResolvedMask}; subsequent calls clone the cached
 * expression instead. The permission's condition (TRUE when it has none) becomes the WHEN
 * branch and the mask the THEN branch. Branches are ordered by {@code Collections.sort}
 * over {@code WhenThen} (the ordering itself is defined outside this method) and the
 * unmasked column is the ELSE branch.
 *
 * @param col the column being projected
 * @param unaliased the group the mask expression is resolved against
 * @param metadata used for name, type and resolution lookups
 * @param emv applied to the mask when the column's group is aliased
 * @param policies allowed data policies keyed by role name; values are cast to {@code DataPolicyMetadata}
 * @param cc command context; its determinism level is set to {@code USER_DETERMINISTIC}
 *     when a non-any-authenticated policy's mask is first resolved
 * @return the rewritten CASE expression, or {@code col} unchanged when nothing masks it
 * @throws TeiidComponentException propagated from resolution and rewriting
 * @throws TeiidProcessingException TEIID31139 when the mask fails validation, TEIID31129
 *     wrapping any other resolution failure, or propagated from rewriting
 */
private static Expression maskColumn(ElementSymbol col, GroupSymbol unaliased, QueryMetadataInterface metadata, ExpressionMappingVisitor emv, Map<String, DataPolicy> policies, CommandContext cc) throws TeiidComponentException, TeiidProcessingException {
    Object metadataID = col.getMetadataID();
    String fullName = metadata.getFullName(metadataID);
    final GroupSymbol group = col.getGroupSymbol();
    String elementType = metadata.getElementRuntimeTypeName(col.getMetadataID());
    Class<?> expectedType = DataTypeManager.getDataTypeClass(elementType);
    List<WhenThen> cases = null;
    // masks are resolved against the unaliased group, not the (possibly aliased) one on col
    Collection<GroupSymbol> groups = Arrays.asList(unaliased);
    for (Map.Entry<String, DataPolicy> entry : policies.entrySet()) {
        DataPolicyMetadata dpm = (DataPolicyMetadata) entry.getValue();
        PermissionMetaData pmd = dpm.getPermissionMap().get(fullName);
        if (pmd == null) {
            continue;
        }
        String maskString = pmd.getMask();
        if (maskString == null) {
            continue;
        }
        // WHEN branch: the permission's condition, or TRUE so the mask always applies
        Criteria condition = null;
        if (pmd.getCondition() != null) {
            condition = RowBasedSecurityHelper.resolveCondition(metadata, group, metadata.getFullName(group.getMetadataID()), entry, pmd, pmd.getCondition());
        } else {
            condition = QueryRewriter.TRUE_CRITERIA;
        }
        // THEN branch: the resolved mask, cached on the permission after the first resolution
        Expression mask = (Expression) pmd.getResolvedMask();
        if (mask == null) {
            try {
                mask = QueryParser.getQueryParser().parseExpression(pmd.getMask());
                // subqueries inside the mask see the unaliased group as their resolving context
                for (SubqueryContainer container : ValueIteratorProviderCollectorVisitor.getValueIteratorProviders(mask)) {
                    container.getCommand().pushNewResolvingContext(groups);
                    QueryResolver.resolveCommand(container.getCommand(), metadata, false);
                }
                ResolverVisitor.resolveLanguageObject(mask, groups, metadata);
                // an invalid mask is a metadata error for the role, reported with the first failure
                ValidatorReport report = Validator.validate(mask, metadata, new ValidationVisitor());
                if (report.hasItems()) {
                    ValidatorFailure firstFailure = report.getItems().iterator().next();
                    // $NON-NLS-1$
                    throw new QueryMetadataException(QueryPlugin.Event.TEIID31139, QueryPlugin.Util.gs(QueryPlugin.Event.TEIID31139, dpm.getName(), fullName) + " " + firstFailure);
                }
                // the mask must produce the column's runtime type
                if (mask.getType() != expectedType) {
                    mask = ResolverUtil.convertExpression(mask, elementType, metadata);
                }
                // cache a clone so later mutation of the returned expression does not affect the stored one
                pmd.setResolvedMask(mask.clone());
                if (!dpm.isAnyAuthenticated()) {
                    // we treat this as user deterministic since the data roles won't change.  this may change if the logic becomes dynamic
                    // TODO: this condition may not even be used
                    // NOTE(review): only reached on the first resolution; the cached-mask path below
                    // does not set the level — confirm that is intended
                    cc.setDeterminismLevel(Determinism.USER_DETERMINISTIC);
                }
            } catch (QueryMetadataException e) {
                throw e;
            } catch (TeiidException e) {
                throw new QueryMetadataException(QueryPlugin.Event.TEIID31129, e, QueryPlugin.Util.gs(QueryPlugin.Event.TEIID31129, dpm.getName(), fullName));
            }
        } else {
            mask = (Expression) mask.clone();
        }
        if (group.getDefinition() != null) {
            // aliased group: rewrite element references in the mask to the alias
            PreOrPostOrderNavigator.doVisit(mask, emv, PreOrPostOrderNavigator.PRE_ORDER, true);
        }
        if (cases == null) {
            cases = new ArrayList<ColumnMaskingHelper.WhenThen>();
        }
        cases.add(new WhenThen(pmd.getOrder(), condition, mask));
    }
    if (cases == null) {
        return col;
    }
    // branch order is decided by WhenThen's comparison (defined outside this method)
    Collections.sort(cases);
    List<Criteria> whens = new ArrayList<Criteria>();
    List<Expression> thens = new ArrayList<Expression>();
    for (WhenThen whenThen : cases) {
        whens.add(whenThen.when);
        thens.add(whenThen.then);
    }
    SearchedCaseExpression sce = new SearchedCaseExpression(whens, thens);
    // no matching WHEN: the column is returned unmasked
    sce.setElseExpression(col);
    sce.setType(expectedType);
    Expression mask = QueryRewriter.rewriteExpression(sce, cc, metadata, true);
    return mask;
}
Also used : ValidationVisitor(org.teiid.query.validator.ValidationVisitor) ArrayList(java.util.ArrayList) Criteria(org.teiid.query.sql.lang.Criteria) ValidatorFailure(org.teiid.query.validator.ValidatorFailure) DataPolicyMetadata(org.teiid.adminapi.impl.DataPolicyMetadata) DataPolicy(org.teiid.adminapi.DataPolicy) SubqueryContainer(org.teiid.query.sql.lang.SubqueryContainer) QueryMetadataException(org.teiid.api.exception.query.QueryMetadataException) ValidatorReport(org.teiid.query.validator.ValidatorReport) TeiidException(org.teiid.core.TeiidException) SearchedCaseExpression(org.teiid.query.sql.symbol.SearchedCaseExpression) SearchedCaseExpression(org.teiid.query.sql.symbol.SearchedCaseExpression) Expression(org.teiid.query.sql.symbol.Expression) GroupSymbol(org.teiid.query.sql.symbol.GroupSymbol) Map(java.util.Map) PermissionMetaData(org.teiid.adminapi.impl.DataPolicyMetadata.PermissionMetaData)

Example 15 with PermissionMetaData

use of org.teiid.adminapi.impl.DataPolicyMetadata.PermissionMetaData in project teiid by teiid.

the class DatabaseUtil method convert.

/**
 * Copies a DDL-level {@code Permission} into the admin API's {@code PermissionMetaData}.
 * <p>
 * Resource type is matched by enum constant name. Privilege flags map one-to-one:
 * ALTER to alter, INSERT to create, DELETE to delete, EXECUTE to execute, SELECT to read,
 * UPDATE to update and USAGE to language. The condition, its constraint flag, the mask and
 * the mask order are carried over as-is.
 *
 * @param from the permission to translate
 * @return a new {@code PermissionMetaData} with the same grants
 */
static PermissionMetaData convert(Permission from) {
    PermissionMetaData target = new PermissionMetaData();
    target.setResourceName(from.getResourceName());
    String resourceTypeName = from.getResourceType().name();
    target.setResourceType(DataPolicy.ResourceType.valueOf(resourceTypeName));
    // privilege grants
    target.setAllowRead(from.hasPrivilege(Privilege.SELECT));
    target.setAllowCreate(from.hasPrivilege(Privilege.INSERT));
    target.setAllowUpdate(from.hasPrivilege(Privilege.UPDATE));
    target.setAllowDelete(from.hasPrivilege(Privilege.DELETE));
    target.setAllowExecute(from.hasPrivilege(Privilege.EXECUTE));
    target.setAllowAlter(from.hasPrivilege(Privilege.ALTER));
    target.setAllowLanguage(from.hasPrivilege(Privilege.USAGE));
    // row filter and column mask
    target.setCondition(from.getCondition());
    target.setConstraint(from.isConditionAConstraint());
    target.setMask(from.getMask());
    target.setOrder(from.getMaskOrder());
    return target;
}
Also used : PermissionMetaData(org.teiid.adminapi.impl.DataPolicyMetadata.PermissionMetaData)
