Bug 780648 (SOA-3086)

Summary: Provide a data role injection point where a different implementation could be used for role validation
Product: [JBoss] JBoss Enterprise SOA Platform 5
Reporter: Van Halbert <vhalbert>
Component: EDS
Assignee: Van Halbert <vhalbert>
Status: CLOSED NEXTRELEASE
Severity: urgent
Priority: urgent
Version: 5.2.0 GA
CC: ajf, shawkins, vhalbert
Target Milestone: ---   
Target Release: 5.2.0 ER1   
Hardware: Unspecified   
OS: Unspecified   
URL: http://jira.jboss.org/jira/browse/SOA-3086
Doc Type: Bug Fix
Last Closed: 2011-10-26 18:23:49 UTC
Type: Feature Request

Description Van Halbert 2011-05-25 10:37:26 UTC
project_key: SOA

Provide a data role injection point where a different implementation could be used for role validation. This interface would provide full control of the validation, instead of receiving parts of the SQL to validate. As per our meeting, Steve can probably describe this feature better and talk to the true requirement.

Comment 1 Van Halbert 2011-05-25 10:38:46 UTC
Link: Added: This issue Cloned to TEIID-1607


Comment 2 Van Halbert 2011-05-25 10:39:49 UTC
Security: Added: Public


Comment 3 Steven Hawkins 2011-05-31 14:19:50 UTC
Again, I'm not on board with making this a blocker unless we are specific about the requirements. We're already at the end of the development window, but we don't fully understand the customer needs. What can be done in the near term is to just reintroduce changes to have pluggable role validation, but that still leaves open issues of:

- how many calls are being made to the custom implementation (1 per user query?); currently we make at least 1 call for each query/subquery/function call.
- do they need the ability to modify the incoming query (this is the most problematic)
- do they need a specific mechanism to convey denials (they had indicated a potential conversational approach to refine the submitted query), or will the exception text of a SQLException be sufficient?

There are possibly more.

Comment 5 Steven Hawkins 2011-05-31 18:33:43 UTC
Just to clarify, if one call per user query is required, that will take a little bit more effort, ~1 day. Like I say, the current logic may make many calls per user query.

Comment 7 Van Halbert 2011-06-14 20:01:32 UTC
Labels: Added: EDS


Comment 8 David Le Sage 2011-07-15 05:53:36 UTC
Release Notes Docs Status: Added: Not Yet Documented
Writer: Added: dlesage


Comment 9 David Le Sage 2011-09-28 00:42:52 UTC
Release Notes Docs Status: Removed: Not Yet Documented Added: Documented as Resolved Issue
Release Notes Text: Added: https://issues.jboss.org/browse/SOA-3086

There is now a data role injection point at which a different implementation can be used for role validation. This interface provides full control of the validation, instead of receiving SQL to validate. 


Comment 10 Van Halbert 2011-10-26 18:23:49 UTC
The unit test:  branches/7.4.x/engine/src/test/java/org/teiid/dqp/internal/process/TestAuthorizationValidationVisitor.java
validates the default implementation of a PolicyDecider - DataRolePolicyDecider.
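
A sketch of the design questions raised in Comments 3 and 5, as an added example that is not Teiid or SOA Platform code: a pluggable decider that receives the resources a query touches rather than SQL fragments, is called once per user query, and conveys a denial through the SQLException text. The names AccessDecider, RoleGrantDecider and authorize, and the resource and role names, are hypothetical and constructed for illustration (Java 9+).

```java
import java.sql.SQLException;
import java.util.*;

public class PluggableRoleValidation {
    enum Action { READ, UPDATE }

    /** Hypothetical injection point: returns the resources the caller may NOT access. */
    interface AccessDecider {
        Set<String> inaccessible(Action action, Set<String> resources, Set<String> userRoles);
    }

    /** Default decider: a resource is allowed if any of the user's roles grants the action on it. */
    static final class RoleGrantDecider implements AccessDecider {
        private final Map<String, Map<Action, Set<String>>> grants; // role -> action -> resources
        RoleGrantDecider(Map<String, Map<Action, Set<String>>> grants) { this.grants = grants; }

        public Set<String> inaccessible(Action action, Set<String> resources, Set<String> userRoles) {
            Set<String> denied = new TreeSet<>(resources);
            for (String role : userRoles) {
                denied.removeAll(grants.getOrDefault(role, Map.of()).getOrDefault(action, Set.of()));
            }
            return denied; // anything not explicitly granted stays denied
        }
    }

    /** Engine side: one decider call per user query, covering resources from every subquery. */
    static void authorize(AccessDecider decider, Action action,
                          List<Set<String>> resourcesPerSubquery, Set<String> userRoles)
            throws SQLException {
        Set<String> all = new TreeSet<>();
        resourcesPerSubquery.forEach(all::addAll);
        Set<String> denied = decider.inaccessible(action, all, userRoles);
        if (!denied.isEmpty()) { // fail closed; the denial is conveyed as exception text
            throw new SQLException("Access denied for " + action + " on " + denied);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: one role, and a query whose subquery reads an ungranted table.
        AccessDecider decider = new RoleGrantDecider(Map.of(
            "analyst", Map.of(Action.READ, Set.of("sales.orders", "sales.customers"))));
        List<Set<String>> query = List.of(Set.of("sales.orders"), Set.of("hr.salaries"));
        try {
            authorize(decider, Action.READ, query, Set.of("analyst"));
            System.out.println("allowed");
        } catch (SQLException e) {
            System.out.println(e.getMessage());
        }
    }
}
```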