Link: Added: This issue Cloned to TEIID-1607

Security: Added: Public

Again, I'm not on-board with making this a blocker unless we are specific about the requirements.  We're already at the end of the development window, but we don't fully understand the customer needs.  What can be done in the near-term is to just reintroduce changes to have pluggable role validation, but that still leaves open issues of:

-how many calls are being made to the custom implementation (1 per user query?) currently we make at least 1 call for each query/subquery/function call.
-do they need the ability to modify the incoming query (this is the most problematic)
-do they need to specific mechanism to conveys denials (they had indicated a potential conversational approach to refine the submitted query) or will the exception text of a SQLException be sufficient.

There are possibly more.

Just to clarify, if one call per user query is required, that will take a little bit more effort.  ~ 1 day.  Like I say the current logic may make many calls per user query.

Labels: Added: EDS

Release Notes Docs Status: Added: Not Yet Documented
Writer: Added: dlesage

Release Notes Docs Status: Removed: Not Yet Documented Added: Documented as Resolved Issue
Release Notes Text: Added: https://issues.jboss.org/browse/SOA-3086

There is now a data role injection point at which a different implementation can be used for role validation. This interface provides full control of the validation, instead of receiving SQL to validate. 

The unit test:  branches/7.4.x/engine/src/test/java/org/teiid/dqp/internal/process/TestAuthorizationValidationVisitor.java
validates the default implementation of a PolicyDecider - DataRolePolicyDecider.