| Level | Technologies | Target Product | Product Versions | Source |
|---|---|---|---|---|
Beginners |
Teiid, Defining data roles |
DV |
DV 6.0+ |
vdb-dataroles demonstrates how to use data roles to control access to data. This includes read-only and read-write access as well as the use of row-based filters and column masking.
In this example, the vdb is defined with three different data access rules.
-
ReadOnly - this restricts access of vdb to only read i.e selects. This role is given to everybody who has a login credetial (use the user called "user" to login with password "user"). Furthermore there are restrictions as to what customers and columns can be read.
-
ReadWrite access - this role gives read access, and also adds write access. This access is given only to users with the "superuser" JAAS role. (use user called "portfolio" to login with password "portfolio")
-
Prices access - this role is used to give access to price listings. Its purpose is to demonstrate the use of a generic role (empty) for controlling access to information.
See the portfolio-dataroles-vdb.xml for extra xml elements defined for define the above roles. For more information check out Reference Guide’s Data Roleschapter.
|
Note
|
This example relies upon the vdb-datafederation example and that it needs to be deployed prior to running this example. Therefore, read the vdb-datafederation’s README and follow its directions before continuing. |
Refer to vdb-datafederation/README.adoc to run vdb-datafederation.
The following 2 users, and their roles, need to be configured.
| Usernames | Usernames |
|---|---|
portfolio |
superuser |
user |
user,prices |
Open a command line and navigate to the "bin" directory under the root directory of the Teiid server. run the ./add-user.sh (.bat) script for each user. The following prompts need to be answered:
-
"b" Application User
-
UserName
-
Password
-
roles (comma seperated)
Alternatively, the following is a quick way to create security user
$ ./bin/add-user.sh -a -u portfolio -p password1! -g superuser
$ ./bin/add-user.sh -a -u user -p password1! -g pricesTo start the server, open a command line and navigate to the "bin" directory under the root directory of the Teiid server and run:
./standalone.sh //For Linux
standalone.bat //for WindowsIf Teiid isn’t configured in the default configuration, append the following arguments to the command to specify the configuration -c {configuration.file}
./standalone.sh -c standalone-teiid.xmlCopy the following files to the "/standalone/deployments" directory
src/vdb/portfolio-dataroles-vdb.xml src/vdb/portfolio-dataroles-vdb.xml.dodeploy
Open the admin console(http://localhost:9990/console) to make sure the VDB is deployed. See Query Demonstrations below to demonstrate data roles.
-
Change your working directory to "${quickstart.install.dir}/simpleclient"
-
Use the simpleclient example to run the following queries:
Example: mvn exec:java -Dvdb="Portfolio-dataroles" -Dsql="example query" -Dusername="xx" -Dpassword="xx"
-
this should execute correctly
select * from product-
this will fail with data access error saying that "the user named "user" is not allowed write access".
insert into product (id, symbol,company_name) values (2000,'RHT','Red Hat')-
note that the SSN is null and there are no customers from 'New York'
select * from customer-
this demonstrates the use of hasRole({role}) call, and should display the prices
Select * from StockPricesSince this simpleclient example defaults user and password to user/user, modify the call to include the user name and password on the command line where user name "portfolio" and password "portfolio" and re-execute the above:
Example: mvn exec:java -Dvdb="Portfolio-dataroles" -Dusername="portfolio" -Dpassword="portfolio" -Dsql="example query"
-
should be the same result as above
-
should succeed, since allow create is true
-
should show all values, since the row condition is true and SSN column mask simply returns the SSN.
-
should display the symbols, but not the prices,