
We are using standalone-vdb.xml domain to create a vdb and then make it accessible through Jupiter for other users.

Now, based on the xml file below as an example, we created the VIEW "customer_view" from the table "Export2.customer_table" and they are both accessible from the Jupiter. However, we only want the VIEWS to be accessible and not the physical tables. Which property can be used to hide the tables and only expose the VIEWS to the end user?

Does anyone have a clue which property can do that? I tried to find it in the documentation but couldn't find any mention of it. We are using WildFly Full 17.0.1 through the HAL management interface in a Docker container environment, with a PostgreSQL database.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<vdb name="stock" version="1">
    <description>The VDB</description>
    <property name="UseConnectorMetadata" value="true" />
    <model visible="true" name="Export2">
        <property name="importer.useFullSchemaName" value="false"/>
        <property name="importer.schemaPattern" value="public"/>
        <property name="importer.tableTypes" value="TABLES,VIEW"/>
        <source name="stockDS" translator-name="postgresql" connection-jndi-name="java:jboss/datasources/stockDS"/>
    </model>
    <model visible="true" name="Data" type="VIRTUAL">
        <metadata type="DDL"><![CDATA[
        CREATE VIEW customer_view (
            field_names string,
            field_description string
        ) AS
        SELECT variable_name, variable_description
         FROM Export2.customer_table;
        ]]> </metadata>
    </model>
    <data-role name="RoleA" any-authenticated="true">
        <description>Allow Reads and Writes to tables and procedures</description>

        <permission>
            <resource-name>Export2.customer_table</resource-name>
            <allow-create>true</allow-create>
            <allow-read>true</allow-read>
            <allow-update>true</allow-update>
        </permission>
        <mapped-role-name>Admin</mapped-role-name>
    </data-role>
</vdb>
```

Alexis_543

1 Answer

See http://teiid.github.io/teiid-documents/master/content/reference/r_xml-deployment-mode.html

You need to define the model with visibility set to false, like:

```xml
<model visible="false" name="Export2">
```

Note that this will remove the metadata exposure from any APIs; however, if someone knows the schema, they can still use the same connection to issue the query and see the data. If you want to avoid that, then you need to look into data security policies to avoid any access.

Ramesh Reddy
  • Thank you, it works. However, I would like to know if there is any possibility to limit the visibility to only virtual "Views"? And if not, what are you referring to by "data security policies"? Is it the "Data roles"? – Alexis_543 Jul 08 '21 at 18:12
  • You place the above visibility flag on all the physical models and leave the virtual models, then only "views" are visible. Yes, I am talking about "data roles" from the security perspective. – Ramesh Reddy Jul 08 '21 at 22:18
  • Hi Ramesh, after I made the suggested change above, it seems that the user "Admin" can only access what is permitted through the data roles, meaning the "Export2.customer_table", as it should. However, the View named "customer_view" is also hidden, which is not what I wanted, as I think the "Views" will always be visible to any user who can access the VDB, isn't it? I found in the documentation something about setting the "the environment/system property org.teiid.metadataRequiresPermission to false"; still, I am not positive if that is the one I am missing. Can you give any hint as to what I'm missing? – Alexis_543 Aug 03 '21 at 14:58
  • If you enable `data-role` then they are subject to access restrictions. If you remove the `<data-role>` section in the above -vdb.xml it should be fine. – Ramesh Reddy Aug 05 '21 at 21:51
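
A way to check a -vdb.xml for the three conditions discussed in this thread, as an added example that is not part of the original posts or of Teiid: physical models still visible, data-role grants that point at a physical schema, and virtual models that no role can read once data roles exist. The function name, finding codes and trimmed sample VDB are constructed for illustration, and the defaults used for omitted `type` and `visible` attributes are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the question's VDB (source and DDL trimmed).
SAMPLE_VDB = """<vdb name="stock" version="1">
  <model visible="true" name="Export2"/>
  <model visible="true" name="Data" type="VIRTUAL"/>
  <data-role name="RoleA" any-authenticated="true">
    <permission>
      <resource-name>Export2.customer_table</resource-name>
      <allow-read>true</allow-read>
    </permission>
  </data-role>
</vdb>"""


def audit_vdb(xml_text):
    """Return (code, detail) findings for a Teiid -vdb.xml document."""
    root = ET.fromstring(xml_text)
    physical, virtual, findings = set(), set(), []
    for model in root.findall("model"):
        name = model.get("name")
        # Assumed Teiid defaults when omitted: type=PHYSICAL, visible=true.
        is_virtual = model.get("type", "PHYSICAL").upper() == "VIRTUAL"
        (virtual if is_virtual else physical).add(name)
        if not is_virtual and model.get("visible", "true").lower() != "false":
            findings.append(("PHYSICAL_MODEL_VISIBLE", name))

    roles = root.findall("data-role")
    readable = set()  # schemas that at least one role may read
    for role in roles:
        for perm in role.findall("permission"):
            resource = (perm.findtext("resource-name") or "").strip()
            schema = resource.split(".", 1)[0]
            grants = {c.tag for c in perm if c.tag.startswith("allow-")
                      and (c.text or "").strip().lower() == "true"}
            if grants and schema in physical:
                findings.append(("ROLE_GRANTS_PHYSICAL", f"{role.get('name')}: {resource}"))
            if "allow-read" in grants:
                readable.add(schema)

    # Once data roles exist, a view model that no role can read is hidden
    # as well, which is the behaviour reported in the comments above.
    if roles:
        findings += [("VIEW_MODEL_NOT_READABLE", n)
                     for n in sorted(virtual - readable)]
    return findings

if __name__ == "__main__":
    for code, detail in audit_vdb(SAMPLE_VDB):
        print(f"{code}: {detail}")
```

Setting `visible="false"` on `Export2` and pointing the role's `<resource-name>` at `Data` instead of `Export2.customer_table` clears all three findings for this sample.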