Managing Authorizations in Teiid

There are two classes of authorizations defined in a Teiid system that will enforce different access privileges by the Teiid runtime.

 

  1. Administrative Privileges
  2. Entitlements (data roles)

 

Before we explore what each type of the authorization can control, and how a user can configure them, the user must configure and enable at least one membership domain, so that user authentications can be performed. If a user identity mechanism is not enabled, please follow these directions to configure a membership domain.

 

Note that authorization privileges are always granted to user's "group(s)" not to the individual user. Make sure correct group information is available from membership domain  for the user to whom the authorizations are to be granted. Authorizations in Teiid are controlled by the following properties in the "<teiid-install>/deploy.properties file.

#
# Authorization Service Settings
#
auth.check_entitlements=false
auth.adminRolesFile=./deploy/admin-roles.properties

Administrative Privileges

 

Administrative privileges control the access to call  Admin API based functions that are used to configure, monitor and manage  Teiid resources. These privileges are configured in a property file defined by the property below

auth.adminRolesFile=./deploy/admin-roles.properties

This property file must be in the following format (a default property file is supplied with the install)

# This role grants full permissions to any configuration, runtime-management and monitoring of the system
Admin.SystemAdmin=group1@file

# This role grants runtime-management and monitoring of the system
Admin.ProductAdmin=group2@file

# This role grants only monitoring of the system.
Admin.ReadOnlyAdmin=

Teiid supports three distinct administrative roles that can be assigned to a user's group

  • SystemAdmin - has permissions to configure and monitor all the resources, like a superUser.
  • ProductAdmin - has permissions to start and stop services and monitor system health, but does not have privileges to change configuration or to deploy a VDB, etc.
  • ReadOnlyAdmin - has permissions to monitor system health. Runtime management and configuration is not allowed. Most users fall into this category.


In the property file each role takes a comma separated list of fully qualified group names (group@domain) of the user(s) that are qualified to make the respective administrative calls. The Teiid runtime must be restarted before the changes will take effect.

 

Entitlements

Entitlements, also called Data Roles, are a set of rules and permissions that are defined per VDB that dictate data access (create, read,  update, delete) permissions for the schema defined by the VDB. Entitlements are controlled system wide with the property

auth.check_entitlements=true|false

Once the entitlements are enabled, the access permissions defined by each VDB will then be enforced by the Teiid system.

 

For example, if a VDB schema defined a table like below in its model files

modelName.TableA (
   column1 VARCHAR,
   column2 INT
)

you can define data access rules for this VDB such that

 

  • UserA has privileges to read, write access to TableA, but not delete.
  • UserB has privileges that allow no access to TableA
  • UserC has privileges that only allow read-only access to TableA.column1


   A sample XML file that defines the above permissions will  look like

<?xml version="1.0" encoding="UTF-8"?>

<realm>

  <roles>

    <data-role>
      <name>Sample</name>
      <vdb-name>myVDB</vdb-name>
      <vdb-version>1</vdb-version>
      <description />

      <permissions>
        <permission>
          <resource-name>modelName.TableA</resource-name>          
          <allow-create />
          <allow-read />
          <allow-update />
        </permission>

        <permission>
          <resource-name>modelName.TableA.colum1</resource-name>
          <allow-create />
          <allow-read />
          <allow-update />
        </permission>

        <permission>
          <resource-name>modelName.TableA.column2</resource-name>
          <allow-create />
          <allow-read />
          <allow-update />
        </permission>
      </permissions>

      <principals>
        <group>group1@file</group>
      </principals>
    </data-role>

    <data-role>
      <name>Sample</name>
      <vdb-name>myVDB</vdb-name>
      <vdb-version>1</vdb-version>
      <description />

      <permissions>
        <permission>
          <resource-name>modelName.TableA</resource-name>          
          <allow-read />
        </permission>

        <permission>
          <resource-name>modelName.TableA.colum1</resource-name>
          <allow-read />
        </permission>
      </permissions>

      <principals>
        <group>group2@file</group>
      </principals>
    </data-role>

  </roles>

</realm>

 

The above xml assumes that UserA belongs to "group1@file" group and UserC belongs to "group2@file" group and UserB does not belong to either "group1@file" or "group2@file" groups.

 

The above XML roles file must be named as  "dataroles.xml" and must be available inside the VDB archive at the root location. The "dataroles.xml" file is checked against xml schema "authorizations.xsd", which is attached at the end of this document.

 

Any graphical XML editor  can be used to create this file. There is a link to the above sample file at the end of this document. Once you have created the "dataroles.xml" file, open the VDB archive file using a ZIP archive utility and add this file in the root location. Then deploy the VDB to Teiid runtime and enable entitlements by supplying the following property in the "<teiid-install>/deploy.properties" file and restart the system.

 

auth.check_entitlements=true

 

Note: Currently there is no GUI tooling support in the Designer or any other management tool to create this data roles permissions file, however we would very much like to do so. If you are interested in contributing please let us know.