The Data Roles example is similar to the Data Federation example, but demonstrates how data roles are used to control access to the data exposed by a VDB, here split into read-only and read-write access.
dynamicvdb-dataroles quickstart
All the code discussed in this tutorial is available in the dynamicvdb-dataroles quickstart. See the README.md for directions to run the quickstart.
In this example, the VDB (portfolio-vdb.xml) is defined with the following two data access roles:
1) read-only - this role restricts access to the VDB to reads only (i.e., selects). It is granted to everybody who has a login credential (use the user called "user" with password "user").
2) read-write - this role grants read access as well as write access (i.e., insert/update/delete). It is granted only to users who hold the JAAS role named in the role's "<mapped-role-name>" element, which in the VDB below is "supervisor" (use the user called "portfolio" with password "portfolio"). The JAAS role name in the VDB and the one in the roles properties file must match exactly, or nobody receives the role.
The following is an example of the read-write data-role in the portfolio-vdb.xml:
<data-role name="ReadWrite">
    <description>Allow Reads and Writes to tables and procedures</description>
    <permission>
        <resource-name>Accounts</resource-name>
        <allow-create>false</allow-create>
        <allow-read>true</allow-read>
        <allow-update>true</allow-update>
    </permission>
    <permission>
        <resource-name>MarketData</resource-name>
        <allow-create>false</allow-create>
        <allow-read>true</allow-read>
        <allow-update>true</allow-update>
    </permission>
    <!--
    This role must be defined in the JAAS security domain. Sample UsersRolesLoginModule-based
    users and roles files are provided in this sample directory: copy "teiid-security-roles.properties"
    and "teiid-security-users.properties" into the "<jboss-install>/modules/org/jboss/teiid/conf"
    directory, replacing the existing ones.
    -->
    <mapped-role-name>supervisor</mapped-role-name>
</data-role>
To see how the users and roles were defined for JAAS, see the src/security/teiid-security-roles.properties and src/security/teiid-security-users.properties files. The teiid-security-users.properties file is used by JAAS to verify user credentials (i.e., login ID and password), and the teiid-security-roles.properties file maps each username to the JAAS role names that the "<mapped-role-name>" elements in the VDB refer to. Note that the permission elements shown above grant read and update only: allow-create is explicitly false and allow-delete is not set, so the role as written permits neither inserts nor deletes on those resources despite its description. When reviewing what a data role grants, check the per-resource flags rather than the role's name or description.
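The following script is an added example, not code from the Teiid quickstart. It reads the <data-role> elements of a VDB together with a UsersRolesLoginModule-style roles properties file and reports the effective permissions a given login ends up with, which is the question a reviewer actually wants answered. The VDB fragment and the roles file content are constructed inline for this example; the ReadOnly role with any-authenticated="true" is an assumption about how the quickstart expresses its read-only role, and the function names are the example's own.

```python
"""Audit the effective Teiid data-role permissions a JAAS user ends up with.

Added example, not part of the Teiid quickstart. Assumptions: data roles are
additive (a user holding several roles gets the union of their permissions),
a data role applies when it is any-authenticated="true" or one of its
<mapped-role-name> values matches a JAAS role the user holds, and a
permission flag that is absent is treated as false.
"""
import xml.etree.ElementTree as ET

PERMISSION_FLAGS = ("allow-create", "allow-read", "allow-update", "allow-delete")

# Constructed VDB fragment: the ReadWrite role from the page plus an assumed
# ReadOnly role granted to every authenticated user.
VDB_XML = """<vdb name="Portfolio" version="1">
  <data-role name="ReadOnly" any-authenticated="true">
    <permission>
      <resource-name>Accounts</resource-name>
      <allow-read>true</allow-read>
    </permission>
    <permission>
      <resource-name>MarketData</resource-name>
      <allow-read>true</allow-read>
    </permission>
  </data-role>
  <data-role name="ReadWrite">
    <permission>
      <resource-name>Accounts</resource-name>
      <allow-create>false</allow-create>
      <allow-read>true</allow-read>
      <allow-update>true</allow-update>
    </permission>
    <permission>
      <resource-name>MarketData</resource-name>
      <allow-create>false</allow-create>
      <allow-read>true</allow-read>
      <allow-update>true</allow-update>
    </permission>
    <mapped-role-name>supervisor</mapped-role-name>
  </data-role>
</vdb>
"""

# Constructed teiid-security-roles.properties content (username=role1,role2).
ROLES_PROPERTIES = """# constructed for this example
user=user
portfolio=supervisor
"""


def parse_roles_properties(text):
    """Map each username in a roles properties file to the set of JAAS roles it holds."""
    roles = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        user, _, value = line.partition("=")
        roles[user.strip()] = {r.strip() for r in value.split(",") if r.strip()}
    return roles


def parse_data_roles(xml_text):
    """Return [(name, any_authenticated, mapped_jaas_roles, {resource: {flag: bool}})]."""
    out = []
    for role in ET.fromstring(xml_text).iter("data-role"):
        mapped = {m.text.strip() for m in role.findall("mapped-role-name") if m.text}
        perms = {}
        for p in role.findall("permission"):
            resource = p.findtext("resource-name").strip()
            # An absent flag is treated as false (assumption noted in the docstring).
            perms[resource] = {
                f: (p.findtext(f) or "false").strip().lower() == "true"
                for f in PERMISSION_FLAGS
            }
        any_auth = role.get("any-authenticated", "false").lower() == "true"
        out.append((role.get("name"), any_auth, mapped, perms))
    return out


def effective_permissions(username, vdb_xml, roles_props):
    """Union of the permissions from every data role the user qualifies for."""
    jaas_roles = parse_roles_properties(roles_props).get(username)
    if jaas_roles is None:
        return {}  # unknown login: no roles, no access
    effective = {}
    for _name, any_auth, mapped, perms in parse_data_roles(vdb_xml):
        if not (any_auth or mapped & jaas_roles):
            continue
        for resource, flags in perms.items():
            current = effective.setdefault(resource, {f: False for f in PERMISSION_FLAGS})
            for f, granted in flags.items():
                current[f] = current[f] or granted
    return effective


def unmapped_roles(vdb_xml, roles_props):
    """Data roles whose mapped-role-name no user holds, e.g. a VDB mapping 'superuser'
    while the roles file only ever grants 'supervisor'. Such a role silently grants nothing."""
    held = set().union(*parse_roles_properties(roles_props).values())
    return [name for name, any_auth, mapped, _ in parse_data_roles(vdb_xml)
            if not any_auth and not (mapped & held)]


if __name__ == "__main__":
    for login in ("user", "portfolio", "nobody"):
        print(login, effective_permissions(login, VDB_XML, ROLES_PROPERTIES))
    print("unmapped roles:", unmapped_roles(VDB_XML, ROLES_PROPERTIES))
```

Run against the real portfolio-vdb.xml and teiid-security-roles.properties, the report shows that "portfolio" gets read and update but not create or delete on Accounts and MarketData, and unmapped_roles catches the case where the JAAS role name in the VDB does not match any role granted in the properties file.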