[jira] [Commented] (CALCITE-2194) Ability to hide a schema

Fri, 09 Mar 2018 17:22:41 -0800 

    [ 
https://issues.apache.org/jira/browse/CALCITE-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16393933#comment-16393933
 ] 

Julian Hyde commented on CALCITE-2194:
--------------------------------------

I've not looked at the code, but the specification is this: if UserA uses a 
view V in a query, and that view is owned by UserB, then the objects within 
that view are accessed with the privileges of UserB. If V references another 
view V2 owned by UserC then the process continues...

This is how access control for views works in many systems, for example in 
Oracle, and is regarded as the standard. Note that there is no such thing as 
INDIRECT_SELECT, you just swap hats to a new security principal. 
INDIRECT_SELECT is not capable of dealing with the case of a query referencing 
a view referencing a view (or anything with more than 2 levels).

> Ability to hide a schema
> ------------------------
>
>                 Key: CALCITE-2194
>                 URL: https://issues.apache.org/jira/browse/CALCITE-2194
>             Project: Calcite
>          Issue Type: New Feature
>          Components: core
>    Affects Versions: 1.16.0
>            Reporter: Piotr Bojko
>            Assignee: Piotr Bojko
>            Priority: Minor
>
> See: 
> [https://mail-archives.apache.org/mod_mbox/calcite-dev/201711.mbox/ajax/%3C6F6E52D4-6860-4384-A1CB-A2301D05394D%40apache.org%3E]
> I've looked into the core and the notion of an user could be hard to achieved 
> now. 
> Though, I am able to implement the "hidden schema" feature through following 
> changes:
>  # JsonSchema - add a holder for the feature, boolean flag or flags field 
> with enum (CACHED which now exists as a separate flag - some deprecation 
> could be needed, HIDDEN)
>  # CalciteSchema - pass through of a flag
>  # RelOptSchema - pass through of a flag
>  # CalciteCatalogReader - pass through of a flag
>  # Other derivatives of RelOptSchema - mocked value, false
>  # RelOptTable and impl - pass through of a flag
>  # SqlValidatorImpl - validation whether object from hidden schema is used 
> (in the same places like validateAccess)
>  # ViewTableMacro.apply ->  Schemas.analyzeView -> 
> CalcitePrepareImpl.analyzeView -> CalcitePrepareImpl.parse_ -> 
> CalcitePrepareImpl.CalcitePrepareImpl - this path of execution should build 
> SqlValidatorImpl which has the check from point 7 disabled- 
> Such feature could be useful for end users. 
> If the solution is ok - I can contribute it.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to