TEIID-2476: Exclude hidden tables/columns from metadata (filtering me…

…tadata based upon data roles, improving the performance of pg system queries, allowing admin access to see everything, adding a test for properties, expanding the check of key records)

admin/src/main/java/org/teiid/adminapi/DataPolicy.java

@@ -35,7 +35,8 @@ public enum Context {
 		DELETE,
 		FUNCTION,
 		ALTER,
-		STORED_PROCEDURE;
+		STORED_PROCEDURE, 
+		METADATA;
     }
 
 	public enum PermissionType {CREATE, READ, UPDATE, DELETE, ALTER, EXECUTE, DROP, LANGUAGE};

api/src/main/java/org/teiid/PolicyDecider.java

@@ -66,7 +66,7 @@ Set<String> getInaccessibleResources(PermissionType action,
 	 * @param commandContext
 	 * @return true if the access is allowed, otherwise false
 	 */
-	boolean isTempAccessable(PermissionType action, String resource,
+	boolean isTempAccessible(PermissionType action, String resource,
 			Context context, CommandContext commandContext);
 
 	/**

build/kits/jboss-as7/overlay/docs/teiid/teiid-releasenotes.html

@@ -224,12 +224,16 @@ <h2 class="western"><a name="Compatibility"></a>Compatibility Issues</h2>
 
 <h4 class="western">from ${project.version}</h4>  
 <ul>
+<li/>
+	<p style="margin-bottom: 0in">
+<a href='https://issues.jboss.org/browse/TEIID-2476'>TEIID-2476</a> - Exclude hidden tables/columns from metadata (filtering metadata based upon data roles,  improving the performance of pg system queries, allowing admin access to see everything, adding a test for properties, expanding the check of key records)
 <li/>
 	<p style="margin-bottom: 0in">
 <a href='https://issues.jboss.org/browse/TEIID-4512'>TEIID-4512</a> - Issue with older drivers and useStreamsForLobs (calling the old method if possible)
 <li/>
 	<p style="margin-bottom: 0in">
 <a href='https://issues.jboss.org/browse/TEIID-4532'>TEIID-4532</a> - Provide one-way or cryptographic hash functions (add and refining hash functions and removing the overlapping function)
+
 </ul>
 
 <h4 class="western">from  8.12.14.6_4</h4>  

engine/src/main/java/org/teiid/dqp/internal/process/AuthorizationValidationVisitor.java

@@ -109,7 +109,7 @@ private void validateTemp(DataPolicy.PermissionType action, String resource, boo
 		Set<String> resources = Collections.singleton(resource);
 		logRequest(resources, context);
 
-    	boolean allowed = decider.isTempAccessable(action, schema?resource:null, context, commandContext);
+    	boolean allowed = decider.isTempAccessible(action, schema?resource:null, context, commandContext);
 
     	logResult(resources, context, allowed);
     	if (!allowed) {

engine/src/main/java/org/teiid/dqp/internal/process/AuthorizationValidator.java

@@ -24,6 +24,7 @@
 
 import org.teiid.api.exception.query.QueryValidatorException;
 import org.teiid.core.TeiidComponentException;
+import org.teiid.metadata.AbstractMetadataRecord;
 import org.teiid.query.metadata.QueryMetadataInterface;
 import org.teiid.query.sql.lang.Command;
 import org.teiid.query.util.CommandContext;
@@ -56,11 +57,18 @@ enum CommandType {
 	boolean validate(String[] originalSql, Command command, QueryMetadataInterface metadata, CommandContext commandContext, CommandType commandType) throws QueryValidatorException, TeiidComponentException;
 
 	/**
-	 * 
+	 * Uses the context or other information to determine if the current user has the given role name.
 	 * @param roleName
 	 * @param commandContext
 	 * @return true if the current user has the given role
 	 */
 	boolean hasRole(String roleName, CommandContext commandContext);
 
+	/**
+	 * Determines if the metadata record is accessible in system queries
+	 * @param record
+	 * @param commandContext
+	 * @return
+	 */
+	boolean isAccessible(AbstractMetadataRecord record, CommandContext commandContext);
 }

engine/src/main/java/org/teiid/dqp/internal/process/BaseExtractionTable.java

@@ -130,7 +130,7 @@ public RecordExtractionTable(RecordTable<T> baseTable, List<ElementSymbol> colum
 	public TupleSource processQuery(Query query, VDBMetaData vdb,
 			TransformationMetadata metadata, CommandContext cc) {
 		BaseIndexInfo<?> ii = baseTable.planQuery(query, query.getCriteria(), cc);
-		final SimpleIterator<T> iter = baseTable.processQuery(vdb, metadata.getMetadataStore(), ii, metadata);
+		final SimpleIterator<T> iter = baseTable.processQuery(vdb, metadata.getMetadataStore(), ii, metadata, cc);
 		return new ExtractionTupleSource<T>(ii.getNonCoveredCriteria(), iter, cc, vdb, metadata, this);
 	}
 
@@ -144,20 +144,29 @@ public ChildRecordExtractionTable(RecordTable<P> baseTable, List<ElementSymbol>
 		this.baseTable = baseTable;
 	}
 
+	protected boolean isValid(T result, CommandContext cc) {
+		return !(result instanceof AbstractMetadataRecord) || cc.getDQPWorkContext().isAdmin() || cc.getAuthorizationValidator().isAccessible((AbstractMetadataRecord)result, cc);
+	}
+
 	@Override
 	public TupleSource processQuery(Query query, VDBMetaData vdb,
-			final TransformationMetadata metadata, CommandContext cc) {
+			final TransformationMetadata metadata, final CommandContext cc) {
 		BaseIndexInfo<?> ii = baseTable.planQuery(query, query.getCriteria(), cc);
-		final SimpleIterator<P> iter = baseTable.processQuery(vdb, metadata.getMetadataStore(), ii, metadata);
+		final SimpleIterator<P> iter = baseTable.processQuery(vdb, metadata.getMetadataStore(), ii, metadata, cc);
 		while (ii.next != null) {
 			ii = ii.next;
 		}
 		return new ExtractionTupleSource<T>(ii.getNonCoveredCriteria(), new ExpandingSimpleIterator<P, T>(iter) {
 
-			SimpleIteratorWrapper<T> wrapper = new SimpleIteratorWrapper<T>(null);
+			SimpleIteratorWrapper<T> wrapper = new SimpleIteratorWrapper<T>(null) {
+				@Override
+				protected boolean isValid(T result) {
+					return ChildRecordExtractionTable.this.isValid(result, cc);
+				}
+			};
 
 			protected RecordTable.SimpleIterator<T> getChildIterator(P parent) {
-				Collection<? extends T> children = getChildren(parent);
+				Collection<? extends T> children = getChildren(parent, cc);
 				if (children.isEmpty()) {
 					return RecordTable.emptyIterator();
 				}
@@ -168,6 +177,6 @@ protected RecordTable.SimpleIterator<T> getChildIterator(P parent) {
 		}, cc, vdb, metadata, this);
 	}
 
-	protected abstract Collection<? extends T> getChildren(P parent);
+	protected abstract Collection<? extends T> getChildren(P parent, CommandContext cc);
 
 }

engine/src/main/java/org/teiid/dqp/internal/process/DataRolePolicyDecider.java

@@ -22,12 +22,11 @@
 
 package org.teiid.dqp.internal.process;
 
-import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Iterator;
-import java.util.List;
 import java.util.Set;
 
 import org.teiid.CommandContext;
@@ -49,19 +48,20 @@ public Set<String> getInaccessibleResources(PermissionType action,
 		if (action == PermissionType.EXECUTE && context == Context.FUNCTION && allowFunctionCallsByDefault) {
 			return Collections.emptySet();
 		}
-		List<DataPolicy> policies = new ArrayList<DataPolicy>(commandContext.getAllowedDataPolicies().values());
+		Collection<DataPolicy> policies = commandContext.getAllowedDataPolicies().values();
 		int policyCount = policies.size();
 		boolean[] exclude = new boolean[policyCount];
 		outer:for (Iterator<String> iter = resources.iterator(); iter.hasNext();) {
 			String resource = iter.next();
 			Arrays.fill(exclude, false);
 			int excludeCount = 0;
 			while (resource.length() > 0) {
+				Iterator<DataPolicy> policyIter = policies.iterator();
 				for (int j = 0; j < policyCount; j++) {
+					DataPolicyMetadata policy = (DataPolicyMetadata)policyIter.next();
 					if (exclude[j]) {
 						continue;
 					}
-					DataPolicyMetadata policy = (DataPolicyMetadata)policies.get(j);
 					if (policy.isGrantAll()) {
 						if (policy.getSchemas() == null) {
 							resources.clear();
@@ -106,7 +106,7 @@ public boolean hasRole(String roleName, CommandContext context) {
 	}
 
 	@Override
-	public boolean isTempAccessable(PermissionType action, String resource,
+	public boolean isTempAccessible(PermissionType action, String resource,
 			Context context, CommandContext commandContext) {
 		if (resource != null) {
 			return getInaccessibleResources(action, new HashSet<String>(Arrays.asList(resource)), context, commandContext).isEmpty();

engine/src/main/java/org/teiid/dqp/internal/process/DataTierManagerImpl.java

@@ -293,19 +293,20 @@ public void fillRow(List<Object> row, Table table,
 				row.add(table.isSystem());
 				row.add(table.isMaterialized());
 				row.add(null);
+				row.add(table.getParent().getUUID());
 			}
 		});
         name = SystemAdminTables.MATVIEWS.name();
         columns = getColumns(tm, name);
         systemAdminTables.put(SystemAdminTables.MATVIEWS, new RecordExtractionTable<Table>(new TableSystemTable(1, 2, columns) {
         	@Override
         	protected boolean isValid(Table s, VDBMetaData vdb,
-        			List<Object> rowBuffer, Criteria condition)
+        			List<Object> rowBuffer, Criteria condition, CommandContext cc)
         			throws TeiidProcessingException, TeiidComponentException {
         		if (s == null || !s.isMaterialized()) {
         			return false;
         		}
-        		return super.isValid(s, vdb, rowBuffer, condition);
+        		return super.isValid(s, vdb, rowBuffer, condition, cc);
         	}
         }, columns) {
 
@@ -387,6 +388,7 @@ public void fillRow(List<Object> row, Procedure proc,
 				row.add(proc.getUUID());
 				row.add(proc.getAnnotation());
 				row.add(null);
+				row.add(proc.getParent().getUUID());
 			}
 		});
         name = SystemTables.FUNCTIONS.name();
@@ -416,8 +418,8 @@ public void fillRow(List<Object> row, FunctionMethod proc,
 
         	@Override
         	public SimpleIterator<Datatype> processQuery(VDBMetaData vdb,
-        			CompositeMetadataStore metadataStore, BaseIndexInfo<?> ii, TransformationMetadata metadata) {
-        		return processQuery(vdb, metadataStore.getDatatypes(), ii);
+        			CompositeMetadataStore metadataStore, BaseIndexInfo<?> ii, TransformationMetadata metadata, CommandContext commandContext) {
+        		return processQuery(vdb, metadataStore.getDatatypes(), ii, commandContext);
         	}
         }, columns) {
 
@@ -501,7 +503,7 @@ public void fillRow(List<Object> row, BaseColumn param,
         	}
 
         	@Override
-        	protected Collection<? extends BaseColumn> getChildren(final Procedure parent) {
+        	protected Collection<? extends BaseColumn> getChildren(final Procedure parent, CommandContext cc) {
         		Collection<ProcedureParameter> params = parent.getParameters();
         		if (parent.getResultSet() == null) {
         			return params;
@@ -546,7 +548,7 @@ public void fillRow(List<Object> row, FunctionParameter param,
         	}
 
         	@Override
-        	protected Collection<? extends FunctionParameter> getChildren(final FunctionMethod parent) {
+        	protected Collection<? extends FunctionParameter> getChildren(final FunctionMethod parent, CommandContext cc) {
         		ArrayList<FunctionParameter> result = new ArrayList<FunctionParameter>(parent.getInputParameters().size() + 1);
         		result.addAll(parent.getInputParameters());
         		result.add(parent.getOutputParameter());
@@ -567,8 +569,8 @@ protected void fillRow(AbstractMetadataRecord s,
         			@Override
         			public SimpleIterator<AbstractMetadataRecord> processQuery(
         					VDBMetaData vdb, CompositeMetadataStore metadataStore,
-        					BaseIndexInfo<?> ii, TransformationMetadata metadata) {
-        				return processQuery(vdb, metadataStore.getOids(), ii);
+        					BaseIndexInfo<?> ii, TransformationMetadata metadata, CommandContext commandContext) {
+        				return processQuery(vdb, metadataStore.getOids(), ii, commandContext);
         			}
 
         			@Override
@@ -595,7 +597,7 @@ public void fillRow(List<Object> row, Map.Entry<String,String> entry, VDBMetaDat
         	}
 
         	@Override
-        	protected Collection<Map.Entry<String,String>> getChildren(AbstractMetadataRecord parent) {
+        	protected Collection<Map.Entry<String,String>> getChildren(AbstractMetadataRecord parent, CommandContext cc) {
         		return parent.getProperties().entrySet();
         	}
 		});
@@ -621,7 +623,7 @@ protected void fillRow(List<Object> row, Trigger record, VDBMetaData vdb, Transf
         	}
 
         	@Override
-        	protected Collection<Trigger> getChildren(Table table) {
+        	protected Collection<Trigger> getChildren(Table table, CommandContext cc) {
         		ArrayList<Trigger> cols = new ArrayList<Trigger>();
         		if (table .isVirtual()) {
         			if (table.getInsertPlan() != null) {
@@ -642,12 +644,12 @@ protected Collection<Trigger> getChildren(Table table) {
         systemAdminTables.put(SystemAdminTables.VIEWS, new RecordExtractionTable<Table>(new TableSystemTable(1, 2, columns) {
         	@Override
         	protected boolean isValid(Table s, VDBMetaData vdb,
-        			List<Object> rowBuffer, Criteria condition)
+        			List<Object> rowBuffer, Criteria condition, CommandContext cc)
         			throws TeiidProcessingException, TeiidComponentException {
         		if (s == null || !s.isVirtual()) {
         			return false;
         		}
-        		return super.isValid(s, vdb, rowBuffer, condition);
+        		return super.isValid(s, vdb, rowBuffer, condition, cc);
         	}
         }, columns) {
 
@@ -666,12 +668,12 @@ public void fillRow(List<Object> row, Table table,
         systemAdminTables.put(SystemAdminTables.STOREDPROCEDURES, new RecordExtractionTable<Procedure>(new ProcedureSystemTable(1, 2, columns) {
         	@Override
         	protected boolean isValid(Procedure s, VDBMetaData vdb,
-        			List<Object> rowBuffer, Criteria condition)
+        			List<Object> rowBuffer, Criteria condition, CommandContext cc)
         			throws TeiidProcessingException, TeiidComponentException {
         		if (s == null || !s.isVirtual()) {
         			return false;
         		}
-        		return super.isValid(s, vdb, rowBuffer, condition);
+        		return super.isValid(s, vdb, rowBuffer, condition, cc);
         	}
         }, columns) {
 
@@ -725,10 +727,11 @@ protected void fillRow(List<Object> row, Column column,
         		row.add(column.getUUID());
         		row.add(column.getAnnotation());
         		row.add(null);
+        		row.add(column.getParent().getUUID());
         	}
 
         	@Override
-        	protected Collection<Column> getChildren(Table parent) {
+        	protected Collection<Column> getChildren(Table parent, CommandContext cc) {
         		return parent.getColumns();
         	}
 
@@ -767,10 +770,18 @@ protected void fillRow(List<Object> row, KeyRecord key,
         	}
 
         	@Override
-        	protected Collection<KeyRecord> getChildren(Table parent) {
+        	protected Collection<KeyRecord> getChildren(Table parent, CommandContext cc) {
         		return parent.getAllKeys();
         	}
 
+        	@Override
+        	protected boolean isValid(KeyRecord result, CommandContext cc) {
+        		if (!super.isValid(result, cc)) {
+        			return false;
+        		}
+        		return isKeyVisible(result, cc);
+        	}
+
         });
         name = SystemTables.KEYCOLUMNS.name();
         columns = getColumns(tm, name);
@@ -793,13 +804,17 @@ protected void fillRow(List<Object> row, List<?> record,
         		row.add(key.getUUID());
         		row.add(pos);
         		row.add(null);
+        		row.add(key.getParent().getUUID());
         	}
 
         	@Override
-        	protected Collection<List<?>> getChildren(Table parent) {
+        	protected Collection<List<?>> getChildren(Table parent, CommandContext cc) {
         		ArrayList<List<?>> cols = new ArrayList<List<?>>();
 
         		for (KeyRecord record : parent.getAllKeys()) {
+        			if (!cc.getDQPWorkContext().isAdmin() && !isKeyVisible(record, cc)) {
+        				continue;
+        			}
         			int i = 1;
         			for (Column col : record.getColumns()) {
         				cols.add(Arrays.asList(record, col, i++));
@@ -839,10 +854,13 @@ protected void fillRow(List<Object> row, List<?> record,
         	}
 
         	@Override
-        	protected Collection<List<?>> getChildren(Table parent) {
+        	protected Collection<List<?>> getChildren(Table parent, CommandContext cc) {
         		ArrayList<List<?>> cols = new ArrayList<List<?>>();
 
         		for (KeyRecord record : parent.getForeignKeys()) {
+        			if (!cc.getDQPWorkContext().isAdmin() && !isKeyVisible(record, cc)) {
+        				continue;
+        			}
         			short i = 1;
         			for (Column col : record.getColumns()) {
         				cols.add(Arrays.asList(record, col, i++));
@@ -864,8 +882,8 @@ protected void fillRow(AbstractMetadataRecord s,
         			@Override
         			public SimpleIterator<AbstractMetadataRecord> processQuery(
         					VDBMetaData vdb, CompositeMetadataStore metadataStore,
-        					BaseIndexInfo<?> ii, TransformationMetadata metadata) {
-        				return processQuery(vdb, metadataStore.getOids(), ii);
+        					BaseIndexInfo<?> ii, TransformationMetadata metadata, CommandContext commandContext) {
+        				return processQuery(vdb, metadataStore.getOids(), ii, commandContext);
         			}
 
         			@Override
@@ -928,11 +946,23 @@ private String getType(AbstractMetadataRecord record) {
         	}
 
         	@Override
-        	protected Collection<AbstractMetadataRecord> getChildren(AbstractMetadataRecord parent) {
+        	protected Collection<AbstractMetadataRecord> getChildren(AbstractMetadataRecord parent, CommandContext cc) {
         		return parent.getIncomingObjects();
         	}
 		});
-    }        
+    }   
+
+    private boolean isKeyVisible(KeyRecord record, CommandContext cc) {
+    	if (record instanceof ForeignKey && !cc.getAuthorizationValidator().isAccessible(((ForeignKey)record).getReferenceKey(), cc)) {
+			return false;
+		}
+    	for (Column c : record.getColumns()) {
+    		if (!cc.getAuthorizationValidator().isAccessible(c, cc)) {
+    			return false;
+    		}
+		}
+    	return true;
+    }
 
 	private List<ElementSymbol> getColumns(TransformationMetadata tm,
 			String name) {