Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 341940

Summary: Add disable/enable allowing native queries
Product: z_Archived Reporter: Guy Pelletier <guy.pelletier>
Component: EclipselinkAssignee: Nobody - feel free to take it <nobody>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: P3 CC: douglas.clarke, eclipselink.orm-inbox
Version: unspecified   
Target Milestone: ---   
Hardware: PC   
OS: Windows XP   
Whiteboard:
Bug Depends on: 337323    
Bug Blocks:    
Attachments:
Description Flags
Proposed changes
none
Working proposal
none
Proposed changes
none
Final patch none

Description Guy Pelletier CLA 2011-04-05 11:58:29 EDT 
Background (from email):

Tom,

I believe it will mostly be of use to larger development teams where the reality of the MT additional-criteria may be overlooked and a developer may start using native queries without understanding the impact.

Can you track a P3 ER for this against the 2.3.0 release?

Doug

On 05/04/2011 11:40 AM, Tom Ware wrote:
> I have always thought of this in the "trusted" sense.  If the application provider allows the end-user to write native-sql, they should be aware of the risks and deal with it themselves.
>
> If the end-user can get to the createNativeQuery() API itself, they'll have access to all the API.  They could just disable the tenant criteria and get all the data anyway.
>
> If this is simply a setting that lets people set-up the application so that they don't accidentally write a native query without tenant info in it, I guess the value is if native queries are disabled by default and you must specifically enable then and as a result indicate you "know the risks".  To me, I'd suggest a feature like this is lower priority than the other items we have been addressing and something we would likely add late in the game if time remained.
>
> -Tom
>
> douglas clarke wrote:
>>   One the challenges with the shared MT schema is that we only augment queries where we generate the SQL. What is our plan to support limiting preventing native SQL queries.
>>
>> Last week when we met with Mitesh and Linda we discussed that an application can be considered trusted so that any developer who wished to use a native query could but it would be up to them to ensure they included the MT criteria. Alternatively we should allow you to disallow native queries. Probably with a PU property.
>>
>> I believe this requirement should be included in the MT work. Curious about any existing plans for this or your thoughts?
>>
>> -- 
>> Doug
Comment 1 Guy Pelletier CLA 2011-05-11 09:53:22 EDT 
Created attachment 195350 [details]
Proposed changes
Comment 2 Guy Pelletier CLA 2011-05-11 09:56:53 EDT 
The proposal is as follows:

New persistence unit property: eclipselink.jdbc.allow-native-sql-queries

Default is true.

When set to false in JPA, no user issued sql queries will be executed. Note: disabling all sql queries impacts internal EclipseLink queries such as sequencing.
Comment 3 Guy Pelletier CLA 2011-06-15 09:16:06 EDT 
Created attachment 198016 [details]
Working proposal

This patch introduces two new flags that can be set to achieve this functionality.

Persistence unit property: 
  - "eclipselink.jdbc.allow-native-sql-queries" 
  - defaults to TRUE

QueryHint: 
  "eclipselink.jdbc.bypass-disallowed-native-sql-queries" 
  - defaults to FALSE

Note the query hint has no effect essentially unless the persistence unit property is set to FALSE.
Comment 4 Guy Pelletier CLA 2011-06-28 09:13:39 EDT 
Created attachment 198721 [details]
Proposed changes

Update to previous patch (from feedback from Doug and Gordon)

Persistence unit property: 
  - "eclipselink.jdbc.allow-native-sql-queries" 
  - defaults to TRUE

QueryHint: 
  "eclipselink.jdbc.allow-native-sql-query" 
  - defaults to UNDEFINED

When the query hint is undefined then we'll look at the persistence unit setting. If the query hint is defined, we'll do as it says.
Comment 5 Guy Pelletier CLA 2011-06-30 13:27:25 EDT 
Created attachment 198922 [details]
Final patch

Changes have been submitted to trunk.

Reviewed: Gordon Yorke
Comment 6 Guy Pelletier CLA 2011-07-04 14:32:22 EDT 
Changes have been submitted to the 2.3.1 stream
Comment 7 Eclipse Webmaster CLA 2022-06-09 10:30:45 EDT 
The Eclipselink project has moved to Github: https://github.com/eclipse-ee4j/eclipselink