[Opensource] designs for row-level privilege checking?
larry hamel
expresso at codeguild.com
Tue Aug 13 19:51:24 PDT 2002
hi,
SecuredDBObject provides a privilege check that is equivalent to table-level privileges.
Has anyone extended the Expresso framework in order to add a row-level security check? What was your design?
In a prototype for row-level security, I've concocted a subclass of SecuredDBObject with overrides for each database access method. Each override checks on row privileges before allowing access to the row.
A central idea of this design is that any row in any table could have (optional) privilege information, consisting of an owner, a group, and a bit mask of read/write privileges for owner, group, and Others, similar to the UNIX filesystem.
To store the privilege information, a new table, tentatively named ROW_PRIVILEGES, has the following columns:
Table Name, Key, Owner, Group, Privileges
Where an example entry might be:
Customers, 1256, 242, sales_group, 24
A key assumption of this design is about the primary key of the ROW_PRIVILEGES table: it assumes that we can use the name of the table plus the primary key (as a string) for a given row in order to create a universally unique key for any row in any table in the system.
In the example given, the key to finding privileges for row number 1256 in the customers table is the string "Customers1256", which is created from concatenating the name of the table and the primary key for the row in question.
In the example given, the owner of the row has ID 242, and the row's group is named sales_group. We could interpret some kind of primary group of the owner as the group of the row, but the Expresso group system doesn't have this concept of a user's primary group right now, and it seems flexible to specify the group explicitly as part of the privileges.
In the example given, the privileges are stored as an integer which is decoded with a bit mask, with owner privileges in the high order bits, then group privileges, then privileges for Others in the low order bits:
public static final int SELF_WRITE_MASK = 0x20;
public static final int SELF_READ_MASK = 0x10;
public static final int GROUP_WRITE_MASK = 0x8;
public static final int GROUP_READ_MASK = 0x4;
public static final int OTHERS_WRITE_MASK = 0x2;
public static final int OTHERS_READ_MASK = 0x1;
Such that the integer value of 24 means the group can write and the owner can read. We could store these bits as separate fields in ROW_PRIVILEGES, instead of packing the bits into a single integer.
Anyway, I'll be trying this out shortly, and would like to hear about alternative designs and any pitfalls in the assumptions above.
thanks,
Larry
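The design in the post above, worked through as an added example (my code, not Expresso's and not Larry's prototype): an in-memory stand-in for the ROW_PRIVILEGES table, the table-name-plus-primary-key lookup, and a UNIX-style check of the packed privilege integer. The class and method names, the separator in the key, and the in-memory map are all assumptions made for the example; the bit masks and the sample entry are the post's own.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not Expresso code: an in-memory model of the ROW_PRIVILEGES design,
 * with an owner/group/Others check against the packed privilege bits.
 */
public class RowPrivilegeCheck {

    // Bit masks as given in the post: owner in the high bits, then group, then Others.
    public static final int SELF_WRITE_MASK   = 0x20;
    public static final int SELF_READ_MASK    = 0x10;
    public static final int GROUP_WRITE_MASK  = 0x8;
    public static final int GROUP_READ_MASK   = 0x4;
    public static final int OTHERS_WRITE_MASK = 0x2;
    public static final int OTHERS_READ_MASK  = 0x1;

    /** One ROW_PRIVILEGES entry: Owner, Group and the packed Privileges integer. */
    public static final class RowPrivileges {
        final int owner;
        final String group;
        final int privileges;

        RowPrivileges(int owner, String group, int privileges) {
            this.owner = owner;
            this.group = group;
            this.privileges = privileges;
        }
    }

    // Constructed stand-in for the ROW_PRIVILEGES table, keyed by table name plus primary key.
    private final Map<String, RowPrivileges> rows = new HashMap<>();

    /**
     * Builds the per-row key. The post concatenates directly ("Customers1256"); the
     * separator is my addition so that a table name ending in a digit cannot produce
     * the same key as a different table/primary-key pair.
     */
    public static String rowKey(String tableName, String primaryKey) {
        return tableName + ":" + primaryKey;
    }

    public void setPrivileges(String tableName, String primaryKey,
                              int owner, String group, int privileges) {
        rows.put(rowKey(tableName, primaryKey), new RowPrivileges(owner, group, privileges));
    }

    /**
     * Picks the privilege class the way the UNIX filesystem does: the owner is judged by
     * the owner bits only, a non-owner in the row's group by the group bits only, everyone
     * else by the Others bits. Returns the {read, write} masks to test (assumed semantics).
     */
    private static int[] masksFor(RowPrivileges p, int userId, Set<String> userGroups) {
        if (userId == p.owner) {
            return new int[] { SELF_READ_MASK, SELF_WRITE_MASK };
        }
        if (userGroups.contains(p.group)) {
            return new int[] { GROUP_READ_MASK, GROUP_WRITE_MASK };
        }
        return new int[] { OTHERS_READ_MASK, OTHERS_WRITE_MASK };
    }

    private boolean allowed(String tableName, String primaryKey,
                            int userId, Set<String> userGroups, boolean write) {
        RowPrivileges p = rows.get(rowKey(tableName, primaryKey));
        if (p == null) {
            // Row-level information is optional in the post's design: with no entry, the
            // table-level check already done by SecuredDBObject is the only gate.
            return true;
        }
        int[] masks = masksFor(p, userId, userGroups);
        return (p.privileges & (write ? masks[1] : masks[0])) != 0;
    }

    public boolean canRead(String tableName, String primaryKey, int userId, Set<String> groups) {
        return allowed(tableName, primaryKey, userId, groups, false);
    }

    public boolean canWrite(String tableName, String primaryKey, int userId, Set<String> groups) {
        return allowed(tableName, primaryKey, userId, groups, true);
    }

    public static void main(String[] args) {
        RowPrivilegeCheck check = new RowPrivilegeCheck();
        // The post's example entry: Customers, 1256, 242, sales_group, 24 (0x18 = SELF_READ | GROUP_WRITE).
        check.setPrivileges("Customers", "1256", 242, "sales_group", 24);

        Set<String> sales = Set.of("sales_group");
        Set<String> none  = Set.of();

        System.out.println("owner 242 read:     " + check.canRead("Customers", "1256", 242, none));
        System.out.println("owner 242 write:    " + check.canWrite("Customers", "1256", 242, none));
        System.out.println("sales member read:  " + check.canRead("Customers", "1256", 7, sales));
        System.out.println("sales member write: " + check.canWrite("Customers", "1256", 7, sales));
        System.out.println("others read:        " + check.canRead("Customers", "1256", 9, none));
    }
}
```

Run with `javac RowPrivilegeCheck.java && java RowPrivilegeCheck`. For the post's entry the result matches its reading of the value 24: the owner can read but not write, a non-owner member of sales_group can write but not read, and everyone else gets neither. Two design points the check makes visible: a missing ROW_PRIVILEGES entry silently falls back to the table-level decision, so anything that creates rows without creating their privilege entry widens access by default; and the owner is judged only by the owner bits, so a row whose owner is also in the group does not pick up the group's write bit, which is UNIX behaviour and worth deciding on deliberately.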