[Opensource] designs for row-level privilege checking?

Michael Rimov rimovm at centercomp.com
Wed Aug 14 03:34:57 PDT 2002 

At 07:51 PM 8/13/2002 -0700, you wrote:
>hi,
>
>SecuredDBObject provides a privilege check that is equivalent to 
>table-level privileges.
>
>Has anyone extended the Expresso framework in order to add a row-level 
>security check? What was your design?

Hi Larry!  Actually, this is definitely something I'm interested in since I 
nagged Mike N. many times about possibilities on how to get it 
operational.  So I'm all ears here!

<snip> <snip>
>To store the privilege information, a new table, tentatively named 
>ROW_PRIVILEGES, has the following columns:
>
>         Table Name, Key, Owner, Group, Privileges

Actually, I think I'd like to see DBObject class name instead of table 
name.  It is a longer string, but Expresso DOES have a couple of DBObjects 
that point to the same table, and you might get some weird results without 
that specific separation.



>Where an example entry might be:
><snip> <snip>
>In the example given, the owner of the row has ID 242, and row's group is 
>named sales_group. We could interpret some kind of primary group of the 
>owner as the group of the row, but the Expresso group system doesn't have 
>this concept of a user's primary group right now, and it seems flexible to 
>specify the group explicitly as part of the privileges.

True, but we could easily implement a primary group of sorts... esp since 
something like this will be going into Expresso 4.2, so we have the time to 
work it out.

>In the example given, the privileges are stored as an integer which is 
>decoded with a bit mask, with owner privileges in the high order bits, 
>then group privileges, then privileges for Others in the low order bits:
>
>         public static final int SELF_WRITE_MASK = 0x20;
>         public static final int SELF_READ_MASK = 0x10;
>         public static final int GROUP_WRITE_MASK = 0x8;
>         public static final int GROUP_READ_MASK = 0x4;
>         public static final int OTHERS_WRITE_MASK = 0x2;
>         public static final int OTHERS_READ_MASK = 0x1;
>
>Such that the integer value of 24 means the group can write and the owner 
>can read. We could store these bits as separate fields in ROW_PRIVILEGES, 
>instead of packing the bits into a single integer.

Well, one thing is that we'd be better off if we could Cache LOTS of these 
records from this table, so making it as small as possible may help.  Of 
course people may argue what the difference 6 integers might make, but 
doing profiling, I've seen the databases do a fair of CPU work converting 
integer fields to strings for use in Expresso, so this would have more of 
an impact than just 6 integers vs 1 integer.



>Anyway, I'll be trying this out shortly, and would like to hear about 
>alternative designs and any pitfalls in the assumptions above.

-Your idea is a lot more flexible than mine.  UNIX file permissions have 
always done fairly well.  One question, how do you determine the ability 
for a person to "take ownership" of a record?

-The more complicated we get with this, the more we're going to really need 
some sort of transactional capability.  My problem that I see is that right 
now JDBC transactions are not compatible with JTA transactions in the same 
app.  Perhaps we could write a wrapper class that could be configured to do 
either and then we associate the transaction with the DBConnection... just 
musing here, any thoughts on this?

That's about all that I can think of looking at it.  I look forward to 
seeing it, and I'll post a notice when I've finally branched CVS so you 
could check it in for "tire kicking".

                                         -Mike

More information about the Opensource mailing list