Monday, 1 October 2012

OrientDB supports the new "Record Level Security"


OrientDB keeps growing, adding features you can't find in other NoSQL products. This time it's "Record Level Security". Now creating multi-tenant apps is a breeze!


Record level security

This is also called "horizontal security" because it doesn't act on the schema (vertically) but on each single record.
To activate this kind of advanced security, make the classes you want protected extend the ORestricted super class. Every time a class extends ORestricted, OrientDB injects, through a hook, a check before each CRUD operation:
  • CREATE a new document: the current database user is set in the _allow field
  • READ a document: check whether the current user or one of its roles is enlisted in the _allow field. If not, the record is skipped. This lets every query work on a per-user basis
  • UPDATE a document: check whether the current user or one of its roles is enlisted in the _allow field. If not, an OSecurityException is thrown
  • DELETE a document: same check as for UPDATE. If it fails, an OSecurityException is thrown
The _allow field can contain OUser and ORole records. Use OUser to allow a single user and ORole to allow all the users that are part of that role.

Use case

You want to enable this security in a blog-like application. First create the document class, e.g. "Post", extending "ORestricted". Then if the user "Luke" creates a new post and the user "Steve" does the same, neither user can access the Post instances created by the other.


> connect remote:localhost/blog admin admin
> create class Post extends ORestricted
Class 'Post' created successfully

The user "Luke", registered as the OUser "luke" with RID #5:5, logs in and creates a new Post:

> connect remote:localhost/blog luke luke

> insert into Post set title = "Yesterday in Italy"

Created document #18:0

> select from Post

+-----+--------------+-----------------------+
| RID | _allow       | title                 |
+-----+--------------+-----------------------+
|#18:0| [#5:5]       | Yesterday in Italy    |
+-----+--------------+-----------------------+

Then the user Steve, registered as the OUser "steve" with RID #5:6, logs in too and creates a new Post:

> connect remote:localhost/blog steve steve

> insert into Post set title = "My Nutella cake"

Created document #18:1

> select from Post

+-----+--------------+-----------------------+
| RID | _allow       | title                 |
+-----+--------------+-----------------------+
|#18:1| [#5:6]       | My Nutella cake       |
+-----+--------------+-----------------------+

Each user can see only the records they have access to. Now let's allow the user Steve (RID #5:6) to access Luke's first post by adding Steve's RID to the _allow field:

> connect remote:localhost/blog luke luke

> update #18:0 add _allow = #5:6

Now if Steve executes the same query as before, the result changes:

> connect remote:localhost/blog steve steve

> select from Post

+-----+--------------+-----------------------+
| RID | _allow       | title                 |
+-----+--------------+-----------------------+
|#18:0| [#5:5]       | Yesterday in Italy    |
|#18:1| [#5:6]       | My Nutella cake       |
+-----+--------------+-----------------------+
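To make the hook's behaviour concrete, here is an added Python model of the ORestricted check (an illustration written for this post, not OrientDB's own code; the role RID #4:3 is a constructed value). It replays the console session above and also shows access granted through a role rather than a user RID, which the session itself does not.

```python
class OSecurityException(Exception): pass

class RestrictedDb:
    def __init__(self):
        self.users = {}     # user RID -> set of role RIDs
        self.records = {}   # record RID -> field dict, including _allow
        self.current = None

    def connect(self, user_rid, roles=()):   # like "connect remote:localhost/blog luke luke"
        self.users.setdefault(user_rid, set(roles))
        self.current = user_rid

    def _allowed(self, rec):
        # the injected check: the current user OR one of its roles is enlisted in _allow
        principals = {self.current} | self.users[self.current]
        return bool(principals & set(rec["_allow"]))

    def insert(self, **fields):
        # CREATE: the hook sets _allow to the current user
        rid = f"#18:{len(self.records)}"
        self.records[rid] = {**fields, "_allow": [self.current]}
        return rid

    def select(self):
        # READ: records failing the check are skipped, not reported
        return [rid for rid, rec in self.records.items() if self._allowed(rec)]

    def update_add_allow(self, rid, principal):
        # UPDATE: OSecurityException when the check fails (DELETE behaves the same)
        rec = self.records[rid]
        if not self._allowed(rec):
            raise OSecurityException(f"{self.current} is not allowed on {rid}")
        rec["_allow"].append(principal)

def blog_scenario():
    db = RestrictedDb()
    db.connect("#5:5")                       # luke
    luke_post = db.insert(title="Yesterday in Italy")
    db.connect("#5:6", roles={"#4:3"})       # steve, member of constructed role #4:3
    db.insert(title="My Nutella cake")
    steve_before = db.select()
    try:                                     # steve cannot yet modify luke's post
        db.update_add_allow(luke_post, "#5:6")
        denied = False
    except OSecurityException:
        denied = True
    db.connect("#5:5")
    db.update_add_allow(luke_post, "#4:3")   # grant through steve's role instead of his user RID
    db.connect("#5:6")
    return steve_before, denied, db.select()
```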

This is available now in v. 1.2.0-SNAPSHOT. For more information: http://code.google.com/p/orient/wiki/Security#Record_level_security


Enjoy,
NuvolaBase - The Company behind OrientDB
