1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
|
<!DOCTYPE html>
<html>
<head>
<title>
The Codex »
A Users, Roles & Privileges Scheme Using Graphs
</title>
<link
rel='stylesheet'
type='text/css'
href='http://fonts.googleapis.com/css?family=Buenard:400,700&subset=latin,latin-ext'>
<link
rel="stylesheet"
type="text/css"
href="../media/css/reset.css">
<link
rel="stylesheet"
type="text/css"
href="../media/css/grimoire.css">
</head>
<body>
<div id="shell">
<ol id="breadcrumbs">
<li class="crumb-0 not-last">
<a href="../">index</a>
</li>
<li class="crumb-1 not-last">
<a href="./">authnz</a>
</li>
<li class="crumb-2 last">
users-rolegraph-privs
</li>
</ol>
<div id="article">
<h1 id="a-users-roles-privileges-scheme-using-graphs">A Users, Roles & Privileges Scheme Using Graphs</h1>
<p>The basic elements:</p>
<ul>
<li>Every agent that can interact with a system is represented by a <strong>user</strong>.</li>
<li>Every capability the system has is authorized by a distinct <strong>privilege</strong>.</li>
<li>Each user has a list of zero or more <strong>roles</strong>.<ul>
<li>Roles can <strong>imply</strong> further roles. This relationship is transitive: if
role A implies role B, then a member of role A is a member of role B; if
role B also implies role C, then a member of role A is also a member of
role C. It helps if the resulting role graph is acyclic, but it's not
necessary.</li>
<li>Roles can <strong>grant</strong> privileges.</li>
</ul>
</li>
</ul>
<p>A user's privileges are the union of the privileges granted by the transitive
closure of their roles.</p>
<h2 id="in-sql">In SQL</h2>
<pre><code>create table "user" (
username varchar
primary key
-- credentials &c
);
create table role (
name varchar
primary key
);
create table role_member (
role varchar
not null
references role,
member varchar
not null
references "user",
primary key (role, member)
);
create table role_implies (
role varchar
not null
references role,
implied_role varchar
not null
);
create table privilege (
privilege varchar
primary key
);
create table role_grants (
role varchar
not null
references role,
privilege varchar
not null
references privilege,
primary key (role, privilege)
);
</code></pre>
<p>If your database supports recursive CTEs, querying this isn't awful, since we
can have the database do all the graph-walking along roles:</p>
<pre><code>with recursive user_roles (role) AS (
select
role
from
role_member
where
member = 'SOME USERNAME'
union
select
implied_role as role
from
user_roles
join role_implies on
user_roles.role = role_implies.role
)
select distinct
role_grants.privilege as privilege
from
user_roles
join role_grants on
user_roles.role = role_grants.role
order by privilege;
</code></pre>
<p>If not, get a better database. Recursive graph walking with network round
trips at each step is stupid and you shouldn't do it.</p>
<p>Realistic uses should have fairly simple graphs: elemental privileges are
grouped into abstract roles, which are in turn grouped into meaningful roles
(by department, for example), which are in turn granted to users. In
PostgreSQL, the above schema handles ~10k privileges and ~10k roles with
randomly-generated graph relationships in around 100ms on my laptop, which is
pretty slow but not intolerable. Perverse cases (interconnected total
subgraphs, deeply-nested linear graphs) can take absurd time but do not
reflect any likely permissions scheme.</p>
<h2 id="what-sucks">What Sucks</h2>
<ul>
<li>Graph theory in my authorization system? It's more likely than you think.</li>
<li>There's no notion of revoking a privilege. If you have a privilege by any
path through your roles, then it cannot be revoked except by removing all of
the paths that lead back to that privilege.</li>
<li>Not every system has an efficient way to compute these graphs.<ul>
<li>PostgreSQL, as given above, has a hard time with unrealistically-deep
nested roles.</li>
</ul>
</li>
</ul>
</div>
<div id="comments">
<div id="disqus_thread"></div>
<script type="text/javascript">
/* * * CONFIGURATION VARIABLES: EDIT BEFORE PASTING INTO YOUR WEBPAGE * * */
var disqus_shortname = 'grimoire'; // required: replace example with your forum shortname
/* * * DON'T EDIT BELOW THIS LINE * * */
(function() {
var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
dsq.src = 'http://' + disqus_shortname + '.disqus.com/embed.js';
(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
})();
</script>
<noscript>Please enable JavaScript to view the <a href="http://disqus.com/?ref_noscript">comments powered by Disqus.</a></noscript>
<a href="http://disqus.com" class="dsq-brlink">comments powered by <span class="logo-disqus">Disqus</span></a>
</div>
<div id="footer">
<p>
The Codex —
Powered by <a href="http://markdoc.org/">Markdoc</a>.
<a href="https://bitbucket.org/ojacobson/grimoire.ca/src/master/wiki/authnz/users-rolegraph-privs.md">See this page on Bitbucket</a> (<a href="https://bitbucket.org/ojacobson/grimoire.ca/history-node/master/wiki/authnz/users-rolegraph-privs.md">history</a>).
</p>
</div>
</div>
</body>
</html>
|
