1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
|
# A Users, Roles & Privileges Scheme Using Graphs
The basic elements:
* Every agent that can interact with a system is represented by a **user**.
* Every capability the system has is authorized by a distinct **privilege**.
* Each user has a list of zero or more **roles**.
* Roles can **imply** further roles. This relationship is transitive: if
role A implies role B, then a member of role A is a member of role B; if
role B also implies role C, then a member of role A is also a member of
role C. It helps if the resulting role graph is acyclic, but it's not
necessary.
* Roles can **grant** privileges.
A user's privileges are the union of the privileges granted by the transitive
closure of their roles.
## In SQL
create table "user" (
username varchar
primary key
-- credentials &c
);
create table role (
name varchar
primary key
);
create table role_member (
role varchar
not null
references role,
member varchar
not null
references "user",
primary key (role, member)
);
create table role_implies (
role varchar
not null
references role,
implied_role varchar
not null
);
create table privilege (
privilege varchar
primary key
);
create table role_grants (
role varchar
not null
references role,
privilege varchar
not null
references privilege,
primary key (role, privilege)
);
If your database supports recursive CTEs, querying this isn't awful, since we
can have the database do all the graph-walking along roles:
with recursive user_roles (role) AS (
select
role
from
role_member
where
member = 'SOME USERNAME'
union
select
implied_role as role
from
user_roles
join role_implies on
user_roles.role = role_implies.role
)
select distinct
role_grants.privilege as privilege
from
user_roles
join role_grants on
user_roles.role = role_grants.role
order by privilege;
If not, get a better database. Recursive graph walking with network round
trips at each step is stupid and you shouldn't do it.
Realistic uses should have fairly simple graphs: elemental privileges are
grouped into abstract roles, which are in turn grouped into meaningful roles
(by department, for example), which are in turn granted to users. In
PostgreSQL, the above schema handles ~10k privileges and ~10k roles with
randomly-generated graph relationships in around 100ms on my laptop, which is
pretty slow but not intolerable. Perverse cases (interconnected total
subgraphs, deeply-nested linear graphs) can take absurd time but do not
reflect any likely permissions scheme.
## What Sucks
* Graph theory in my authorization system? It's more likely than you think.
* There's no notion of revoking a privilege. If you have a privilege by any
path through your roles, then it cannot be revoked except by removing all of
the paths that lead back to that privilege.
* Not every system has an efficient way to compute these graphs.
* PostgreSQL, as given above, has a hard time with unrealistically-deep
nested roles.
|
