Re: [JDBC] [SQL] Thoughts on a Isolation/Security problem. - Mailing list pgsql-admin

From Mark Lewis
Subject Re: [JDBC] [SQL] Thoughts on a Isolation/Security problem.
Date
Msg-id 1145384691.29754.50.camel@archimedes
Whole thread Raw
In response to Re: [SQL] Thoughts on a Isolation/Security problem.  (Achilleus Mantzios <achill@matrix.gatewaynet.com>)
List pgsql-admin
On Tue, 2006-04-18 at 14:32 +0300, Achilleus Mantzios wrote:
> Thanx for your thoughts, but this would require touching
> 173 tables +
> 2,594 SQL statements in a sum of 324 programs (which sum into 125,085
> lines of code)


We did a very similar conversion to the one proposed here a couple of
years back, and switched an old Java app from a dedicated schema-per-
client model to a shared schema with company ID model.  I figured I'd
share our results, to at least give you a data point on what you could
expect if you went that route.

At the time, the application consisted of roughly 90 tables and 90,000
lines of code.  Never counted the SQL statements there were probably
very roughly 1000.

We had the advantage of having the 90,000 LOC spread across only two
larger applications instead of a bunch of small programs.

It actually ended up being a much easier process than we had expected,
because the application logic didn't really need change all that much.
The major steps were:

1. Add an extra company FK to the top-level objects in our data model.
For example, we added companyId to the userdetail table, but not to the
address table which depends on the userdetail table.  In our case, this
meant that we needed to add a column to about 30 (one third) of our
tables.  Not very difficult.

2. Inserts into those 30 tables were modified to include an extra
parameter.  The actual insert change is trivial, but depending on your
plumbing it might take some refactoring to get the companyId to the code
that does the inserts.  This involved a moderate code refactoring, but
the changes were very straightforward and not too prone to errors.

3. Because we didn't support moving from one company to another, the
update and most of the select logic didn't change at all.

4. Needed to update all of the search queries to only search within the
current company.  Fortunately, this type of query is relatively rare.
In our case, there were only about 20 that needed updates out of our
1000 queries.  The change is also simple, just add one AND to the WHERE
clause.

5. Security checks.  This is the only step that took a good chunk of
time, because our application is web-based and so a mischievous user
could muck with id's in the HTTP POSTS on pretty much any page in our
application.  This meant that we needed to be careful to always do
company checks before processing any user input.  Fortunately for us, at
the same time we were enhancing our security model anyway, so doing the
extra company check really added no extra time on top of the work that
needed to be done anyway.

Steps 1-4 took a single developer 3 days to implement.  Step 5 was
harder to measure because as I mentioned we bundled it together with a
larger security overhaul, but to perform it separately (and do an audit
to make sure it was correct) would have taken perhaps a week or two.

Anyway, overall in our case we had a pretty successful conversion.  It
ended taking significantly less time than anticipated, and the decreased
maintenance of only managing one database and the ease of building new
global administrative and reporting tools definitely made the project
worth while.

-- Mark Lewis

pgsql-admin by date:

Previous
From: "Thomas F. O'Connell"
Date:
Subject: Re: Invalid Page Headers
Next
From: Tom Lane
Date:
Subject: Re: Invalid Page Headers