Re: [HACKERS] RFC: Security and Impersonation - Mailing list pgsql-hackers

From Philip Warner
Subject Re: [HACKERS] RFC: Security and Impersonation
Date
Msg-id 3.0.5.32.19990724224027.00afd850@mail.rhyme.com.au
Whole thread Raw
In response to Re: [HACKERS] RFC: Security and Impersonation  (The Hermit Hacker <scrappy@hub.org>)
List pgsql-hackers
At 08:54 23/07/99 -0300, The Hermit Hacker wrote:
>
>Can't we do this already with views?
>

Not really. A combination of Views, Triggers and Rules will almost do it, but at the expense of being harder to
maintainand more difficult to understand. It may be worth giving a real-world example:
 

Create Table Access_Codes(ACCESS_CODE Char(4), DESCRIPTION Varchar(62));
Insert into ACCESS_CODES Values('SUPR','User may perform any action');
...+various others

Create Table USER_ACCESS(USER_ID Int4, ACCESS_CODE Char(4));

Create Table USERS(USER_ID Int4, USERNAME Varchar(30));

Create Table GROUPS(GROUP_ID Int4, GROUP_NAME Varchar(30));

Create Table USER_GROUPS(GROUP_ID Int4, USER_ID Int4);
Insert Into...etc

The idea is to have 'ACCESS_CODES' function like priviledges - possibly overriding group membership, and have groups
functiona lot like unix groups.
 

Next define the things you want to control (in my case documents stored as blobs):

Create Table DOCUMENTS(DOCUMENT_ID Int4, DOCUMENT_SOURCE <Blob>, ....) etc.

Create Table DOCUMENT_GROUPS(DOCUMENT_ID Int4, GROUP_ID Int4);

The idea is that documents can be members of groups, and that a user must be a member of a group before they can change
thedocument.
 

Next write the 'update' procedure:

CREATE FUNCTION Update_Document (int4,...<args>...)       RETURNS Varchar(255) AS '
Declare   DocID    Alias for $1;   UserID   int4;   Msg    Varchar(255);   isOK    int4;
...declare some other stuff..
Begin   Set :isOK = 1;   Set Msg = 'OK';   Set UserID = (Select USER_ID From USERS Where USERNAME = CURRENT_USER;   If
notexists(Select * From USER_GROUPS UG, DOCUMENT_GROUPS DG Where                   UG.USER_ID = UserID        And
DG.GROUP_ID= UG.GROUP_ID                   And DG.DOCUMENT_ID = DocID) Then
 
       If Not Exists(Select * From USER_ACCESS Where USER_ID = UserID                      and ACCESS_CODE = 'SUPR')
   Then           Set :isOK = False;           Set :Msg = 'User has no access to document';       End If;   End If;
 
   If isOK == 1 Then       <Do The Update>;   End If;
   Return Msg;

End;

And finally, set the table protections:

Revoke All On Table <All> from <All>;
Grant All On Table <All> To SPECIAL_USER;

Grant Execute on Function UPDATE_DOCUMENT To Public;

Set Authorization On Function UPDATE_DOCUMENT To SPECIAL_USER;
^
|
+-- This is the important bit.


What we now have is a table that can only be updated according to a set of rules contained in one procedure, and which
returnsa useful error message when it fails. The rules for access can be as complex as you like, and this system does
notpreclude the use of triggers to enforce both integrity and further security.
 
The same could probably be achieved using rules and triggers for updates, but would not return a nice message on
failure,and would, IMO, be less 'clear'.
 

Sorry for the length of the example, but I hope it puts things a little more clearly.

>On Fri, 23 Jul 1999, Philip Warner wrote:
>
>> A very useful feature in some database systems is the ability to restrict who can run certain external or stored
procedures,and to grant extra access rights to users when they do run those procedures.
 
>> 
>> The usefulness of this may not be imediately obvious, but it is a very powerful feature, especially for preserving
integrityand security:
 
>> 
>> Simple uses include:
>> 
>> 1. Make all tables 'read-only', then all updates must happen through procedures. The procedures can make data-based
securitychecks, and can ensure integrity.
 
>> 
>> 2. Make some tables unreadable, then data can only be retrieved via procedures. Once again, data-based security can
beachieved.
 
>> 
>> The way this is implemented it to specify that when a procedure is run by *any* user, the procedure runs with the
accessrights of another user/group/entity. 
 
>> 
>> Procedures must also have security associated with them: it is necessary to grant 'execute' access on procedures to
theusers who need to execute them.
 
>> 
>> Since this *seems* like it is not likely to get too far into the internals of the optimizer, and seems to be an area
thatis not under active development by others, and since I am looking for a way to contribute to development, I would
beinterested in comments that:
 
>> 
>> 1. Tell me if this is much bigger than I think it is.
>> 2. Tell me if it sounds useful.
>> 3. Is a good learning excercise.
>> 4. If it is stepping on other people's toes.
>> 5. How to do it 8-}
>> 
>> I look forward to comments and suggestions...I think.
>> 
>> 
>> 
>> ----------------------------------------------------------------
>> Philip Warner                    |     __---_____
>> Albatross Consulting Pty. Ltd.   |----/       -  \
>> (A.C.N. 008 659 498)             |          /(@)   ______---_
>> Tel: +61-03-5367 7422            |                 _________  \
>> Fax: +61-03-5367 7430            |                 ___________ |
>> Http://www.rhyme.com.au          |                /           \|
>>                                  |    --________--
>> PGP key available upon request,  |  /
>> and from pgp5.ai.mit.edu:11371   |/
>> 
>
>Marc G. Fournier                   ICQ#7615664               IRC Nick: Scrappy
>Systems Administrator @ hub.org 
>primary: scrappy@hub.org           secondary: scrappy@{freebsd|postgresql}.org 
>
>
----------------------------------------------------------------
Philip Warner                    |     __---_____
Albatross Consulting Pty. Ltd.   |----/       -  \
(A.C.N. 008 659 498)             |          /(@)   ______---_
Tel: +61-03-5367 7422            |                 _________  \
Fax: +61-03-5367 7430            |                 ___________ |
Http://www.rhyme.com.au          |                /           \|                                |    --________--
PGP key available upon request,  |  /
and from pgp5.ai.mit.edu:11371   |/


pgsql-hackers by date:

Previous
From: "D'Arcy" "J.M." Cain
Date:
Subject: Re: [HACKERS] Phantom row from aggregate in self-join in 6.5
Next
From: Philip Warner
Date:
Subject: Re: [HACKERS] RFC: Security and Impersonation