formalizing and ref ining authorization in sql
play

Formalizing and Ref ining Authorization in SQL by Aaron Rosenthal - PowerPoint PPT Presentation

Formalizing and Ref ining Authorization in SQL by Aaron Rosenthal and Edward Sciore (MI TRE) J i-Won Byun Tr uSe Reading Group J anuar y 11, 2005 I ntroduction Problems of current aut horizat ion semant ics of SQL t oo complex due t


  1. Formalizing and Ref ining Authorization in SQL by Aaron Rosenthal and Edward Sciore (MI TRE) J i-Won Byun Tr uSe Reading Group J anuar y 11, 2005

  2. I ntroduction � Problems of current aut horizat ion semant ics of SQL – t oo complex due t o t riggers, obj ect s, and ot her f eat ures. – Numerous special cases and unnecessary rest rict ions. – DBA must cope wit h diverse user communit ies. � Goal – Reduce t he ad hoc nat ure of aut horizat ion semant ics. – I nt roduce explicit , simple, and f ormal principles. – Formalizat ion and simplif icat ion st art f rom pract ice.

  3. Formalizing authorization in SQL � A dat abase consist s of a set of obj ect s – Obj ect s: schemas, base t ables, views, columns and procedures. – Each obj ect has a set of act ions t hat can be perf ormed on it ; e.g., select , updat e, insert , delet e and execut e. � Operat ion: ( α , O) – Specif ies a part icular act ion α on a part icular obj ect O. � I D (user): individuals, roles, groups, or Public. � Privilege: ( τ , θ ) – Allows an I D τ t o perf orm an operat ion θ .

  4. Formalizing authorization in SQL � Given a st at ement S, SQL implicit ly def ines a set of oper at ions, OPS(S), f or checking aut hor izat ion. – That is, an I D τ is aut hor ized t o per f or m S if f τ has a pr ivilege f or ever y oper at ion in OPS(S). – OPS(S) can be f ound by t he f ollowing r ules: � I f S is a quer y, OPS(S) cont ains (select , A) f or all columns A ment ioned in S. � I f S is an updat e, OPS(S) cont ains (updat e, A) f or each column A being updat ed, plus (select , B) f or all columns B ment ioned in S. � I f S is a call t o r out ine P, OPS(S) cont ains (execut e, P), plus (select , A) f or all columns A ment ioned in t he ar gument list . � I f S cont ains a nest ed st at ement S’, OPS(S) cont ains all operat ions of S’.

  5. Formalizing authorization in SQL � Example: Updat e T set A = C + 2 wher e B1 in (select B2 f r om V) � OP S(S) = { (select , T.B1), (select , T.C), (select , B.B2), (updat e, T.A)} � I f S is complex, t he comput at ion of OPS(S) may not be st r aight f or war d. – Unnecessary predicat es; e.g., t aut ologies and const raint s – select T.A f rom T where T.B is null or T.B * T.B > = 0 � (select , T.B) should not be in OPS(S) – The det ect ion of such predicat es is not decidable; t hey are not considered.

  6. Formalizing authorization in SQL Grant � An I D receives privileges via grant st at ement s. – An I D is able t o issue a grant st at ement f or an operat ion if – it s pr ivilege include a gr ant-opt ion privilege f or t he operat ion. Ownership � When an obj ect is creat ed, t he creat or is given – administ rat ive aut horit y over t he obj ect . Two aspect s: right s over t he def ined met adat a and right s – over t he inst ance populat ion Base t able: t he creat or is given all possible privileges. 1. Derived obj ect : t he creat or is given f ull right s on t he 2. met adat a and limit ed right s over t he inst ance populat ion.

  7. Formalizing authorization in SQL � Der ived obj ect s: pr ocedur es and views Each derived obj ect Z has a def ining st at ement , DEF(Z). – Unlike base t ables, when a derived obj ect is creat ed, t he – syst em inf ers t he appropriat e privileges based on t he cr eat or’s privileges on underlying obj ect s. The general principle is t hat it is saf e t o inf er privileges f or – t asks t he user could accomplish by ot her means; i.e., inf erence may increase convenience, but not power. The SQL I nf erence Principle: Let θ be an operat ion on � derived obj ect Z. Then Z’s creat or τ should receive privileges on θ provided t hat τ ’s abilit y t o access and modif y dat a does not increase.

  8. Formalizing authorization in SQL Example: creat e view Z as select A, C f rom T where T.B > 2 � Say t he creat or τ has privileges on (select , T) and (updat e, T.A). – Then it is wrong t o give τ t he privilege on (updat e, Z). – But it is okay t o give τ t he privilege on (updat e, Z.A). – I nf erences are j ust if ied by using query modif icat ion � Take a st at ement S involving derived obj ect Z, and produce an – equivalent st at ement S’ by replacing ref erences t o Z t o t ables in DEF(Z). Select Z.A f rom Z � select T.A f rom T where T.B > 2 – Thus, it would be wrong t o give τ an inf erred privilege on (select , – Z.A) unless τ already has privileges on (select , T.A) and (select , T.B).

  9. Formalizing authorization in SQL Query modif icat ion t echnique can provide a count erexample, but it � cannot prove t hat an inf erence is correct . We would have t o examine ever y possible st at ement involving Z. – Def init ion. Let Z be a derived obj ect , and let θ be an oper at ion on Z. � OPS( θ ) is f ound as f ollows: OPS((select , Z.B)) consist s of t hose oper at ions (select , T.A) such t hat – changing A-value of T can change t he B-value of Z. OPS((inser t , Z.B)) consist s of t hose oper at ions (inser t , T.A) if inser t ing – int o Z can cause an inser t ion int o T, and Z.B is der ived f r om T.A. OPS((delet e, Z)) consist s of (delet e, T) if delet ing Z can cause a – delet ion f r om T. OPS((updat e, Z.B)) consist s of t hose oper at ions (updat e, T.A) if – updat ing t he B-value of Z can cause a change in t he A-value of T. OPS((execut e, P)) consist s of t he oper at ions r equir ed t o execut e t he – body of P. That is, it cont ains each oper at ion in OPS(DEF(P)).

  10. Formalizing authorization in SQL The SQL Pr ivilege I nf er ence Rule: Let τ be t he cr eat or � of der ived obj ect Z and let θ be an oper at ion on Z. I nf er t he pr ivilege ( τ , θ ) if τ has a privilege f or every 1. operat ion in OPS( θ ). I nf er t he pr ivilege ( τ , grant θ ) if τ has grant -opt ion 2. privilege f or every operat ion in OPS( θ ). � Theorem. The privileges inf erred by t his rule sat isf ies t he SQL I nf erence Principle. Pr oved in t he paper –

  11. Proposed extension I nf erred privileges on derived obj ect s � I n st andard SQL, all privileges on a derived obj ect st em – f rom t he creat or. The ext ension is t o allow privileges on a derived obj ect s t o – be inf erred t o any I D, not j ust t he obj ect ’s creat or. � The inf er ence Pr inciple Let θ be an operat ion on derived obj ect Z. An I D τ receive – privilege on θ as long as τ ’s abilit y t o access and modif y dat a does not increase.

  12. Proposed extension Who may creat e a derived obj ect ? � As all privileges on a derived obj ect st em f rom t he creat or, SQL – does not allow an I D t o creat e an obj ect unless t he creat or receives a reasonable number of privileges. Wit hout t his rest rict ion, any user can creat e a derived obj ect – and receives what ever privileges t he syst em inf er. However, t he met adat a (def init ion) of derived obj ect must be – explicit ly cont rolled. I nt roduce a new act ion, Visible. – Privilege on (visible, Z) allows I D t o see Z’s def init ion. – Now some users can use Z wit hout knowing t he def init ion of Z. – Also t he creat or can allow some users t o see t he def init ion of Z wit hout giving t hem privileges t o use it .

  13. Proposed extension: Benef its Creat ors need not be administ rat ors. � Subj ect s wit h (visible, Z) and privileges on OPS( θ ) are – immediat ely able t o use θ wit hout any explicit grant by t he creat or. The creat or can give access t o Z t o anyone wit h suf f icient – aut horizat ion on t he underlying obj ect by grant ing (visible, Z) t o Public. P rivileges can be kept consist ent aut omat ically. � Consider a dat a warehouse, whose cont ent s are a mat erialized – view of it s underlying source dat abases. The proposed model provides a way t o enf orce consist ency – bet ween t he warehouse privileges and t he source privileges.

  14. Proposed extension: Benef its Explicit cont rol over met adat a privileges � SQL allows an I D wit h any privilege on an obj ect t o have t he – abilit y t o see all met adat a about t he obj ect ; more is revealed t hat required. A user wit h select privilege can see t he const raint s. – A user who can execut e a procedure can see t he def init ion. – I n some cases, t his is not desirable. – Unt rust ed I Ds can creat e usef ul derived obj ect s. � As t he creat or of a derived obj ect is t he source of all privileges – in SQL, only t rust ed users can creat e usef ul views. I n t he proposed model, I Ds can access t he obj ect even if t he – creat or is unt rust ed or lazy.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend


More recommend