11.2.2 Authorization
Once you've verified the identity of your users (or their agents), you're ready to grant
them access to some or all of the database. The authorization process is shown in figure
11.5. Unlike authentication, which occurs once per session or query request, authorization
is a more involved process, since it means applying a complex, enterprise-wide
access-control policy to many data items. If not implemented carefully, authorization
can negatively impact the performance of large queries. A second requirement to consider
is the issue of security granularity and its impact on performance, as illustrated in
figure 11.6.
As you leave the authentication step and move toward the authorization phase of
a query, you'll usually have an identifier that indicates which user is making the
request. You can use this identifier to look up information about each user; for example,
what department, groups, and projects they're associated with and which roles
they've been assigned. Inside NoSQL databases, you can think of this information as an
individual's smart-card badge and your database as a series of rooms in a building
with security checkpoints at each door. But most user interfaces use folder icons that
contain other folders. Here, each folder corresponds to a directory (or collection)
and document within the database. In other systems, this same folder concept uses
buckets to describe a collection of documents. Figure 11.7 is an example of this
folder/collection concept.
You use the information about a user and their groups to determine whether they
have access to a folder and what actions they can perform. This implies that if you
want to read a file, you'll need read access to the directories that contain the file as
well as all the ancestor folders up to the root folder of the database. As you can see,
the deeper you go into a directory, the more checks you need to perform. So the
checks need to be fast if you have many folders within folders.
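The ancestor-folder rule above can be sketched as follows. This is an added example, not code from the book or from any particular NoSQL product; the ACL table, group names, paths, deny-by-default rule and the use of a cache to keep repeated checkpoint lookups cheap are all assumptions made for illustration.

```python
from functools import lru_cache
from pathlib import PurePosixPath

# Constructed sample ACLs: path -> {group: permissions}. Paths, group names
# and the deny-by-default rule are assumptions made for this example.
ACLS = {
    "/": {"staff": {"read"}},
    "/hr": {"hr": {"read", "write"}},
    "/hr/reviews": {"hr": {"read", "write"}},
    "/hr/reviews/2013.xml": {"hr": {"read"}},
    "/projects": {"staff": {"read"}},
    "/projects/apollo": {"apollo-team": {"read", "write"}},
    "/projects/apollo/plan.xml": {"apollo-team": {"read"}, "staff": {"read"}},
}

def checkpoints(path):
    """Every node from the root folder down to `path`, root first."""
    p = PurePosixPath(path)
    return [str(a) for a in reversed(p.parents)] + [str(p)]

@lru_cache(maxsize=4096)  # call node_allows.cache_clear() whenever ACLS changes
def node_allows(node, groups, action):
    """One checkpoint: does any of the user's groups hold `action` here?"""
    entry = ACLS.get(node, {})  # no ACL entry means deny
    return any(action in entry.get(g, ()) for g in groups)

def authorize(groups, path, action="read"):
    """Require read on each ancestor and `action` on the target.
    Returns (allowed, number_of_checkpoints_evaluated)."""
    p = PurePosixPath(path)
    if not p.is_absolute() or ".." in p.parts:
        return False, 0  # reject paths that could sidestep an ancestor check
    groups = frozenset(groups)
    chain = checkpoints(p)
    for n, node in enumerate(chain, start=1):
        needed = action if n == len(chain) else "read"
        if not node_allows(node, groups, needed):
            return False, n
    return True, len(chain)

if __name__ == "__main__":
    # The document ACL grants staff read, but /projects/apollo does not.
    print(authorize({"staff"}, "/projects/apollo/plan.xml"))
    print(authorize({"staff", "apollo-team"}, "/projects/apollo/plan.xml"))
```

The second value in each result is the number of checkpoints evaluated, which grows with the depth of the document in the folder tree.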
In most large database systems, the authorization process will first look up additional
information about each user. The most typical information might be what organization
you work for in the company, what projects or groups you're associated with,
and what roles you've been assigned. You can use the user identifier directly against
Figure 11.6 Before you create a NoSQL application, you must consider the granularity of
security your application needs. A coarse grain allows access control at the entire
database or collection level. Finer-grained controls allow you to control access to a
collection, an individual document, or an element within a document. But fine-grain may
have performance impacts on your system.
[Figure 11.6 diagram: granularity levels Database, Collection, Document, Element, running from coarse-grained access control (little performance impact) to fine-grained access control (large performance impact).]