Exist database user authorisation per resource possible?

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

Exist database user authorisation per resource possible?

Nick van Spingelen
Exist database user authorisation per resource possible?

Dear collegues,

Currently I am looking at the usability of Exist for a kind of knowledge base application. In this application, users are allowed to read and/or update specific xml fragments, each fragment representing a knowledge item. Similar knowledge items have been modeled in a way that they are stored together in a  resource.

I have tried to find information on ow to use the database security methods to allow certain users to read and/or update specific resource files (XML files). It seemsto me that Exist does not suport this. It allows groups of users certain rights, but not individual uders (exept the owner).

Can anyone give me directions on how to implement a security model where for instance (none of the users is owner):
- user A is able to read resource 1,2,3 and to update resource 1
- user B is able to read resource 2,3 and to update resource 2
- user C is able to read resource 1,3 and to update resource 1,3
- User D is able to read resource 1

(Hereby assuming that update rights are always a subset of read rights since one has to be able to read in order to know what to update.)

Tnx inadvance for any suggestions!


Nick
 


Reply | Threaded
Open this post in threaded view
|

adding a built-in module

Chris Tomlinson-2
Hi,

I using eXist snapshot 20050805 on Mac OS X 10.4.2 (Java 1.4.2_09). eXist is running in tomcat 5.0.28.

I've written a module and a couple of functions to provide access from XQuery to some gnarly java code for working with Tibetan strings. I modeled the code off of ExampleModule.

I packaged the module and functions up with the gnarly java code in a jar (tbrc-dlms-exist.jar).

I put the jar in /usr/local/tomcat/webapps/exist/WEB-INF/lib/.

I added the following to the <modules/> section of /usr/local/tomcat/webapps/exist/WEB-INF/conf.xml:

<module uri="http://tbrc.org/xquery/ewts2html"
  class="org.tbrc.dlms.exist.xqueries.modules.ewts2html.EwtsToHtmlModule"/>

When I perform:

    http://localhost:9080/exist/xquery/functions.xq

I don't see any evidence of the (new) EwtsToHtmlModule. I've looked at all log files in:

    /usr/local/tomcat/webapps/exist/WEB-INF/logs

and find no evidence of an error related to trying to locate the module class.

I'd appreciate any help on what I need to do to get the module recognized.

Thanks,
Chris


-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open
Reply | Threaded
Open this post in threaded view
|

Re: adding a built-in module

wolfgangmm
In reply to this post by Nick van Spingelen
Hi,

I can't find anything obviously wrong in your description. The module
should be loaded if the class is correctly found in the classpath.
Unfortunately, it seems we commented out some debug messages that
would be of help in this case. The whole module loading is done in
class org/exist/xquery/XQueryContext. In method loadDefaults(), remove
the comment in line
1449:

// LOG.debug("Loading module " + modules[i][0]);

Also check method loadBuiltInModule() and enable the 3 LOG statements
there. With these changes in place, you should see if your module is
loaded or if an error occurred.

Wolfgang


On 9/27/05, Chris Tomlinson <[hidden email]> wrote:

> Hi,
>
> I using eXist snapshot 20050805 on Mac OS X 10.4.2 (Java 1.4.2_09). eXist is running in tomcat 5.0.28.
>
> I've written a module and a couple of functions to provide access from XQuery to some gnarly java code for working with Tibetan strings. I modeled the code off of ExampleModule.
>
> I packaged the module and functions up with the gnarly java code in a jar (tbrc-dlms-exist.jar).
>
> I put the jar in /usr/local/tomcat/webapps/exist/WEB-INF/lib/.
>
> I added the following to the <modules/> section of /usr/local/tomcat/webapps/exist/WEB-INF/conf.xml:
>
> <module uri="http://tbrc.org/xquery/ewts2html"
>   class="org.tbrc.dlms.exist.xqueries.modules.ewts2html.EwtsToHtmlModule"/>
>
> When I perform:
>
>     http://localhost:9080/exist/xquery/functions.xq
>
> I don't see any evidence of the (new) EwtsToHtmlModule. I've looked at all log files in:
>
>     /usr/local/tomcat/webapps/exist/WEB-INF/logs
>
> and find no evidence of an error related to trying to locate the module class.
>
> I'd appreciate any help on what I need to do to get the module recognized.
>
> Thanks,
> Chris


-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open
Reply | Threaded
Open this post in threaded view
|

Re: adding a built-in module

Chris Tomlinson-2
Hi,

Thanks for the reply. Apparently I had an unresolved dependency in the jar when I built it. The logging helped very nicely. Now I can actually debug the code itself.

Thanks again,
Chris

>Hi,
>
>I can't find anything obviously wrong in your description. The module
>should be loaded if the class is correctly found in the classpath.
>Unfortunately, it seems we commented out some debug messages that
>would be of help in this case. The whole module loading is done in
>class org/exist/xquery/XQueryContext. In method loadDefaults(), remove
>the comment in line
>1449:
>
>// LOG.debug("Loading module " + modules[i][0]);
>
>Also check method loadBuiltInModule() and enable the 3 LOG statements
>there. With these changes in place, you should see if your module is
>loaded or if an error occurred.
>
>Wolfgang
>
>
>On 9/27/05, Chris Tomlinson <[hidden email]> wrote:
>> Hi,
>>
>> I using eXist snapshot 20050805 on Mac OS X 10.4.2 (Java 1.4.2_09). eXist is running in tomcat 5.0.28.
>>
>> I've written a module and a couple of functions to provide access from XQuery to some gnarly java code for working with
>Tibetan strings. I modeled the code off of ExampleModule.
>>
>> I packaged the module and functions up with the gnarly java code in a jar (tbrc-dlms-exist.jar).
>>
>> I put the jar in /usr/local/tomcat/webapps/exist/WEB-INF/lib/.
>>
>> I added the following to the <modules/> section of /usr/local/tomcat/webapps/exist/WEB-INF/conf.xml:
>>
>> <module uri="http://tbrc.org/xquery/ewts2html"
>>   class="org.tbrc.dlms.exist.xqueries.modules.ewts2html.EwtsToHtmlModule"/>
>>
>> When I perform:
>>
>>     http://localhost:9080/exist/xquery/functions.xq
>>
>> I don't see any evidence of the (new) EwtsToHtmlModule. I've looked at all log files in:
>>
>>     /usr/local/tomcat/webapps/exist/WEB-INF/logs
>>
>> and find no evidence of an error related to trying to locate the module class.
>>
>> I'd appreciate any help on what I need to do to get the module recognized.
>>
>> Thanks,
>> Chris
>
>
>-------------------------------------------------------
>This SF.Net email is sponsored by:
>Power Architecture Resource Center: Free content, downloads, discussions,
>and more. http://solutions.newsforge.com/ibmarch.tmpl
>_______________________________________________
>Exist-open mailing list
>[hidden email]
>https://lists.sourceforge.net/lists/listinfo/exist-open


-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open
Reply | Threaded
Open this post in threaded view
|

Re: Exist database user authorisation per resource possible?

wolfgangmm
In reply to this post by Nick van Spingelen
> I have tried to find information on ow to use the database security methods
> to allow certain users to read and/or update specific resource files (XML
> files). It seemsto me that Exist does not suport this. It allows groups of
> users certain rights, but not individual uders (exept the owner).

Permissions in eXist closely follow the Unix model and roles are
indeed limited to owner, group and world. The Unix model is simple and
space efficient (just one byte used for storing permissions), but we
already thought about implementing a more flexible ACL model.

Anyway, adding your own security layer on the application level is
always possible if access to eXist is exclusively done through your
application. Otherwise, we would have to discuss how to extend the
current security model, i.e. throw away the Unix style permissions and
switch to a more flexible scheme. That's certainly possible if one
figures out a good model.

Wolfgang


-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open
Reply | Threaded
Open this post in threaded view
|

Re: Exist database user authorisation per resource possible?

Mark Harrah-4
In reply to this post by Nick van Spingelen
Hi all,

> Otherwise, we would have to discuss how to extend the
> current security model, i.e. throw away the Unix style permissions and
> switch to a more flexible scheme. That's certainly possible if one
> figures out a good model.

I would like to make an attempt at proposing a security model.  I think it
will require changes to many classes, so it might be targeted for after the
1.0 release.  I hope this is useful, if only as a starting point for
discussion.

My goals were:
  -a pluggable security manager
  -extensibility for future additions/changes to security
  -more control over eXist's internal actions
  -flexible authentication
  -centralizing eXist's security-related features

Thanks,
Mark


A security model proposal:
The security manager should be selectable/pluggable.  It should be selectable
either at runtime or through the configuration file.  There should be at
least one implementation that comes with eXist.  I would suggest that there
be one very similar to the current security model for backwards compatibility
(if that is important) and for those who do not need much more.  A second,
more advanced security manager should take advantage of the newer features
for those that want more flexibility.

eXist should delegate to the security manager when anything security-related
occurs.  If the security manager declines the request, it should throw an
EXistSecurityException (or whatever name it is given).  The list of actions
that are checked should include:
  changing security model
  if an XQuery module (or function?) can be directly called by user code/query
  if an XQuery module is allowed to be indirectly loaded
  what the XQuery timeout and maximum memory usage settings should be for a
given user
  whether a user may read,store,remove, or rename a collection
  whether a user may read,create,remove,rename,update of a document
  if a user can shutdown the database
  if a user can reindex the database or a collection
  if a user is allowed, or what a user is allowed to backup/restore
  which of the above permissions a user may change

The security model should also handle user authentication.  This will allow
the security manager to look up users elsewhere: this might be useful for
people at a company/instituation where people already have user names and
passwords.  Also, clear-text may be fine for one developer, whereas another
may want challenge-response based authentication.

This will likely require changes to how the permissions and users are stored
because a given security manager will have its own metadata to store per
document and/or collection and will have different global permissions storage
needs.

Possibilities enabled by flexible security model:
  -the security model could potentially enforce fine grained access if eXist
asked the security manager's permission on an element/attribute/text basis.  
This might be a performance hit so it should probably be disabled by default.  
I don't know the details, such as where this would take place (indexing,
querying, serialization, or all three), or if it is desired/practical.
  -centralizes, standardizes, and allows easier customization of default
permissions, data permissions, XQuery permissions, and authentication
  -selection of authentication method


-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open
Reply | Threaded
Open this post in threaded view
|

extension modules must be packaged in exist-module.jar?

Chris Tomlinson-2
In reply to this post by Chris Tomlinson-2
Hi,

I'm back with another question regarding builtin extension modules.

It seems that if I'm trying to add the module to a standalone eXist installation I seem to have to add the classes to the exist-modules.jar. On the other hand sometimes I can just add a self-contained xyz.jar to the $TOMCAT_HOME/webapps/exist/WEB-INF/lib; except on a linux platform I couldn't get this to work but could get it all to work when I rebuilt the exist-modules.jar with my exstenion module.

I'd like to do this in the intended way for eXist so I'm looking for guidance about what is supposed to be the way to add extension modules that will work across the different ways of deploying eXist.

Please pardon my questions if this has been dealt with in the docs already, as I have looked but may have missed the info.

Thanks in advance,
Chris


-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open
Reply | Threaded
Open this post in threaded view
|

Re: extension modules must be packaged in exist-module.jar?

wolfgangmm
> I'd like to do this in the intended way for eXist so I'm looking for guidance about what is supposed to be the way to add extension modules that will work across the different ways of deploying eXist.

Just to be sure: I assume you included the new module in
WEB-INF/conf.xml? If yes, I don't really have a clue why it isn't
loaded in the tomcat context.

All modules are loaded via Java introspection, using
Class.forName(moduleClass) to look up the class. It should not make a
difference if the module is contained in exist-modules.jar or in
another jar in the classpath.

Concerning the classpath:

1) if you are starting eXist with the bootloader (contained in
start.jar), eXist will build its own classpath. All jars in e.g.
lib/optional are added by default, so putting your jar in there should
help.

2) if you deployed eXist in tomcat, so the bootloader is not used and
every jar in WEB-INF/lib should be in the classpath.

Wolfgang


-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open
Reply | Threaded
Open this post in threaded view
|

Re: Exist database user authorisation per resource possible?

wolfgangmm
In reply to this post by Mark Harrah-4
Hi Mark,

thanks for the proposal. Sounds good and I think I agree with most of
your suggestions.

> The security manager should be selectable/pluggable.  It should be selectable
> either at runtime or through the configuration file.  There should be at
> least one implementation that comes with eXist.  I would suggest that there
> be one very similar to the current security model for backwards compatibility
> (if that is important) and for those who do not need much more.  A second,
> more advanced security manager should take advantage of the newer features
> for those that want more flexibility.

Ok. Right now, there's a single SecurityManager instance for every
database instance (i.e. every active BrokerPool instance). In order to
provide a pluggable system, SecurityManager should become an interface
and offer methods to check permissions etc., things that are currently
provided by the document and collection classes.

> eXist should delegate to the security manager when anything security-related
> occurs.  If the security manager declines the request, it should throw an
> EXistSecurityException (or whatever name it is given).  The list of actions
> that are checked should include:
>   changing security model
>   if an XQuery module (or function?) can be directly called by user code/query

It should be possible to restrict access to specific functions, not
just modules. At a minimum, eXist should deny access to potentially
harmful Java classes.

>   if an XQuery module is allowed to be indirectly loaded
>   what the XQuery timeout and maximum memory usage settings should be for a
> given user
>   whether a user may read,store,remove, or rename a collection
>   whether a user may read,create,remove,rename,update of a document

So far, owner, group and permissions were directly stored with the
collection or document data. To implement a more flexible system, we
will probably need to provide a mechanism to attach arbitrary metadata
to documents and collections. This would be a nice feature anyway ;-)
It would be the SecurityManager's responsibility to store/retrieve the
information it needs.

>   if a user can shutdown the database
>   if a user can reindex the database or a collection
>   if a user is allowed, or what a user is allowed to backup/restore
>   which of the above permissions a user may change
>
> The security model should also handle user authentication.  This will allow
> the security manager to look up users elsewhere: this might be useful for
> people at a company/instituation where people already have user names and
> passwords.  Also, clear-text may be fine for one developer, whereas another
> may want challenge-response based authentication.
>
> This will likely require changes to how the permissions and users are stored
> because a given security manager will have its own metadata to store per
> document and/or collection and will have different global permissions storage
> needs.

Ok, just what I wrote above...

> Possibilities enabled by flexible security model:
>   -the security model could potentially enforce fine grained access if eXist
> asked the security manager's permission on an element/attribute/text basis.
> This might be a performance hit so it should probably be disabled by default.
> I don't know the details, such as where this would take place (indexing,
> querying, serialization, or all three), or if it is desired/practical.
>   -centralizes, standardizes, and allows easier customization of default
> permissions, data permissions, XQuery permissions, and authentication
>   -selection of authentication method

We would probably have to implement this model step by step. Right
now, I desperately need access control to modules and functions, so
this could be the first priority. How much time could you contribute -
if you're available at all?

Wolfgang


-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open