Geek Answers Handbook

Access Control in Datomic

When writing applications based on Datomic and Clojure, peers seem to have unlimited data access. How to create a multi-user system where user A cannot access data that is private to user B?

I know that I can write queries in Clojure so that only the user's personal data is returned ... but what prevents the attacker from hacking binary files to see the personal data of user B?

UPDATE

It seems that the state of the Clojure / Datomic application is actually not safe, based on a response from @Thumbnail and a link to John P Hackworth's blog.

Let me state more clearly the problem that I see, because I do not see any solution for this and is the original problem that caused this question. I have to miss something and express my ignorance, so please, with me! Thanks: -)

Datomic has data warehouse, transaction and peer nodes. Access points are located on the computer and run data requests from the data warehouse. My question is how to restrict access to data in the data warehouse. Since the data store is dumb and actually just stores data, I'm not sure how to provide access control.

When AWS S3 is used as a data warehouse, the client (peer) must authenticate before accessing S3, but once it is authenticated, the partner does not have access to all the data !? Limited only by the requests that it runs, if the user wants to get other user data, they can change the code, binary, on the client so that the requests are executed with a different username, right? To be clear ... isn't access control just a condition for the request? Or is there a user connection that the data warehouse recognizes and the data warehouse limits which data is visible?

What am I missing?

In a traditional web environment such as Rails, server-side code restricts all data access and user authentication and authorization. The user can change the URLs or code on the client side, but the server does not allow access to the data, except the user provided the correct credentials.

Since the datastore in Datomic is dumb, it seems that it lacks the ability to restrict access for each user, and the application (peer-to-peer connection) should do this. I do not want to trust the user to behave and not try to acquire other users information.

A simple example is the banking system. Of course, the user will be authenticated ... but after that, what prevents them from modifying the side code / binary client to change data requests in order to get other users' account information from the data warehouse?

UPDATE - MODELS

Here are two possible models that I have, how Datomic and Clojure work ... the first is my current model (in my head).

  • the user computer starts the client / peer, which has requests and full access to the data store, where the user was authenticated before the client began thereby restricting users to those who have credentials.
  • The user computer has an interface (webapp) that communicates with the peer that is on the server. Requests are located on the server and cannot be changed by the user, therefore access control tools are under access control by the security of the server on which the peer is running.

If the second model is correct, then they will answer my question: the user cannot change the server code, and the server code contains access controls ... therefore the "peers" that, as I thought, remained on the user's computer are actually on the server applications.

+6
source share
3 answers

Your second model is correct. Datomic is designed so that peers, transactions, and repositories run within a trusted network boundary in the software and hardware that you manage. Application servers run a peer-to-peer library, and users interact with application servers through some protocol, such as HTTP. Within your application, you must provide a certain level of authentication and user authorization. This is consistent with the security model of most applications written on systems such as Rails (i.e., the end user does not require database permission, but rather application permission).

Datomic provides many very powerful abstractions to help you write auth (n | z) code at the application level. In particular, since transactions are first-class entities, Datomic provides the ability to comment on transactions during recording ( http://docs.datomic.com/transactions.html ) with arbitrary facts (for example, the username of the person responsible for the transaction, a group of groups and etc.). While reading, you can filter the database value ( http://docs.datomic.com/clojure/index.html#datomic.api/filter ) so that only facts that match the given predicate are returned from queries and other read operations in this database cost. This allows you to save authz problems from your query logic and sequentially align your security.

+10
source

As I understand it ... and this is far from complete ... please correct me if I am wrong ...

A distinctive feature of Datomic is that the query mechanism or most of it is located in the database client, and not on the database server. Thus, in your opinion, any "user" who gets programmatic access to the database client can do what they like with any content in the database.

On the other hand, the account system in such an Oracle restricts client access, so that a malicious user can, so to speak, destroy his own data.

But,...

Your application (the database client) does not need (and b **** y is better not needed!) Provides open access to any client user. You need to authenticate and authorize your users. You can show the user code to the client, but provided that your application is protected, no malicious actions can be made from this knowledge.

It follows that Datomic can sit in front of an SQL database to which limited access can be created.

Chas web search has appeared. Emerick Friend is a library for authenticating and authorizing users in Clojure. He also found John P Hackworth rated at the level that Clojure Internet security is worse than you think .

+2
source

You can use the transaction features to provide access restrictions for your peers / users. You can put data that describes your policies in db and use transactional functions to enforce them. This moves the mechanism and policy into the transaction. Transactions that do not meet the criteria can either fail or simply result in the inability to transfer data.

Obviously, you will need some way to protect these policies and transactional functions.

0
source

More articles:


All Articles