research-article

Efficient Authorization of Graph-database Queries in an Attribute-supporting ReBAC Model

Published: 06 July 2020

Abstract

Neo4j is a popular graph database that ships in two versions: an enterprise edition and a community edition. The enterprise edition offers customizable Role-based Access Control through custom-developed procedures, while the community edition offers no access control support at all. Being a graph database, Neo4j is a natural application for Relationship-Based Access Control (ReBAC), an access control paradigm in which authorization decisions are based on the relationships between subjects and resources in the system (i.e., an authorization graph). In this article, we present AReBAC, an attribute-supporting ReBAC model for Neo4j that provides finer-grained access control by operating over resources rather than procedures. AReBAC employs Nano-Cypher, a declarative policy language based on Neo4j's Cypher query language, which allows us to weave database queries together with access control policies and evaluate both simultaneously. Evaluating the combined query and policy produces a result that (i) matches the search criteria and (ii) the requesting subject is authorized to access. AReBAC is accompanied by the algorithms, and their implementation, required to realize the presented ideas, including GP-Eval, a query evaluation algorithm. We also introduce Live-End Backjumping (LBJ), a backtracking scheme that provides a significant performance boost over conflict-directed backjumping when evaluating queries. As demonstrated in our previous work, the original version of GP-Eval already performs significantly faster than Neo4j's Cypher evaluation engine. The optimized version of GP-Eval, which employs LBJ, improves performance significantly further, demonstrating the capabilities of the technique.
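The central idea of the abstract, conjoining a query pattern with a policy pattern and evaluating the conjunction in a single backtracking search so that only matches the requester is authorized to see are ever produced, can be illustrated with a small toy. The following is an added example written for this page; it is not the paper's GP-Eval, Nano-Cypher or LBJ, and it uses a plain chronological backtracking matcher rather than backjumping. The graph (doctors, patients, records), the pattern encoding, and all node and function names are constructed assumptions; the point it makes is that weaving the policy into the query yields exactly the same answers as running the query and filtering afterwards, while pruning unauthorized branches earlier.

```python
"""Toy illustration of weaving a graph query with a ReBAC policy and evaluating
both in one backtracking search. Constructed example; not the paper's code."""

# Constructed sample authorization graph (hypothetical medical-records data).
NODES = {
    "alice": {"label": "Doctor", "clearance": 2},
    "bob":   {"label": "Doctor", "clearance": 1},
    "carol": {"label": "Doctor", "clearance": 1},
    "p1":    {"label": "Patient"},
    "p2":    {"label": "Patient"},
    "r1":    {"label": "Record", "sensitivity": 1},
    "r2":    {"label": "Record", "sensitivity": 2},
    "r3":    {"label": "Record", "sensitivity": 1},
}
EDGES = {
    ("alice", "TREATS", "p1"), ("bob", "TREATS", "p2"), ("carol", "TREATS", "p1"),
    ("p1", "HAS", "r1"), ("p1", "HAS", "r2"), ("p2", "HAS", "r3"),
}

# A pattern is a dict: variables with required labels, edge constraints
# (src_var, type, dst_var), and attribute predicates over bound variables.
QUERY = {                                    # roughly "MATCH (p:Patient)-[:HAS]->(r:Record)"
    "vars": {"p": "Patient", "r": "Record"},
    "edges": [("p", "HAS", "r")],
    "preds": [],
}
POLICY = {                                   # requester must treat the patient and
    "vars": {"req": "Doctor", "p": "Patient", "r": "Record"},  # clear the record's sensitivity
    "edges": [("req", "TREATS", "p")],
    "preds": [(("req", "r"),
               lambda b: NODES[b["req"]]["clearance"] >= NODES[b["r"]]["sensitivity"])],
}

def weave(query, policy):
    """Conjoin a query pattern with a policy pattern over their shared variables."""
    for v, lbl in policy["vars"].items():
        if query["vars"].get(v, lbl) != lbl:
            raise ValueError(f"label clash on variable {v}")
    return {"vars": {**query["vars"], **policy["vars"]},
            "edges": query["edges"] + policy["edges"],
            "preds": query["preds"] + policy["preds"]}

def consistent(pattern, b):
    """Check every constraint whose variables are all bound."""
    for s, t, d in pattern["edges"]:
        if s in b and d in b and (b[s], t, b[d]) not in EDGES:
            return False
    return all(pred(b) for needed, pred in pattern["preds"] if all(v in b for v in needed))

def evaluate(pattern, bindings, stats=None):
    """Chronological backtracking matcher (a stand-in for GP-Eval, not its algorithm):
    bind one variable at a time and prune as soon as a constraint fails.
    If `stats` is given, it counts how many candidate assignments were tried."""
    order = [v for v in pattern["vars"] if v not in bindings]
    results = []

    def extend(i, b):
        if i == len(order):
            results.append(dict(b))
            return
        v = order[i]
        for n, attrs in NODES.items():
            if attrs["label"] != pattern["vars"][v] or n in b.values():
                continue
            if stats is not None:
                stats["tried"] = stats.get("tried", 0) + 1
            b[v] = n
            if consistent(pattern, b):
                extend(i + 1, b)
            del b[v]

    if consistent(pattern, bindings):
        extend(0, dict(bindings))
    return results

def authorized_records(requester, stats=None):
    """Evaluate query and policy together; only authorized (p, r) matches survive."""
    return sorted(m["r"] for m in evaluate(weave(QUERY, POLICY), {"req": requester}, stats))

def records_then_filter(requester, stats=None):
    """Reference semantics: run the query alone, then check the policy per result."""
    out = []
    for m in evaluate(QUERY, {}, stats):
        if evaluate(POLICY, {**m, "req": requester}):
            out.append(m["r"])
    return sorted(out)

if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, authorized_records(who))
```

With this data, alice (clearance 2, treating p1) sees r1 and r2, bob sees only r3, and carol (clearance 1, also treating p1) sees r1 but not the more sensitive r2; the post-filtering variant returns the same sets, but the woven search never descends into patients the requester does not treat, so it tries fewer candidate assignments.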

