The SUDO Framework: For Data Organization And Efficient Query Authorization For NoSQL Databases

Date
2020-12-07
Journal Title
Journal ISSN
Volume Title
Publisher
Abstract
Due to the variety of NoSQL databases and database models, along with their schemaless nature, it has been a challenge to develop a framework that can enforce fine-grained access control policies and can be applicable to multiple NoSQL databases ranging over a variety of database models. In this thesis we present SUDO: Semi- / Unstructured Data Organization Framework for defining pseudo-dynamic schemata. The SUDO framework is comprised of four main features. i) SUDO is designed to be applicable to multiple NoSQL database technologies and models. ii) SUDO operates between the database and the application layer. iii) SUDO provides the tools for defining a pseudo-dynamic schema for databases with semi-structured or unstructured data. The pseudo-dynamic schema is based on Description Logic ontology. iv) SUDO provides the tools for validating database queries against that pseudo-dynamic schema and weaving queries and access control policies to simultaneously evaluate and authorize the query results.We present the SUDO framework in three parts. First, we present AReBAC, an attribute-supporting ReBAC model for Neo4j, a graph database. AReBAC focuses on weaving queries and policies for efficient authorization. AReBAC is also accompanied by GP-Eval, a query evaluation algorithm that surprisingly performs orders of magnitudes faster than the Cypher query evaluation engine provided by Neo4j, and introduces a new constraint satisfaction programming technique that we dubbed Live-End Backjumping. Next, we present SUDO as a framework for MongoDB, a document-based database. At this stage we focus on defining a pseudo-dynamic schema for a MongoDB state, and validating database queries against the pseudo-dynamic schema. Finally, we further extend SUDO by presenting a set of relations between queries and polices required to weave the two together and form a query that simultaneously evaluates and authorizes the query results. We also present a set of tests to verify if a query and a policy are compatible with each other, and identify the reason for incompatibility (if any). We then generalize SUDO so that it is not only specific to MongoDB, by presenting AReBAC as an extension of SUDO, and applying SUDO to Cassandra, a wide-column database.
Description
Keywords
Security, Access Control, Relationship-Based Access Control, ReBAC, Attribute-Supporting Relationship-Based Access Contrl, AReBAC, Database, Schema, Neo4j, MongoDB, Cassandra: NoSQL, Dynamic Schema, Pseudo-Dynamic Schema, SUDO
Citation
Rizvi, S. R. (2020). The SUDO Framework: For Data Organization And Efficient Query Authorization For NoSQL Databases (Doctoral thesis, University of Calgary, Calgary, Canada). Retrieved from https://prism.ucalgary.ca.