Fong, Philip W. L.
Rizvi, Syed Zain R.
2023-02-11
2020-12-07

Rizvi, S. R. (2020). The SUDO Framework: For Data Organization And Efficient Query Authorization For NoSQL Databases (Doctoral thesis, University of Calgary, Calgary, Canada). Retrieved from https://prism.ucalgary.ca.
http://hdl.handle.net/1880/115855

Due to the variety of NoSQL databases and database models, along with their schemaless nature, it has been a challenge to develop a framework that can enforce fine-grained access control policies and is applicable to multiple NoSQL databases spanning a variety of database models. In this thesis we present SUDO: Semi- / Unstructured Data Organization Framework for defining pseudo-dynamic schemata. The SUDO framework has four main features.

i) SUDO is designed to be applicable to multiple NoSQL database technologies and models.
ii) SUDO operates between the database and the application layer.
iii) SUDO provides the tools for defining a pseudo-dynamic schema for databases with semi-structured or unstructured data. The pseudo-dynamic schema is based on Description Logic ontology.
iv) SUDO provides the tools for validating database queries against that pseudo-dynamic schema and weaving queries and access control policies to simultaneously evaluate and authorize the query results.

We present the SUDO framework in three parts. First, we present AReBAC, an attribute-supporting ReBAC model for Neo4j, a graph database. AReBAC focuses on weaving queries and policies for efficient authorization. AReBAC is also accompanied by GP-Eval, a query evaluation algorithm that surprisingly performs orders of magnitude faster than the Cypher query evaluation engine provided by Neo4j, and introduces a new constraint satisfaction programming technique that we dubbed Live-End Backjumping. Next, we present SUDO as a framework for MongoDB, a document-based database. At this stage we focus on defining a pseudo-dynamic schema for a MongoDB state, and validating database queries against the pseudo-dynamic schema. Finally, we further extend SUDO by presenting a set of relations between queries and policies required to weave the two together and form a query that simultaneously evaluates and authorizes the query results. We also present a set of tests to verify whether a query and a policy are compatible with each other, and to identify the reason for incompatibility (if any). We then generalize SUDO so that it is not specific to MongoDB, by presenting AReBAC as an extension of SUDO, and applying SUDO to Cassandra, a wide-column database.

en

University of Calgary graduate students retain copyright ownership and moral rights for their thesis. You may use this material in any way that is permitted by the Copyright Act or through licensing that has been assigned to the document. For uses that are not allowable under copyright legislation or licensing, you are required to seek permission.

Security
Access Control
Relationship-Based Access Control
ReBAC
Attribute-Supporting Relationship-Based Access Control
AReBAC
Database
Schema
Neo4j
MongoDB
Cassandra: NoSQL
Dynamic Schema
Pseudo-Dynamic Schema
SUDO
Computer Science

The SUDO Framework: For Data Organization And Efficient Query Authorization For NoSQL Databases
doctoral thesis