Architecting a platform authorization permission model

An important part of any platform (PaaS) authentication's security is to be able to limit and/or define a particular application or user's "rights" or permissions on either a user/app basis or a per-authentication basis.

The common permission model found in modern platform or product API’s is based on an idea of "Scopes". In my research, GitHub, Facebook, Instagram, Etsy (and more) all use this style of permission modeling in their OAuth implementations. However, this “scopes” model seems to be only concerned with how external (ie. third party) applications access an authenticated user’s data.

Internally, permission models seem to be either more focused on a "role" based model (admin, moderator, user, etc) or a number of other custom implementations.

My question is this: "What permission model would best fit a modern PaaS that would like to both limit its users from certain actions AND limit 3rd party applications from accessing a user’s data, and how could that be architected in a performance conscious way?"

My initial research led me to an internal and external usage of a scope-based permission model. Unfortunately, architecting such a system isn’t trivial. I’ve seen multiple methods of creating such an architecture:

  1. The AR-friendly relational DB way:

    • Creating multiple tables with join tables for a many-to-many relationship between a list of permissions, a user’s available permissions, a user’s token, and a user token’s active permissions.

    • A user may authenticate with a token and specify as many permissions to be available on that token up to the permissions originally set for that user

  2. The clever Bit-masking way:

    • Using a simple integer column in a data set to store an integer value

    • The integer value is accessed in a binary way, using bitwise operators to set, get, toggle (etc) the permissions of a user or their token by representing a permission as a single bit

There seem to be some pros and cons to each. The AR-friendly way seems like it's a very flexible solution, but also seems like it could be a serious performance hit, since multiple joins/queries would have to be run and ORM model instances would have to be created on every authenticated call. The Bit-masking method seems like it would be very fast and efficient, but would be less intuitive to develop and would be more prone to error. Also, bit-masking seems like it would be a limiting solution in that it would only easily allow a very "binary" permission model (can or cannot do) with no middle-ground/happy-medium and that it would limit the permissions to a hard 64-bit limit based on hardware limitations.

Is there another method of permission modeling or architecting that I’m missing/not thinking of? Or am I on the right track and the performance consideration is not as huge a concern (as far as the relational method goes) as I’m making it out to be?

Thank you so much!

tl;dr:

What permission model would best fit a modern PaaS that would like to both limit its users from certain actions AND limit 3rd party applications from accessing a user’s data, and how could that be architected in a performance conscious way?

Rican7 asked Jul 16 '13 18:07
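The two models described in the question can share one authorization rule: a token may carry no more than its user currently holds, and a request passes only if every required scope is present. The following is an added example (not code from the question, the answer, or Spring Security) that implements that rule over the bit-mask representation and, for the case where more than 64 permissions are needed, over a plain set of scope names; the scope names, the `perm_mask` column and all sample grants are constructed for illustration.

```python
from __future__ import annotations
from enum import IntFlag, auto


class Scope(IntFlag):
    """One permission per bit, as in the bit-masking model. Hypothetical scope names;
    a BIGINT column holds 63 usable bits, so this representation caps out there."""
    READ_PROFILE = auto()
    WRITE_PROFILE = auto()
    READ_REPOS = auto()
    WRITE_REPOS = auto()
    ADMIN = auto()


def issue_token(user_grants: Scope, requested: Scope) -> Scope:
    """Mint a token's scope mask from what the client asked for.

    Refuses (rather than silently trimming) any scope the user does not hold,
    so a client cannot obtain a broader token than its user by over-asking.
    Plain-int arithmetic is used so the complement is well defined on every
    Python version.
    """
    excess = Scope(int(requested) & ~int(user_grants))
    if excess:
        raise PermissionError(f"user does not hold {excess!r}")
    return requested


def authorize(token_scopes: Scope, user_grants: Scope, required: Scope) -> bool:
    """One AND and one compare per call.

    The effective scope is token AND user, evaluated against the user's *current*
    grants: if a permission is later revoked from the user, tokens minted earlier
    lose it immediately instead of keeping what they were issued with.
    """
    effective = token_scopes & user_grants
    return (effective & required) == required


def authorize_sets(token_scopes: frozenset[str], user_grants: frozenset[str],
                   required: frozenset[str]) -> bool:
    """Same rule over named scopes (the relational/join-table model, with the
    user's and token's scopes already loaded into sets, e.g. from a cache).
    No bit-width limit; the check is a subset test instead of an AND/compare."""
    return required <= (token_scopes & user_grants)


def demo() -> dict[str, bool]:
    """Constructed walk-through of issue-time and request-time checks."""
    # Constructed value as it would come back from a hypothetical `perm_mask` column.
    user_row = {"perm_mask": int(Scope.READ_PROFILE | Scope.WRITE_PROFILE | Scope.READ_REPOS)}
    user = Scope(user_row["perm_mask"])

    token = issue_token(user, Scope.READ_REPOS)          # subset of the user's grants: allowed
    try:
        issue_token(user, Scope.ADMIN)                   # user never held ADMIN: refused
        admin_refused = False
    except PermissionError:
        admin_refused = True

    revoked_user = user & ~Scope.READ_REPOS              # READ_REPOS later revoked from the user

    return {
        "token_can_read_repos": authorize(token, user, Scope.READ_REPOS),
        "token_cannot_write_repos": not authorize(token, user, Scope.WRITE_REPOS),
        "admin_request_refused": admin_refused,
        "revocation_reaches_old_token": not authorize(token, revoked_user, Scope.READ_REPOS),
        "set_model_agrees": authorize_sets(
            frozenset({"read:repos"}),
            frozenset({"read:profile", "write:profile", "read:repos"}),
            frozenset({"read:repos"}),
        ),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Whichever representation is stored, the request-time check is a single in-memory operation once the user's and token's scopes are loaded, so the per-call cost the question worries about comes from fetching those two values, not from evaluating them; caching the loaded masks or sets per token is what keeps the relational variant cheap.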



1 Answer

I would start with a look at Spring Security ACL. They use bit masks, and can be (relatively) easily integrated with a cache like ehcache. If you use JPA for data access, you can use JPA's cache too.

http://static.springsource.org/spring-security/site/docs/current/reference/springsecurity.html

The schema:

http://static.springsource.org/spring-security/site/docs/3.0.x/reference/appendix-schema.html

OAuth:

http://static.springsource.org/spring-security/oauth/

Neil McGuigan answered Oct 05 '22 16:10