ACM Transactions on Privacy and Security

Efficient Authorization of Graph-database Queries in an Attribute-supporting ReBAC Model


Abstract

Neo4j is a popular graph database that offers two versions: an enterprise edition and a community edition. The enterprise edition offers customizable Role-based Access Control features through custom developed procedures, while the community edition does not offer any access control support. Being a graph database, Neo4j appears to be a natural application for Relationship-Based Access Control (ReBAC), an access control paradigm where authorization decisions are based on relationships between subjects and resources in the system (i.e., an authorization graph). In this article, we present AReBAC, an attribute-supporting ReBAC model for Neo4j that provides finer-grained access control by operating over resources instead of procedures. AReBAC employs Nano-Cypher, a declarative policy language based on Neo4j's Cypher query language, the result of which allows us to weave database queries with access control policies and evaluate both simultaneously. Evaluating the combined query and policy produces a result that (i) matches the search criteria, and (ii) the requesting subject is authorized to access. AReBAC is accompanied by the algorithms and their implementation required for the realization of the presented ideas, including GP-Eval, a query evaluation algorithm. We also introduce Live-End Backjumping (LBJ), a backtracking scheme that provides a significant performance boost over conflict-directed backjumping for evaluating queries. As demonstrated in our previous work, the original version of GP-Eval already performs significantly faster than Neo4j's Cypher evaluation engine. The optimized version of GP-Eval, which employs LBJ, further improves the performance significantly, thereby demonstrating the capabilities of the technique.