Relational Databases are able to set permissions for users to insert, update, delete, etc by schema or table (e.g. I can allow bob CRUD access to table someschema.XYZ but only allow read access to someschema.FooBar and no access to schema ABC)
Graph databases do not have predefined schemas but have an arbitrary set of node types. Is it possible to set restrictions on a graph database for what a user can access like you do for relational databases or does this granularity not exist in graph databases due to it's nature?
I am specifically looking at Neo4j but if this exists in other examples, then I would like to know.
Neo4j allows you to implement your own SecurityRules. A SecurityRule acts similar to a servlet filter, every request is evaluated with the SecurityRule.
However you have to implement the logic on your own which gives great flexibility but might also cause a serious amount of work.
Related
I am initiating a new project which will be available as a SaaS for multiple customers. So, I am thinking of creating a database and then create individual schema for every customer.
I have defined some rules and the first rule is all the customers must always have the same schema. No matter what. If one customer gets an update, all the other customers will get the update as well.
For this purpose, my question is, is it possible to inherit schema from another schema in the same database? If not, do I have to manually create all the tables and indexes in the new schema and inherit them from the tables in master schema?
I am using Postgresql 9.6 but I can upgrade it as well if needed.
I open to suggestions.
Thanks in advance
There is no automated way to establish inheritance between all tables in two schemas, you'd have to do it one by one (a function can help).
However, I invite you to stop and think about your data model for a bit. How many users do you expect? If there could be many, plan differently, because databases with thousands of schemas become unwieldy (e.g. catalog lookups will become slow).
You might be better off with one schema for all users. If you are concerned with separation of the data and security, row level security might be the solution for you.
WHAT
I have users that share a database, but have their own schemas. Each user is only able to access objects on their schema - they have been explicitly revoked usage on the schemas that are not theirs.
I am not concerned about a user inappropriately accessing others' schema; however, I would very much like for them not to be able to see the contents or even the existence of the other schema to which they have no access.
WHY
I am aware that this is mostly "cosmetic", but the primary reason for this would be that my users do not have to shift through objects that they cannot access in certain tools (Tableau, DB IDEs, etc) - so I think it does add some practical value.
ATTEMPTS
I've been searching for a solution, but haven't found one that works. For instance, I revoked users' access on information_schema and pg_catalog (I know this is not recommended); however, it had no effect.
Is this at all possible?
It is not possible to limit access to pg_class, pg_attribute, or pg_proc. Therefore what you want can only be achieved by separating each user in their own databases rather than individual schemas.
With the sql
select * from pg_stat_activity
I can see all users connected to my database, I need something like that to show which schema is using each user connected
You can't connect to a schema, so it isn't clear what you are looking for. A schema is just a logical namespace for groups within the system. Now:
Determining which schemas a user has access to requires connecting to the relevant db and checking. You can't do this globally since schemas are not global objects.
It should be possible to show the search_path since this only attaches to global objects (databases and roles), but I could not figure out how to do this by glancing through the system catalog docs. That's probably where you'd have to start if that's what you wanted to look for.
Although this question fancies PostgreSQL, it is still a general DB question.
I have always been curious about the term schema as it relates to databases. Recently, we switched over to using PostgreSQL, where that term has actual significance to the underlying database structure.
In PostgreSQL-land, the decentralized structure is as follows:
DB Server (`some-server.com:5432`)
>> Database (`fizz`)
>> Schema (`buzz`)
>> Table (`foo`)
Thus, the FQDN for table [foo] is fizz.buzz.foo.
I understand that a "database" is a logical grouping of tables. For instance, an organization might have a "domain" database where all POJOs/VOs are persisted, an "orders" database where all sales-related info is stored, and a "logging" databases where all log messages get sent for future analysis, etc.
The introduction of this "schema" construct in between the database and its tables has me very confused, and the PostgreSQL documentation is a little too heavy-handed (and lacking good examples) for a newbie such as myself to understand.
I'm wondering if anyone can give me a laymen's description of not only what this "schema" construct is within the realm of PostgreSQL (and how it relates databases to tables), but I'm wondering what it means to database structures in general.
Thanks in advance!
Think of schemas as namespaces. We can use them to logically group tables (such as a People schema). Additionally, we can assign security to that schema so we can allow certain folks to look at a Customer schema, but not an Employee schema. This allows us to have a granularity of control of security just above an object level but below the database level.
Security is probably the most important reason to use schemas, but I've seen them used for logical groupings as well. It just depends on what you need them for.
Late to the party, but ..
I use schemas to split tables in to groups that are used by different applications that share a few tables, for example.
users
application1
application2
Here, if we log in with app1, we see users + application1; if we log in to app2, we see users and application2. So our user data can be shared between both, without exposing app1 users to app2 data. It also means that a superuser can do queries across both sets of data.
As Mysql, sql server, postgre sql etc are basically different implementation of the same concept (rdbms), I am wondering does the same relationship exists between LDAP and MongoDB/CouchDB etc, or is there something more into LDAP?
LDAP
Hierarchical Database model (based on parent/child relationships, like in XML)
LDAP is appropriate for any kind of directory-like information, where fast lookups and less-frequent updates are the norm
Scalable
Standard protocol
Not suited for applications that require data integrity (banking, ecommerce, accounting). Traditionally is used to store users, groups, SSL certificates, service addresses, but is a generic database and can be used for any information.
MongoDb
Document oriented Database, based on BSON (JSON-like) documents
Key value database, but values can be BSON documents
High performance in both read and write operations
Scalable (Master-Slave replication)
Custom protocol
Not suited for applications that require data integrity (banking, ecommerce, accounting)
CouchDb
Document oriented Database, based on JSON documents
Key value database, but values can be JSON documents
High performance in both read and write operations
Scalable (Master-Master replication with conflict resolutions)
REST protocol
Not suited for applications that require data integrity (banking, ecommerce, accounting)
The most important thing, which differs LDAP databases from other noSQL, like MongoDB or CouchDB, is very flexible ACL system.
For example, you can grant access to the object in the tree, using groups and users stored in the same tree. In fact, you can use objects itself to authenticate against the LDAP server.
IMHO, it is completely safe to allow clients to get access to the LDAP tree directly from the Internet without writing a string of code.
In the other hand, LDAP has a bit archaic design and uses sophisticated approaches to provide trivial operations. Mainly because of that fact, I'm slipping and dreaming, about someone implemented LDAP-like ACL in the any of modern noSQL database. Indeed, why making JSON-based database, if you cannot be authorized against it directly from the browser?
SCHEMA is one of the biggest differences.
LDAP data stores have a single system-wide extendable schema (which in real-world, is the the Achilles heel of ldap servers replication...).
NO-SQL has 'no schema' (-or- any schema per object, look at it however you want..).