Support fine-grained data access control for queries
----------------------------------------------------

                 Key: OPENJPA-1931
                 URL: https://issues.apache.org/jira/browse/OPENJPA-1931
             Project: OpenJPA
          Issue Type: New Feature
          Components: kernel
    Affects Versions: 2.2.0
            Reporter: Pinaki Poddar
            Assignee: Pinaki Poddar


Applications often require fine-grained access control to data. The access
control is based on the question: Who can do What?
The "Who" part, the identity of the caller, will determine a set of "What",
i.e. a set of constraints. The constraints can be on query predicates, fetch
plans or actions (persist, remove, update etc.).
The constraints will be specified in, say, XML:
<role name="guest">
   <query>
      <block root="*.Account" path="balance" operation="*"/>
      <block root="*.Account" path="openingDate" operation="lessThan" value="Jan 1, 1990"/>
   </query>
</role>

This will prevent a caller in the "guest" role from executing any query that
involves a predicate on the Account.balance property, or any query on
Account.openingDate before Jan 1, 1990.

The mechanics to determine the caller's role (the "who" part) and the
constraints on the operation (the "what" part) will be a combined plugin
through a SecurityContext interface attached to the persistence unit
configuration.

The scope, i.e. which operations can be restricted and how these restrictions
will be specified, will be fleshed out once the basic scaffolding is in place.
Initially we will target constraints on queries for prototyping the mechanics.
The query constraints will be aimed at the abstract schema.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
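
The block rules from the issue description, evaluated against query predicates, as an added example that is not part of the original issue and not OpenJPA code. Assumptions: Java 17; the class, record and method names are hypothetical; `bank.Account` and the predicates are constructed; the `value` attribute is not evaluated because the issue does not define its semantics, so a rule blocks on root, path and operation alone; a role missing from the policy is refused.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class QueryPolicyDemo {
    // One <block> rule: entity pattern ("*." prefix = any package), attribute path, operation ("*" = any).
    record Block(String root, String path, String operation) {
        boolean matches(String entity, String attr, String op) {
            boolean rootOk = root.startsWith("*.") ? entity.endsWith(root.substring(1)) : entity.equals(root);
            return rootOk && path.equals(attr) && (operation.equals("*") || operation.equals(op));
        }
    }
    static Map<String, List<Block>> parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The policy file is security-relevant input: refuse DTDs to rule out XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        Map<String, List<Block>> policy = new HashMap<>();
        NodeList roles = d.getElementsByTagName("role");
        for (int i = 0; i < roles.getLength(); i++) {
            Element role = (Element) roles.item(i);
            NodeList bs = role.getElementsByTagName("block");
            List<Block> blocks = new ArrayList<>();
            for (int j = 0; j < bs.getLength(); j++) {
                Element b = (Element) bs.item(j);
                blocks.add(new Block(b.getAttribute("root"), b.getAttribute("path"), b.getAttribute("operation")));
            }
            policy.put(role.getAttribute("name"), blocks);
        }
        return policy;
    }
    static boolean allowed(Map<String, List<Block>> policy, String role, String entity, String attr, String op) {
        List<Block> blocks = policy.get(role); // null for an unknown role: fail closed (assumption)
        return blocks != null && blocks.stream().noneMatch(b -> b.matches(entity, attr, op));
    }
    public static void main(String[] args) throws Exception {
        var policy = parse("""
            <role name="guest"><query>
              <block root="*.Account" path="balance" operation="*"/>
              <block root="*.Account" path="openingDate" operation="lessThan" value="Jan 1, 1990"/>
            </query></role>""");
        // Constructed predicates: entity, attribute path, operation.
        String[][] preds = {{"bank.Account", "balance", "greaterThan"},
            {"bank.Account", "openingDate", "lessThan"}, {"bank.Account", "openingDate", "greaterThan"}};
        for (String[] p : preds)
            System.out.println(String.join(" ", p) + " allowed=" + allowed(policy, "guest", p[0], p[1], p[2]));
    }
}
```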
