
Pre-filtering for security

haris-zynka
Node Link

Hi, I'm trying to pre-filter the database before a query is made by SDN/RX. Is it possible to do so with something like a Cypher query for filtering out data and leaving a sub-graph before the real request comes in?

It's not a role-based system; each user is specific and can have multiple ways and nodes that are connected and allowed to him, but their children could also be denied. So if I could simply create something like a sub-graph and let SDN/RX apply the query on it, it would be amazing.

Guessing that the probable answer is no, is there an alternative for such an approach? Let's say I have an (:Level)-[:HAS]->(:OtherLabel)-[:HAS]->(t:ThirdLabel)->(deep node :DeepLabel). And I have (user1)-[HAS_ACCESS]->(other node:OtherLabel). I need to be able to filter out the graph so that any kind of query that comes in doesn't see the (t:ThirdLabel) and (deep node :DeepLabel) BUT they could have access to (some other deep node :DeepLabel) not connected to (other node). The reason is that some queries might try to execute MATCH (:ThirdLabel) ... OR MATCH (:OtherLabel).. and, given that a user can have some nodes of a specific type accessible and others not, the query would execute and I would have to post-filter every single query I make, or I would have to customise every query I have so far.

To repeat, the system has no roles for this and there's no solution that helps which includes having roles. It's user-specific security. For example, if there are 1000 buildings in the system and we want to give users access to some of them, we probably want custom access for each user, and roles don't help except for admin. Now if users can have forbidden access to certain rooms it gets even more complicated.

I can easily do a query for it, but I don't know whether it is possible to downsize the graph before doing the actual queries.

Thanks

2 REPLIES

sameerG
Graph Buddy

You can try a data model similar to the one shown below:
User1---(Query1)----User2..n
User(n+1)---(Query2)----User(n+2..m)
.
.
User(l)---(Querym)----User(l+1...z)

The set of users will only have access to the subgraph returned by a specific query related to that user and not the subgraph returned by other queries. This way you can avoid role-based security, and if users want expanded access to the graph you can change the queries associated with that user. Please let me know if this helps solve your problem.

Thank you for your reply and sorry for taking 11 days. I'm unaware how this answers my question so I don't think it helps but maybe I didn't understand it.

The problem is that I have a working prototype without any users or privileges. Now since there's so much code and so many queries in there, it would be wonderful if I could create a subgraph prior to Spring executing its queries. This would allow me to use existing code without a couple of months of refactoring every single line of query. I know that pre-filters are solvable in other DBs but I don't think it's possible with Neo4j.

So let's say I have the query (:Item1)-[:HAS]->(:Item2)-.... Is there a way to tell SDN/RX to do (User)-[:HasAccess]->(any) and then let the repository interface trigger "(:Item1)-[:HAS]->(:Item2)-..." only on that subgraph? As far as I tested it out, it doesn't work. I cannot use "MATCH ...filtering out data for user..." and then expect the next line like "MATCH (:SomeLabel)" to work only on the subgraph data previously fetched. This means that I basically have to build a new project.

In order to make it more clear, since the use case is confusing, I'll try posting an example image which might make some things clearer.


So the first line of Cypher in there will filter out Item 1 and Child Item 1 correctly. And as expected, the second line will ignore that and just continue on, returning all things that have that particular label, therefore:

Now my question is, is there a nice "magical" way to at least tell Neo4j to use the previous data as a graph, or maybe SDN/RX has this option which I don't know of? Guessing that the first one is more probable, I could figure out a way to add more Cypher before any of the ANY repository methods are executed, which is still good enough as it will be written in one place. Otherwise I would have to change every single query.

Thanks
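
The behaviour described in the last post, as an added example that is not part of the original thread: a second MATCH that introduces a fresh variable is not restricted by the first, whereas a MATCH that starts from the variable bound by the access pattern stays inside the user's subgraph. The `User` label, the `name` properties, the `DENIED` relationship and the sample data are assumptions made for illustration.

```cypher
// Constructed sample graph. Level/OtherLabel/ThirdLabel/DeepLabel, HAS and
// HAS_ACCESS come from the thread; User, name and DENIED are assumptions.
CREATE (l:Level {name: 'L1'}),
       (o1:OtherLabel {name: 'O1'}), (o2:OtherLabel {name: 'O2'}),
       (t1:ThirdLabel {name: 'T1'}), (t2:ThirdLabel {name: 'T2'}),
       (t3:ThirdLabel {name: 'T3'}),
       (d1:DeepLabel {name: 'D1'}), (d2:DeepLabel {name: 'D2'}),
       (d3:DeepLabel {name: 'D3'}),
       (l)-[:HAS]->(o1), (l)-[:HAS]->(o2),
       (o1)-[:HAS]->(t1), (t1)-[:HAS]->(d1),
       (o1)-[:HAS]->(t2), (t2)-[:HAS]->(d2),
       (o2)-[:HAS]->(t3), (t3)-[:HAS]->(d3),
       (u:User {name: 'user1'}),
       (u)-[:HAS_ACCESS]->(o1),   // grant: O1 and everything below it
       (u)-[:DENIED]->(t2);       // exception: the T2 branch is off limits

// Unscoped: `d` is a new variable with no link to `granted`, so the second
// MATCH scans every DeepLabel node and the access pattern filters nothing.
MATCH (u:User {name: 'user1'})-[:HAS_ACCESS]->(granted)
MATCH (d:DeepLabel)
RETURN DISTINCT d.name AS name;

// Scoped: the second MATCH starts from `granted`, so only nodes reachable
// through HAS from a granted node qualify, and any path that passes through
// a node the user is denied is dropped.
MATCH (u:User {name: 'user1'})-[:HAS_ACCESS]->(granted)
MATCH path = (granted)-[:HAS*0..]->(d:DeepLabel)
WHERE none(n IN nodes(path) WHERE (u)-[:DENIED]->(n))
RETURN DISTINCT d.name AS name;
```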