Tags: rest, rbac, abac, role-base-authorization

Record level access control for REST API GET Collection call


So, I am working on the next project that requires more detailed access control functionality (i.e. Sally can only view products in her department).

I get how either a role based access control model or an attribute access control model can 'wrap' an API call to determine if a given user can perform said action on a given object.

Where I keep getting stuck is when you are dealing with a GET call that returns a collection of records. If I ask the API for a page of 20 records from this endpoint, I can't get 20 records, then run a code based authorization check on those records before returning them as I most likely won't be returning 20 records.

It seems like the authorization check either has to be down in the database and/or happen prior to the database query by adding additional filters to the query call (i.e. also filter where product department = clothing).

Anybody have any more concrete implementation examples or ideas on how this could be implemented in a performant manner?


Solution

  • As David mentioned, XACML can be used at the database level for filtering.

    Implementing XACML For The Database

    The diagram below is for SQL, but can be used as a general example for any database technology.

    [Diagram: Example diagram for SQL database dynamic authorization]

    Let's see how this works:

    1. SQL statement is intercepted.
    2. A query is sent to the external authorization service that implements XACML.
    3. The authorization engine (PDP) evaluates the relevant policies, written in XACML or ALFA (an implementation of XACML).
    4. It may query external attribute sources (PIPs) for more info.
    5. The result: SQL statement is dynamically modified to retrieve only authorized data for the user.

    How This Would Be Used In An Application

    The implementation of XACML you choose to go with would ideally have an SDK in your language of choice or support the XACML REST profile. Either would work for integration into your application.

    Given that you are using REST calls, I don't think you would have to add much code to integrate your application with an implementation of XACML.

    Implementing XACML for an API Gateway

    The principle used in this integration is the ability of an API gateway to make a callout to a third party service.

    In this case the third party service is your XACML implementation's Policy Decision Point (PDP). The implementation must support REST/JSON.

    The API Gateway is configured to send fine-grained authorization requests to the PDP.

    Requests are made using the REST/JSON interface exposed by the PDP. The PDP then returns a response.

    The JSON profile of XACML extends the Request/Response schema allowing both the Request and the Response to be encoded in JSON instead of the traditional XML encoding. This makes the Request and the Response much easier to read and also much smaller in size thus transferring less data.

    Implementations of XACML

    For an entire list of XACML implementations, you can check this list on Wikipedia.

    Full disclosure - I work for Axiomatics with David Brossard, who designed the JSON profile for XACML to be used in conjunction with the REST profile.

    Axiomatics provides Axiomatics Data Access Filter for relational databases and SmartGuard for HADOOP. Axiomatics Policy Server natively supports both JSON and REST profiles.
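To make the difference between the two approaches discussed in the question and the answer concrete, here is an added Python example. It is not code from the question, the answer, or any XACML product; the `policy_predicate` function is a hypothetical stand-in for the PDP callout described in the answer (the step where the authorization decision comes back as a filter rather than a permit/deny per row), and the product table, departments and users are constructed sample data. It shows why post-filtering a fetched page comes up short and how pushing the same decision into the query as a parameterized WHERE clause returns a full, correctly scoped page.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    """Attributes of the caller, as an authorization engine would see them."""
    user: str
    department: str
    role: str


def is_permitted(subject: Subject, row: tuple) -> bool:
    """Per-record decision: managers see everything, staff see their own department."""
    _id, _name, department = row
    return subject.role == "manager" or department == subject.department


def policy_predicate(subject: Subject):
    """Hypothetical PDP stand-in: express the same policy as a SQL predicate.

    Returns a WHERE fragment plus bound parameters so caller attributes are never
    interpolated into the SQL text.
    """
    if subject.role == "manager":
        return "1 = 1", ()
    return "department = ?", (subject.department,)


def build_db() -> sqlite3.Connection:
    """Constructed sample data: 60 products, every third one in electronics."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, department TEXT)"
    )
    rows = [
        (i, f"product-{i}", "electronics" if i % 3 == 0 else "clothing")
        for i in range(1, 61)
    ]
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", rows)
    return conn


def fetch_page_post_filter(conn, subject, page_size, offset):
    """The approach the question rejects: fetch a page, then drop unauthorized rows.

    The page size is honoured by the database, not by the result the user sees,
    so the caller gets fewer than page_size records.
    """
    rows = conn.execute(
        "SELECT id, name, department FROM products ORDER BY id LIMIT ? OFFSET ?",
        (page_size, offset),
    ).fetchall()
    return [r for r in rows if is_permitted(subject, r)]


def fetch_page_filtered_query(conn, subject, page_size, offset):
    """Authorization applied before the query runs: the predicate becomes part of SQL.

    The fragment comes only from policy_predicate (a fixed set of clauses); the
    user-supplied attribute travels as a bound parameter.
    """
    predicate, params = policy_predicate(subject)
    sql = (
        "SELECT id, name, department FROM products "
        f"WHERE {predicate} ORDER BY id LIMIT ? OFFSET ?"
    )
    return conn.execute(sql, params + (page_size, offset)).fetchall()


if __name__ == "__main__":
    db = build_db()
    sally = Subject("sally", "clothing", "staff")
    print("post-filter page size:", len(fetch_page_post_filter(db, sally, 20, 0)))
    print("filtered-query page size:", len(fetch_page_filtered_query(db, sally, 20, 0)))
```

With the constructed data, Sally's first page via post-filtering contains only 14 rows (six electronics rows were fetched and discarded), while the filtered query returns a full page of 20 clothing rows and paginates cleanly to the end of her 40 visible records. A manager gets 20 rows either way, since the policy imposes no restriction.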