From: Maciej Miklas
To: user@cassandra.apache.org
Date: Tue, 20 Mar 2012 07:47:29 +0100
Subject: Cassandra as Database for Role Based Access Control System

Hi *,

I would like to know your opinion about using Cassandra to implement an RBAC-like authentication & authorization model. We have simplified the central relationship of the general model (http://en.wikipedia.org/wiki/Role-based_access_control) to:

user ---n:m--- role ---n:m--- resource

user(s) and resource(s) are indexed with externally visible identifiers. These identifiers need to be "re-ownable" (think: mail aliases), too.

The main reason to consider Cassandra is the availability, scalability and (global) geo-redundancy. This is hard to achieve with an RDBMS.

On the other hand, RBAC has many m:n relations. While some inconsistencies may be acceptable, resource ownership (i.e. role=owner) must never ever be mixed up.

What do you think? Is such a relational model an antipattern for Cassandra usage? Do you know similar solutions based on Cassandra?


Regards,

Maciej


PS. I've also posted this question on Stack Overflow, but I would also like to get feedback from the Cassandra community.



