Application Based Access Control for Remote RDBMS

抄録

To accelerate business growth, companies nowadays use not only data collected by themselves but also contracted data provided by other companies. Relational data base management systems (RDBMS) are widely used to control provided data at the provider side. However, there are problems in terms of safety and convenience when a data provider accepts access to relational database data from outside data consumers. From the viewpoint of data providers, RDBMS cannot identify which applications attempt to access whereas can identifying which users and applications with IP addresses attempt to access. In addition, data providers need to apply data filtering at row and/or column level to remove specified data such as personal records and this task is bothersome and error-prone. From the perspective of data consumers, remote access to RDBMS brings about increases in the response latency on the provider side. To solve these problems, we propose a mechanism for relational database access control, which is transparent to RDBMSs and their client applications. According to an access control policy, a filtering program linked with a relational database server removes unnecessary row and/or column elements before transferring them to clients on the provider side. Based on the policy and /proc file system, a proxy program controls access from clients at the granularity of applications on the consumer side. We build the prototype system on a container orchestration tool. The experimental results show that overheads due to our access control mechanism are small enough for practical use and our mechanism is scalable with moderate overhead in comparison with operations on relational databases without it.