Reworking the LAMP - moving authentication and access control to the database
The standard LAMP methodology relies on the middleware application logic
to manage user authentication and to impose access control over the data
in the database. Typically access to the database is as a single user.
In some cases, access to the database may be required from different
pieces of middleware simultaneously, maybe even from code written in
different languages (PHP, Python, Java, C etc.). In order to keep the
authentication and access control consistent, it is necessary to push
these functions into the database itself.
This presentation will outline one approach developed using the
PostgreSQL database server using views, triggers and the PL/pgSQL
procedural language. A patch to PostgreSQL to allow an "at connection"
trigger to invoke a PL/pgSQL function will also be discussed, as a
performance enhancement to the approach outlined. I will also discuss
some of the development/debugging issues encountered by moving the
authentication and access control into SQL functions instead of PHP.
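The following is an added example, not code from the talk or from Bob Edwards, showing the shape such an approach takes in PostgreSQL: a PL/pgSQL login function that verifies a password hash and records the user for the lifetime of the connection, a security_barrier view that only exposes rows belonging to that user, and an INSTEAD OF trigger that stamps ownership server-side. The table, function and role names (app_user, document, app_login, app_current_user_id, my_document, app_role) and the session setting app.user_id are assumptions; the middleware is assumed to connect as the single role app_role, as the abstract describes.

```sql
-- Added example (not from the talk): authentication and per-row access
-- control pushed into PostgreSQL. All names below are assumptions.
CREATE EXTENSION IF NOT EXISTS pgcrypto;   -- provides crypt() and gen_salt()

CREATE TABLE app_user (
    id       serial PRIMARY KEY,
    username text   NOT NULL UNIQUE,
    pw_hash  text   NOT NULL              -- bcrypt hash, never the plaintext
);

CREATE TABLE document (
    id       serial  PRIMARY KEY,
    owner_id integer NOT NULL REFERENCES app_user(id),
    body     text    NOT NULL
);

-- The single role every piece of middleware (PHP, Python, Java, C) connects as.
CREATE ROLE app_role LOGIN PASSWORD 'change-me';   -- placeholder password
REVOKE ALL ON app_user, document FROM app_role;     -- no direct table access

-- Authenticate and remember the user id in a session-scoped setting.
-- SECURITY DEFINER lets app_role call this without being able to read pw_hash.
CREATE OR REPLACE FUNCTION app_login(p_username text, p_password text)
RETURNS boolean
LANGUAGE plpgsql SECURITY DEFINER AS $$
DECLARE
    v_id integer;
BEGIN
    SELECT id INTO v_id
      FROM app_user
     WHERE username = p_username
       AND pw_hash = crypt(p_password, pw_hash);   -- bcrypt compare
    IF v_id IS NULL THEN
        PERFORM set_config('app.user_id', '', false);  -- clear any earlier login
        RETURN false;
    END IF;
    PERFORM set_config('app.user_id', v_id::text, false);  -- false = whole session
    RETURN true;
END;
$$;

-- Who is logged in on this connection? NULL if nobody.
CREATE OR REPLACE FUNCTION app_current_user_id()
RETURNS integer
LANGUAGE sql STABLE AS $$
    SELECT nullif(current_setting('app.user_id', true), '')::integer;
$$;

-- The only path to documents: security_barrier makes the planner apply the
-- WHERE clause before any user-supplied function in the query sees the rows.
CREATE VIEW my_document WITH (security_barrier = true) AS
    SELECT id, body
      FROM document
     WHERE owner_id = app_current_user_id();

-- INSTEAD OF INSERT trigger: the server, not the client, decides the owner,
-- and an unauthenticated connection cannot insert at all.
CREATE OR REPLACE FUNCTION my_document_insert()
RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    IF app_current_user_id() IS NULL THEN
        RAISE EXCEPTION 'not authenticated' USING ERRCODE = 'insufficient_privilege';
    END IF;
    INSERT INTO document (owner_id, body)
    VALUES (app_current_user_id(), NEW.body)
    RETURNING id INTO NEW.id;
    RETURN NEW;
END;
$$;

CREATE TRIGGER my_document_insert_trg
    INSTEAD OF INSERT ON my_document
    FOR EACH ROW EXECUTE FUNCTION my_document_insert();

GRANT SELECT, INSERT ON my_document TO app_role;
GRANT EXECUTE ON FUNCTION app_login(text, text) TO app_role;

-- Constructed sample data and a session as the middleware would run it:
INSERT INTO app_user (username, pw_hash)
VALUES ('alice', crypt('correct horse', gen_salt('bf'))),
       ('bob',   crypt('battery staple', gen_salt('bf')));
INSERT INTO document (owner_id, body)
VALUES (1, 'alice''s note'), (2, 'bob''s note');

SELECT app_login('alice', 'wrong');                -- false; my_document is empty
SELECT app_login('alice', 'correct horse');        -- true
SELECT * FROM my_document;                         -- only alice's note
INSERT INTO my_document (body) VALUES ('another'); -- stored with owner_id = 1
```

Because the login state lives in a per-connection setting, every middleware language sees the same rule set, but each pooled connection must call app_login before use (the "at connection" trigger mentioned above is one way to make that cheap). The design also trusts the connecting code: anything that can run SQL as app_role can call set_config on app.user_id directly, so the view and trigger are a consistency mechanism across middleware rather than a boundary against a compromised client. Where that boundary is needed, newer PostgreSQL releases offer per-user database roles with row-level security policies keyed on current_user instead of a client-settable variable.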
Robert (Bob) Edwards
Bob Edwards is the Chief IT Officer in the Department of Computer
Science at the Australian National University. He also teaches the
Computer Networks course at undergraduate and Master's level.
He has written several kernel modules used in production within the
Department's various computer networks, including an IPTables mangle
table module that imposes NFS access control for laboratory computers.
Bob is active in the local Linux user group. He also jointly won a
Gordon Bell prize at the 2000 Supercomputing Conference for the
Bunyip Linux cluster, recognised as the first in the world to post
less than $US1/megaflop for a serious supercomputing application.