please add fine-grained access control

[bionicles]

thanks for making RedisGraph! it's starting to look really appealing since it's in the cloud service

would it be possible to add something like https://neo4j.com/docs/operations-manual/current/authentication-authorization/access-control/ for authorization?

I prefer Attribute or Graph Based Access Control (ABAC, GBAC) (the article and implementation describes Role based access control, RBAC) but this could be pretty handy either way for security, compliance, privacy, etc because right now, I'd still have to stick some slow-ass authorization server between users and RedisGraph. That adds multiple network hops and probably slower code than C (which would also live next to the data necessary to make the authorization decisions anyway)

also, there's a ton of interest lately in offline-first web state, and very few great options. is it theoretically possible to compile RedisGraph to WebAssembly and use the Redis Enterprise CRDT to sync some 'materialized subgraph' to a webworker embedded in a web platform?

The idea being, each user, would have access to different subgraphs of the full graph stored in the cloud. If we could run RedisGraph in WebAssembly inside our web apps, then we could just use cypher query syntax locally and have it sync automatically, no server necessary, just a cloud peer in Redis Enterprise Cloud, what do you think?

[swilly22]

Hi @bionicles, the link seems broken, can you please double check?
Although Redis supports ACL RedisGraph has no notion of ACL, I can see the value in such feature as you've described it, although I believe it will come with a performance hit. at the moment there's no plan to introduce such a feature.

With regard to WebAssembly I haven't tried compiling RedisGraph to WebAssembly nor am I aware of anyone else trying to, it will be interesting to know if it would work, lastly RedisGraph is not CRDT "enabled" similarly to ACL there's no plan for the foreseen future to support RedisGraph and CRDT.

Please let me know if you want to collaborate on trying to run RedisGraph within a web-browser using WebAssembly.

[bionicles]

re security

Schema-Based Security in Neo4j 4.0

https://neo4j.com/docs/operations-manual/current/authentication-authorization/built-in-roles/index.html

https://github.com/neo4j/neo4j-documentation/blob/402084b3f096507e642f690cd3f383116b7319be/cypher/cypher-docs/src/docs/dev/ql/administration/security/index.asciidoc

https://www.postgresql.org/docs/current/ddl-rowsecurity.html

https://docs.tigergraph.com/start/vertex-level-access-control

is it possible to separate questions of data from questions of trust? we need data to make trust decisions, and we need to make trust decisions to serve many forms of data.

the alternative is to implement security in the application layer but this means there is no security at the database layer. anyone who directly accesses the graph, can see all the data for everyone, which equates to millions or billions of dollars in HIPAA / GDPR compliance violation fines

the problem with ACLs is, you have to explicitly grant each person access to each resource. that's extremely difficult to maintain all those lists correctly

a graph-based authorizer could enable pattern-matching rules.

doctors view records, labs for their patients
doctors edit their records of their encounters with their patients
researchers view records for encounters between patients with the disease under study and doctors who treat that disease, if both patients and doctors opt-in to the research
regulators view records of patients who take the drug they're monitoring for safety risks

this way we can define whole sets of access-control lists without explicitly adding each regulator to each patient-record ACL based on what drugs they're taking, and it all happens right at the moment the query is processed, without any network hops or slow application code -- these extra steps, could add 100s of milliseconds per query and completely eliminate any performance advantage of RedisGraph over TigerGraph or Neo4j

conversely, if such a feature were added so developers could specify security rules in terms of graph traversals, it could be a game-changer for privacy, security, and the usefulness of RedisGraph

---

re: WASM -- yes, I'd love to try it, what would be blockers for this? perhaps that's a separate ( and almost surely less critical ) issue

[bionicles]

@swilly22
just want to specify in advance a set of allowed paths from subject / user to object / data. if the path of a query is in the set of allowed paths, then return the data; else, return "unauthorized"

is there a way to accomplish this now with cypher?

or, can we return all vertices / edges along an arbitrary path?

ideally we could specify optional steps, and steps which could go to multiple different targets (to avoid enumerating a billion ways to get from A to B)

in python this might look like a list of labels for nodes along the allowed path

rule = (
    ["Provider", Option["CareTeam"], Option["Group"], "Patient", {"Condition", "Observation", "Treatment"}], 
    "CRUD"
)