views:

20

answers:

1

I am building a database that contains public, private(limited to internal) and confidential data (limited to very few). It has very specific requirements that the security of the the data is managed on the database side, but I am working in an environment where I do not have direct control of the permissions, and requests to change them will be time consuming (2-3 days).

So I created a structure that should meet our needs without requiring a lot of permissioning. I created two databases on the same server, one is the internal one, who's tables can only be edited by certain users within certain subnets of our network. The second is the public database where, using an admin account, I create views limited to public fields of tables in the internal database to expose public data and it seems to work well. However the data should only flow one way and the views should not be able to write to the source tables. And I cannot just lock down the public database to be only SELECTable since the public database is used for various tasks of our public website.

So I need to create views to limit access of some scripts to certain fields in a table. I need to make sure that those views are not able insert, update, or delete data in the source table. To create the view I use:

CREATE  ALGORITHM = UNDEFINED 
VIEW `table_view` AS 
  SELECT *
  FROM `table`

Looking at the documentation to prevent updates the view needs to have aggregate data, sub queries in the WHERE clause, and ALGORITHM = TEMPTABLE. I would go with TEMPTABLE, but the manual is unclear whether it would impact the performance. In one paragraph the manual states:

It prefers MERGE over TEMPTABLE if possible, because MERGE is usually more efficient

Then immediately states:

A reason to choose TEMPTABLE explicitly is that locks can be released on underlying tables after the temporary table has been created and before it is used to finish processing the statement. This might result in quicker lock release than the MERGE algorithm so that other clients that use the view are not blocked as long.

The views are going to be queried on page load to generate the contents of the page, would MERGE still be more efficient or would the lower lock time serve me better? And no, handling this through account permissions is not really an option due to the inability to GRANT permissions on individual fields to meet the legal confidentiality requirements. To meet them would require fragmenting each table into 2-3 tables containing fields with homogeneous confidentiality.

Should the algorithm be UNDEFINED or TEMPTABLE, or is there another setting in the view definition that will lock down the view. And what are the performance effects I will experience. Also, if I do something to force it to be uneditable, like including HAVING 1 to make it an aggregate function force it to be TEMPTABLE and the choice of algorithm moot.

+1  A: 

I'm wondering why you don't just lock down grants to the account(s) being used to not have DELETE, INSERT or UPDATE.

MySQL doesn't appear to support roles, where I'd have defined a role without these grants & just associated the account(s) with that role - pity...

OMG Ponies
Unfortunately I do not have table level control of the permissions and I have to go through our IT dept. to request any permission change. If I make a change it is 2 to 3 days before I can test it. Also I don't want to have to break each table up into 2-3 tables of varying levels of confidentiality, due to legal requirements beyond my control.
Tyson of the Northwest
@Tyson of the Northwest: Dedicating a user would alleviate permission assignment, but won't help if you want to keep interactions separate (IE: what if someone's role changes - now they have the password for both "roles"...). You could control access to table operations via stored procedures rather than consider breaking up a table for sake of data visibility. I'm sorry - it sounds like you've got some foundation issues that would make life easier if you address them early in development, but I really don't know your situation so take it with a grain of salt.
OMG Ponies
The question I really want answered is should the algorithm be UNDEFINED or TEMPTABLE, or is there another setting in the view definition that will lock down the view. And what is the performance effects I will experience. Also, if I do something to force it to be uneditable, like including HAVING 1 to make it an aggregate function force it to be TEMPTABLE and the choice of algorithm moot.
Tyson of the Northwest