Veil2 0.9.1 (beta) Documentation

Veil2 is a Postgres extension for implementing relational security systems.

A relational security system is one in which access rights are determined by the user’s relationships to the objects being accessed.

The primary aims of a relational security system are to make the management of access to data a seamless, and necessary, component of your application, and to make its implementation as simple as possible and as sophisticated as needed.

Veil2 is designed to make the implementation of relational security systems as easy as possible. It provides an extensible framework of permissions, permission checks, and user authentication so that you can start building a secure database in a matter of hours.

With Veil2 you secure the database itself and not just applications that use it. This means that even if your application server is compromised, an attacker's ability to access data will be limited to the data for which they can steal access credentials. This gives them little more access than the application itself would give them.

The security of database applications is more usually managed by building the access control rules into application servers, and typically these access control rules offer a fairly coarse level of granularity. This is often because reasoning about access controls at the level of functionality is difficult. With relational security modelling, it can be much easier to reason about what sort of user needs what sort of access, and using Veil2 the implementation of access control rules becomes trivial.

Veil2 is mostly implemented in SQL and PL/pgSQL, with a small amount of security and performance-critical code written in C. It is designed to be fast, flexible and customizable, and aims to make the security of your system better, faster, more complete and easier to understand.

If you would like to see what Veil2 can do, you can install and explore the Veil2 demos.

