[Haskell-cafe] Role based access control via monads or arrows or... something

porrifolius porrifolius at gmail.com
Wed Apr 2 17:22:37 EDT 2008


I've been playing around trying to write a framework to support/enforce access 
control to resources.  So far my efforts have yielded little but bruised 
forehead and compressed plaster-board.

What I'd like is a solution that:
  (1) prevents access to resources except via a fine-grained permissions 
checking gateway

  (2) supports on-the-fly permissions eg Bob can see Fred's salary

  (3) supports dynamic role constraints eg Bob can't be both appointor and 
appointee of secret agent status

  (4) allows lack of permission to optionally act as a filter rather than 
cause an abort, eg Bob viewing all salaries returns Fred's but doesn't return 
Tom's rather than aborting altogether because Bob lacks the permission over 

  (5) well defined behaviour when checking permissions for actions that change 

  (6) it must be pure, no need for IO.

  (7) ideally required permissions would appear (and accumulate) in type 
signatures via inference so application code knows which are required and 
type checker can reject static/dynamic role constraint violations 

I've attempted a solution using arrows based loosely upon ideas in [1] and 
[2].  I can't figure out how to make it work, even if I did get it working I 
now suspect it can be done far more simply, and I don't think it could ever 
provide feature (7).  For what it's worth it's attached.

Ideally you kind folk could help me come up with a type-level solution to 
satisfy (7), so you could have something like:
deptAveSal :: (HasPerms subject? Read Salary [person]?, HasPerm subject? Read 
Employees dept?, HasRole subject? Manager dept?) => Department -> Salary

Failing that how to do it in a more simple fashion?  I now think that a 
State-like monad exposing only functions taking values in a wrapper type that 
carries required permissions may be sufficient, but still probably couldn't 
satisfy (7).

Failing that my existing attempt has me stumped for a few reasons:
  how do I get hold of the subject and resource so I can build the correct 
permission in Test?  eg the Person whose Salary is needed in salary, and 
who's trying to get it

  where do I get the System from in Test?  eg fakeSystem in personByName

  how to implement the filter functionality in RBAC?  Parametric over 
container types?

I think that perhaps the Validator would need to be a monad that holds the 
initial state of the System to provide a stable set of permissions/roles and 
that the subject and System should also be threaded through the arrows for 

Any help you can offer for my aching cranium will be _much_ appreciated.

[1] Encoding Information Flow in Haskell - Peng Li, Steve Zdancewic. 
[2] A Library for Secure Multi-threaded Information Flow in Haskell - 
Alejandro Russo, Tsa-chung Tsai, John Hughes. 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: RBAC.hs
Type: text/haskell
Size: 2742 bytes
Desc: not available
Url : http://www.haskell.org/pipermail/haskell-cafe/attachments/20080403/e06534c4/RBAC-0001.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Test.hs
Type: text/haskell
Size: 1625 bytes
Desc: not available
Url : http://www.haskell.org/pipermail/haskell-cafe/attachments/20080403/e06534c4/Test-0001.bin

More information about the Haskell-Cafe mailing list