Grant access permissions on multi-user data - PolarDB - Alibaba Cloud Documentation Center

In an always-confidential database cluster, the ciphertext data of different users is automatically isolated. You can issue a behavior control list (BCL) to grant access permissions on the ciphertext data for multi-party data integration and computing.

Prerequisites

The always-confidential database feature is enabled and configured for the PolarDB instance. For more information, see Enable the always-confidential database feature, Define sensitive data, and Use the always-confidential database feature from a client.
Make sure that the minor version of your PolarDB for PostgreSQL cluster is 20231030 (14.9.14.0) or later.
The certificates and private keys of the certificates of the participantsare (data owners and applicants) obtained.

Background information

In an always-confidential database, user data is encrypted by using the data encryption keys (DEKs) of the users. The ciphertext data of different users is automatically isolated. If you want to use the data of multiple users for joint queries, you can use BCL to grant access permissions to the participants of the joint queries. After the authorization, the participants can query the data of other participants in a secure manner.

Scenarios

A data platform collects user profile data by age, encrypts sensitive data columns in a table by using the DEK that is exclusive to the data platform, and then stores the data in an always-confidential database on a PolarDB instance. The DEK is exclusive to the data platform. If a third party is not authorized, the third party can only view the ciphertext data. The third party cannot use the user profile data.

A third party wants to use the user profile data to help identify suitable user groups for an advertising application. This way, the advertising application can push advertisements to specific user groups, such as users who are younger than 30 years old. The third party needs to call the authorization application interface and submit a BCL authorization application to apply for the permissions to use the user profile data from the data platform. The third party must specify the details in the BCL authorization application. If the data platform approves the application, the BCL authorization is issued. After the required permissions are granted, the advertising application can query the user profile data, obtain information about the required user group, and then push advertisements to the required user group.

In this example, the advertising application can use the user profile data only within the authorized scope that is specified by the BCL and can only query the final results. Intermediate data is unavailable to the advertising application.

Procedure

Run the required commands to initialize the public keys of the certificates in the application code of participants.

// The private key of the participant certificate.
String userPriPemString = "*****";
// The public key of the participant certificate.
String userPukPemString = "*****";
// Key initialization. The keys need to be initialized only once.
KeyManager km = sdk.getKeyManager();
km.registerCertificate(userPriPemString, userPukPemString);

Define the authorization content.

String bclBodyJsonString = """{ 
  "version": 1,
  "serial_num": "a121bac0-5cb3-4463-a2b2-1155ff29f4c8",

  "issuer_pukid": "dYJ3Wfj/n0eZbuqgQjv8bnBdPXGyWGOlxE/uMy16NXo=",
  "subject_pukid": "+Gg4vXehPt9BWlCPdR83wKDn6E1b/XddNhKQ5mVbKVQ=",
  "validity": {
    "not_after": "20220820111111+0800",
    "not_before": "20230820111111+0800"
  },
  "policies": {
    "issuer_dek_group": [
      {
        "min": 1,
        "max": 100000,
        "groupid": "b6785611-0c49-4f13-87a9-13f151de9b4d"
      }
    ],
    "result_dek": "SUBJECT",
    "subject_dek_group": [
      {
        "min": 1,
        "max": 100000,
        "groupid": "5e19cfa7-c001-4e44-acab-2e5de4b97dcb"
      }
    ],
    "operation": [
      "*"
    ],
    "postproc": "NULL",
    "preproc": "NULL"
  }
}""";

The following table describes the parameters in the preceding syntax.

Parameter	Example	Description
version	1	The version number. Set the value to 1.
serial_num	"a121bac0-5cb3-4463-a2b2-1155ff29f4c8"	A unique, random serial number in the UUID format.
issuer_pukid	"dYJ3Wfj/n0eZbuqgQjv8bnBdPXGyWGOlxE/uMy16NXo="	The certificate thumbprint of the data owner. Perform the following steps to obtain the certificate thumbprint: Calculate the hash value of the certificate content. Note By default, the `SHA 256` encryption algorithm is used. You can specify other encryption algorithms. The following example shows the certificate content including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----: `-----BEGIN CERTIFICATE----- dYJ3Wfj/n0eZbuqgQjv8bnBdPXGyWGOlxE/uMy16NXo= -----END CERTIFICATE-----` Encode the hash value in Base64. Set this parameter to the Base64-encoded string.
subject_pukid	"+Gg4vXehPt9BWlCPdR83wKDn6E1b/XddNhKQ5mVbKVQ="	The certificate thumbprint of the applicant. You can configure this parameter the same way you configure the issuer_pukid parameter.
validity	{ "not_before": "20220820111111+0800", "not_after": "20230820111111+0800"}	The validity period of the authorization. The value must be in the GeneralizedTime time format. "not_before": the beginning of the validity period. "not_after": the end of the validity period.
policies
issuer_dek_group	[ { "min": 1, "max": 100000, "groupid": "b6785611-0c49-4f13-87a9-13f151de9b4d" }]	The group of the DEK that is allowed by the data owner. "groupid": the ID of the DEK group "min": the smallest DEK ID in the group "max": the largest DEK ID in the group Note To obtain the values of the groupid and dekid fields, you can execute the SELECT encdb_get_cc_entry_by_name(<keyname>); statement. You must set the keyname parameter to the column on which the applicant has access permissions.
subject_dek_group	[ { "min": 1, "max": 100000, "groupid": "5e19cfa7-c001-4e44-acab-2e5de4b97dcb" }]	The group of the DEK that is allowed by the applicant. "groupid": the ID of the DEK group "min": the smallest DEK ID in the group "max": the largest DEK ID in the group Note To obtain the values of the groupid and dekid fields, you can execute the SELECT encdb_get_cc_entry_by_name(<keyname>); statement. You must set the keyname parameter to the column on which the applicant has access permissions.
result_dek	"SUBJECT"	The DEK that is used to encrypt the computation result. "SUBJECT": uses the DEK that is allowed by the applicant in the current computation. "ISSUER": uses the DEK that is allowed by the data owner in the current computation. DEK ID: uses the DEK with the specified DEK ID. Important If you want to use a specified DEK, set this parameter to `the ID of the DEK`. You can directly specify the DEK ID without the need to enclose the DEK ID in double quotation marks ("").
operation	[ "*"]	The allowed computation operations. "encrypt": encryption "decrypt": decryption "cmp": comparison Note If you set this parameter to `"*"`, all computation operations are allowed.
postproc	"NULL"	The pre-processing operation before the computation. Set the value to NULL, which indicates that no pre-processing operations are required.
preproc	"NULL"	The post-processing operation after the computation. Set the value to NULL, which indicates that no post-processing operations are required.

The applicant initiates a BCL authorization application.

boolean isIssuer = false;
bclBodyJsonString = km.issueBCL(bclBodyJsonString, userPukPemString, userPriPemString, isIssuer);

The data owner approves the application and issues the BCL authorization.

boolean isIssuer = true;
bclBodyJsonString = km.issueBCL(bclBodyJsonString, userPukPemString, userPriPemString, isIssuer);

(Optional) If the data owner needs to revoke the authorization, perform the following operations:

Define the authorization that is to be revoked.

brlBodyJsonString = """{
  "version": 1,  
  "pukid": "dYJ3Wfj/n0eZbuqgQjv8bnBdPXGyWGOlxE/uMy16NXo=",
  "this_update": "20220819111128+0800",
  "next_update": "20220919111128+0800",
  "revoked": [
    {
      "revocation_date": "20220819111128+0800",
      "serial_num": "a121bac0-5cb3-4463-a2b2-1155ff29f4c8"
    }
  ]
}""";

The following table describes the parameters in the preceding syntax.

Parameter	Example	Description
version	1	The version number. Set the value to 1.
pukid	"dYJ3Wfj/n0eZbuqgQjv8bnBdPXGyWGOlxE/uMy16NXo="	The certificate thumbprint of the data owner. You must set this parameter to the certificate thumbprint of the data owner in the BCL authorization application.
this_update	"20220819111128+0800"	The point in time at which the revocation list is updated. The value must be in the GeneralizedTime time format.
next_update	"20220919111128+0800"	The next update time of the revocation list. The value must be in the GeneralizedTime time format.
revoked
revocation_date	"20220819111128+0800"	The point in time at which the authorization is revoked. The value must be in the GeneralizedTime time format.
serial_num	"a121bac0-5cb3-4463-a2b2-1155ff29f4c8"	The serial number in the UUID format. You must set this parameter to the serial number that is specified in the BCL authorization application.

The data owner approves and issues the revocation.

brlBodyJsonString = km.revokeBCL(brlBodyJsonString, userPukPemString, userPriPemString);