We are using the Spring Security ACL infrastructure in conjunction with App Engine Datastore. We do not use the low-level Datastore API but rather the Objectify framework to access the Datastore. We need to transform the Spring Security ACL model (suitable for an RDBMS) into a model more suitable for the schema-less, object-oriented Datastore. So far we have ended up with the two entities described below.
Acl
- id: Long
- domainObject: Key (ancestor/parent)
- entries: List<AclEntry> (embedded)
- owner: String
AclEntry
- sid: String
- principal: boolean
- mask: int
- granting: boolean
Almost every time, the ACL is retrieved by the known domainObject (not by ACL id), and hence we decided to use the domain object as the ancestor of the given ACL so that we can use an ancestor query (strongly consistent) and get the most up-to-date data, which is crucial in the case of ACLs.
The thing is that such a model is not sufficient for queries like "Which [entities] does the given user (sid) have access to?", where [entities] can be any available entity like a project, group, ...
Does anyone have experience running Spring Security ACL on a NoSQL database, especially on App Engine Datastore? Any hint would be appreciated.
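As an added illustration (not code from the question or from any project), here is one way to write the two entities above with Objectify annotations and to make the "which objects can this sid reach?" question answerable with a single equality query. The denormalised fields `grantedSids` and `domainKind`, the `@OnSave` hook that maintains them, and the helper class `AclQueries` are all assumptions introduced here; the code assumes Objectify 5 (the `Key<?>`/`@Parent`/`ofy()` API and multi-valued `@Index` fields) and that `Acl` is registered before use.

```java
import static com.googlecode.objectify.ObjectifyService.ofy;

import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import com.googlecode.objectify.Key;
import com.googlecode.objectify.ObjectifyService;
import com.googlecode.objectify.annotation.Entity;
import com.googlecode.objectify.annotation.Id;
import com.googlecode.objectify.annotation.Index;
import com.googlecode.objectify.annotation.OnSave;
import com.googlecode.objectify.annotation.Parent;

/** One access control entry. Embedded in Acl, so it is not an @Entity of its own. */
class AclEntry {
    String sid;
    boolean principal;   // true = sid is a user, false = sid is a granted authority/role
    int mask;            // Spring Security permission bits (READ, WRITE, ...)
    boolean granting;    // false = an explicit deny entry
}

@Entity
class Acl {
    @Id Long id;
    @Parent Key<?> domainObject;              // the secured object is the ancestor
    String owner;
    List<AclEntry> entries = new ArrayList<>(); // embedded, as in the question

    // Assumed denormalised fields (not in the question). Kept in sync on every save,
    // so the "accessible by sid" lookup is a plain indexed equality filter instead of
    // a filter on two properties of the same embedded list (which would match
    // sid and granting across *different* entries).
    @Index List<String> grantedSids = new ArrayList<>();
    @Index String domainKind;

    @OnSave
    void denormalise() {
        Set<String> sids = new LinkedHashSet<>();
        for (AclEntry e : entries) {
            if (e.granting) {
                sids.add(e.sid);
            }
        }
        grantedSids = new ArrayList<>(sids);
        domainKind = domainObject.getKind();  // e.g. "Project", "Group"
    }
}

class AclQueries {
    static {
        ObjectifyService.register(Acl.class);
    }

    /** Strongly consistent read of the ACL of a known domain object (ancestor query). */
    static Acl aclFor(Key<?> domainObject) {
        return ofy().load().type(Acl.class).ancestor(domainObject).first().now();
    }

    /**
     * Keys of all domain objects of the given kind to which at least one of the
     * sids (the user's own sid plus its granted authorities) has a granting entry.
     */
    static List<Key<?>> accessibleBy(List<String> sids, String kind) {
        List<Key<?>> result = new ArrayList<>();
        List<Acl> acls = ofy().load().type(Acl.class)
                .filter("domainKind", kind)
                .filter("grantedSids in", sids)
                .list();
        for (Acl acl : acls) {
            result.add(acl.domainObject);
        }
        return result;
    }
}
```

Two caveats go with this split. `accessibleBy` is a non-ancestor query and therefore only eventually consistent, so it is suited to listing candidate objects for a UI, while the authoritative permission check for a specific object should keep going through the ancestor read in `aclFor` and evaluate `mask` and `granting` there. The Datastore `IN` filter is expanded into one subquery per value and is limited to 30 values, so a user with many granted authorities needs the sid list chunked.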