cossacklabs / acra

Database security suite. Database proxy with field-level encryption, search through encrypted data, SQL injections prevention, intrusion detection, honeypots. Supports client-side and proxy-side ("transparent") encryption. SQL, NoSQL.
https://www.cossacklabs.com/acra/
Apache License 2.0

Clarification on replacement of Zones #622

Closed kunalsumblyavenue closed 1 year ago

kunalsumblyavenue commented 1 year ago

First, I really appreciate the work that you all are doing on Acra. Big thanks for that. I was also looking into a tool/platform which does something similar and really liked what I found in terms of the capabilities of Acra. One of the key capabilities of Acra that caught my attention was using Zones that cryptographically compartmentalise access to data, which I understood as follows: within the same application, if we have two sets of users, User1 and User2, and there is a sensitive database column, and for group User1 we don't want them to unmask that sensitive database column, whereas group User2 (they have a special role) and only they should be able to unmask the sensitive data, this kind of thing was achieved via Zones. If that is the case, and we know that after the 0.94 release Zones have been deprecated, and from what I have read so far ClientId is the thing that represents users/groups of users as per this documentation https://docs.cossacklabs.com/acra/security-controls/client-id-sql-detection/ , is my understanding correct here?

Thanks for your time.

Regards, Kunal

Lagovas commented 1 year ago

We are glad to hear that you found Acra interesting and useful for you :) Your understanding is correct. Zones existed to compartmentalize data access cryptographically. They and ClientID were used to specify the keys related to data. ClientID is derived from the mutually authenticated connection, taken from the CLI flag --client_id, or specified in encryptor_config for transparent encryption. But ZoneID had to be specified as an SQL value preceding the encrypted data in the SQL query, or statically in encryptor_config. The first option was too complicated for applications and the second works the same way as ClientID. So we removed it to simplify usage and understanding.

As you found, AcraEnterprise supports specifying ClientID during the DB session as an SQL statement for all subsequent queries until it is changed to another one. And it allows switching between data owners in the same DB connection. It is much easier for most applications than connecting with other credentials to Acra+database on every owner change or composing the correct SQL query to specify the proper ZoneID.

So yes, the open source version of Acra supports switching between data owners by specifying a different ClientID from TLS certificates, a static CLI option, or a static option in encryptor_config. And AcraEnterprise provides one extra option: specifying ClientID by SQL query.
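An added example, modelling the compartmentalisation described in the comment above; it is not code from this thread or from Acra's own code base. It keeps one storage key per ClientID, seals a field under its owner's key with AES-GCM, and reads it back through a session whose ClientID selects the key. Assumptions of this model: the ClientID arrives as a plain string (standing in for the mTLS peer certificate, the --client_id flag or an encryptor_config entry), keys come from a toy sha256-based KDF rather than Acra's keystore, data the session's key cannot open is passed through unchanged, and SetClientID stands in for the Enterprise SQL statement that switches owners inside one connection. The names user1 and user2 and the sample e-mail value are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// ClientID is the data-owner identifier that Acra derives from the mTLS
// peer certificate, the --client_id flag, or a per-column entry in
// encryptor_config. In this model it is just a string.
type ClientID string

// KeyStore maps each ClientID to its own 32-byte storage key. Acra keeps
// such keys in a keystore; this in-memory map is a stand-in (assumption).
type KeyStore map[ClientID][]byte

// NewKeyStore derives a distinct key per ClientID. The KDF is a toy,
// sha256(master || clientID), chosen only to keep the example self-contained.
func NewKeyStore(master []byte, ids ...ClientID) KeyStore {
	ks := KeyStore{}
	for _, id := range ids {
		h := sha256.Sum256(append(append([]byte{}, master...), []byte(id)...))
		ks[id] = h[:]
	}
	return ks
}

func (ks KeyStore) aead(id ClientID) (cipher.AEAD, error) {
	key, ok := ks[id]
	if !ok {
		return nil, fmt.Errorf("no key for client %q", id)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a field value under the owner's key. The random nonce is
// prefixed to the ciphertext so the stored blob is self-describing.
func (ks KeyStore) Encrypt(owner ClientID, plaintext []byte) ([]byte, error) {
	g, err := ks.aead(owner)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt tries only the key selected by the reader's ClientID. If that key
// cannot open the blob, the blob is returned unchanged with ok == false:
// a session holding the wrong ClientID only ever sees ciphertext.
func (ks KeyStore) Decrypt(reader ClientID, blob []byte) ([]byte, bool) {
	g, err := ks.aead(reader)
	if err != nil {
		return blob, false
	}
	n := g.NonceSize()
	if len(blob) < n {
		return blob, false
	}
	pt, err := g.Open(nil, blob[:n], blob[n:], nil)
	if err != nil {
		return blob, false
	}
	return pt, true
}

// Session models one database connection through the proxy. In open-source
// Acra the ClientID is fixed per connection (certificate, flag or config);
// SetClientID models the Enterprise SQL statement that changes the owner
// for all following queries on the same connection.
type Session struct {
	ks       KeyStore
	clientID ClientID
}

func NewSession(ks KeyStore, id ClientID) *Session { return &Session{ks: ks, clientID: id} }

func (s *Session) SetClientID(id ClientID) { s.clientID = id }

// Read is what a SELECT of an encrypted column returns to this session.
func (s *Session) Read(blob []byte) ([]byte, bool) { return s.ks.Decrypt(s.clientID, blob) }

func main() {
	ks := NewKeyStore([]byte("demo-master-secret"), "user1", "user2")
	blob, err := ks.Encrypt("user2", []byte("alice@example.com")) // constructed sample value
	if err != nil {
		panic(err)
	}
	sess := NewSession(ks, "user1")
	v, ok := sess.Read(blob)
	fmt.Printf("as user1: ok=%v value=%x\n", ok, v)
	sess.SetClientID("user2")
	v, ok = sess.Read(blob)
	fmt.Printf("as user2: ok=%v value=%s\n", ok, v)
}
```

Reading as user1 yields only the ciphertext bytes; after SetClientID("user2") the same blob decrypts. A wrong ClientID never produces plaintext, which is the property Zones provided and a per-owner ClientID now provides.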

kunalsumblyavenue commented 1 year ago

Thanks a lot @Lagovas for your prompt reply