We are using Spring Security ACL infrastructure in conjuction with App Engine Datastore. We do not use low-level Datastore API but rather we use Objectify framework to access Datatstore. We need to transform Spring Security ACL model (suitable for RDBMS) into model more suitable for schema-less object-oriented Datastore. So far we have ended up with two entities described below.

Acl

• id: Long
• domainObject: Key (ancestor/parent)
• entries: List<AclEntry> (embedded)
• owner: String

AclEntry

• sid: String
• principal: boolean
• mask: int
• granting: boolean

Almost every time the ACL is being retrieved by the known domainObject (not by ACL id) and hence we decided to use the domain object as an ancestor for the given ACL so that we can use ancestor query (strong consistent) and get most up-to-date data that is crucial in case of ACL

The thing is that such a model is not sufficient for queries like "What [entities] has the given user (sid) access to?" where [entities] can be any available entity like a project, group, ...

Does anyone have some experience with running Spring Security ACL on NoSQL database especially on App Engine Datastore? Any hint would be appreciated.

You'll probably think my answer is off at first, but your issue is beyond Spring Security : you need to change your approach of data.

If you're using your using a "NO SQL" datastore, it's to allow your app to scale, not to structure your app around your data.

You need to model your entities based on your use cases, not tight fit them in a framework that was built for RDBMS. That's the tradeoff for performance IMHO.

If you're not willing to trade structure for performance, it probably means your application is more suited for Google Cloud SQL :)

I may be wrong though : tell us more about your use case? that's how you will get helpful advice with a "NoSQL" database.