Question
We are currently developing project management software, and we are having trouble deciding on the correct approach to implement security. We have looked at both ACL and RBAC and are already pretty certain that we need at least a combination of both for specific reasons. But there are a couple of problems that do not have a nice solution in either world. Let me explain:
Suppose you have the following entities:
- Users, with different roles, i.e.
  - Project Lead
  - Worker
  - Admin
Now the following rule should be expressed: A User with the Role Worker is only allowed to view Tasks which are related to a project he is assigned to.
This means that a User is only allowed to view some of the Tasks in the whole list.
We would use RBAC to give Roles the permission to actually read Tasks. But the condition is not applied, as there are specific entities involved. ACL could be used, but we fear the nightmare of keeping the ACL entries consistent with the requirements (Users can change, Roles can change, new Tasks can be introduced and would have to get the correct entries, which is just as complex).
Of course there could be specific queries when viewing a specific project (WHERE project_id = 123), but this does not help for a "View of all my current Tasks", where basically every task can be considered for display, but the ACL would have to be checked for every single entry.
And how do I ensure things like "Get the first 25 Tasks the current User is allowed to see" without loading all the tasks from the DB and then filtering based on the ACL, i.e. handling pagination.
Recommended answer
You need to look beyond ACL and RBAC and consider attribute-based access control (ABAC - see NIST's guide here). Gartner calls this space "externalized authorization management".
With ABAC, you can easily express any rules that take into account not just who the user is but also what the user wants to do, where, when, why, and how. Using attributes to define authorization, you can use XACML to implement policies. XACML is an OASIS standard (just like SAML).
With XACML, you get an API where you can ask questions, e.g.: can Alice view this record? But in your case, it's not enough, because you want to filter out records from the database. And, as you describe, you want the query to be right from the start rather than going back and forth to the database until you have the right number of authorized records. This is where XACML becomes particularly interesting, because it's technology-neutral. You can apply XACML to Java, C#, and other languages, e.g. Python, but also apply XACML to different layers (presentation, APIs, and... databases). XACML can be queried in a reverse-query way to produce a SQL statement which you could then use to query your backend database for the relevant records:
- Which records can Alice view?
- Alice can view records in California, which results in SELECT * FROM records WHERE location = 'CA'
HTH
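As an added example (not code from the question or the answer), this applies the answer's "push the policy predicate into the query" idea to the question's Worker rule, so that "the first 25 Tasks the current User is allowed to see" is a single paginated SQL query rather than an ACL check per row. The SQLite schema, the sample rows and the VISIBILITY_PREDICATE mapping are constructed assumptions; they stand in for what a XACML reverse query would produce.

```python
import sqlite3

# Constructed schema and sample data (assumption, not from the question).
SCHEMA = """
CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, role TEXT);
CREATE TABLE projects(id INTEGER PRIMARY KEY, lead_id INTEGER);
CREATE TABLE assignments(user_id INTEGER, project_id INTEGER);
CREATE TABLE tasks(id INTEGER PRIMARY KEY, project_id INTEGER, title TEXT);
INSERT INTO users VALUES (1,'alice','Worker'),(2,'bob','Project Lead'),(3,'carol','Admin');
INSERT INTO projects VALUES (10,2),(20,2),(30,3);
INSERT INTO assignments VALUES (1,10),(1,30);
"""

# One SQL predicate per role: the policy decision expressed as a row filter.
# The predicates are fixed strings chosen by role; only the user id travels
# as a bound parameter, so no user-controlled text reaches the SQL.
VISIBILITY_PREDICATE = {
    "Admin": "1 = 1",
    "Project Lead": "t.project_id IN (SELECT id FROM projects WHERE lead_id = :uid)",
    "Worker": "t.project_id IN (SELECT project_id FROM assignments WHERE user_id = :uid)",
}


def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    # 40 constructed tasks spread round-robin over projects 20, 30, 10
    con.executemany("INSERT INTO tasks VALUES (?,?,?)",
                    [(i, (10, 20, 30)[i % 3], f"task {i}") for i in range(1, 41)])
    return con


def visible_tasks(con, user_id, page=0, page_size=25):
    """Return one page of task ids the user may view; filtering happens in SQL."""
    role = con.execute("SELECT role FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    pred = VISIBILITY_PREDICATE[role]  # unknown role raises KeyError, i.e. deny
    sql = f"SELECT t.id FROM tasks t WHERE {pred} ORDER BY t.id LIMIT :lim OFFSET :off"
    rows = con.execute(sql, {"uid": user_id, "lim": page_size, "off": page * page_size})
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    print(visible_tasks(db, 1))          # alice: first 25 of her 26 visible tasks
    print(visible_tasks(db, 1, page=1))  # alice: the remaining one
```

Because LIMIT and OFFSET are applied after the authorisation predicate, page boundaries are computed over authorised rows only, which is what the ACL-per-row approach cannot give you.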