Keycloak authorization: Adding a Role to a domain object or an entity


Question


I am new to the Keycloak framework and after writing my own solution painfully we are hoping to convert to KeyCloak. It seems to be a promising solution but unfortunately lacking self-describing documentation. I have gone through the tutorials and the terminology, however, I can not seem to mold a suitable model for my authorization use case through Keycloak concepts. I posted my question in the Keycloak mailing list without any response so I decided to reach out here.

Consider the following usage scenario:

  • You provide a SaaS solution for car dealerships.
  • Each Dealership inherits a set of default roles when it is created, e.g. admin, manager, sales, accountant, etc.
  • Authorization can add/remove permissions of the default roles.
  • A Dealership can define its own custom roles.
  • A Dealership has multiple Vendors, and each Vendor has several roles (admin, accountant, vendor).
  • A Dealership has many Departments, and each Department may have its own roles for that Department.
  • Basically, you have different roles in different contexts.


In my built-in model, I have a table that connects a Role to a Principal (an entity) and the ACLs (or permissions) are assigned to the roles. The Principal could be any of "DealershipA", "DealershipB", "Vendor1", "Department0".


Now my question is: What is the best practice to implement this scenario in Keycloak?

  • How do you add/assign a Role to an entity?
  • Would you treat a Dealership, Vendor or Department as a Resource?

Thanks in advance for any help,

Answer


IIUC this scenario could be achieved with different approaches, based on the level of KeyCloak integration you want to do. Let me try to articulate one such way. This could most probably be suboptimal, however you could probably use it as a starting point.


As a start, the Dealership could be considered as a tenant separator, so users in a single Dealership could be gathered to a KeyCloak Realm [1]. A Realm groups users together and it sounds like a Dealership is such a separator (if users are indeed allowed to have access to different Dealerships through the same user profile, then this separation cannot be applied).


On to Roles, in one approach each Dealership, Vendor, Department role (admin, sales, acct etc.) could be a Realm Role [2]. These are Roles available to users in a specific Dealership. However I can't think of a KeyCloak native way to differentiate between Dealership roles vs Vendor roles vs Department roles. These could be differentiated through a naming standard perhaps (ex: vendor-admin)?


In another approach, each entity (Dealership, Vendor, Department) could also be a Group with own attributes and Roles [3]. One advantage could be that the relationship between the entities could be replicated in Group-Subgroup relationship. (Images: sample group hierarchy; attributes of a department group.)


This could give you a start on modeling the entities inside KeyCloak.


In authorization, it looks like you will be able to use the Authorization Services available in KeyCloak [4]. I haven't personally used this feature but if you want to rely on KeyCloak as the PAP, PDP and the PEP [5] this looks like the way to go.


For example, users can be granted or denied access to resources on a specific Vendor or Department, since user information contains the user's group relationship. This seems like something achievable with a Group based Policy [6].


To give a more direct answer to the questions,

  1. User creation process should make sure proper Role and (or) Group associations are made

  2. Resources seem to be the services offered by each entity type (ex: add_vendor(), view_accounts())


Hope this helps to get a design going. Since most details are not clear at this moment, the design will have to be redone based on future requirements, but at least with a model to validate against you will be able to do it better.

[1] -

[2] -

[3] - https://www.keycloak.org/docs/6.0/server_admin/#groups

[4] - https://www.keycloak.org/docs/5.0/authorization_services/

[5] - https://www.keycloak.org/docs/5.0/authorization_services/#_overview_architecture

[6] - https://www.keycloak.org/docs/5.0/authorization_services/#_policy_group
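The model the answer sketches (one Realm per Dealership, context-prefixed Realm Roles, a Group per Vendor/Department with attributes, and a Group-based Policy protecting a service resource) written out as a Keycloak realm-import fragment; this is an added example, not code from the thread. The realm, group, role, user, client and resource names (dealership-a, DealershipA, Vendor1, Department0, vendor-admin, dept-manager, alice, dealer-app, view_accounts) are constructed, and it is assumed that the group policy's `groups` entry may reference the group by `path` rather than by id when imported.

```json
{
  "realm": "dealership-a", "enabled": true,
  "roles": {
    "realm": [
      { "name": "admin", "description": "Default Dealership role, inherited on creation" },
      { "name": "vendor-admin", "description": "Vendor admin; the vendor- prefix is the naming standard for the context" },
      { "name": "dept-manager", "description": "Department manager; the dept- prefix marks the context" }
    ]
  },
  "groups": [
    {
      "name": "DealershipA",
      "attributes": { "entityType": ["dealership"] },
      "subGroups": [
        { "name": "Vendor1", "attributes": { "entityType": ["vendor"], "vendorId": ["1"] },
          "realmRoles": ["vendor-admin"] },
        { "name": "Department0", "attributes": { "entityType": ["department"], "costCenter": ["0"] },
          "realmRoles": ["dept-manager"] }
      ]
    }
  ],
  "users": [
    { "username": "alice", "enabled": true, "groups": ["/DealershipA/Vendor1"] }
  ],
  "clients": [
    {
      "clientId": "dealer-app", "serviceAccountsEnabled": true, "authorizationServicesEnabled": true,
      "authorizationSettings": {
        "resources": [
          { "name": "view_accounts", "displayName": "Service: view the accounts of a Vendor" }
        ],
        "policies": [
          {
            "name": "Members of Vendor1", "type": "group",
            "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
            "config": { "groups": "[{\"path\":\"/DealershipA/Vendor1\",\"extendChildren\":false}]" }
          },
          {
            "name": "view_accounts permission", "type": "resource",
            "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
            "config": { "resources": "[\"view_accounts\"]", "applyPolicies": "[\"Members of Vendor1\"]" }
          }
        ]
      }
    }
  ]
}
```

With this in place, membership of /DealershipA/Vendor1 (which alice gets at user creation, step 1 of the answer) is what grants access to the view_accounts resource, while a user placed only under Department0 is denied by the same policy.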
