NetSqlAzMan VS AzMan的VS(?????) [英] NetSqlAzMan vs AzMan vs (?????)
问题描述
我一直想约的NetSqlAzMan项目原来的(和/或电流)动机字里行间。
是这样写的?
-
对于Windows授权管理器的适配器器(AzMan)。凡在NetSqlAzMan方法只是通过调用(Windows授权管理器(AzMan)),但也许有更好/更清洁的方法?
-
一个替代品(Windows授权管理器(AzMan))。凡(大部分或全部)中可用的功能(Windows授权管理器(AzMan))正在重建中NetSqlAzMan,但code的自主研发。 (也许是为了提供DOTNET的4.0支持???)(也许是为了消除任何COM依赖)
-
要提供比(Windows授权管理器(AzMan)),提供了更多的功能。阿卡,一个聪明/更好的版本(Windows授权管理器(AzMan))。
-
要重写还留着一个半死的活的项目,通过开源。 (如,或许(Windows授权管理器(AzMan)))是Microsoft死或废弃项目)。
-
其他的?
...........
我喜欢NetSqlAzMan的对象模型。但我要捍卫用它来我的项目经理(S)和其他开发人员的任何决定。 对象模型似乎恰到好处(认为金发和产床)至于什么我渴望安全。 我不想做的基于角色的安全。我想正确的(或任务或许可)的安全性。
(请参见: <一href="http://lostechies.com/derickbailey/2011/05/24/dont-do-role-based-authorization-checks-do-activity-based-checks/">http://lostechies.com/derickbailey/2011/05/24/dont-do-role-based-authorization-checks-do-activity-based-checks/ 和 <一href="http://granada$c$cr.word$p$pss.com/2010/12/01/rant-hard-$c$cd-security-roles/">http://granada$c$cr.word$p$pss.com/2010/12/01/rant-hard-$c$cd-security-roles/ )
和基本上是想出的问题是:什么是使用的好处NetSqlAzMan,而不是(Windows授权管理器(AzMan))
和子的问题是是的Windows授权管理器(AzMan)死了吗?。 (和沿万岁NetSqlAzMan线的东西!)。
............
我在-总体要求是:
非活动目录用户。 (下山的路Active Directory和/或LDAP的支持将是很好的,但不是必须的)。
密码没有存储为纯文本。
能够处理的权利的安全检查。
集团下的任何角色的权限。
向用户分配角色。 (但同样,code将执行行动时,检查的权利,而不是角色。)
允许(有时)的权利要分配给用户。使用拒绝覆盖。 (阿卡,谁做的愚蠢的事(如删除员工单个用户)可以撤销的权利。)
角色和权限可维持多个应用程序。
所以其他的想法是值得欢迎的。但是,<一个href="http://blogs.msdn.com/b/card/archive/2009/10/20/how-geneva-helps-with-access-control-and-what-is-its-relationship-to-azman.aspx">Windows身份验证基础似乎有点矫枉过正。
感谢。
我终于找到了比较的文章最后一晚。
<一个href="http://www.c-sharpcorner.com/uploadfile/a.ferendeles/netsqlazman12122006123316pm/netsqlazman.aspx">http://www.c-sharpcorner.com/uploadfile/a.ferendeles/netsqlazman12122006123316pm/netsqlazman.aspx
我要的相关部分粘贴在这里(下图)。 (以防万一,该网站不再在未来存在。小的机会,我知道,但我不喜欢的答案就在这里的链接,当你点击链接,它是一个死一个。)
这是我可以告诉。
NetSqlAzMan提供了(表)的用户定义函数,可以重载向用户提供的列表(要分配给角色/任务)。 NetSqlAzMan不仅提供了是的,你可以在映射(格兰特),而且还拒绝和格兰特与 - 代表为好。 NetSqlAzMan和阿兹曼允许用户(组),以角色映射。只有NetSqlAzMan允许用户任务的映射。
在看几样...... NetSqlAzMan的对象模型是非常干净的。
=============================================== ========
女士授权管理器(AzMan)VS。NET SQL授权经理 (NetSqlAzMan)
正如前面所指出的,一个类似微软的产品已经存在 而被称为授权管理器(AzMan); AzMan的是present,由 默认情况下,在Windows Server 2003,并通过管理员包安装程序,在 Windows XP中。
AzMan的和NetSqlAzMan之间的重要区别在于 第一种是基于角色的,即,基于所属于 - 角色概念 并在每个角色的操作的容器中,而第二个是 项目基(或者,如果preFER基于操作的),即用户或用户 可以或可以不属于角色或执行群组或群组 这样的任务和/或业务(项目)。
下面的最重要的特点,以及两者之间的差异 产品:
AzMan的女士:
*这是COM。 *它配备由MMC 2.0(COM)控制台。 *它的存储可以是XML文件或ADAM(Active Directory应用程序模式 - 电子非LDAP)。 *这是基于角色。 *它支持静态/动态应用性团体,会员/非会员。 *基于角色的结构 - &GT;任务 - &GT;运营。 (分层角色和任务,没有操作)。 *授权只能添加到角色。 *它没有实现委托的概念。 *它不的时候管理授权。 *它不会触发事件。 *唯一类型的授权是允许。 (为拒绝,它需要从他的角色中删除用户/组)。 *它支持脚本/商业规则。 *它支持Active Directory用户/组和ADAM用户。
NetSqlAzMan:
*这是.NET 2.0。 *它配备由MMC 3.0(.NET)控制台。 *它的存储是一个SQL Server数据库(2000 / MSDE / 2005 / EX preSS)。 *它基于TDO - 类型化数据对象技术。 *它是基于项目的。 *基于角色的结构 - &GT;任务 - &GT;运营。 (所有层次的)。 *授权可以被添加到角色,任务和操作。 *它支持静态/动态应用性团体,会员/非会员。 *直接从控制台LDAP查询测试。 *这是随时间变化的。 *它的委托兼容。 *它触发事件(ENS)。 *它支持4授权类型: o允许与授权(授权和授权委托)。 o允许(授权)。 Ø拒绝(未授权)。 Ø中性(中性的权限,这取决于更高级别产品的权限)。 *分层授权。 *它支持脚本/商务规则(在.NET编译 - C# - VB - 而不是跨preTED) *它支持SQL Server数据库中定义的Active Directory用户/组和定制用户。
下面是另外一个疑难杂症。
阿兹曼样品code: <一href="http://channel9.msdn.com/forums/sandbox/252978-AzMan-in-the-Enterprise-Sample-$c$c">http://channel9.msdn.com/forums/sandbox/252978-AzMan-in-the-Enterprise-Sample-$c$c http://channel9.msdn.com/forums/sandbox/252973-Programming-AzMan-Sample-$c$c
使用系统;
使用System.Security.Principal;
使用了System.Runtime.InteropServices;
使用AZROLESLib;
命名空间TREYRESEARCH {
公共类AzManHelper:IDisposable的{
AzAuthorizationStore店;
IAzApplication应用;
字符串的appName;
公共AzManHelper(字符串的connectionString,字符串的appName){
this.appName =的appName;
尝试 {
//加载和初始化AzMan的运行时间
店内=新AzAuthorizationStore();
store.Initialize(0,的connectionString,NULL);
//深入到我们的应用程序
应用= store.OpenApplication(的appName,NULL);
}
赶上(收到COMException X){
抛出新AzManException(无法initizlize AzManHelper,X);
}
赶上(System.IO.FileNotFoundException X){
抛出新AzManException(的String.Format( - ,的connectionString),X无法加载AzMan的政策从{0}确保您的连接字符串是正确的。);
}
}
公共无效的Dispose(){
如果(空==应用程序)的回报;
对Marshal.ReleaseComObject(应用程序);
对Marshal.ReleaseComObject(店);
应用= NULL;
店内= NULL;
}
公共BOOL的AccessCheck(字符串审核,业务操作,
的WindowsIdentity CLIENTIDENTITY){
尝试 {
//第一步是建立一个AzMan的上下文客户端
//此着眼于安全标识符(SID)在用户的
//访问令牌,并将它们映射到AzMan的角色,任务和操作
IAzClientContext CTX = app.InitializeClientContextFromToken(
(ULONG)clientIdentity.Token.ToInt64(),NULL);
//下一步就是看是否该用户被授权
//请求的操作。需要注意的是AccessCheck的允许
//你要检查多个操作一次,如果你的愿望
[对象]范围= {};
[对象]操作= {(INT)OP};
[对象]结果=(对象[])ctx.AccessCheck(审计,范围,操作,
NULL,NULL,NULL,NULL,NULL);
INT结果=(int)的结果[0];
返回0 ==结果;
}
赶上(收到COMException X){
抛出新AzManException(AccessCheck的失败,X);
}
}
公共BOOL AccessCheckWithArg(字符串审核,业务操作,
的WindowsIdentity CLIENTIDENTITY,
串argName,反对argValue){
尝试 {
//第一步是建立一个AzMan的上下文客户端
//此着眼于安全标识符(SID)在用户的
//访问令牌,并将它们映射到AzMan的角色,任务和操作
IAzClientContext CTX = app.InitializeClientContextFromToken(
(ULONG)clientIdentity.Token.ToInt64(),NULL);
//下一步就是看是否该用户被授权
//请求的操作。需要注意的是AccessCheck的允许
//你要检查多个操作一次,如果你的愿望
[对象]范围= {};
[对象]操作= {(INT)OP};
[对象] argNames = {argName};
[对象] argValues = {argValue};
[对象]结果=(对象[])ctx.AccessCheck(审计,范围,操作,
argNames,argValues,
NULL,NULL,NULL);
INT结果=(int)的结果[0];
返回0 ==结果;
}
赶上(收到COMException X){
抛出新AzManException(AccessCheckWithArg失败,X);
}
}
//使用这个更新运行的应用程序
你改变AzMan的政策//后
公共无效UpdateCache(){
尝试 {
store.UpdateCache(空);
对Marshal.ReleaseComObject(应用程序);
应用= store.OpenApplication(的appName,NULL);
}
赶上(收到COMException X){
抛出新AzManException(UpdateCache失败,X);
}
}
}
公共类AzManException:异常{
公共AzManException(字符串消息,异常的InnerException)
:基地(消息的InnerException)
{}
}
}
这是阿兹曼帮手code。这是丑陋的COM / Interopish的东西。 :其中;
现在检查NetSqlAzMan code样品:</ P>
<一个href="http://netsqlazman.$c$cplex.com/wikipage?title=Samples">http://netsqlazman.$c$cplex.com/wikipage?title=Samples
///&LT;总结&gt;
///通过创建.NET code一个完整的存储
///&LT; /总结&gt;
私人无效CreateFullStorage()
{
//用户必须是SQL数据库角色的成员:NetSqlAzMan_Administrators
//的Sql存储连接字符串
字符串sqlConnectionString =数据源=(本地);初始目录= NetSqlAzManStorage;用户ID = netsqlazmanuser;密码=密码;
//创建SqlAzManStorage类的一个实例
IAzManStorage存储=新SqlAzManStorage(sqlConnectionString);
//开放式存储连接
storage.OpenConnection();
//开始一个新的事务
storage.BeginTransaction(AzManIsolationLevel.ReadUncommitted);
//创建一个新的商店
IAzManStore newStore = storage.CreateStore(我的店,店铺介绍);
//创建一个新的基本StoreGroup
IAzManStoreGroup newStoreGroup = newStore.CreateStoreGroup(SqlAzManSID.NewSqlAzManSid(),我的存储组,存储组说明的String.Empty,GroupType.Basic);
//获得当前用户的SID
IAzManSid糠=新SqlAzManSID(WindowsIdentity.GetCurrent()用户。);
//添加自己为我的店集团的SID
IAzManStoreGroupMember storeGroupMember = newStoreGroup.CreateStoreGroupMember(糠,WhereDefined.Local,真正的);
//创建一个新的应用程序
IAzManApplication NEWAPP = newStore.CreateApplication(新应用,应用说明);
//创建一个新角色
IAzManItem newRole = newApp.CreateItem(新角色,角色介绍,ItemType.Role);
//创建一个新的任务
IAzManItem newTask = newApp.CreateItem(新任务,任务描述,ItemType.Task);
//创建一个新的操作
IAzManItem newOp = newApp.CreateItem(新工作,操作说明,ItemType.Operation);
//添加新经营为新任务一个SID
newTask.AddMember(newOp);
//添加新任务为新角色一个SID
newRole.AddMember(newTask);
//的新角色为自己创建一个授权
IAzManAuthorization AUTH = newRole.CreateAuthorization(糠,WhereDefined.Local,糠,WhereDefined.Local,AuthorizationType.AllowWithDelegation,NULL,NULL);
//创建一个自定义属性
IAzManAttribute&LT; IAzManAuthorization&GT; ATTR = auth.CreateAttribute(新钥匙,新价值);
//创建的新角色的授权数据库用户安德烈
IAzManAuthorization auth2 = newRole.CreateAuthorization(糠,WhereDefined.Local,storage.GetDBUser(安德烈)CustomSid,WhereDefined.Local,AuthorizationType.AllowWithDelegation,NULL,NULL);
//提交事务
storage.CommitTransaction();
//关闭连接
storage.CloseConnection();
}
这是讲述一个故事的本身。
I've been trying to "read between the lines" about the original (and/or current) motivation for the NetSqlAzMan project.
Was this written for?
An adapter for Windows Authorization Manager (AzMan). Where the methods in the NetSqlAzMan just passes calls to (Windows Authorization Manager (AzMan)), but perhaps with nicer/cleaner methods?
A replacement for (Windows Authorization Manager (AzMan)). Where (most or all of) the features available in (Windows Authorization Manager (AzMan)) are recreated in NetSqlAzMan, but the code was developed independently. (Perhaps to provide DotNet 4.0 support???) (Perhaps to remove any COM dependencies)
To provide more features than (Windows Authorization Manager (AzMan)) provided. Aka, a "smarter"/"better" version of (Windows Authorization Manager (AzMan)).
To rewrite but also keep a semi-dead project alive through open-source. (As in, perhaps (Windows Authorization Manager (AzMan))) is a dead or abandoned project by Microsoft).
Other?
................
I like the object model of NetSqlAzMan. But I need to defend any decision to use it to my project manager(s) and other developers. The object model seems "just right" (think goldilocks and the middle bed) as far as what I desire for security. I do NOT want to do role based security. I want right(or task or permission) based security.
(See: http://lostechies.com/derickbailey/2011/05/24/dont-do-role-based-authorization-checks-do-activity-based-checks/ and http://granadacoder.wordpress.com/2010/12/01/rant-hard-coded-security-roles/ )
And basically the question that came up is: "What is the advantage of using NetSqlAzMan instead of (Windows Authorization Manager (AzMan))?"
And the sub question is "Is Windows Authorization Manager (AzMan) dead?". (And something along the lines of Long Live NetSqlAzMan!).
..................
My in-general requirements are:
Non Active-Directory users. (Down the road Active Directory and/or LDAP support would be nice, but not a requirement).
Passwords not stored as plain text.
Be able to handle RIGHTS for security checks.
Group the rights under any role.
Assign roles to users. (But again, the code will check for the right, not the role when performing an action.)
Allow (on occasion) rights to be assigned to users. With a Deny override. (Aka, a single user who does on stupid thing (like "Delete Employee") can have that right revoked.)
Roles and Rights can be maintained for multiple applications.
So other ideas are welcome. But Windows Identity Foundation seems like a little overkill.
Thanks.
I finally found a "compare" article last night.
http://www.c-sharpcorner.com/uploadfile/a.ferendeles/netsqlazman12122006123316pm/netsqlazman.aspx
I am going to paste the relevant portion here (below). (Just in case that website ceases to exist in the future. Small chance, I know, but I hate "The answer is here" links, and when you hit the link, it is a dead one.)
From what I can tell.
NetSqlAzMan provides a (table) user-defined-function that you can overload to provide a list of users (to be assigned to roles/tasks). NetSqlAzMan provides not only "Yeah you can" mappings (Grant), but also Deny and Grant-With-Delegate as well. NetSqlAzMan and Azman allows users(groups) to role mappings. Only NetSqlAzMan allows users to Task mappings.
After looking at a few samples ... the object model of NetSqlAzMan is very clean.
=======================================================
Ms Authorization Manager (AzMan) vs .NET Sql Authorization Manager (NetSqlAzMan)
As pointed out before, an analogous Microsoft product already exists and is called Authorization Manager (AzMan); AzMan is present, by default, in Windows Server 2003 and, through the Admin Pack setup, in Windows XP.
The important difference between AzMan and NetSqlAzMan is that the first is Role-based, that is, based on the belonging - Role concept and the operations container in each role, while the second is Item-based (or if you prefer Operation-based), that is users or users group or group of groups that can or cannot belong to Roles or execute such Task and/or Operations (Items).
Here the most important features and differences between the two products:
Ms AzMan:
* It's COM. * It's equipped by a MMC 2.0 (COM) console. * Its storage can be an XML file or ADAM (Active Directory Application Mode - e un LDAP). * It's role-based. * It supports static/dynamic applicative groups, members/not-members. * Structure based on Roles -> Tasks -> Operations. (Hierarchical Roles and Tasks , none Operations). * Authorizations can be added only to Roles. * It doesn't implement the "delegate" concept. * It doesn't manage authorizations "in the time". * It doesn't trigger events. * The only type of authorization is "Allow". (to "deny" it needs to remove the user/group from his Role). * It supports Scripting / Biz rules. * It supports Active Directory users/groups and ADAM users.NetSqlAzMan:
* It's .NET 2.0. * It's equipped by a MMC 3.0 (.NET) console. * Its storage is a Sql Server database(2000/MSDE/2005/Express). * It's based on Tdo - Typed Data Object technology. * It's Item-based. * Structure based on Roles -> Tasks -> Operations. (all hierarchical ones). * Authorizations can be added to Roles, Task and Operations. * It supports static/dynamic applicative groups, members/not-members. * LDAP query testing directly from console. * It's time-dependant. * It's delegate-compliant. * It triggers events (ENS). * It supports 4 authorization types: o Allow with delegation (authorized and authorized to delegate). o Allow (authorized). o Deny (not authorized). o Neutral (neutral permission, it depends on higher level Item permission). * Hierarchical authorizations. * It supports Scripting / Biz rules (compiled in .NET - C# - VB - and not interpreted) * It supports Active Directory users/groups and custom users defined in SQL Server Database.
Here's another gotcha.
Azman sample code: http://channel9.msdn.com/forums/sandbox/252978-AzMan-in-the-Enterprise-Sample-Code http://channel9.msdn.com/forums/sandbox/252973-Programming-AzMan-Sample-Code
using System;
using System.Security.Principal;
using System.Runtime.InteropServices;
using AZROLESLib;
namespace TreyResearch {
public class AzManHelper : IDisposable {
AzAuthorizationStore store;
IAzApplication app;
string appName;
public AzManHelper(string connectionString, string appName) {
this.appName = appName;
try {
// load and initialize the AzMan runtime
store = new AzAuthorizationStore();
store.Initialize(0, connectionString, null);
// drill down to our application
app = store.OpenApplication(appName, null);
}
catch (COMException x) {
throw new AzManException("Failed to initizlize AzManHelper", x);
}
catch (System.IO.FileNotFoundException x) {
throw new AzManException(string.Format("Failed to load AzMan policy from {0} - make sure your connection string is correct.", connectionString), x);
}
}
public void Dispose() {
if (null == app) return;
Marshal.ReleaseComObject(app);
Marshal.ReleaseComObject(store);
app = null;
store = null;
}
public bool AccessCheck(string audit, Operations op,
WindowsIdentity clientIdentity) {
try {
// first step is to create an AzMan context for the client
// this looks at the security identifiers (SIDs) in the user's
// access token and maps them onto AzMan roles, tasks, and operations
IAzClientContext ctx = app.InitializeClientContextFromToken(
(ulong)clientIdentity.Token.ToInt64(), null);
// next step is to see if this user is authorized for
// the requested operation. Note that AccessCheck allows
// you to check multiple operations at once if you desire
object[] scopes = { "" };
object[] operations = { (int)op };
object[] results = (object[])ctx.AccessCheck(audit, scopes, operations,
null, null, null, null, null);
int result = (int)results[0];
return 0 == result;
}
catch (COMException x) {
throw new AzManException("AccessCheck failed", x);
}
}
public bool AccessCheckWithArg(string audit, Operations op,
WindowsIdentity clientIdentity,
string argName, object argValue) {
try {
// first step is to create an AzMan context for the client
// this looks at the security identifiers (SIDs) in the user's
// access token and maps them onto AzMan roles, tasks, and operations
IAzClientContext ctx = app.InitializeClientContextFromToken(
(ulong)clientIdentity.Token.ToInt64(), null);
// next step is to see if this user is authorized for
// the requested operation. Note that AccessCheck allows
// you to check multiple operations at once if you desire
object[] scopes = { "" };
object[] operations = { (int)op };
object[] argNames = { argName };
object[] argValues = { argValue };
object[] results = (object[])ctx.AccessCheck(audit, scopes, operations,
argNames, argValues,
null, null, null);
int result = (int)results[0];
return 0 == result;
}
catch (COMException x) {
throw new AzManException("AccessCheckWithArg failed", x);
}
}
// use this to update a running app
// after you change the AzMan policy
public void UpdateCache() {
try {
store.UpdateCache(null);
Marshal.ReleaseComObject(app);
app = store.OpenApplication(appName, null);
}
catch (COMException x) {
throw new AzManException("UpdateCache failed", x);
}
}
}
public class AzManException : Exception {
public AzManException(string message, Exception innerException)
: base(message, innerException)
{}
}
}
That is Azman helper code. That is ugly COM/Interopish stuff. :<
Now check the NetSqlAzMan code samples:
http://netsqlazman.codeplex.com/wikipage?title=Samples
/// <summary>
/// Create a Full Storage through .NET code
/// </summary>
private void CreateFullStorage()
{
// USER MUST BE A MEMBER OF SQL DATABASE ROLE: NetSqlAzMan_Administrators
//Sql Storage connection string
string sqlConnectionString = "data source=(local);initial catalog=NetSqlAzManStorage;user id=netsqlazmanuser;password=password";
//Create an instance of SqlAzManStorage class
IAzManStorage storage = new SqlAzManStorage(sqlConnectionString);
//Open Storage Connection
storage.OpenConnection();
//Begin a new Transaction
storage.BeginTransaction(AzManIsolationLevel.ReadUncommitted);
//Create a new Store
IAzManStore newStore = storage.CreateStore("My Store", "Store description");
//Create a new Basic StoreGroup
IAzManStoreGroup newStoreGroup = newStore.CreateStoreGroup(SqlAzManSID.NewSqlAzManSid(), "My Store Group", "Store Group Description", String.Empty, GroupType.Basic);
//Retrieve current user SID
IAzManSid mySid = new SqlAzManSID(WindowsIdentity.GetCurrent().User);
//Add myself as sid of "My Store Group"
IAzManStoreGroupMember storeGroupMember = newStoreGroup.CreateStoreGroupMember(mySid, WhereDefined.Local, true);
//Create a new Application
IAzManApplication newApp = newStore.CreateApplication("New Application", "Application description");
//Create a new Role
IAzManItem newRole = newApp.CreateItem("New Role", "Role description", ItemType.Role);
//Create a new Task
IAzManItem newTask = newApp.CreateItem("New Task", "Task description", ItemType.Task);
//Create a new Operation
IAzManItem newOp = newApp.CreateItem("New Operation", "Operation description", ItemType.Operation);
//Add "New Operation" as a sid of "New Task"
newTask.AddMember(newOp);
//Add "New Task" as a sid of "New Role"
newRole.AddMember(newTask);
//Create an authorization for myself on "New Role"
IAzManAuthorization auth = newRole.CreateAuthorization(mySid, WhereDefined.Local, mySid, WhereDefined.Local, AuthorizationType.AllowWithDelegation, null, null);
//Create a custom attribute
IAzManAttribute<IAzManAuthorization> attr = auth.CreateAttribute("New Key", "New Value");
//Create an authorization for DB User "Andrea" on "New Role"
IAzManAuthorization auth2 = newRole.CreateAuthorization(mySid, WhereDefined.Local, storage.GetDBUser("Andrea").CustomSid, WhereDefined.Local, AuthorizationType.AllowWithDelegation, null, null);
//Commit transaction
storage.CommitTransaction();
//Close connection
storage.CloseConnection();
}
That tells a story in and of itself.
这篇关于NetSqlAzMan VS AzMan的VS(?????)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
