主体，用户和主体之间的含义和区别是什么? [英] What is the meaning and difference between subject, user and principal?

问题描述

在安全框架的上下文中，一些术语经常出现主体、用户和主体，其中我无法找到一个明确的定义以及它们之间的区别.

In the context of security frameworks, a few terms commonly occur subject, user and principal, of which I have not been able to find a clear definition and the difference between them.

那么，这些术语究竟是什么意思，为什么需要区分主体和主体?

So, what exactly do these terms mean, and why are these distinctions of subject and principal needed?

推荐答案

这些是分层的，即属、种和个体是分层的.

These are hierarchical in the way that genus, species and individual are hierarchical.

• 主题 - 在安全上下文中，主题是任何请求访问对象的实体.这些是用于表示请求访问的事物和请求所针对的事物的通用术语.当您登录应用程序时，您是主体，应用程序是客体.当有人敲门时，访客是请求访问的主体，而您的家是请求访问的对象.
• Principal - subject 的子集，由帐户、角色或其他唯一标识符表示.当我们进入实现细节级别时，主体是我们在访问控制列表中使用的唯一键.它们可能代表人类用户、自动化、应用程序、连接等.
• User - principal 的子集，通常指的是人工操作员.随着时间的推移，这种区别越来越模糊，因为用户"或用户 ID"这两个词通常与帐户"互换.但是，当您需要区分委托人一类广泛的事物和以非确定性方式驱动交易的交互式操作符的子集时，用户"是正确的词.

• Subject - In a security context, a subject is any entity that requests access to an object. These are generic terms used to denote the thing requesting access and the thing the request is made against. When you log onto an application you are the subject and the application is the object. When someone knocks on your door the visitor is the subject requesting access and your home is the object access is requested of.
• Principal - A subset of subject that is represented by an account, role or other unique identifier. When we get to the level of implementation details, principals are the unique keys we use in access control lists. They may represent human users, automation, applications, connections, etc.
• User - A subset of principal usually referring to a human operator. The distinction is blurring over time because the words "user" or "user ID" are commonly interchanged with "account". However, when you need to make the distinction between the broad class of things that are principals and the subset of these that are interactive operators driving transactions in a non-deterministic fashion, "user" is the right word.

主题/对象继承自语法中使用的相同术语.在一个句子中，主语是演员，宾语是被作用的事物.从这个意义上说，自计算机发明之前就已经使用了.在安全上下文中，主体是可以发出请求的任何东西.如上所述，这不必限于 IT 安全，因此是一个非常广泛的分类.有趣的是，主体隐含着客体.没有客体就没有主体.

Subject/Object inherits from the same terms as used in grammar. In a sentence the subject is the actor and the object is the thing acted on. In this sense the use has been around since before computers were invented. In a security context, a subject is anything that can make a request. As noted above, this need not be limited to IT security and so is a very broad classification. The interesting thing is that subject implies object. Without an object, there is no subject.

主体是主体决心要解决的问题.当您出示信用卡时，您就是主体，帐号是主体.在其他情况下，您的用户 ID 或国家颁发的身份证明是您的委托人.但是校长可以与许多类型的主题相关联，而不是人.当应用程序请求系统级功能时，委托人可能是签名可执行代码模块的签名者，但即使在这种情况下，驱动请求的用户仍然是主体.

Principals are what subjects resolve to. When you present your credit card you are the subject and the account number is the principal. In other contexts your user ID or state-issued identification is your principal. But principals can be associated with many types of subject that are not people. When applications make requests for system-level functions the principal may the signer of a signed executable code module but even in that case the user driving the request is still the subject.

用户比主题或主体更具体，因为它通常指的是交互式操作符.这就是为什么我们有图形用户界面而不是图形主体界面的原因.用户是解析为 principal 的 subject 实例.单个用户可以解析为任意数量的主体，但预期任何主体都可以解析为单个用户(假设人们遵守不共享 ID 的要求).在上面的例子中，可执行代码模块的签名者绝对不是用户，但它是一个有效的委托人.试图加载模块的交互式操作员是用户.

User is more specific than subject or principal in that it usually refers to an interactive operator. That is why we have a graphical User Interface and not a Graphical Principal Interface. A user is an instance of subject that resolves to a principal. A single user may resolve to any number of principals but any principal is expected to resolve to a single user (assuming people observe the requirement not to share IDs). In the example above, the signer of an executable code module is definitely not the user, but it is a valid principal. The interactive operator trying to get the module loaded is the user.

正如评论中所指出的，即使是权威来源也不同意这些条款.在准备此回复时，我搜索了 NIST、SANS、IEEE、MITRE 和几个准权威"来源，例如安全考试指南.我发现没有一个至少是准权威的单一来源涵盖了所有三个术语，并且它们的用法都存在显着差异.这是我对如何使用这些术语的看法应该，但从实际的角度来看，当你在半夜仔细阅读手册时，定义往往是供应商或作者所说的是.希望这里的回复能够提供足够的洞察力，以使用这些术语在水域中导航并解析任何安全文档.

As noted in the comments, even the authoritative sources do not agree on these terms. I searched NIST, SANS, IEEE, MITRE and several "quasi-authoritative" sources such as security exam guides while preparing this response. No single source that I found which was at least quasi-authoritative covered all three terms and all differed significantly in their usage. This is my take on how the terms should be used but from a practical standpoint, when you are poring over a manual in the middle of the night, the definitions tend to be whatever the vendor or writer say they are. Hopefully though responses here will provide enough insight to navigate the waters and parse any security document using these terms.

这篇关于主体，用户和主体之间的含义和区别是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！