Resource Based Access Control vs Role Based Access Control


Question

I am learning Apache Shiro, and I found this article:

The New RBAC: Resource-Based Access Control

The author says:

.......you could assign behaviors (permissions) directly to a Role if you want. In this sense, you would still have a Role-Based Access Control security policy - it is just you would have an explicit RBAC policy instead of the traditional implicit strategy.

But that begs the question - why stop at roles? You can assign behaviors directly to users, or to groups, or to anything else your security policy might allow.

It seems that the author prefers to store the relationship of User and Permission directly instead of through a Role.

Though it seems this is simple and straightforward, I have some questions:

  1. Are there any essential differences between the two of them?

  2. Database schema.

In a Role Based Access Control, normally we use three tables to describe the relationship:

user
role
user_role

Now if I use the Resource Based Access Control, what is the normal practice for building the tables?
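As an added example (not part of the question or the linked article) of what the quoted passage calls an explicit RBAC policy: the three tables from the question, plus a role_permission table and a user_permission table for behaviors granted straight to a user, checked with a simplified version of Shiro's wildcard permission rule. The table layout, sample users and permission strings are constructed for this illustration.

```python
import sqlite3
# Constructed schema (not from the page): the three RBAC tables from the question plus
# explicit permission grants, per role and directly per user. Permission strings follow
# Shiro's "domain:action:instance" convention; everything else here is an assumption.
SCHEMA = """
CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE role (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE user_role (user_id INTEGER, role_id INTEGER, PRIMARY KEY (user_id, role_id));
CREATE TABLE role_permission (role_id INTEGER, permission TEXT, PRIMARY KEY (role_id, permission));
CREATE TABLE user_permission (user_id INTEGER, permission TEXT, PRIMARY KEY (user_id, permission));
INSERT INTO user VALUES (1, 'alice'), (2, 'bob');
INSERT INTO role VALUES (10, 'editor'), (11, 'viewer');
INSERT INTO user_role VALUES (1, 10), (2, 11);
INSERT INTO role_permission VALUES (10, 'document:read,edit'), (11, 'document:read');
-- the "why stop at roles?" case: one permission granted straight to a user
INSERT INTO user_permission VALUES (2, 'document:delete:42');
"""

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def implies(granted: str, requested: str) -> bool:
    """Simplified Shiro WildcardPermission rule: ':' separates parts, ',' lists
    alternatives inside a part, '*' matches any value, and a shorter grant implies
    any longer request ('document:read' implies 'document:read:42')."""
    g = [set(p.split(",")) for p in granted.split(":")]
    r = [set(p.split(",")) for p in requested.split(":")]
    for i, rpart in enumerate(r):
        if i >= len(g):
            return True
        if "*" not in g[i] and not rpart <= g[i]:
            return False
    # the grant is more specific than the request: extra parts must all be wildcards
    return all("*" in gpart for gpart in g[len(r):])

def granted_permissions(conn: sqlite3.Connection, name: str) -> set:
    """Every permission string reaching the user, via roles or directly."""
    rows = conn.execute(
        "SELECT rp.permission FROM user u "
        "JOIN user_role ur ON ur.user_id = u.id "
        "JOIN role_permission rp ON rp.role_id = ur.role_id WHERE u.name = ? "
        "UNION SELECT up.permission FROM user u "
        "JOIN user_permission up ON up.user_id = u.id WHERE u.name = ?", (name, name))
    return {row[0] for row in rows}

def is_permitted(conn: sqlite3.Connection, name: str, requested: str) -> bool:
    # the single check application code makes, whichever path the grant came through
    return any(implies(p, requested) for p in granted_permissions(conn, name))
```

Application code only ever calls is_permitted with the resource-level string it needs; whether that string arrived through a role or a direct grant is a storage detail, which is the point the quoted article makes.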

Answer

This is the first time I hear of resource-based access control.

I would be extremely careful in going down this path. In the world of authorization there are essentially 2 standards:

  • Role-based access control (RBAC) as standardized by NIST and implemented in thousands of apps and frameworks with support from the main vendors (CA, Oracle, IBM...)
  • Attribute-based access control (ABAC) as being standardized by NIST (also here) and equally well implemented by vendors such as IBM, Oracle, and Axiomatics, which is where I work.

Resource-based access control seems to be a model invented by Stormpath and supported by them only. It may be good but it will only work with their environment.

Role-based and Attribute-based access control are well accepted paradigms supported by NIST and other standardization bodies such as OASIS (where SAML and XACML were defined 10 years ago and are still supported today).

The question to you is: why is role-based access control not enough for you? Do you have a role explosion issue? Is it not expressive enough? Do you need to implement relationships between users, resources, and context?

ABAC and XACML can let you do that. I posted a simple video a while back on YouTube that deals with attribute-based access control. Have a look.

The bottom line is that RBAC and ABAC are standards that work across multiple applications and layers. Resource-based access control is specific to Apache Shiro only.
