Django Permissions for Different Clients

Question

I'm working on a Django project which will take on firms as clients and each client will be allowed to create multiple users. These users can then be assigned different permissions or roles.

The catch is that the types of permissions vary with clients, i.e. they're not as simple as read, write, delete. Hence one client can have only 5-10 types of permissions while another can have 100s.

The inbuilt Django permissions framework does not directly support my use case, so this is what I came up with:

  1. Create a main django app which houses the user model
  2. For every new client, create a new django app with only models.py
  3. The models.py has only one model (for the time being) that in itself houses the permissions specific to that client as explained here.
  4. Now I can assign each user permissions depending on which client the user is a part of.

While I haven't tested it, this should work. The solution looks scalable but there are a lot of inconsistencies and it doesn't seem like the right way to do it. Is there a workaround?

Update: django-guardian looks like it could help, not sure how.

Update: I think I'll explain the entire architecture because the current solution does not work directly for it.

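  1. There are some time-series data streams into which data is inserted periodically. Each client can have 100 to 1000+ such streams. However, these streams are not saved in the web server's database but in a different database for each client.
  2. Now, a user can be privileged to view all, one, or some of the above streams. The client lets us know what type of users they want to create, and we create one accordingly.
  3. For authentication purposes, it is best to have all users in one table. For authorization, however, it makes sense to have each client's users in a separate table. I think it is better to keep the clients isolated.
  4. Slightly off-topic, but we are considering giving each client a separate sub-domain, e.g. client1.mysite.com, client2.mysite.com, etc., so that we are free to deploy a different web server for each client and thus customize it per client. This also helps in storing each client's user data differently.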

Recommended answer

I really don't like your solution - it is similar to old database designs where schema changes were expected by design!!! Please, whatever the cost, DON'T do it. Forgetting about Django, 40 years of database design has taught us that the schema of the database should never change (unless of course the requirements change or your design was not correct). I could provide an answer similar to this: RegEx match open tags except XHTML self-contained tags to emphasize how important it is to not change your database schema.

So, you will have a Django app which houses the user model as you say and a CustomPermission model which will give an interface to the administrator so that he will add permissions for each client (the administrator will add the permissions for the client, not the developer). Each CustomPermission will just have a name and a ForeignKey to the client it applies to.

Now you can create a UserCustomPermission model which will have a ForeignKey to the User and another ForeignKey to the CustomPermission (actually there is a many-to-many relation between User and CustomPermission).

Now, what you need to implement is how the permissions you assign will be assigned to actual allowed and forbidden actions. You don't say anything about this in your question. Just to give you a direction, I really like (and use all the time) the django-rules-light application (https://github.com/yourlabs/django-rules-light) which can be used to define your business rules.

Probably my answer doesn't actually solve your problem, or maybe I didn't understand something, but I believe that you will get a starting point -- also feel free to update your question and I'll update my answer accordingly.

Answer update

As you can understand, I don't like 1 and 3: For every new client you will need to create a new database? Why not put all your client streams in the same table and use a foreign key to the client they belong to?

(here be dragons)

I thought of a nice solution - I wouldn't do it, but if you want so much to put your users and their permissions in different databases then you can use the separate sub-domain to your advantage: Use database routing (https://docs.djangoproject.com/en/1.3/topics/db/multi-db/#database-routers) to select each client's database depending on the sub-domain. So, you will define all your clients' databases in your settings.py:


DATABASES = {
    'default': {
        'NAME': 'app_data',
        'ENGINE': 'django.db.backends.postgresql_psycopg2',
        'USER': 'postgres_user',
        'PASSWORD': 's3krit'
    },
    # Each alias matches a client's sub-domain label and points at that
    # client's own database and database user.
    'client1': {
        'NAME': 'client1',
        'ENGINE': 'django.db.backends.mysql',
        'USER': 'client1',
        'PASSWORD': 'priv4te'
    },
    'client2': {
        'NAME': 'client2',
        'ENGINE': 'django.db.backends.mysql',
        'USER': 'client2',
        'PASSWORD': 'priv4te'
    }
}

And then you will create a SubDomainDatabaseRouter class that will use the correct database depending on your sub-domain. Because the request settings are not available in that class you have to put them there by using middleware and thread locals. Take a look at the following snippet

https://djangosnippets.org/snippets/2037/

So in your RouterMiddleware you will check to see the subdomain and depending on that you will set a client_cfg option with the name of the client. Your SubDomainDatabaseRouter will use the correct database depending on the client_cfg. To use it just add

DATABASE_ROUTERS = ['my.package.SubDomainDatabaseRouter']

By using this you will have a completely different database for each client. I need to emphasize again that you will have a hell of a time maintaining it - let's suppose you have 100 clients and need to add a field to a table. Then what? Please don't blame me :)

(end of dragons)
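A sketch of the RouterMiddleware and SubDomainDatabaseRouter pair the answer describes, added here as an example; it is not the answerer's code and not the linked snippet. It assumes the `client1`/`client2` aliases from the DATABASES setting above, and the names `CLIENT_ALIASES`, `TENANT_APPS`, `BASE_DOMAIN`, `request_state`, `UnknownTenant` and `client_from_host` are hypothetical. The Host header is checked against an allowlist so a request cannot select `default` or an unconfigured database, the thread-local is cleared after every request, and tenant models fail closed when no client is set.

```python
import threading

# Assumptions for this example: aliases mirror the client entries in DATABASES;
# TENANT_APPS and BASE_DOMAIN are hypothetical values.
CLIENT_ALIASES = frozenset({"client1", "client2"})
TENANT_APPS = frozenset({"clientdata"})
BASE_DOMAIN = "mysite.com"

request_state = threading.local()


class UnknownTenant(Exception):
    """Host does not map to a configured client (a view layer would answer 404)."""


def client_from_host(host):
    """Return the alias for 'client1.mysite.com[:port]' or raise UnknownTenant."""
    name = host.split(":", 1)[0].lower().rstrip(".")
    label, sep, rest = name.partition(".")
    if not sep or rest != BASE_DOMAIN or label not in CLIENT_ALIASES:
        raise UnknownTenant(host)
    return label


class RouterMiddleware:
    """New-style Django middleware: a callable wrapping get_response."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        request_state.client_cfg = client_from_host(request.get_host())
        try:
            return self.get_response(request)
        finally:
            # Worker threads are reused; never carry a tenant into the next request.
            del request_state.client_cfg


class SubDomainDatabaseRouter:
    def _alias(self, model):
        if model._meta.app_label not in TENANT_APPS:
            return None  # not tenant data: Django falls through to 'default'
        alias = getattr(request_state, "client_cfg", None)
        if alias is None:
            # Fail closed instead of silently using some other database.
            raise UnknownTenant("tenant model used outside a tenant request")
        return alias

    def db_for_read(self, model, **hints):
        return self._alias(model)

    def db_for_write(self, model, **hints):
        return self._alias(model)
```

Code that runs outside a request (management commands, background jobs) has no `client_cfg` set, so it must pick the client database explicitly, for example with `.using(alias)`.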
