使用AWS Cognito的AWS DynamoDB的细粒度访问控制 [英] Fine-grained access control for AWS DynamoDB using AWS Cognito
问题描述
我正在开发一个简单的应用程序(ios),其中每个用户都可以向其他用户(他们的Facebook朋友)发送简单消息(每个消息由几个数据插槽组成,目前为所有字符串)。人们通过Cognito使用其Facebook帐户登录,而我使用DynamoDB中的单个表管理用户帐户,该表的主键是Facebook ID(辅助键是唯一的消息ID)。当用户A向用户B发送一条消息时,表中将添加几乎两行相同的行,其中包含该消息,并且它们之间的唯一区别是主键(一个是A的Facebook ID,另一个是B的)。因此,当用户登录并检查其帐户时,她会检索与她的facebook id对应的所有行,从而访问她发送的消息和已发送给她的消息。
I am developing a simple application (ios) where each user can send simple messages (each of them composed of a few data slots, all strings for the moment) to other users (their Facebook friends). People log in using their Facebook account through Cognito and I manage users accounts using a single table in DynamoDB where the primary key is the the Facebook id (the secondary key is a unique message id). When user A sends a message to user B, two almost identical rows are added to the table, they contain the message and the only difference between them is the primary key (one is A's facebook id and the other is B's). Therefore, when a user logs in and checks his account, she retrieves all the rows corresponding to her facebook id hence accessing both the messages she sent and the ones that have been sent to her.
目前,每个用户都可以访问表中的所有行,这是一个安全漏洞。我检查了一些文档,在这种情况下,可以通过向IAM策略中添加以下代码段来执行细粒度的访问控制:
For the moment, every user has access to all the rows in the table which is a security flaw. I checked out some documentation and it seems that it is possible to perform fine-grained access control by adding the following snippet to the IAM policy in this case:
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${graph.facebook.com:id}"
]
}
}
不幸的是, $ {graph.facebook.com:id} 不适用于Cognito,我应该使用 $ {cognito-identity.amazonaws.com:sub}来标识用户。问题在于,使用后者需要使用Cognito ID作为主键而不是Facebook ID,这导致了我的问题:可以获取朋友的Facebook ID,但不能获取其Cognito ID,这使得无法向其发送消息他们使用以前的体系结构。
Unfortunately, ${graph.facebook.com:id} does not work with Cognito, and I should use ${cognito-identity.amazonaws.com:sub} instead to identify users. The problem is that using the latter requires using the Cognito id as a primary key instead of the Facebook id, which leads to my problem: it is possible to get friends' Facebook ids but not their Cognito ids which makes it impossible to send messages to them using the previous architecture.
在保留Cognito的同时,是否有任何可能的解决方案?如果没有,我是否应该对用户进行身份验证?另外,欢迎对我的应用程序设计进行任何评论和批评。
Is there any possible solution while still keeping Cognito or should I authenticate users without it? Also, any remarks and critiques about my application's design are welcome.
推荐答案
如果您需要使用用户的Facebook ID,请使用< a href = http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WIF.html rel = nofollow>网络身份联盟。该文档有些过时,但是aws mobile和js sdks提供了Web身份凭证提供程序。
If you need to use the user's facebook id, use Web Identity Federation. The doc is a bit dated, but the aws mobile and js sdks provide a web identity credentials provider.
如果您允许对所有密钥进行写访问和读取,则这种方法应该可以使用仅访问与凭证绑定的Facebook ID。
This approach should work if you allow write access to all keys and read access only to facebook id tied to the credentials.
这篇关于使用AWS Cognito的AWS DynamoDB的细粒度访问控制的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
