密钥斗篷中的资源,范围,权限和策略 [英] Resources, scopes, permissions and policies in keycloak
问题描述
我想使用Keycloak的授权系统创建一个非常简单的基于角色的访问控制系统. Keycloak正在替换的系统允许我们创建一个用户",该用户是一个或多个组"的成员.在此旧版系统中,通过组成员身份(向组分配了权限)或直接向用户授予权限,授予用户访问权限"以访问约250个功能"中的每一个.
I want to create a fairly simple role-based access control system using Keycloak's authorizaion system. The system Keycloak is replacing allows us to create a "user", who is a member of one or more "groups". In this legacy system, a user is given "permission" to access each of about 250 "capabilities" either through group membership (where groups are assigned permissions) or a direct grant of a permission to the user.
我想将旧系统映射到密钥斗篷授权.
I would like to map the legacy system to keycloak authorizations.
对我来说,将现有系统中的每个功能"映射到一个密钥库资源和一组密钥库作用域应该很简单.例如,"viewAccount"功能显然会映射到"account"资源和"view"范围;和"viewTransaction"映射到事务"资源...但是,最佳实践是仅创建一个视图"作用域,并在多种资源(帐户,交易等)中使用它吗?还是应该创建"viewAccount"范围,"viewTransaction"范围等?
It should be simple for me to map each "capability" in the existing system to a keycloak resource and a set of keycloak scopes. For example, a "viewAccount" capability would obviously map to an "account" resource and a "view" scope; and "viewTransaction" maps to a "transaction" resource... but is it best practice to create just one "view" scope, and use it across multiple resources (account, transaction, etc)? Or should I create a "viewAccount" scope, a "viewTransaction" scope, etc?
类似地,我对权限有些困惑.对于资源和范围的每种实用组合,是否通常创建许可?如果有多个权限匹配给定的资源/范围,Keycloak会做什么?我猜想Keycloak的目的是允许我针对资源和范围配置权限矩阵,例如,我可以具有访问帐户"的权限和具有查看"范围的权限,因此我将拥有权限查看帐户?
Similarly, I'm a little confused about permissions. For each practical combination of resource and scope, is it usual practice to create a permission? If there are multiple permissions matching a given resource/scope, what does Keycloak do? I'm guessing that the intention of Keycloak is to allow me to configure a matrix of permissions against resources and scopes, so for example I could have permission to access "accounts" and permission for "view" scope, so therefore I would have permission to view accounts?
我问,因为所有这些的结果似乎是我原来的"viewAccount"功能最终创建了一个具有"View"范围和"viewAccount"权限的"Account"资源,这似乎使我回到了哪里我曾是.如果正确,那没关系.
I ask because the result of all this seems to be that my old "viewAccount" capability ends up creating an "Account" resource, with "View" scope, and a "viewAccount" permission, which seems to get me back where I was. Which is fine, if it's correct.
最后,很明显,我需要一套确定是否应应用viewAccount的策略.但是我是对的,这意味着我需要一个用户可能属于的每个旧组的策略吗?例如,如果我具有服务台"角色,则需要一个服务台成员身份"策略,然后可以将其添加到"viewAccount"权限中.这是正确的吗?
Finally, obviously I need a set of policies that determine if viewAccount should be applied. But am I right that this means I need a policy for each of the legacy groups that a user could belong to? For example, if I have a "helpdesk" role, then I need a "helpdesk membership" policy, which I could then add to the "viewAccount" permission. Is this correct?
谢谢
标记
推荐答案
我知道我晚了2年以上,但我想我会分享我所知道的东西,并希望减轻以后的读者的痛苦.完全透明-我绝不是Keycloak/OAuth/OIDC专家,我所了解的主要是阅读文档,书籍,出色的YouTube以及使用该工具.
I know I'm 2+ years late but I figure I'd share what I know and hopefully alleviate some pain for future readers. Full transparency- I am by no means a Keycloak/OAuth/OIDC expert and what I know is mostly from reading the docs, books, good ol' YouTube and playing around with the tool.
这篇文章将由两部分组成:
This post will be comprised of two parts:
- 我将尽我所能回答您所有的问题
- 我将向您展示所有如何在Keycloak中使用策略/作用域/权限的方法,而无需部署单独的应用程序,以便更好地理解该线程中的某些核心概念.请注意,尽管这主要是为了使您入门.我正在使用
Keycloak 8.0.0
.
第一部分
开始之前的一些术语:
Part I
Some terminology before we get started:
- 在Keycloak中,您可以创建两种类型的权限:基于资源的和基于范围的.
- 简单地说,对于
Resource-Based
权限,您可以将其直接应用于资源 - 对于
Scoped-Based
权限,您可以将其应用于您的范围或和资源.
- In Keycloak, you can create 2 types of permissions: Resource-Based and Scope-Based.
- Simply put, for
Resource-Based
permissions, you apply it directly to your resource - For
Scoped-Based
permission, you apply it to your scope(s) or scope(s) and resource.
最佳做法是仅创建一个视图"范围,并在多种资源(帐户,交易等)中使用它吗?还是应该创建"viewAccount"范围,"viewTransaction"范围等?
is it best practice to create just one "view" scope, and use it across multiple resources (account, transaction, etc)? Or should I create a "viewAccount" scope, a "viewTransaction" scope, etc?
范围表示受保护资源的一组权限.在您的情况下,您有2个资源:account
和transaction
,所以我倾向于第二种方法.
Scopes represent a set of rights at a protected resource. In your case, you have 2 resources: account
and transaction
, so I would lean towards the second approach.
从长远来看,将全局view
范围与您的所有资源(例如account
,transaction
,customer
,settlement
...)关联在一起会使授权难以管理和适应安全要求更改.
In the long run, having a global view
scope associated with all your resources (e.g. account
, transaction
, customer
, settlement
...) makes authorization difficult to both manage and adapt to security requirement changes.
以下是一些示例,您可以查看这些示例以获得设计感
Here are a few examples that you can check out to get a feel for design
- Slack API
- Box API
- Stripe
不过请注意-我并不是说您不应该跨资源共享范围.实际上,Keycloak
允许使用具有相同type
的资源.例如,您可能同时需要viewAccount
和viewTransaction
范围才能读取给定帐户下的交易(毕竟,您可能需要访问该帐户才能查看交易).您的要求和标准将严重影响您的设计.
Do note though - I am not claiming that you shouldn't share scopes across resources. Matter of fact, Keycloak
allows this for resources with the same type
. You could for instance need both viewAccount
and viewTransaction
scope to read a transaction under a given account (after all you might need access to the account to view transactions). Your requirements and standards will heavily influence your design.
对于资源和范围的每种实用组合,通常是否创建许可?
For each practical combination of resource and scope, is it usual practice to create a permission?
抱歉,我不太了解这个问题,因此我会比较宽泛.为了授予/拒绝对resource
的访问,您需要:
Apologies, I don't fully understand the question so I'll be a bit broad. In order to grant/deny access to a resource
, you need to:
- Define your policies
- Define your permissions
- Apply your policies to your permissions
- Associate your permissions to a
scope
orresource
(or both)
使政策强制生效.请参阅授权过程.
for policy enforcement to take effect. See Authorization Process.
如何设置所有这些完全取决于您.例如,您可以:
How you go about setting all this up is entirely up to you. You could for instance:
-
定义单个策略,并在适当的权限下绑定每个策略.
Define individual policies, and tie each policy under the appropriate permission.
更好的是,定义单个策略,然后将所有相关策略分组到aggregated
策略(策略策略)下,然后将该聚合策略与scope-based
权限相关联.您可以将scoped-based
权限应用于资源及其所有关联范围.
Better yet, define individual policies, then group all your related policies under an aggregated
policy (a policy of policies) and then associate that aggregated policy with the scope-based
permission. You could have that scoped-based
permission apply to both the resource and all its associated scope.
或者,您可以通过利用两种不同的类型来进一步分解权限.您可以通过resource-based
权限类型专门为资源创建权限,并通过scope-based
权限类型单独将其他权限与作用域关联.
Or, you could further break apart your permissions by leveraging the two separate types. You could create permissions solely for your resources via the resource-based
permission type, and separately associate other permissions solely with a scope via the scope-based
permission type.
您可以选择.
如果有多个权限匹配给定的资源/范围,Keycloak会做什么?
If there are multiple permissions matching a given resource/scope, what does Keycloak do?
这取决于
- 资源服务器的
Decision Strategy
- 每个权限的
Decision Strategy
- 每个策略的
Logic
值.
- The resource server's
Decision Strategy
- Each permission's
Decision Strategy
- Each policy's
Logic
value.
Logic
的值与Java的!
运算符相似.它可以是Positive
或Negative
.当Logic
为Positive
时,策略的最终评估保持不变.当其Negative
时,最终结果为否定(例如,如果策略评估为false并且其Logic
为Negative
,则它将为true
).为简单起见,我们假定Logic
始终设置为Positive
.
The Logic
value is similar with Java's !
operator. It can either be Positive
or Negative
. When the Logic
is Positive
, the policy's final evaluation remains unchanged. When its Negative
, the final result is negated (e.g. if a policy evaluates to false and its Logic
is Negative
, then it will be true
). To keep things simple, let's assume that the Logic
is always set to Positive
.
Decision Strategy
是我们真正要解决的问题. Decision Strategy
可以是Unanimous
或Affirmative
.在文档中,
The Decision Strategy
is what we really want to tackle. The Decision Strategy
can either be Unanimous
or Affirmative
. From the docs,
决策策略
此配置更改了策略评估引擎基于所有评估权限的结果来决定是否应授予资源或范围的方式. 肯定是指至少一个权限必须评估为肯定的决定,才能授予对资源及其范围的访问权限. 一致表示所有权限都必须评估为肯定的决定,以便最终决定也为肯定的.例如,如果对同一资源或范围的两个权限发生冲突(其中一个权限授予访问权限,另一个权限拒绝访问),则在所选策略为肯定的情况下,将授予对资源或范围的权限.否则,任何权限的一个拒绝也将拒绝对资源或范围的访问.
This configurations changes how the policy evaluation engine decides whether or not a resource or scope should be granted based on the outcome from all evaluated permissions. Affirmative means that at least one permission must evaluate to a positive decision in order grant access to a resource and its scopes. Unanimous means that all permissions must evaluate to a positive decision in order for the final decision to be also positive. As an example, if two permissions for a same resource or scope are in conflict (one of them is granting access and the other is denying access), the permission to the resource or scope will be granted if the chosen strategy is Affirmative. Otherwise, a single deny from any permission will also deny access to the resource or scope.
让我们使用一个示例来更好地理解上述内容.假设您有一个具有2个权限的资源,并且有人正在尝试访问该资源(请记住,对于所有策略,Logic
是Positive
).现在:
Let's use an example to better understand the above. Suppose you have a resource with 2 permissions and someone is trying to access that resource (remember, the Logic
is Positive
for all policies). Now:
-
Permission One
的Decision Strategy
设置为Affirmative
.它还有3个策略,它们分别对它们进行评估:-
true
-
false
-
false
-
Permission One
has aDecision Strategy
set toAffirmative
. It also has 3 policies where they each evaluate to:true
false
false
由于其中一项策略设置为true
,因此Permission One
设置为true
(肯定的-true
仅需要1个).
Since one of the policies is set to true
, Permission One
is set to true
(Affirmative - only 1 needs to be true
).
-
Permission Two
的Decision Strategy
设置为Unanimous
,具有2个策略:-
true
-
false
-
Permission Two
has aDecision Strategy
set toUnanimous
with 2 policies:true
false
在这种情况下,Permission Two
为false
,因为一个策略为假(一致-它们都必须为true
).
In this case Permission Two
is false
since one policy is false (Unanimous - they all need to be true
).
- 现在进行最终评估.如果资源服务器的
Decision Strategy
设置为Affirmative
,则将授予对该资源的访问权限,因为Permission One
是true
.另一方面,如果资源服务器的Decision Strategy
设置为Unanimous
,则将拒绝访问.
- Now comes the final evaluation. If the resource server's
Decision Strategy
is set toAffirmative
, access to that resource would be granted becausePermission One
istrue
. If on the other hand, the resource server'sDecision Strategy
is set toUnanimous
, access would be denied.
请参阅:
- Resource Server Settings
- Managing Permissions
我们将继续对此进行回顾.在第二部分中,我将解释如何设置资源服务器的Decision Strategy
.
We'll keep revisiting this. I explain how to set the resource sever's Decision Strategy
in Part II.
例如,我可以有权访问帐户"和查看"范围的权限,因此,我是否有权查看帐户?
so for example I could have permission to access "accounts" and permission for "view" scope, so therefore I would have permission to view accounts?
简短的回答是.现在,让我们对此进行扩展:)
The short answer is yes. Now, let's expand on this a bit :)
如果您具有以下情况:
- 资源服务器的
Decision Strategy
设置为Unanimous
或Affirmative
- 访问
account/{id}
资源的权限为true
- 访问
view
范围的权限为true
- Resource server's
Decision Strategy
set toUnanimous
orAffirmative
- Permission to access the
account/{id}
resource istrue
- Permission to access the
view
scope istrue
您将被授予查看该帐户的权限.
You will be granted access to view the account.
-
true
+true
等于Affirmative
或Unanimous
Decision Strategy
下的true
.
true
+true
is equal totrue
under theAffirmative
orUnanimous
Decision Strategy
.
现在,如果您拥有
- 资源服务器的
Decision Strategy
设置为Affirmative
- 访问
account/{id}
资源的权限为true
- 访问
view
范围的权限为false
- Resource server's
Decision Strategy
set toAffirmative
- Permission to access the
account/{id}
resource istrue
- Permission to access the
view
scope isfalse
您还将 被授予查看该帐户的权限.
You will also be granted access to view the account.
-
在
-
true
+false
是true
.
Affirmative
策略下,true
+false
istrue
under theAffirmative
strategy.
这里的要点是,对给定资源的访问还取决于您的设置,因此请小心,因为您可能不希望第二种情况.
The point here is that access to a given resource also depends on your setup so be careful as you may not want the second scenario.
但是我是对的,这意味着我需要一个用户可能属于的每个旧版组的策略吗?
But am I right that this means I need a policy for each of the legacy groups that a user could belong to?
我不确定Keycloak在2年前的行为,但是您可以指定基于组的策略,只需在该策略下添加所有组即可.您当然不需要为每个组创建一个策略.
I'm not sure how Keycloak behaved 2 years ago, but you can specify a Group-Based policy and simply add all your groups under that policy. You certainly do not need to create one policy per group.
例如,如果我具有服务台"角色,则需要一个服务台成员身份"策略,然后可以将其添加到"viewAccount"权限中.这是正确的吗?
For example, if I have a "helpdesk" role, then I need a "helpdesk membership" policy, which I could then add to the "viewAccount" permission. Is this correct?
差不多.您可以通过多种方式进行设置.例如,您可以:
Pretty much. There are many ways you can set this up. For instance, you can:
- 创建您的资源(例如
/account/{id}
),并将其与account:view
范围相关联. - 创建基于角色的策略并添加
helpdesk
角色根据该政策 - 创建名为
viewAccount
的Scope-Based
权限,并将其与scope
,resource
和policy
绑定
- Create your resource (e.g.
/account/{id}
) and associate it with theaccount:view
scope. - create a Role-Based Policy and add the
helpdesk
role under that policy - Create a
Scope-Based
permission calledviewAccount
and tie it withscope
,resource
andpolicy
我们将在第二部分中进行类似的设置.
We'll set up something similar in Part II.
Keycloak有一个简洁的小工具,可让您测试所有策略.更好的是,您实际上不需要启动另一台应用程序服务器并部署单独的应用程序即可正常工作.
Keycloak has a neat little tool which allows you test all your policies. Better yet, you actually do not need to spin up another application server and deploy a separate app for this to work.
这是我们要设置的方案:
Here's the scenario that we'll set up:
- 我们将创建一个名为
stackoverflow-demo
的新领域
- 我们将在该领域下创建
bank-api
客户端 - 我们将为该客户端定义一个名为
/account/{id}
的资源 -
account/{id}
将具有account:view
范围 - 我们将在新领域下创建一个名为
bob
的用户 - 我们还将创建三个角色:
bank_teller
,account_owner
和user
- 我们不会将
bob
与任何角色相关联.现在不需要.
- 我们不会将
- We'll create a new realm called
stackoverflow-demo
- We'll create a
bank-api
client under that realm - We will define a resource called
/account/{id}
for that client - The
account/{id}
will have theaccount:view
scope - We'll create a user called
bob
under the new realm - We'll also create three roles:
bank_teller
,account_owner
anduser
- We will not associate
bob
with any roles. This is not needed right now.
- We will not associate
-
bank_teller
和account_owner
有权访问/account/{id}
资源 -
account_owner
有权访问account:view
范围 -
user
无权访问资源或范围
bank_teller
andaccount_owner
have access to the/account/{id}
resourceaccount_owner
has access to theaccount:view
scopeuser
does not have access to the resource or scope
请原谅我,这个例子是不现实的,但我对银行业不熟悉:)
Do forgive me, this example is unrealistic but I'm not familiar with the banking sector :)
cd tmp
wget https://downloads.jboss.org/keycloak/8.0.0/keycloak-8.0.0.zip
unzip keycloak-8.0.0.zip
cd keycloak-8.0.0/bin
./standalone.sh
创建初始管理员用户
- 转到
http://localhost:8080/auth
- 点击
Administration Console
链接 - 创建管理员用户并登录
- Go to
http://localhost:8080/auth
- Click on the
Administration Console
link - Create the admin user and login
访问入门以获取更多信息.就我们的目的而言,以上内容就足够了.
Visit Getting Started for more information. For our purposes, the above is enough.
- 将鼠标悬停在
master
领域,然后单击Add Realm
按钮. - 输入
stackoverflow-demo
作为名称. - 单击
Create
. - 现在左上角应该显示
stackoverflow-demo
而不是master
领域.
- Hover your mouse around the
master
realm and click on theAdd Realm
button. - Enter
stackoverflow-demo
as the name. - Click on
Create
. - The top left should now say
stackoverflow-demo
instead of themaster
realm.
请参见创建新领域
- 单击左侧的
Users
链接 - 点击
Add User
按钮 - 输入
username
(例如bob
) - 确保已打开
User Enabled
- 点击
Save
- Click on the
Users
link on the left - Click on the
Add User
button - Enter the
username
(e.g.bob
) - Ensure that
User Enabled
is turned on - Click
Save
请参见创建新用户
- 点击
Roles
链接 - 点击
Add Role
- 添加以下角色:
bank_teller
,account_owner
和user
- Click on the
Roles
link - Click on
Add Role
- Add the following roles:
bank_teller
,account_owner
anduser
同样,请不将您的用户与角色相关联.就我们的目的而言,这不是必需的.
Again, do not associate your user with the roles. For our purposes, this is not needed.
请参见角色
- 点击
Clients
链接 - 点击
Create
- 为
Client ID
输入 - 对于
Root URL
,输入http://127.0.0.1:8080/bank-api
- 点击
Save
- 确保
Client Protocol
是openid-connect
- 将
Access Type
更改为confidential
- 将
Authorization Enabled
更改为On
- 向下滚动并按
Save
.新的Authorization
选项卡应显示在顶部. - 点击
Authorization
标签,然后点击Settings
- 确保将
Decision Strategy
设置为Unanimous
- 这是资源服务器的
Decision Strategy
- 这是资源服务器的
bank-api
- Click on the
Clients
link - Click on
Create
- Enter
bank-api
for theClient ID
- For the
Root URL
enterhttp://127.0.0.1:8080/bank-api
- Click on
Save
- Ensure that
Client Protocol
isopenid-connect
- Change the
Access Type
toconfidential
- Change
Authorization Enabled
toOn
- Scroll down and hit
Save
. A newAuthorization
tab should appear at the top. - Click on the
Authorization
tab and thenSettings
- Ensure that the
Decision Strategy
is set toUnanimous
- This is the resource server's
Decision Strategy
- This is the resource server's
请参阅:
- Creating a Client Application
- Enabling Authorization Services
- 点击
Authorization
标签 - 点击
Authorization Scopes
>Create
弹出Add Scope
页面 - 在名称中输入
account:view
,然后按Enter.
- Click on the
Authorization
tab - Click on
Authorization Scopes
>Create
to bring upAdd Scope
page - Enter
account:view
in the name and hit enter.
创建查看帐户资源"
- 点击上方的
Authorization
链接 - 单击
Resources
- 点击
Create
- 为
Name
和Display name
都输入View Account Resource
- 输入
account/{id}
作为URI
- 在
Scopes
文本框中输入account:view
- 点击
Save
- Click on
Authorization
link above - Click on
Resources
- Click on
Create
- Enter
View Account Resource
for both theName
andDisplay name
- Enter
account/{id}
for theURI
- Enter
account:view
in theScopes
textbox - Click
Save
请参见创建资源
- 再次在
Authorization
标签下,单击Policies
- 从
Create Policy
下拉列表中选择Role
- 在
Name
部分中,输入Only Bank Teller and Account Owner Policy
- 在
Realm Roles
下,同时选择bank_teller
和account_owner
角色 - 确保将
Logic
设置为Positive
- 点击
Save
- 点击
Policies
链接 - 从
Create Policy
下拉列表中再次选择Role
. - 这次将
Only Account Owner Policy
用作Name
- 在
Realm Roles
下选择account_owner
- 确保将
Logic
设置为Positive
- 点击
Save
- 单击顶部的
Policies
链接,您现在应该看到新创建的策略.
- Again under the
Authorization
tab, click onPolicies
- Select
Role
from the theCreate Policy
dropdown - In the
Name
section, typeOnly Bank Teller and Account Owner Policy
- Under
Realm Roles
select both thebank_teller
andaccount_owner
role - Ensure that
Logic
is set toPositive
- Click
Save
- Click on the
Policies
link - Select
Role
again from theCreate Policy
dropdown. - This time use
Only Account Owner Policy
for theName
- Under
Realm Roles
selectaccount_owner
- Ensure that
Logic
is set toPositive
- Click
Save
- Click on the
Policies
link at the top, you should now see your newly created policies.
请参见基于角色的政策
请注意,Keycloak具有更强大的策略.请参见管理策略
Do note that Keycloak has much more powerful policies. See Managing Policies
- 再次在
Authorization
标签下,单击Permissions
- 选择
Resource-Based
- 为
Name
键入View Account Resource Permission
- 在
Resources
下键入View Account Resource Permission
- 在
Apply Policy
下选择Only Bank Teller and Account Owner Policy
- 确保将
Decision Strategy
设置为Unanimous
- 点击
Save
- Again under the
Authorization
tab, click onPermissions
- Select
Resource-Based
- Type
View Account Resource Permission
for theName
- Under
Resources
typeView Account Resource Permission
- Under
Apply Policy
selectOnly Bank Teller and Account Owner Policy
- Ensure that the
Decision Strategy
is set toUnanimous
- Click
Save
请参见创建基于资源的权限
Phew ...
- 再次在
Authorization
标签下,选择Evaluate
- 在
User
下输入bob
- 在
Roles
下选择user
- 这是我们将用户与我们创建的角色相关联的地方.
- Again under the
Authorization
tab, selectEvaluate
- Under
User
enterbob
- Under
Roles
selectuser
- This is where we will associate our user with our created roles.
- 这很有意义,因为我们只允许两个角色通过
Only Bank Teller and Account Owner Policy
访问该资源.让我们对其进行测试,以确保这是正确的! - 点击评估结果上方的
Back
链接 - 将鲍勃的角色更改为
account_owner
,然后单击Evaluate
.现在,您应该将结果显示为PERMIT
.如果您返回并将角色更改为bank_teller
,则可以达成相同的协议
- This makes sense because we only allow two roles access to that resource via the
Only Bank Teller and Account Owner Policy
. Let's test this to make sure this is true! - Click on the
Back
link right above the evaluation result - Change bob's role to
account_owner
and click onEvaluate
. You should now see the result asPERMIT
. Same deal if you go back and change the role tobank_teller
请参见评估和测试政策
- 返回
Permissions
部分 - 这次在
Create Permission
下拉列表中选择Scope-Based
. - 在
Name
下,输入View Account Scope Permission
- 在
Scopes
下,输入account:view
- 在
Apply Policy
下,输入Only Account Owner Policy
- 确保将
Decision Strategy
设置为Unanimous
- 点击
Save
- Go back to the
Permissions
section - Select
Scope-Based
this time under theCreate Permission
dropdown. - Under
Name
, enterView Account Scope Permission
- Under
Scopes
, enteraccount:view
- Under
Apply Policy
, enterOnly Account Owner Policy
- Ensure that the
Decision Strategy
is set toUnanimous
- Click
Save
请参见创建基于范围的权限
第二次试运行
- 返回
Authorization
部分 - 点击
Evaluate
- 用户应为
bob
- 角色应该为
bank_teller
- 资源应为
View Account Resource
,然后单击Add
- 单击
Evaluate
,我们应该会得到DENY
.- 同样,这并不奇怪,因为
bank_teller
可以访问resource
,但不能访问scope
.在这里,一个许可权评估为true,另一个许可权评估为false.给定资源服务器的Decision Strategy
设置为Unanimous
,最后的决定是DENY
.
- 同样,这并不奇怪,因为
- Go back to the
Authorization
section - Click on
Evaluate
- User should be
bob
- Roles should be
bank_teller
- Resources should be
View Account Resource
and clickAdd
- Click on
Evaluate
and we should getDENY
.- Again this should come as no surprise as the
bank_teller
has access to theresource
but not thescope
. Here one permission evaluates to true, and the other to false. Given that the resource server'sDecision Strategy
is set toUnanimous
, the final decision isDENY
.
- Again this should come as no surprise as the
整洁:)希望这会有所帮助.
Neat :) Hope this helps.
这篇关于密钥斗篷中的资源,范围,权限和策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!