Cloud Identity and Cloud Endpoints, Is there any way to bar certain users within a role/group from making POST/GET Requests to an endpoint


Question

For example, let's say user A needs to have GET permissions but no POST permissions to a certain endpoint. Is there any way to:

  1. Assign a role to an endpoint such that certain users cannot make certain types of requests?
  2. Ensure that the endpoint follows these rules?

Answer

Regarding your first question, Cloud IAM roles are meant to control the access level of user accounts to the services and products that exist within your project. The IAM roles for Cloud Endpoints allow you to restrict which users can enable your API, but they don't offer such fine-grained permissions to control how users that are indeed allowed to call can interact with particular routes of your API.

Now, it is possible to restrict access to particular API methods; I describe two approaches below:

  • Using Auth0 and checking user-authorization programmatically: When a user allowed to reach the endpoint makes a request, its identity is passed to the handling code under the header X-Endpoint-API-UserInfo. You might then check who the caller is in order to negate an answer. This would require some database communication to check the restricted users, or the questionable naive approach of hardcoding the users. This approach is solid from a security point of view since Cloud IAP would block unauthorized users from reaching the API, and then you can further restrict access scopes as needed. The only downside of this method is that it creates some latency. See here for documentation and links to code samples in several languages.
  • API keys: API keys provide a way of allowing/restricting access to individual methods as long as you can differentiate the endpoint routes. For instance you might allow some keys to call yourendpoint/route/method1 but restrict yourendpoint/route/method2. There are several drawbacks with this; the first is that API keys are meant to identify a project/application/website/IP rather than individual users, which isn't exactly what you're asking about. The second is that they're less secure than authentication, and once your API key is exposed almost anybody can use it, which can incur unexpected charges to your billing account. Nonetheless I wanted to mention it for the sake of completeness as it might be useful in other situations. See here for an overview of API keys.

Overall I would suggest using Auth0 with programmatic authentication.
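The first approach in the answer, the programmatic check behind the proxy, as an added example that is not part of the original answer or of any Google sample: the Extensible Service Proxy forwards the authenticated caller's identity to the backend in the X-Endpoint-API-UserInfo header as base64url-encoded JSON, and the backend decides per route and per HTTP method. The policy shape (route, then method, then a set of permitted e-mail addresses), the route name and the sample identities are assumptions constructed for this example; a real deployment would load the policy from a datastore rather than hardcoding it, as the answer notes.

```python
"""Per-user, per-method authorization behind Cloud Endpoints (ESP).

ESP forwards the caller's identity to the backend in the header
X-Endpoint-API-UserInfo as base64url-encoded JSON. This example decodes
that header and applies a small allow-list so that, for instance, user A
may GET a route but not POST to it. POLICY, the route and the sample
identities are constructed for this example (assumptions, not ESP data).
"""
import base64
import json

# Constructed policy: route -> HTTP method -> set of e-mail addresses allowed.
# A user absent from a method's set is denied that method on that route.
POLICY = {
    "/v1/orders": {
        "GET": {"a@example.com", "b@example.com"},
        "POST": {"b@example.com"},
    },
}


def decode_user_info(header_value):
    """Decode the X-Endpoint-API-UserInfo header value into a dict.

    Returns None if the header is missing, not base64url, not JSON, or not
    a JSON object. Padding is restored because base64url values are often
    sent without trailing '=' characters.
    """
    if not header_value:
        return None
    try:
        padded = header_value + "=" * (-len(header_value) % 4)
        raw = base64.urlsafe_b64decode(padded)
        info = json.loads(raw)
    except (ValueError, TypeError):
        return None
    return info if isinstance(info, dict) else None


def is_allowed(user_info, method, route, policy=POLICY):
    """True only when the caller's e-mail is on the allow-list for this route
    and method. Unknown routes, methods and callers are denied (default deny)."""
    if not user_info:
        return False
    email = user_info.get("email")
    if not email:
        return False
    return email in policy.get(route, {}).get(method.upper(), set())


def authorize_request(headers, method, route):
    """Decision for one request as (status_code, reason).

    ESP has already rejected unauthenticated callers before the request
    reaches this code; this layer turns "authenticated but not permitted
    for this method" into a 403, and a missing/garbled identity into 401.
    """
    user = decode_user_info(headers.get("X-Endpoint-API-UserInfo"))
    if user is None:
        return 401, "missing or malformed caller identity"
    if not is_allowed(user, method, route):
        return 403, "%s not permitted to %s %s" % (user.get("email"), method, route)
    return 200, "ok"


def encode_user_info(info):
    """Build a header value shaped like ESP's (used here to construct sample input)."""
    return base64.urlsafe_b64encode(json.dumps(info).encode()).decode().rstrip("=")


if __name__ == "__main__":
    # Constructed sample requests from user A, who may read but not write.
    hdr_a = {"X-Endpoint-API-UserInfo": encode_user_info({"email": "a@example.com", "id": "1"})}
    print(authorize_request(hdr_a, "GET", "/v1/orders"))   # (200, 'ok')
    print(authorize_request(hdr_a, "POST", "/v1/orders"))  # (403, ...)
```

The check is default-deny on every axis (unknown route, unknown method, unknown caller, unreadable header) so that a policy typo fails closed rather than open, and the decision is taken from the header that ESP populates rather than from anything the client can set directly in its own request.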
