Resource Based Access Control vs Role Based Access Control


Question

I am learning Apache Shiro, and I found this article:

The New RBAC: Resource-Based Access Control

The author says:

.......you could assign behaviors (permissions) directly to a Role if you want. In this sense, you would still have a Role-Based Access Control security policy - it is just that you would have an explicit RBAC policy instead of the traditional implicit strategy.

But that begs the question - why stop at roles? You can assign behaviors directly to users, or to groups, or to anything else your security policy might allow.

It seems that the author prefers to store the relationship of User and Permission directly instead of through a Role.

Though it seems this is simple and straightforward, I have some questions:

  1. Are there any essential differences between the two of them?

  2. Database schema.

In a Role Based Access Control, normally we use three tables to describe the relationship:

user
role
user_role

Now if I use the Resource Based Access Control, what is the normal practice for building the tables?
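As an added example (not code from the question, the Shiro article, or Apache Shiro itself), here are the two table layouts side by side in an in-memory SQLite database: the classic user/role/user_role layout with permissions hung off the role, and a resource-based layout that assigns permission strings straight to the user. The column names, the sample users, and the permission strings are assumptions; the `implies` function follows the wildcard permission format ("domain:action:instance") that Shiro uses, re-implemented here for illustration.

```python
import sqlite3

# Column names are assumptions for this example; the question names only the tables.
RBAC_SCHEMA = """
CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE role (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE user_role (
    user_id INTEGER NOT NULL REFERENCES user(id),
    role_id INTEGER NOT NULL REFERENCES role(id),
    PRIMARY KEY (user_id, role_id));
-- The "explicit RBAC" variant from the article: behaviors attached to roles.
CREATE TABLE role_permission (
    role_id INTEGER NOT NULL REFERENCES role(id),
    permission TEXT NOT NULL,
    PRIMARY KEY (role_id, permission));
"""

RESOURCE_SCHEMA = """
CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
-- Behaviors assigned straight to the user; no role table is involved.
CREATE TABLE user_permission (
    user_id INTEGER NOT NULL REFERENCES user(id),
    permission TEXT NOT NULL,
    PRIMARY KEY (user_id, permission));
"""


def implies(granted: str, requested: str) -> bool:
    """Wildcard permission check in the Shiro style (re-implemented here).
    Parts are "domain:action:instance"; "*" matches any value, "," separates
    alternatives, and a shorter granted string covers every more specific
    request (printer:print implies printer:print:lp7200)."""
    g = [set(p.split(",")) for p in granted.lower().split(":")]
    r = [set(p.split(",")) for p in requested.lower().split(":")]
    for i, gpart in enumerate(g):
        if i >= len(r):
            # Granted is more specific than the request: only trailing "*"
            # parts still cover it (printer:* implies printer; printer:print does not).
            return all("*" in p for p in g[i:])
        if "*" not in gpart and not r[i] <= gpart:
            return False
    return True


def build_rbac() -> sqlite3.Connection:
    """Constructed sample data for the role-based layout."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(RBAC_SCHEMA)
    conn.executemany("INSERT INTO user(id, name) VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.executemany("INSERT INTO role(id, name) VALUES (?, ?)",
                     [(1, "printer-admin"), (2, "printer-user")])
    conn.executemany("INSERT INTO user_role VALUES (?, ?)", [(1, 1), (2, 2)])
    conn.executemany("INSERT INTO role_permission VALUES (?, ?)",
                     [(1, "printer:*"), (2, "printer:print,query")])
    return conn


def build_resource() -> sqlite3.Connection:
    """Constructed sample data for the resource-based layout. Bob's grant is
    narrower than any role above could express without adding a new role."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(RESOURCE_SCHEMA)
    conn.executemany("INSERT INTO user(id, name) VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.executemany("INSERT INTO user_permission VALUES (?, ?)",
                     [(1, "printer:*"), (2, "printer:print:lp7200")])
    return conn


def rbac_has_role(conn: sqlite3.Connection, user: str, role: str) -> bool:
    """The implicit RBAC check: the code asks about a role name, and what the
    role is allowed to do lives in the code rather than in the data."""
    row = conn.execute(
        "SELECT 1 FROM user u JOIN user_role ur ON ur.user_id = u.id "
        "JOIN role r ON r.id = ur.role_id WHERE u.name = ? AND r.name = ?",
        (user, role)).fetchone()
    return row is not None


def rbac_allowed(conn: sqlite3.Connection, user: str, requested: str) -> bool:
    """Explicit check through roles: user -> user_role -> role_permission."""
    rows = conn.execute(
        "SELECT rp.permission FROM user u "
        "JOIN user_role ur ON ur.user_id = u.id "
        "JOIN role_permission rp ON rp.role_id = ur.role_id WHERE u.name = ?",
        (user,)).fetchall()
    return any(implies(p, requested) for (p,) in rows)


def resource_allowed(conn: sqlite3.Connection, user: str, requested: str) -> bool:
    """Explicit check with one join: user -> user_permission."""
    rows = conn.execute(
        "SELECT up.permission FROM user u "
        "JOIN user_permission up ON up.user_id = u.id WHERE u.name = ?",
        (user,)).fetchall()
    return any(implies(p, requested) for (p,) in rows)
```

Both layouts answer the same question ("may this user print on lp7200?"); the difference is where the grant lives. In the role-based layout a per-printer grant for one user forces a new role, while in the resource-based layout it is one row in `user_permission`, which is the convenience the article argues for. The cost is that auditing "who can do X" means scanning every user's rows instead of a handful of roles.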

Recommended answer

This is the first time I hear of resource-based access control.

I would be extremely careful in going down this path. In the world of authorization there are essentially 2 standards:

  • Role-based access control (RBAC) as standardized by NIST and implemented in thousands of apps and frameworks with support from the main vendors (CA, Oracle, IBM...)
  • Attribute-based access control (ABAC) as being standardized by NIST (also here) and equally well implemented by vendors such as IBM, Oracle, and Axiomatics which is where I work.

Resource-based access control seems to be a model invented by Stormpath and supported by them only. It may be good but it will only work with their environment.

Role-based and Attribute-based access control are well accepted paradigms supported by NIST and other standardization bodies such as OASIS (where SAML and XACML were defined 10 years ago and are still supported today).

The question to you is: why is role-based access control not enough for you? Do you have a role explosion issue? Is it not expressive enough? Do you need to implement relationships between users, resources, and context?

ABAC and XACML can let you do that. I posted a simple video a while back on YouTube that deals with attribute-based access control. Have a look.

The bottom line is that RBAC and ABAC are standards that work across multiple applications and layers. Resource-based access control is specific to Apache Shiro only.
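To make the "relationships between users, resources, and context" point concrete, here is an added example (not code from the answer, from XACML, or from any vendor product) of a small attribute-based policy evaluated in Python. The attribute names, the three rules, the sample users and documents, and the deny-overrides combining are all constructed for illustration; the permit/deny/not-applicable outcomes mirror the ones a XACML rule can produce.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Request:
    """One access request: who, which action, which resource, in what context."""
    subject: dict
    action: str
    resource: dict
    context: dict = field(default_factory=dict)


# A rule returns "permit", "deny", or None when it does not apply.
Rule = Callable[[Request], Optional[str]]


def owner_may_do_anything(req: Request) -> Optional[str]:
    # A user/resource relationship: "my document" needs no role to express it.
    return "permit" if req.subject["id"] == req.resource["owner"] else None


def same_department_may_read_internal(req: Request) -> Optional[str]:
    # Matches an attribute of the subject against an attribute of the resource.
    if (req.action == "read"
            and req.resource["classification"] == "internal"
            and req.subject["department"] == req.resource["department"]):
        return "permit"
    return None


def confidential_only_on_corporate_network(req: Request) -> Optional[str]:
    # A context attribute: where the request comes from, not who makes it.
    if (req.resource["classification"] == "confidential"
            and not req.context.get("on_corporate_network", False)):
        return "deny"
    return None


POLICY: List[Rule] = [
    owner_may_do_anything,
    same_department_may_read_internal,
    confidential_only_on_corporate_network,
]


def evaluate(policy: List[Rule], req: Request) -> str:
    """Deny-overrides combining: any deny wins, then any permit, else not applicable."""
    decisions = [rule(req) for rule in policy]
    if "deny" in decisions:
        return "deny"
    if "permit" in decisions:
        return "permit"
    return "not_applicable"


# Constructed sample subjects and resources (not real data).
USERS = {
    "alice": {"id": "u1", "department": "engineering"},
    "bob":   {"id": "u2", "department": "engineering"},
    "carol": {"id": "u3", "department": "finance"},
}
DOCS = {
    "roadmap": {"owner": "u1", "department": "engineering", "classification": "confidential"},
    "oncall":  {"owner": "u3", "department": "engineering", "classification": "internal"},
}


def decide(user: str, action: str, doc: str, on_corporate_network: bool) -> str:
    """Evaluate the constructed policy for a named user and document."""
    req = Request(USERS[user], action, DOCS[doc],
                  {"on_corporate_network": on_corporate_network})
    return evaluate(POLICY, req)
```

A caller should treat only "permit" as access granted; "not_applicable" is the case no rule covered and is normally enforced as a deny. Note that the ownership rule and the network rule are exactly the things a role cannot express without either a role per document or a role per location, which is the role explosion the answer asks about.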
