How does an access control mechanism (e.g., RBAC or ABAC) protect resources?


Question

How does an access control mechanism (e.g., RBAC or ABAC) protect resources? I know how access control mechanisms such as RBAC, ABAC and so on work. In other words, I know how the access control engine evaluates requests and makes decisions (permit, deny, etc.). But, I do not know how they protect the resources.

I mean, how does, for example, ABAC enforce a Deny decision?

  • Are the resources encrypted?
  • Or are they stored in a secure database?

Solution

RBAC and ABAC work in different ways to achieve similar goals: access control.

Both of their rationales are the same: to simplify authorization management. RBAC, though, happens mainly at administrative time where you assign users roles and permissions. You then let the target application enforce the authorizations based on the roles and permissions a user has. OAuth2 and scopes take on a similar approach. This leads to coupled authorization since it is up to the app to enforce the authorization. You will get code like if UserInRole(r) then...

RBAC also requires role engineering and can achieve some level of static segregation-of-duty (for instance a purchaser cannot be an approver at the same time).

In ABAC, you clearly decouple the application from the authorization logic. All the app does is call a Policy Decision Point that returns either a Permit or a Deny (according to the standard).

The architecture is as follows (along with flow):

The PEP or Policy Enforcement Point is typically an interceptor or agent sitting in front of or inside the application you wish to protect. It can be an API gateway such as Mulesoft or a Servlet Filter. They are extremely easy to write usually. Axiomatics (which is where I work) provides a couple of SDKs to help you do that seamlessly.
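As an added illustration (not part of the answer above, and not code from Axiomatics or any vendor SDK), the following Python sketches the PEP/PDP arrangement the answer describes and shows what "enforcing a Deny" amounts to in practice: the resource store is a plain, unencrypted dict, and the only code that reads or changes it is the PEP, which acts only after the PDP returns Permit. Policies are written as ordinary Python functions rather than XACML, the combining rule is deny-overrides with a default of Deny, and the users, purchase orders, attribute names and rules are all constructed sample data. The approve_coupled function next to it shows the "if UserInRole(r) then ..." style the answer warns about, where adding a new rule (a department check, say) means changing application code.

```python
"""Added example (not from the original answer): a toy PDP/PEP pair.
The protected store is a plain dict; nothing is encrypted. A Deny is
enforced because the PEP is the only code path that reads or writes the
store, and it does nothing unless the PDP returns Permit.
Users, resources and policies are constructed sample data."""
from typing import Optional

# Constructed sample subjects (attributes only, no secrets).
USERS = {
    "alice":   {"roles": {"purchaser"}, "department": "finance"},
    "bob":     {"roles": {"approver"},  "department": "finance"},
    "mallory": {"roles": {"purchaser"}, "department": "sales"},
}

def make_resources() -> dict:
    """Fresh copy of the (unencrypted) resource store for each scenario."""
    return {
        "po-1001": {"type": "purchase_order", "owner": "alice",
                    "department": "finance", "amount": 4800, "status": "submitted"},
        "po-1002": {"type": "purchase_order", "owner": "mallory",
                    "department": "sales", "amount": 250, "status": "submitted"},
    }

# --- Coupled RBAC: the rule lives inside the application ----------------
def approve_coupled(resources: dict, user_id: str, po_id: str) -> bool:
    """The 'if UserInRole(r) then ...' pattern the answer describes."""
    if "approver" in USERS[user_id]["roles"]:      # rule hard-coded in app code
        resources[po_id]["status"] = "approved"
        return True
    return False

# --- ABAC: policies are data evaluated by the PDP, not code in the app ---
# Each policy returns "Permit", "Deny", or None when it does not apply.
def same_department(req: dict) -> Optional[str]:
    if req["subject"]["department"] != req["resource"]["department"]:
        return "Deny"
    return None

def approver_may_approve(req: dict) -> Optional[str]:
    if req["action"] == "approve" and "approver" in req["subject"]["roles"]:
        return "Permit"
    return None

def owner_may_read(req: dict) -> Optional[str]:
    if req["action"] == "read" and req["resource"]["owner"] == req["subject"]["id"]:
        return "Permit"
    return None

def no_self_approval(req: dict) -> Optional[str]:
    # Dynamic segregation of duty: nobody approves their own order.
    if req["action"] == "approve" and req["resource"]["owner"] == req["subject"]["id"]:
        return "Deny"
    return None

class PDP:
    """Policy Decision Point: evaluate every policy, deny-overrides."""
    def __init__(self, policies: list):
        self.policies = policies
    def decide(self, req: dict) -> str:
        results = [p(req) for p in self.policies]
        if "Deny" in results:
            return "Deny"
        if "Permit" in results:
            return "Permit"
        return "Deny"                  # nothing applied: fail closed

class PEP:
    """Policy Enforcement Point: the interceptor in front of the store.
    Nothing else holds a reference to the store, so Deny means the data
    never leaves it and is never modified."""
    def __init__(self, pdp: PDP, users: dict, resources: dict):
        self.pdp, self.users, self.resources = pdp, users, resources

    def handle(self, user_id: str, action: str, res_id: str):
        """Return (decision, payload); payload is None on Deny."""
        resource = self.resources.get(res_id)
        if user_id not in self.users or resource is None:
            return "Deny", None        # unknown subject or resource: same answer, no leak
        req = {"subject": {"id": user_id, **self.users[user_id]},
               "action": action,
               "resource": {"id": res_id, **resource}}
        if self.pdp.decide(req) != "Permit":
            return "Deny", None        # the Deny is enforced right here
        if action == "read":
            return "Permit", dict(resource)
        if action == "approve":
            resource["status"] = "approved"
            return "Permit", dict(resource)
        return "Deny", None            # permitted but unknown action: still nothing happens

def build_pep(resources: Optional[dict] = None) -> PEP:
    pdp = PDP([same_department, approver_may_approve, owner_may_read, no_self_approval])
    return PEP(pdp, USERS, make_resources() if resources is None else resources)

if __name__ == "__main__":
    pep = build_pep()
    print(pep.handle("bob", "approve", "po-1001"))    # Permit: finance approver, not owner
    print(pep.handle("bob", "approve", "po-1002"))    # Deny: sales order, finance approver
    print(approve_coupled(make_resources(), "bob", "po-1002"))  # True: app checks role only
```

Running the module prints one line per scenario. The point to notice is the last two lines: the PDP denies bob's cross-department approval because a policy says so, while approve_coupled approves the same order because the only rule the application knows about is the role check. Adding the department rule to the coupled version means editing and redeploying the application; in the ABAC version it is one more policy handed to the PDP.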
