Rest API with multi-tenant database separated by client

Views: 226

Problem description

I have a multi-tenant database with the composite key

clientId - docId

The routing looks like this

/api/controller/clientId/docId

For authentication I use a "global" username such as an email + password, sent in the http-header of every request via https. The username maps explicitly to a client and is available on the backend.

What's the way to do it properly with rest and have best security?

  1. Keep the routing as above and just validate that the clientId derived from the username matches the one in the route?

  2. Change the routing as below and get the clientId from a database before saving a record?

/api/controller/docId

This may be an obvious question, but I'm worried about potential security issues. Or is it just a no-brainer to go with the shorter routing?

Thanks!

Recommended answer

I think /api/controller/docId is probably the best idea, or use a single surrogate key to represent ClientId and docId (my preference).

Unless you ever need to allow clients to view other clients' resources I would hide it from the URI scheme; at worst it could be considered information leakage, at best it is redundant, as you have authenticated the client and know who they are anyway. It is also an overhead, i.e. you still must check that the client id in the url is mapped to the username and password of the request, so you need to retrieve the client id on each request anyway.

If you look at how other multi-tenanted environments work, e.g. Salesforce's, you can see that they must infer the client via the security mechanism or are lucky enough to have a unique id for every object/resource.

An approach I have seen is to put the client identifier (usually a surrogate key of some kind; avoid exposing other users' db ids!) at the root of the URL, e.g. /api/{clientId}/controller/docId. In a multi-tenanted environment every resource is probably/by definition unique to that client.

A reason sometimes given for this approach is that having a unique url per customer assists with caching... /api/{clientId}/controller/docId or /api/controller/{clientId}/docId

A brief note on basic authentication

Nothing wrong with your approach, but consider... you could retrieve the client Id whilst validating the password and user name and add that as a claim on the IPrinciple. At least that is then available in the code without any further db look-ups to find it (within the life of that request).

Going a step further... consider a two-step authentication mechanism where a token is issued (following correct username and password) with the client Id actually in the token as a claim. This way, subsequent requests with the token mean you won't need to call back to the db for every request to authenticate and retrieve information. Take a look at OAuth bearer tokens http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html (be sure to sign them) or some of the other approaches...
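The three ideas in the answer side by side, as an added example that is not part of the original post: the long route must verify that the clientId in the URL matches the authenticated principal's claim, the short route derives the tenant from the principal alone, and a signed bearer token carries the clientId claim so later requests need no db lookup. The user table, document store and signing key are constructed sample data, and the HMAC token format is a stand-in for a real OAuth bearer token.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data: username -> (password, clientId); real code stores password hashes
USERS = {"alice@example.com": ("alice-pw", "c1"), "bob@example.com": ("bob-pw", "c2")}
# Constructed document store keyed by the composite key (clientId, docId)
DOCS = {("c1", "d1"): {"title": "c1 doc"}, ("c2", "d1"): {"title": "c2 doc"}}
SECRET = b"constructed-signing-key"  # assumption: server-side key, never sent to clients

def authenticate(username, password):
    """Validate credentials and return a principal carrying the clientId as a claim."""
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(rec[0], password):
        return None
    return {"sub": username, "clientId": rec[1]}

def get_doc_long_route(principal, url_client_id, doc_id):
    """/api/controller/{clientId}/{docId}: the URL clientId must equal the principal's claim."""
    if principal is None or url_client_id != principal["clientId"]:
        return None  # reject before touching the store, so no cross-tenant row is ever read
    return DOCS.get((url_client_id, doc_id))

def get_doc_short_route(principal, doc_id):
    """/api/controller/{docId}: the tenant comes only from the authenticated principal."""
    if principal is None:
        return None
    return DOCS.get((principal["clientId"], doc_id))

def issue_token(principal):
    """Signed token: base64 JSON claims plus an HMAC-SHA256 tag over those claims."""
    body = base64.urlsafe_b64encode(json.dumps(principal, sort_keys=True).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def principal_from_token(token):
    """Verify the tag before trusting any claim; a token with an edited clientId is rejected."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(base64.urlsafe_b64decode(body))
```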

