How to handle authentication and authorization with thrift?

Problem description

I'm developing a system which uses Thrift. I'd like clients' identities to be checked and operations to be ACLed. Does Thrift provide any support for those?

Recommended answer

Not directly. The only way to do this is to have an authentication method which creates a (temporary) key on the server, and then change all your methods so that the first argument is this key and they all additionally raise a not-authenticated error. For instance:

exception NotAuthorisedException {
    1: string errorMessage,
}

exception AuthTimeoutException {
    1: string errorMessage,
}

service MyAuthService {
    string authenticate( 1:string user, 2:string pass )
        throws ( 1:NotAuthorisedException e ),

    string mymethod( 1:string authstring, 2:string otherargs, ... )
        throws ( 1:AuthTimeoutException e, ... ),
}

We use this method and save our keys to a secured memcached instance with a 30-minute timeout for keys to keep everything "snappy". Clients who receive an AuthTimeoutException are expected to reauthorise and retry, and we have some firewall rules to stop brute-force attacks.
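The server-side handler the answer describes, written out as an added example (not code from the answer or from the Thrift project): authenticate() issues a random temporary key, every other method takes that key as its first argument, expired or unknown keys raise AuthTimeoutException, and a per-user ACL decides which methods a key may call. The exception classes, the in-memory dict standing in for memcached, the user table and the ACL are all assumptions constructed for the example.

```python
import secrets
import time

# Stand-ins for the Thrift-generated exception classes from the IDL above
# (assumption: in a real service these are imported from the generated code).
class NotAuthorisedException(Exception):
    pass

class AuthTimeoutException(Exception):
    pass

KEY_TTL_SECONDS = 30 * 60  # the 30-minute key timeout from the answer

class MyAuthServiceHandler:
    """Implements the pattern from the answer: authenticate() returns a
    temporary key; each other method validates the key it receives first.
    An in-memory dict stands in for the secured memcached instance (assumption)."""

    def __init__(self, users, acl, clock=time.time):
        self._users = users      # constructed: {user: password}
        self._acl = acl          # constructed: {user: set of permitted method names}
        self._clock = clock      # injectable clock so expiry can be tested
        self._keys = {}          # key -> (user, expiry timestamp)

    def authenticate(self, user, password):
        stored = self._users.get(user)
        # constant-time comparison so a wrong guess does not leak by timing
        if stored is None or not secrets.compare_digest(stored, password):
            raise NotAuthorisedException("bad credentials")
        key = secrets.token_urlsafe(32)   # unguessable random key
        self._keys[key] = (user, self._clock() + KEY_TTL_SECONDS)
        return key

    def _check(self, authstring, method):
        """Resolve a key to its user, enforcing expiry and the ACL for `method`."""
        entry = self._keys.get(authstring)
        if entry is None:
            raise AuthTimeoutException("unknown or expired key; reauthenticate")
        user, expiry = entry
        if self._clock() >= expiry:
            del self._keys[authstring]   # lazy expiry, as a cache TTL would do
            raise AuthTimeoutException("key expired; reauthenticate")
        if method not in self._acl.get(user, set()):
            raise NotAuthorisedException(f"{user} may not call {method}")
        return user

    def mymethod(self, authstring, otherargs):
        user = self._check(authstring, "mymethod")
        return f"{user}: {otherargs}"
```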
