REST, caching, and authorizing with multiple user roles

Views: 197
This article covers how to handle REST, caching, and authorization with multiple user roles; it may be useful as a reference for anyone facing the same problem.

Problem description

We have a multi-tenant system with multiple different levels of access--sometimes even for the same user as they switch between multiple roles. We're beginning a discussion on moving over to a RESTful implementation of things. I'm just starting to get my feet wet with the whole REST thing.

So how do I go about limiting access to the correct records when they access a resource, particularly when taking caching into consideration? If user A accesses example.com/employees they would receive a different response than user B; user A may even receive a different response as he switches to a different role. To help facilitate caching, should the id of the role be somehow incorporated into the URI? Maybe something like example.com/employees/123 (which violates the rules of REST), or as some sort of subordinate resource like example.com/employees/role/123 (which seems silly, since role/### is going to be appended to URIs all over the place). I can't help but think I'm missing something here.

Edit: mentioned multi-tenancy

Recommended answer

Having the user credentials act as an out-of-band resource identifier (i.e. presenting different views on the same URL to different roles) will turn nasty down the road. Users and applications exchange URLs between them; things turn sour when that happens and the URL simply returns different content for different credentials.

I would say that each role has a different view of the world, therefore each role should access a different path to the service:

  • Admins connect to example.com/admin/employees

  • Users connect to example.com/users/employees

  • Role foo might connect to example.com/foo/employees

This way you separate the 'this role sees the world as such and such' part from the 'this view of the world is accessible to role foo' part. An admin can connect to example.com/users/employees and verify how an ordinary user sees the world, w/o the admin having to impersonate a lower privileged alias first.

You can also use the DNS part for the same purpose: admin.example.com/employees vs. users.example.com/employees. This is especially viable for a related scenario, when the 'role' is not a security role but a multi-tenant namespace (i.e. each service-provisioned account gets its own 'view' of the service).
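The caching hazard the answer describes, and the role-prefixed-path design it recommends, as an added example that is not part of the original question or answer. It models a shared, path-keyed cache (such as a proxy that ignores credentials) in front of a resource. The employee records, the role names ("admin" and "user"), and the access table are constructed for illustration; the first handler serves one URL with credential-dependent content, the second puts the role in the path and checks authorization before touching the cache, so an admin can open the users' view and get exactly what a user gets.

```python
"""Toy model of the two URL designs discussed above, with a shared path-keyed cache.

Added example; the employee records, the role names and the cache are constructed
for illustration and are not from the original post.
"""
from dataclasses import dataclass, field

# Constructed sample data: the resource everyone reads via ".../employees".
EMPLOYEES = [
    {"id": 1, "name": "Alice", "salary": 120000},
    {"id": 2, "name": "Bob", "salary": 95000},
]

KNOWN_VIEWS = {"admin", "users"}

# Which roles may read which role-scoped view. As the answer suggests, an admin may
# also open the ordinary users' view; a plain user may not open the admin view.
VIEW_ACCESS = {
    "admin": {"admin", "users"},
    "user": {"users"},
}


def render_view(view):
    """One resource, one projection per role: admins see salaries, users do not."""
    if view == "admin":
        return [dict(e) for e in EMPLOYEES]
    if view == "users":
        return [{"id": e["id"], "name": e["name"]} for e in EMPLOYEES]
    raise KeyError(view)


@dataclass
class SharedCache:
    """A proxy-style shared cache keyed only on the request path (credentials ignored)."""
    store: dict = field(default_factory=dict)
    hits: int = 0

    def get_or_fill(self, path, fill):
        if path in self.store:
            self.hits += 1
            return self.store[path]
        self.store[path] = fill()
        return self.store[path]


def handle_credential_scoped(cache, path, role):
    """The design the answer warns against: one URL, body chosen by credentials.

    Returns (status, body). Whoever fills the shared cache first decides what every
    later caller of the same path receives.
    """
    if path != "/employees":
        return 404, None
    view = "admin" if role == "admin" else "users"
    return 200, cache.get_or_fill(path, lambda: render_view(view))


def handle_role_scoped(cache, path, role):
    """The design the answer recommends: the role is part of the path.

    Returns (status, body). The path already names the view, so the cache key is
    correct for every caller; authorization is checked before the cache is consulted.
    """
    prefix, _, rest = path.lstrip("/").partition("/")
    if rest != "employees" or prefix not in KNOWN_VIEWS:
        return 404, None
    if prefix not in VIEW_ACCESS.get(role, set()):
        return 403, None
    return 200, cache.get_or_fill(path, lambda: render_view(prefix))


if __name__ == "__main__":
    shared = SharedCache()
    handle_credential_scoped(shared, "/employees", "admin")  # admin fills the cache
    _, body = handle_credential_scoped(shared, "/employees", "user")
    print("credential-scoped: user received salaries?", "salary" in body[0])  # True

    shared = SharedCache()
    print("user -> /admin/employees:", handle_role_scoped(shared, "/admin/employees", "user")[0])  # 403
    print("user -> /users/employees:", handle_role_scoped(shared, "/users/employees", "user"))
    print("admin -> /users/employees:", handle_role_scoped(shared, "/users/employees", "admin"))
```

With the credential-scoped design the cache entry for `/employees` is only as safe as the first request that filled it; with the role-scoped design a cache that knows nothing about credentials is still correct, because every distinct view has a distinct path and the 403 is decided before any cached body is returned.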
