Row Level Security with Entity Framework


Question

I've been trying to consider how Row Level Security could be implemented with the Entity Framework. The idea is to have a database agnostic means that would offer methods to restrict the rows coming from the ObjectContext.

Some of my initial ideas have involved modifying the partial classes created by the EDMGEN tool and that has offered some limited support. Users are still able to get around this solution by using their own eSQL statements and a QueryObject.

I've been looking for a comprehensive solution that would exist above the database providers so that it would remain agnostic.

Recommended answer

Sure you can do it. The important thing to do is to block direct access to the object context (preventing users from building their own ObjectQuery), and instead give the client a narrower gateway within which to access and mutate entities. We do it with the Entity Repository pattern. You can find an example implementation of this pattern for the entity framework in this blog post. Again, the key is blocking access to the object context. Note that the object context class is partial. So you should be able to prevent "unauthorized" means of instantiating it, namely, outside of your repository assembly.

However, there are subtleties to consider. If you implement row-level view security on a certain entity type via the repository pattern, then you must consider other means by which a client could access the same entities. For example, via navigational relationships. You may need to make some of those relationships private, which you can do in your model. You also have the option of specifying a custom query or stored procedure for loading/saving entities. Stored procedures tend to be DB server specific, but SQL can be written in a generic manner.

While I don't agree that this cannot be done with the Entity Framework, I do agree with the "do it on the DB server" comments insofar as you should implement defense in depth.
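The gateway the answer describes, as an added example that is not part of the original post or of any real project: the generated ObjectContext gets an internal constructor in its partial-class half, and a repository applies the row filter to every read and re-checks ownership on every write. The model name `ShopEntities`, the entity set `Orders`, the `Order` entity and its `OwnerId` column are all hypothetical; the example assumes the generated public constructor has been removed or made internal.

```csharp
// Added example, not from the answer above or any real project. Assumes a
// hypothetical EDM model ShopEntities with an entity set "Orders" whose Order
// entity carries an OwnerId column identifying the row's owner.
using System;
using System.Data.Objects;
using System.Linq;
using System.Security;

public partial class Order
{
    public int OrderId { get; set; }
    public Guid OwnerId { get; set; }
    public decimal Total { get; set; }
}

// The generated ObjectContext is partial. This half lives in the repository
// assembly; its constructor is internal, so code in other assemblies cannot
// build an ObjectQuery or run eSQL against the raw context (assumes the
// generated public constructor was removed or made internal).
public partial class ShopEntities : ObjectContext
{
    internal ShopEntities(string connectionString)
        : base(connectionString, "ShopEntities") { }

    internal ObjectSet<Order> Orders
    {
        get { return CreateObjectSet<Order>("Orders"); }
    }
}

// Narrow gateway: every query and every mutation is scoped to the caller's
// identity, which is fixed when the repository is created, not taken per call.
public sealed class OrderRepository : IDisposable
{
    private readonly ShopEntities _ctx;
    private readonly Guid _callerId;

    public OrderRepository(string connectionString, Guid callerId)
    {
        _ctx = new ShopEntities(connectionString);
        _callerId = callerId;
    }

    // Read side: the filter is applied here and composes with any further
    // LINQ the caller adds, so it ends up in the generated SQL WHERE clause
    // and cannot be removed by the caller.
    public IQueryable<Order> Orders
    {
        get { return _ctx.Orders.Where(o => o.OwnerId == _callerId); }
    }

    public Order Add(decimal total)
    {
        // Ownership is assigned from the caller identity, never from client input.
        var order = new Order { OwnerId = _callerId, Total = total };
        _ctx.Orders.AddObject(order);
        _ctx.SaveChanges();
        return order;
    }

    // Write side: resolve the row through the filtered query rather than
    // trusting a client-supplied id, so a foreign row is simply not found.
    public void Delete(int orderId)
    {
        var order = Orders.SingleOrDefault(o => o.OrderId == orderId);
        if (order == null)
            throw new SecurityException("order not found or not owned by caller");
        _ctx.Orders.DeleteObject(order);
        _ctx.SaveChanges();
    }

    public void Dispose()
    {
        _ctx.Dispose();
    }
}
```

Entities returned from this gateway still carry their navigation properties, so a related entity set that is not itself filtered remains reachable through them; that is the leak the answer's advice about making relationships private (or loading through a custom query) is meant to close, and a matching filter on the database side is the defense-in-depth layer it recommends.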
