2

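I am designing an authorization service. It enforces access control based on the roles assigned to a user and the permissions set on content. A user can belong to multiple groups. Those groups can in turn belong to other groups. The depth of group-under-group-under-group nesting is not that great. Content can be shared at the user level or at the group level. Content can also be shared with multiple groups. The operations allowed on content are to-read and to-read-write.

Here are my thoughts on a solution for the problem above. The catch is that it looks very simple. I am worried that I am missing some point that would hurt the performance or scalability of the design. Here is the design.

Data storage: Each user can have multiple roles. A role is a string that looks like a namespace: supergroup.group.subgroup.rolename. Each content item can have multiple permissions. A permission is a string that looks like a namespace prefixed with the operation type: canreadwrite.supergroup.group.subgroup.rolename

Authorization algorithm: The authorization function looks like this (PS: this is only to show the basics; in reality the role and permission arrays would be sorted, and some form of binary search would be used for matching).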

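using System.Linq;

// Assumed value: the post does not show this constant. The trailing dot makes
// the remainder of a permission line up with a role string.
private const string canreadwrite = "canreadwrite.";

// Returns true if any role matches any read-write permission by string prefix.
public bool CanReadWrite(string[] roles, string[] permissions)
{
    foreach (var role in roles)
    {
        // Only permissions carrying the read-write prefix are considered.
        foreach (var permission in permissions.Where(s => s.StartsWith(canreadwrite)))
        {
            // Strip the operation prefix, leaving the group path.
            string barePermission = permission.Remove(0, canreadwrite.Length);

            if (role.StartsWith(barePermission))
            {
                return true;
            }
        }
    }

    return false;
}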

Do you see any problems with this design? Any performance issues? Scalability issues?

4

2 Answers

2

Your application is not very clear, especially how these hierarchies of user groups relate to the roles/permissions design.

First, I'd avoid implementing binary search on your own and just use dictionaries.

Second I'd assume you might have large numbers of content items and large numbers of users. It looks like you could end up with large numbers of "dotted permission strings" per content item, but you should keep the number of role/permission entries per content small for performance and maintainability of rights.

Maybe you can split the role definition/maintenance from these user group hierarchies, i.e. content items only "know" some roles, not these groups.

Third, if you really need hierarchies of user groups, I'd consider allowing roles/permissions to be attached to higher-level groups where appropriate, to avoid the need to always define/maintain roles/permissions at the lowest level (assuming many low-level groups are possible).

See also: RBAC at Wikipedia

answered 2013-04-06T06:58:12.200
0

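I can't find any real problem with the approach, except for two very strange top-level groups named canreadwrite or canread. If a silly admin creates such groups, your algorithm will fail.

So I suggest using something like canreadwrite:supergroup.group.subgroup.rolename.

As an alternative, you can format the association like rolehierarchy:permission, testing the role with StartsWith(roleName) and the permission with EndsWith(":" + permissionName)

For example: supergroup.group.subgroup.rolename:canreadwrite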

answered 2013-04-09T10:20:25.047
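An added example, not code from the question or from either answer: a matcher for the operation:path format suggested in the second answer, with one addition, a check that the role continues the granted path at a '.' boundary. PermissionMatcher, Grants and all sample role and permission strings are hypothetical names and constructed values.

```csharp
using System;
using System.Linq;

// Added example, not the poster's code. PermissionMatcher, Grants and the
// sample strings below are constructed for illustration.
public static class PermissionMatcher
{
    // Permission format from the second answer: "operation:group.path".
    // Splitting on the first ':' keeps the operation out of the group
    // namespace, so a group called "canreadwrite" is only a path segment.
    public static bool Grants(string permission, string operation, string role)
    {
        int sep = permission.IndexOf(':');
        if (sep <= 0 || sep == permission.Length - 1) return false; // malformed: deny

        string op = permission.Substring(0, sep);
        string path = permission.Substring(sep + 1);
        if (!string.Equals(op, operation, StringComparison.Ordinal)) return false;

        // Ordinal comparison avoids culture-dependent matching. The role must
        // equal the path or continue it at a '.' boundary, so a grant on
        // "supergroup.group" does not cover "supergroup.grouper.admin".
        if (!role.StartsWith(path, StringComparison.Ordinal)) return false;
        return role.Length == path.Length || role[path.Length] == '.';
    }

    public static bool CanReadWrite(string[] roles, string[] permissions) =>
        roles.Any(r => permissions.Any(p => Grants(p, "canreadwrite", r)));

    public static void Main()
    {
        // Constructed permissions for one content item.
        string[] perms = { "canreadwrite:supergroup.group", "canread:canreadwrite.team" };

        // Case 1: role below the group the content is shared with.
        Console.WriteLine(CanReadWrite(new[] { "supergroup.group.subgroup.editor" }, perms));
        // Case 2: sibling group that only shares a string prefix with the grant.
        Console.WriteLine(CanReadWrite(new[] { "supergroup.grouper.admin" }, perms));
        // Case 3: group literally named "canreadwrite" holding a read-only grant.
        Console.WriteLine(CanReadWrite(new[] { "canreadwrite.team.member" }, perms));
        // Case 4: the same role checked for the read operation instead.
        Console.WriteLine(perms.Any(p => Grants(p, "canread", "canreadwrite.team.member")));
    }
}
```

With a bare StartsWith comparison the role in case 2 would match, because the string supergroup.grouper begins with supergroup.group; the boundary check is what rejects it.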