我浏览了 XACML 文档,它解释了如何在 XML 文件中维护授权策略,同样可以通过将策略保存在数据库中来完成,我的问题是在 XML 文件中存储策略(如 XACML)而不是 DB 方法的优势是什么,因为归根结底,它只是解析 XML 或查询数据库。
2 回答
@user3405607:如果我对您的理解正确,您是在质疑数据库评估引擎执行“相同”工作时是否需要“复杂”的 XACML 标准/规范?
如果是这样,答案是基于数据库的引擎只能为简单规则提供访问控制决策,主要是与 ACL 相关。例如,如果您有资源 X、Y、Z 和用户 A、B、C,您可以设计一个简单的表,如:
+----------+----------+----------+
| X | Y | Z |
+----------+----------+----------+
A | 1 | 0 | 1 |
| | | |
B | 1 | 0 | 1 |
| | | |
C | 0 | 1 | 1 |
+----------+----------+----------+
但正如你所看到的,这不会扩展。当然,您可以制作基于角色的 ACL,而不是使用用户 -> 资源映射。但同样,这只会迎合简单的规则。
你将如何处理一个简单的规则“如果财务部门的用户不是提出订单的人并且订单金额小于他的最大批准限制,他可以批准订单”,假设部门被捕获在 Active Directory 中?
当然,如果规则中需要的所有详细信息(部门、订单签发者、金额、最大金额)都在数据库中,您可以考虑编写复杂的 SQL 查询来为您完成这项工作,但话又说回来,包含规则的策略只能变得更复杂,很快你就会得到复杂的策略,这些策略会变成一个复杂的决策树,编写数据库查询将不值得麻烦。
此外,很快您将不得不编写一个大小合适的代码来执行和解析所有这些查询和响应,实际上这将是 XACML 文献中称为 PDP 的实体。
对 XACML 的需求还不止于此,因为它定义了基于标准的策略语言以及请求-响应协议。
我建议您阅读有关此问题的一些基本材料,因为我的解释可能无法充分说明所涉及的复杂性以及对不仅仅依赖于数据库查询的专用评估引擎的需求。
XACML policy repository can be any thing, database or file system or any registry. But if you think about clustering, security, manageability and performance. I guess using database approach is good.. Let me provide few reason for it..
- If multiple PDP nodes (different machines) are running in a clustered environment, It is easy that nodes are pointed same database. Then policies can be managed by master nodes and we do not want to worry about policy distribution of across other nodes.
- XACML policy can contain meta data that is associate with it.
Policy Order
is an one of meta data that is associated with the policy. If we use file based approach, we may need to manage them in a separate way. But if it is a database it is just adding another column into policy table. Actually practical PDP, There can be some other associated meta data such as policy enable/disable, policy updater, last update time and so on. - If you are not using policy caching, I guess it is better to use database approach. It may be fast. Some database may provide caching itself. If you have meta data, they can be also retrieved by a single SQL query
However, I do not think practical PDP would never read and load policies for each request. Once PDP initializes Policy would be load into the caches. In that case, there would not be any performance issue with file base approach. But, if cache are expired frequently, then most of time policies may be loaded. So it is always better to go for database approach.