基于 RBAC 和策略的多租户响应式安全框架
![License]()
![GitHub release]()
![Maven Central]()
![Codacy Badge]()
![codecov]()
![Integration Test Status]()
更新内容(v1.16.3) 🎉 🎉 🎉
- 特性:新增
GroupedRateLimiterConditionMatcher 支持分组限流。
{
"groupedRateLimiter": {
"part": "request.remoteIp",
"permitsPerSecond": 10,
"expireAfterAccessSecond": 1000
}
}
- 特性:
Policy / AppPermission 支持顶级 Condition,降低重复配置
- 重构:重构角色权限策略,提升易用性
{
"id": "manage",
"condition": {
"bool": {
"and": [
{
"authenticated": {}
},
{
"groupedRateLimiter": {
"part": "request.remoteIp",
"permitsPerSecond": 10,
"expireAfterAccessSecond": 1000 }
}
]
}
},
"groups": [
{
"name": "订单管理",
"permissions": [
{
"id": "manage.order.ship",
"name": "发货",
"action": "/order/ship"
},
{
"id": "manage.order.issueInvoice",
"name": "开票",
"action": "/order/issueInvoice"
}
]
}
]
}
- 重构:策略 Schema,增强自动补全,提升易用性
- 依赖:更新 CosId 版本到
v1.18.5
认证
![Authentication-Flow]()
授权
![Authorization-Flow]()
OAuth
![OAuth-Flow]()
建模类图
![Modeling]()
安全网关服务
![Gateway]()
授权策略流程
![Authorization Policy]()
内置策略匹配器
ActionMatcher
![ActionMatcher]()
如何自定义 ActionMatcher (SPI)
参考 PathActionMatcher
class CustomConditionMatcherFactory : ConditionMatcherFactory {
companion object {
const val TYPE = "[CustomConditionType]"
}
override val type: String
get() = TYPE
override fun create(configuration: Configuration): ConditionMatcher {
return CustomConditionMatcher(configuration)
}
}
class CustomConditionMatcher(configuration: Configuration) :
AbstractConditionMatcher(CustomConditionMatcherFactory.TYPE, configuration) {
override fun internalMatch(request: Request, securityContext: SecurityContext): Boolean {
//Custom matching logic
}
}
META-INF/services/me.ahoo.cosec.policy.action.ActionMatcherFactory
# CustomActionMatcherFactory fully qualified name
ConditionMatcher
![ConditionMatcher]()
如何自定义 ConditionMatcher (SPI)
参考 ContainsConditionMatcher
class CustomConditionMatcherFactory : ConditionMatcherFactory {
companion object {
const val TYPE = "[CustomConditionType]"
}
override val type: String
get() = TYPE
override fun create(configuration: Configuration): ConditionMatcher {
return CustomConditionMatcher(configuration)
}
}
class CustomConditionMatcher(configuration: Configuration) :
AbstractConditionMatcher(CustomConditionMatcherFactory.TYPE, configuration) {
override fun internalMatch(request: Request, securityContext: SecurityContext): Boolean {
//Custom matching logic
}
}
META-INF/services/me.ahoo.cosec.policy.condition.ConditionMatcherFactory
# CustomConditionMatcherFactory fully qualified name
策略 Schema
配置 Policy Schema 以支持 IDE (IntelliJ IDEA) 输入自动完成。
策略 Demo
{
"id": "id",
"name": "name",
"category": "category",
"description": "description",
"type": "global",
"tenantId": "tenantId",
"condition": {
"bool": {
"and": [
{
"authenticated": {}
},
{
"rateLimiter": {
"permitsPerSecond": 10
}
}
]
}
},
"statements": [
{
"action": {
"path": {
"pattern": "/user/#{principal.id}/*",
"options": {
"caseSensitive": false,
"separator": "/",
"decodeAndParseSegments": false
}
}
}
},
{
"name": "Anonymous",
"action": [
"/auth/register",
"/auth/login"
]
},
{
"name": "UserScope",
"action": "/user/#{principal.id}/*",
"condition": {
"authenticated": {}
}
},
{
"name": "Developer",
"action": "*",
"condition": {
"in": {
"part": "context.principal.id",
"value": [
"developerId"
]
}
}
},
{
"name": "RequestOriginDeny",
"effect": "deny",
"action": "*",
"condition": {
"regular": {
"negate": true,
"part": "request.origin",
"pattern": "^(http|https)://github.com"
}
}
},
{
"name": "IpBlacklist",
"effect": "deny",
"action": "*",
"condition": {
"path": {
"part": "request.remoteIp",
"pattern": "192.168.0.*",
"options": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
}
}
}
},
{
"name": "RegionWhitelist",
"effect": "deny",
"action": "*",
"condition": {
"regular": {
"negate": true,
"part": "request.attributes.ipRegion",
"pattern": "^中国\\|0\\|(上海|广东省)\\|.*"
}
}
},
{
"name": "AllowDeveloperOrIpRange",
"action": "*",
"condition": {
"bool": {
"and": [
{
"authenticated": {}
}
],
"or": [
{
"in": {
"part": "context.principal.id",
"value": [
"developerId"
]
}
},
{
"path": {
"part": "request.remoteIp",
"pattern": "192.168.0.*",
"options": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
}
}
}
]
}
}
},
{
"name": "TestContains",
"effect": "allow",
"action": "*",
"condition": {
"contains": {
"part": "request.attributes.ipRegion",
"value": "上海"
}
}
},
{
"name": "TestStartsWith",
"effect": "allow",
"action": "*",
"condition": {
"startsWith": {
"part": "request.attributes.ipRegion",
"value": "中国"
}
}
},
{
"name": "TestEndsWith",
"effect": "allow",
"action": "*",
"condition": {
"endsWith": {
"part": "request.attributes.remoteIp",
"value": ".168.0.1"
}
}
}
]
}
应用权限元数据 Schema
配置 App Permission Schema 以支持 IDE (IntelliJ IDEA) 输入自动完成。
应用权限元数据 Demo
{
"id": "manage",
"condition": {
"bool": {
"and": [
{
"authenticated": {}
},
{
"groupedRateLimiter": {
"part": "request.remoteIp",
"permitsPerSecond": 10,
"expireAfterAccessSecond": 1000
}
},
{
"inTenant": {
"value": "default"
}
}
]
}
},
"groups": [
{
"name": "order",
"description": "order management",
"permissions": [
{
"id": "manage.order.ship",
"name": "Ship",
"description": "Ship",
"action": "/order/ship"
},
{
"id": "manage.order.issueInvoice",
"name": "Issue an invoice",
"description": "Issue an invoice",
"action": "/order/issueInvoice"
}
]
}
]
}
OpenTelemetry
CoSec-OpenTelemetry
CoSec 遵循 OpenTelemetry General identity attributes 规范。
![CoSec-OpenTelemetry]()
感谢
CoSec 权限策略设计参考 AWS IAM 。
