CoSec v1.16.8 released: a reactive, multi-tenant security framework based on RBAC and policies
Reactive, multi-tenant security framework based on RBAC and policies
What's new in v1.16.8 🎉 🎉 🎉
- Feature: new CompositeActionMatcher. A `composite` action combines several action matchers in one statement; the example below pairs a plain path pattern with a method-restricted `path` matcher:

```json
{
  "name": "TestComposite",
  "effect": "allow",
  "action": {
    "composite": [
      "/user/#{principal.id}/*",
      {
        "path": {
          "method": "POST",
          "pattern": [ "/user/#{principal.id}/order/*" ]
        }
      }
    ]
  }
}
```

- Feature: new InRoleConditionMatcher. An `inRole` condition makes the statement apply only when the current principal holds the given role:

```json
{
  "name": "TestInRole",
  "effect": "allow",
  "action": "*",
  "condition": {
    "inRole": { "value": "admin" }
  }
}
```
Authentication
Authorization
OAuth
Modeling class diagram
Security gateway service
Authorization policy flow
Built-in policy matchers
ActionMatcher
How to customize an ActionMatcher (SPI)

Implement an `ActionMatcherFactory` that produces your matcher; the factory's `type` is the key a policy uses to select the matcher, and `create` must return an `ActionMatcher`:

```kotlin
class CustomActionMatcherFactory : ActionMatcherFactory {
    companion object {
        const val TYPE = "[CustomActionType]"
    }

    // The type string is the key that selects this matcher in policy JSON.
    override val type: String
        get() = TYPE

    override fun create(configuration: Configuration): ActionMatcher {
        return CustomActionMatcher(configuration)
    }
}

class CustomActionMatcher(override val configuration: Configuration) : ActionMatcher {
    override val type: String
        get() = CustomActionMatcherFactory.TYPE

    override fun match(request: Request, securityContext: SecurityContext): Boolean {
        // Custom matching logic: decide whether this request's action is covered by the statement.
        TODO("Custom matching logic")
    }
}
```

Register the factory for `ServiceLoader` discovery by listing its fully qualified class name in:

```
META-INF/services/me.ahoo.cosec.policy.action.ActionMatcherFactory
# CustomActionMatcherFactory fully qualified name
```
ConditionMatcher
How to customize a ConditionMatcher (SPI)

Implement a `ConditionMatcherFactory` and a matcher that extends `AbstractConditionMatcher`; the base class handles the common configuration (such as `negate`) and delegates to `internalMatch`:

```kotlin
class CustomConditionMatcherFactory : ConditionMatcherFactory {
    companion object {
        const val TYPE = "[CustomConditionType]"
    }

    // The type string is the key that selects this matcher in policy JSON.
    override val type: String
        get() = TYPE

    override fun create(configuration: Configuration): ConditionMatcher {
        return CustomConditionMatcher(configuration)
    }
}

class CustomConditionMatcher(configuration: Configuration) :
    AbstractConditionMatcher(CustomConditionMatcherFactory.TYPE, configuration) {

    override fun internalMatch(request: Request, securityContext: SecurityContext): Boolean {
        // Custom matching logic: evaluate the condition against the request and security context.
        TODO("Custom matching logic")
    }
}
```

Register the factory for `ServiceLoader` discovery by listing its fully qualified class name in:

```
META-INF/services/me.ahoo.cosec.policy.condition.ConditionMatcherFactory
# CustomConditionMatcherFactory fully qualified name
```
Policy Schema
Configure the Policy Schema so that the IDE (IntelliJ IDEA) offers auto-completion when editing policy files.
Policy demo
```json
{
  "id": "id",
  "name": "name",
  "category": "category",
  "description": "description",
  "type": "global",
  "tenantId": "tenantId",
  "condition": {
    "bool": {
      "and": [
        { "authenticated": {} },
        { "rateLimiter": { "permitsPerSecond": 10 } }
      ]
    }
  },
  "statements": [
    {
      "action": {
        "path": {
          "pattern": "/user/#{principal.id}/*",
          "options": {
            "caseSensitive": false,
            "separator": "/",
            "decodeAndParseSegments": false
          }
        }
      }
    },
    {
      "name": "Anonymous",
      "action": [ "/auth/register", "/auth/login" ]
    },
    {
      "name": "UserScope",
      "action": "/user/#{principal.id}/*",
      "condition": { "authenticated": {} }
    },
    {
      "name": "Developer",
      "action": "*",
      "condition": {
        "in": { "part": "context.principal.id", "value": [ "developerId" ] }
      }
    },
    {
      "name": "RequestOriginDeny",
      "effect": "deny",
      "action": "*",
      "condition": {
        "regular": {
          "negate": true,
          "part": "request.origin",
          "pattern": "^(http|https)://github.com"
        }
      }
    },
    {
      "name": "IpBlacklist",
      "effect": "deny",
      "action": "*",
      "condition": {
        "path": {
          "part": "request.remoteIp",
          "pattern": "192.168.0.*",
          "options": {
            "caseSensitive": false,
            "separator": ".",
            "decodeAndParseSegments": false
          }
        }
      }
    },
    {
      "name": "RegionWhitelist",
      "effect": "deny",
      "action": "*",
      "condition": {
        "regular": {
          "negate": true,
          "part": "request.attributes.ipRegion",
          "pattern": "^中国\\|0\\|(上海|广东省)\\|.*"
        }
      }
    },
    {
      "name": "AllowDeveloperOrIpRange",
      "action": "*",
      "condition": {
        "bool": {
          "and": [
            { "authenticated": {} }
          ],
          "or": [
            { "in": { "part": "context.principal.id", "value": [ "developerId" ] } },
            {
              "path": {
                "part": "request.remoteIp",
                "pattern": "192.168.0.*",
                "options": {
                  "caseSensitive": false,
                  "separator": ".",
                  "decodeAndParseSegments": false
                }
              }
            }
          ]
        }
      }
    },
    {
      "name": "TestContains",
      "effect": "allow",
      "action": "*",
      "condition": {
        "contains": { "part": "request.attributes.ipRegion", "value": "上海" }
      }
    },
    {
      "name": "TestStartsWith",
      "effect": "allow",
      "action": "*",
      "condition": {
        "startsWith": { "part": "request.attributes.ipRegion", "value": "中国" }
      }
    },
    {
      "name": "TestEndsWith",
      "effect": "allow",
      "action": "*",
      "condition": {
        "endsWith": { "part": "request.attributes.remoteIp", "value": ".168.0.1" }
      }
    }
  ]
}
```
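To make the statement model concrete, here is an added Python evaluator (not CoSec's own code) that runs the policy shape shown on this page, including the `composite` action and `inRole` condition introduced in v1.16.8, over constructed requests. It assumes IAM-style evaluation (a matching deny statement overrides any allow; no matching allow is an implicit deny, which is the convention the acknowledgement to AWS IAM suggests), segment-glob path semantics in which `*` matches one segment, "any child matches" semantics for `composite`, and "all `and` children plus at least one `or` child" semantics for `bool`. The `Request` and `Principal` classes, the `part_value` name table and the sample policy are constructed for this example; CoSec's real request and context types are not shown on this page.

```python
import re
from dataclasses import dataclass

# Added teaching example, not CoSec's code; semantics marked "assumption" are modelled on the demo.

@dataclass
class Request:  # constructed request model for the "part" names used in the demo
    path: str
    method: str = "GET"
    remote_ip: str = "10.0.0.1"
    origin: str = "https://github.com"

@dataclass
class Principal:  # constructed security-context subject
    id: str = "anonymous"
    authenticated: bool = False
    roles: frozenset = frozenset()

def part_value(part, req, principal):
    # resolve a dotted "part" name such as request.remoteIp or context.principal.id (constructed table)
    return {"request.remoteIp": req.remote_ip, "request.origin": req.origin,
            "context.principal.id": principal.id}[part]

def glob_match(pattern, value, separator="/", case_sensitive=True):
    # segment glob: "*" matches one segment, "**" any run of segments (assumption: PathPattern-like)
    segs = [".*" if s == "**" else re.escape(s).replace(r"\*", "[^" + re.escape(separator) + "]*")
            for s in pattern.split(separator)]
    return re.fullmatch(re.escape(separator).join(segs), value, 0 if case_sensitive else re.I) is not None

def match_action(action, req, principal):
    # action forms on the page: "*", a path string, a list of them, {"path": ...} or {"composite": [...]}
    if action == "*":
        return True
    if isinstance(action, str):
        return glob_match(action.replace("#{principal.id}", principal.id), req.path)
    if isinstance(action, list):
        return any(match_action(a, req, principal) for a in action)
    (kind, cfg), = action.items()
    if kind == "composite":  # assumption: the action matches when any child matcher matches
        return any(match_action(a, req, principal) for a in cfg)
    if kind == "path":
        if "method" in cfg and cfg["method"].upper() != req.method.upper():
            return False
        patterns = cfg["pattern"] if isinstance(cfg["pattern"], list) else [cfg["pattern"]]
        opts = cfg.get("options", {})
        return any(glob_match(p.replace("#{principal.id}", principal.id), req.path,
                              opts.get("separator", "/"), opts.get("caseSensitive", True)) for p in patterns)
    raise ValueError("unsupported action matcher: " + kind)

def match_condition(cond, req, principal):
    # condition matchers used on the page; a statement without a condition always applies
    if cond is None:
        return True
    (kind, cfg), = cond.items()
    if kind == "bool":  # assumption: all "and" children and, when present, at least one "or" child
        result = all(match_condition(c, req, principal) for c in cfg.get("and", [])) and (
            any(match_condition(c, req, principal) for c in cfg["or"]) if "or" in cfg else True)
    elif kind == "authenticated":
        result = principal.authenticated
    elif kind == "inRole":
        result = cfg["value"] in principal.roles
    else:
        v, opts = part_value(cfg["part"], req, principal), cfg.get("options", {})
        result = {"in": lambda: v in cfg["value"],
                  "contains": lambda: cfg["value"] in v,
                  "startsWith": lambda: v.startswith(cfg["value"]),
                  "endsWith": lambda: v.endswith(cfg["value"]),
                  "regular": lambda: re.search(cfg["pattern"], v) is not None,
                  "path": lambda: glob_match(cfg["pattern"], v, opts.get("separator", "/"),
                                             opts.get("caseSensitive", True))}[kind]()
    return not result if cfg.get("negate", False) else result

def verify(policy, req, principal):
    # assumption (IAM-style): any matching deny wins, else any matching allow, else implicit deny
    if not match_condition(policy.get("condition"), req, principal):
        return "IMPLICIT_DENY"  # a policy-level condition gates every statement
    effects = {s.get("effect", "allow") for s in policy["statements"]
               if match_action(s["action"], req, principal) and match_condition(s.get("condition"), req, principal)}
    return "EXPLICIT_DENY" if "deny" in effects else "ALLOW" if "allow" in effects else "IMPLICIT_DENY"

# constructed sample policy: a subset of the page's demo plus the two v1.16.8 statements
POLICY = {
    "statements": [
        {"name": "Anonymous", "action": ["/auth/register", "/auth/login"]},
        {"name": "UserScope", "action": "/user/#{principal.id}/*", "condition": {"authenticated": {}}},
        {"name": "TestInRole", "effect": "allow", "action": "*", "condition": {"inRole": {"value": "admin"}}},
        {"name": "TestComposite", "effect": "allow", "action": {"composite": [
            "/user/#{principal.id}/*",
            {"path": {"method": "POST", "pattern": ["/user/#{principal.id}/order/*"]}}]}},
        {"name": "RequestOriginDeny", "effect": "deny", "action": "*", "condition": {"regular": {
            "negate": True, "part": "request.origin", "pattern": "^(http|https)://github.com"}}},
        {"name": "IpBlacklist", "effect": "deny", "action": "*", "condition": {"path": {
            "part": "request.remoteIp", "pattern": "192.168.0.*", "options": {"separator": "."}}}},
    ],
}
USER = Principal(id="42", authenticated=True)
ADMIN = Principal(id="1", authenticated=True, roles=frozenset({"admin"}))

if __name__ == "__main__":
    for who, req in [(Principal(), Request("/auth/login")), (USER, Request("/user/42/order/9", method="POST")),
                     (USER, Request("/user/42/order/9")), (ADMIN, Request("/admin/users", remote_ip="192.168.0.5"))]:
        print(who.id, req.method, req.path, "->", verify(POLICY, req, who))
```

Two things the run makes visible that the JSON alone does not: `UserScope`'s `/user/#{principal.id}/*` does not cover `/user/42/order/9` (one `*` is one segment), so only the `composite` statement allows that POST and the same GET is an implicit deny; and the `admin` role is no help from `192.168.0.5`, because the deny statement wins regardless of how many allows match. Whether the `regular` matcher uses a search or a full match is not stated on this page; the example uses a search, which makes no difference for the anchored patterns in the demo.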
App Permission Metadata Schema
Configure the App Permission Schema so that the IDE (IntelliJ IDEA) offers auto-completion when editing permission metadata.
App permission metadata demo
```json
{
  "id": "manage",
  "condition": {
    "bool": {
      "and": [
        { "authenticated": {} },
        {
          "groupedRateLimiter": {
            "part": "request.remoteIp",
            "permitsPerSecond": 10,
            "expireAfterAccessSecond": 1000
          }
        },
        { "inTenant": { "value": "default" } }
      ]
    }
  },
  "groups": [
    {
      "name": "order",
      "description": "order management",
      "permissions": [
        {
          "id": "manage.order.ship",
          "name": "Ship",
          "description": "Ship",
          "action": "/order/ship"
        },
        {
          "id": "manage.order.issueInvoice",
          "name": "Issue an invoice",
          "description": "Issue an invoice",
          "action": "/order/issueInvoice"
        }
      ]
    }
  ]
}
```
OpenTelemetry
CoSec follows the OpenTelemetry "General identity attributes" semantic conventions.
Acknowledgements
CoSec's permission policy design is modelled on AWS IAM.