CoSec v1.16.8 发布,基于 RBAC 和策略的多租户响应式安全框架
基于 RBAC 和策略的多租户响应式安全框架
更新内容(v1.16.8) 🎉 🎉 🎉
- 特性:新增
CompositeActionMatcher
{
"name": "TestComposite",
"effect": "allow",
"action": {
"composite": [
"/user/#{principal.id}/*",
{
"path": {
"method": "POST",
"pattern": [
"/user/#{principal.id}/order/*"
]
}
}
]
}
}
- 特性:新增
InRoleConditionMatcher
{
"name": "TestInRole",
"effect": "allow",
"action": "*",
"condition": {
"inRole": {
"value": "admin"
}
}
}
认证
授权
OAuth
建模类图
安全网关服务
授权策略流程
内置策略匹配器
ActionMatcher
如何自定义 ActionMatcher (SPI)
class CustomActionMatcherFactory : ActionMatcherFactory {
companion object {
const val TYPE = "[CustomActionType]"
}
override val type: String
get() = TYPE
override fun create(configuration: Configuration): ConditionMatcher {
return CustomActionMatcher(configuration)
}
}
class CustomActionMatcher(override val configuration: Configuration) : ActionMatcher {
override val type: String
get() = CustomActionMatcherFactory.TYPE
override fun match(request: Request, securityContext: SecurityContext): Boolean {
//Custom matching logic
}
}
META-INF/services/me.ahoo.cosec.policy.action.ActionMatcherFactory
# CustomActionMatcherFactory fully qualified name
ConditionMatcher
如何自定义 ConditionMatcher (SPI)
class CustomConditionMatcherFactory : ConditionMatcherFactory {
companion object {
const val TYPE = "[CustomConditionType]"
}
override val type: String
get() = TYPE
override fun create(configuration: Configuration): ConditionMatcher {
return CustomConditionMatcher(configuration)
}
}
class CustomConditionMatcher(configuration: Configuration) :
AbstractConditionMatcher(CustomConditionMatcherFactory.TYPE, configuration) {
override fun internalMatch(request: Request, securityContext: SecurityContext): Boolean {
//Custom matching logic
}
}
META-INF/services/me.ahoo.cosec.policy.condition.ConditionMatcherFactory
# CustomConditionMatcherFactory fully qualified name
策略 Schema
配置 Policy Schema 以支持 IDE (IntelliJ IDEA) 输入自动完成。
策略 Demo
{
"id": "id",
"name": "name",
"category": "category",
"description": "description",
"type": "global",
"tenantId": "tenantId",
"condition": {
"bool": {
"and": [
{
"authenticated": {}
},
{
"rateLimiter": {
"permitsPerSecond": 10
}
}
]
}
},
"statements": [
{
"action": {
"path": {
"pattern": "/user/#{principal.id}/*",
"options": {
"caseSensitive": false,
"separator": "/",
"decodeAndParseSegments": false
}
}
}
},
{
"name": "Anonymous",
"action": [
"/auth/register",
"/auth/login"
]
},
{
"name": "UserScope",
"action": "/user/#{principal.id}/*",
"condition": {
"authenticated": {}
}
},
{
"name": "Developer",
"action": "*",
"condition": {
"in": {
"part": "context.principal.id",
"value": [
"developerId"
]
}
}
},
{
"name": "RequestOriginDeny",
"effect": "deny",
"action": "*",
"condition": {
"regular": {
"negate": true,
"part": "request.origin",
"pattern": "^(http|https)://github.com"
}
}
},
{
"name": "IpBlacklist",
"effect": "deny",
"action": "*",
"condition": {
"path": {
"part": "request.remoteIp",
"pattern": "192.168.0.*",
"options": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
}
}
}
},
{
"name": "RegionWhitelist",
"effect": "deny",
"action": "*",
"condition": {
"regular": {
"negate": true,
"part": "request.attributes.ipRegion",
"pattern": "^中国\\|0\\|(上海|广东省)\\|.*"
}
}
},
{
"name": "AllowDeveloperOrIpRange",
"action": "*",
"condition": {
"bool": {
"and": [
{
"authenticated": {}
}
],
"or": [
{
"in": {
"part": "context.principal.id",
"value": [
"developerId"
]
}
},
{
"path": {
"part": "request.remoteIp",
"pattern": "192.168.0.*",
"options": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
}
}
}
]
}
}
},
{
"name": "TestContains",
"effect": "allow",
"action": "*",
"condition": {
"contains": {
"part": "request.attributes.ipRegion",
"value": "上海"
}
}
},
{
"name": "TestStartsWith",
"effect": "allow",
"action": "*",
"condition": {
"startsWith": {
"part": "request.attributes.ipRegion",
"value": "中国"
}
}
},
{
"name": "TestEndsWith",
"effect": "allow",
"action": "*",
"condition": {
"endsWith": {
"part": "request.attributes.remoteIp",
"value": ".168.0.1"
}
}
}
]
}
应用权限元数据 Schema
配置 App Permission Schema 以支持 IDE (IntelliJ IDEA) 输入自动完成。
应用权限元数据 Demo
{
"id": "manage",
"condition": {
"bool": {
"and": [
{
"authenticated": {}
},
{
"groupedRateLimiter": {
"part": "request.remoteIp",
"permitsPerSecond": 10,
"expireAfterAccessSecond": 1000
}
},
{
"inTenant": {
"value": "default"
}
}
]
}
},
"groups": [
{
"name": "order",
"description": "order management",
"permissions": [
{
"id": "manage.order.ship",
"name": "Ship",
"description": "Ship",
"action": "/order/ship"
},
{
"id": "manage.order.issueInvoice",
"name": "Issue an invoice",
"description": "Issue an invoice",
"action": "/order/issueInvoice"
}
]
}
]
}
OpenTelemetry
CoSec 遵循 OpenTelemetry General identity attributes 规范。
感谢
CoSec 权限策略设计参考 AWS IAM 。
关注公众号
低调大师中文资讯倾力打造互联网数据资讯、行业资源、电子商务、移动互联网、网络营销平台。
持续更新报道IT业界、互联网、市场资讯、驱动更新,是最及时权威的产业资讯及硬件资讯报道平台。
转载内容版权归作者及来源网站所有,本站原创内容转载请注明来源。
-
上一篇
TensorFlow 2.12 正式发布
TensorFlow 是一个用于机器学习的端到端开源平台。它有一个全面灵活的工具、库和社区资源所组成的生态,让开发人员轻松建立和部署由 ML 驱动的应用程序。 TensorFlow 最初用于进行机器学习和深度神经网络研究。但该系统具有足够的通用性,也适用于其他广泛的领域。 重要变化 构建、编译和打包 删除了多余的软件包 tensorflow-gpu 和 tf-nightly-gpu。这些包被删除,取而代之的是分别引导用户切换到 tensorflow 或 tf-nightly 的包。自 TensorFlow 2.1 以来,这两组包之间唯一的区别是它们的名字,所以没有损失的功能或 GPU 支持。 tf.function: tf.function 现在直接使用 Python inspect 库来解析它所装饰的 Python 函数的签名。这一改变可能会破坏那些函数签名错误,但之前被忽略的代码,例如: 在一个具有不同签名的函数上使用 functools.wraps 在无效的 tf.function 输入下使用 functools.partial tf.function 现在强制要求输入的参数名必...
-
下一篇
智能制造一体化 v3.9.7 发布,财务基础更新
智能制造一体化管理系统[SpringBoot2 - 快速开发平台],适用于制造业、建筑业、汽车行业、互联网、教育、政府机关等机构的管理。包含文件在线操作、工作日志、多班次考勤、CRM、ERP 进销存、项目管理、EHR、拖拽式生成问卷、日程、笔记、工作计划、行政办公、薪资模块、动态表单、知识库、公告模块、企业论坛、云售后模块、生产模块、系统模块化同步模块等多种复杂业务功能。 有一些小伙伴很好奇最近更新的内容和智能制造有什么关系? 答:目前 Skyeye 整体在做重构,优先从底层的一些功能开始,所以现在大家看到的和智能制造的联系不是很大,也希望大家能够理解,一个大型的智能制造对底层的依赖性也是非常高的。 智能制造一体化 v3.9.7 发布,更新内容如下: 已完成测试的组件:输入框,下拉框,文本框,上传组件,枚举卡槽,文字分割线,编码规则,附件上传,数据字典卡槽,团队模板,部门信息,用户选择,往来单位,凭证,账户,账套 已托管到表单布局的功能:角色管理,桌面管理,前台服务配置,编码管理,联系人管理(新增/编辑),CRM客户管理,CRM客户合同(新增/编辑),CRM客户商机(新增/编辑),CR...
相关文章
文章评论
共有0条评论来说两句吧...
微信收款码
支付宝收款码