AWS Amplify with GraphQL - 定义不同类型用户的身份验证规则
[英]AWS Amplify with GraphQL - Defining authentication rules by different types of users
问题描述
Using Amplify, GraphQL, AppSync, Cognito, DynamoDB
使用 Amplify、GraphQL、AppSync、Cognito、DynamoDB
Having the following model:具有以下model:
type Post
@model
{
id: ID!
content: String!
author: String!
}
I want my rules to enable the following case:我希望我的规则启用以下情况:
- Only Admin users can create, update and delete Post只有管理员用户可以创建、更新和删除帖子
- Some Posts where only premium users allow to read一些只有高级用户才允许阅读的帖子
- Some Posts where all logged in users allow to read一些所有登录用户都允许阅读的帖子
- Some Posts where all users (also unauthenticated) allow to read所有用户(也未经身份验证)允许阅读的一些帖子
What is the best way to implement it using the mentioned tools?使用上述工具实现它的最佳方法是什么?
Thanks谢谢
2 个解决方案
解决方案1
2 已采纳 2020-10-09 01:22:20
From your question, it is not clear how you define "Some Posts" and how you would differentiate one from another.从你的问题来看,不清楚你如何定义“一些帖子”以及你如何将一个帖子与另一个帖子区分开来。 If I was designing this, I would have at least one more field in my Post type to manage the access level (For example: 3 (Admin) > 2 (Premium) > 1 (Logged-in) > 0 (Unregistered)), like so;如果我正在设计这个,我将在我的Post类型中至少有一个字段来管理访问级别(例如:3(管理员)> 2(高级)> 1(登录)> 0(未注册)),像这样;
type Post
@model
{
id: ID!
content: String!
author: String!
accessLevel: Int!
}
To manage this on user level, I think your best bet is to manage it using Cognito groups (like mentioned in the official documentation ) and assign appropriate permission for each group.要在用户级别进行管理,我认为最好的办法是使用 Cognito 组(如官方文档中所述)进行管理,并为每个组分配适当的权限。
Things you would need in Cognito:在 Cognito 中你需要的东西:
A user pool which will contain all of your registered users.
一个包含所有注册用户的用户池。A user group for premium members.
高级会员的用户组。A user group for your admins.
您的管理员的用户组。
Things you would need in your AppSync:您在 AppSync 中需要的东西:
For Admin users to create, update and delete Post:
管理员用户创建、更新和删除帖子:type Mutation { createPost(id:ID,: content,String:: author:String:),Post: @aws_auth(cognito_groups, ["Admin"]) updatePost(id:ID:: content:String,: author,String:):Post: @aws_auth(cognito_groups: ["Admin"]) deletePost(id:ID!, content:String!, author:String!):Post! @aws_auth(cognito_groups: ["Admin"]) }For some posts only visible to premium , logged-in or unregistered users to read:
对于一些只对premium 、登录或未注册用户可见的帖子:type Query { getPost(id:ID:):Post! @aws_api_key @aws_cognito_user_pools }Furthermore, you can use the
accessLevelin your resolver to filter out the result based on which post you want to be visible to premium, logged-in or unregistered users.此外,您可以使用解析器中的accessLevel根据您希望高级用户、登录用户或未注册用户看到的帖子来过滤结果。
解决方案2
2 2020-10-11 07:50:58
I used @Myz answers.我使用了@Myz 的答案。 And https://aws.amazon.com/blogs/mobile/graphql-security-appsync-amplify/ for full solution:和https://aws.amazon.com/blogs/mobile/graphql-security-appsync-amplify/完整的解决方案:
type Post
@model
@auth(
rules: [
{ allow: owner }
{ allow: groups, groups: ["Admin"], operations: [create, update, delete] }
{ allow: groups, groupsField: "group", operations: [read] }
]
) {
id: ID!
content: String!
author: String!
group: [String] # or String for a single group
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.