Keycloak 授权 - 最佳实践角色与组
[英]Keycloak Authorization - best practice roles vs groups
问题描述
I have a web-application secured with Keycloak.
我有一个使用 Keycloak 保护的 Web 应用程序。 To keep the description of the service short, we have Users and Documents as entities in the service.为了使服务描述简短,我们将用户和文档作为服务中的实体。 The users may have access to none or more documents and may edit or read the document.用户可以访问一个或多个文档,并且可以编辑或阅读该文档。
Currently we have roles such as Admin, EndUser, Developer etc. We then keep a database table outside of Keycloak that maps the documents to users and what user has what access level to what document.目前我们有管理员、最终用户、开发人员等角色。然后我们在 Keycloak 之外保留一个数据库表,用于将文档映射到用户以及哪些用户对哪些文档具有什么访问级别。 All our end-users have the EndUser role in Keycloak.我们所有的最终用户在 Keycloak 中都有 EndUser 角色。 Every single time an EndUser tries to read/edit a Document, we have to make a lookup in the database table for authorization.每次最终用户尝试读取/编辑文档时,我们都必须在数据库表中进行查找以进行授权。
We would like to migrate that table to Keycloak.我们想将该表迁移到 Keycloak。 As I understand it I basically have two options:据我了解,我基本上有两种选择:
Create a lot of roles, two for each document with names such as
doc_read_[DOCUMENT-ID]anddoc_edit_[DOCUMENT-ID]and so on.创建很多角色,每个文档两个,名称分别为doc_read_[DOCUMENT-ID]和doc_edit_[DOCUMENT-ID]等。 Then assign the correct role to the correct user.然后将正确的角色分配给正确的用户。 The downside here is that the number of roles will grow A LOT.这里的缺点是角色的数量会增加很多。 Also, the number of roles attached to a user will be very large.此外,附加到用户的角色数量将非常大。Create a group for each document, with the name of the document id.
为每个文档创建一个组,名称为文档 ID。 Have different sub-groups for read/write and then add the users in the correct groups.有不同的子组进行读/写,然后将用户添加到正确的组中。 The downside is that the number of groups will be very large.缺点是组的数量会非常大。 Also, I will rely Authorization on group names, so the list of group names has to be mapped to the token.另外,我将在组名上依赖授权,因此组名列表必须映射到令牌。
I do not want to add a user-attribute with the document-ids to each user.我不想为每个用户添加带有文档 ID 的用户属性。 With this approach I can not get an overview of a document and see what users have access to a given Document.使用这种方法,我无法获得文档的概览,也无法查看哪些用户可以访问给定的文档。
What is the best practice here?这里的最佳做法是什么? Are there any other solutions to solve this issue?有没有其他解决方案可以解决这个问题? This must be a very common setup.这一定是一个非常常见的设置。
2 个解决方案
解决方案1
2 2021-02-24 16:12:29
This is just my opinion.这只是我的看法。
From what I understand both solutions are suboptimal, adding a role per document is unnatural and too finer grain.据我了解,这两种解决方案都不是最理想的,为每个文档添加一个角色是不自然的,而且粒度太细。 And as you already mention this would lead to too many roles that probably you will have to add them into the token.正如您已经提到的那样,这会导致过多的角色,您可能必须将它们添加到令牌中。
I would personally use Keycloak just for the authentication part and do the authorization part in the backend.我个人将 Keycloak 仅用于身份验证部分并在后端进行授权部分。 I would also try to group the documents in a way that reflect which user roles are allowed to manipulate them.我还将尝试以反映允许哪些用户角色操作它们的方式对文档进行分组。
Alternatively you might try to use Keycloak's Authorization features to handle that use-case, however I have never used it, so there is not much that I can say about this option.或者,您可能会尝试使用 Keycloak 的授权功能来处理该用例,但是我从未使用过它,因此关于此选项我无话可说。
解决方案2
0 2021-02-25 14:05:07
In my opinion what you want to achieve is something that is very tied to your business logic, I wouldn't recomend depending on keycloak to do it.在我看来,您想要实现的目标与您的业务逻辑非常相关,我不建议您依赖 keycloak 来实现。 Your token would constantly grow and management would be a nightmare really.你的代币会不断增长,管理真的是一场噩梦。
I see no problem in having a service with good cache to lookup permissions, the bulk of the data won't change much over time.我认为拥有具有良好缓存以查找权限的服务没有问题,大部分数据不会随着时间的推移而发生太大变化。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.