
Use WSO2IS to configure user access to entities

I'm trying to implement WSO2IS for authorization. My understanding is that in the WSO2 realm, the concept of a permission broadly restricts a user's access to an action or a resource. So, for instance, if my app is a bookstore, I could configure whether a user has "read" access to authors at large, and toggle their access to the GetAuthors() endpoint. However, I need to configure a user's access to certain authors. Is there a way I can store a whitelist of authors on a per-user basis? What I'd like to accomplish is to have a user call a GetBooks() endpoint and return only the books written by the authors that the user can access.

It sounds like one possibility is to store this information in an external datastore and implement a custom PIP to read from that datastore.

Another possible option would be to create a custom attribute on the User type and store the whitelist of author IDs in an array on each user.

Is there a better way to do this? I'd prefer not to implement a custom external datastore just to store relationships between users and entity IDs. Is it possible to do this with XACML and policies? Is it possible to have WSO2IS stick this information on a claim that is returned to my controller, so that I can limit my underlying query based on the user's whitelist of allowed entity IDs?

AFAIU you need to maintain a claim to track the accessibility for reading. You can easily create a custom claim to track it by following the article [1]. In this way, you can refer to the custom claim at the controller to make further decisions.

You have to update this claim value for each user. For this, you can use the SCIM API [2] by following the doc [3] to extend the SCIM endpoint for custom claims.

[1] https://medium.com/@inthiraj1994/lets-add-a-custom-claim-to-oidc-in-wso2-is-d871e418d6b0
[2] https://is.docs.wso2.com/en/latest/develop/scim2-rest-apis/#/scim-20-api-definition
[3] https://is.docs.wso2.com/en/latest/develop/extending-scim2-user-schemas/#extending-scim-20-user-schemas
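The controller side of the answer above, as an added example that is not part of the original post or of any WSO2 code: the custom claim (an assumed claim URI; configure your own in WSO2 IS) is read from claims the OIDC middleware has already signature-verified, normalised from either a JSON array or a comma-separated string (an assumption about how the multi-valued claim may be emitted), and pushed into the GetBooks() query as bound parameters. A missing or malformed claim fails closed to zero rows rather than falling back to an unrestricted query.

```python
import sqlite3
from typing import Any

# Assumed local claim URI for the per-user author allow-list; name yours in the IS claim config.
ALLOWED_AUTHORS_CLAIM = "http://wso2.org/claims/allowedAuthors"


def allowed_author_ids(claims: dict[str, Any]) -> frozenset[str]:
    """Normalise the custom claim from already-verified token claims into author IDs.

    The value may arrive as a JSON array or as one comma-separated string
    (assumed: depends on how the claim mapping is configured in IS). A missing,
    empty or malformed claim yields an empty set, so callers fail closed.
    """
    raw = claims.get(ALLOWED_AUTHORS_CLAIM)
    if isinstance(raw, str):
        values = raw.split(",")
    elif isinstance(raw, list):
        values = raw
    else:
        return frozenset()
    return frozenset(v.strip() for v in values if isinstance(v, str) and v.strip())


def get_books(conn: sqlite3.Connection, claims: dict[str, Any]) -> list[dict[str, str]]:
    """GetBooks(): restrict the query itself to the caller's allowed authors.

    IDs are bound as parameters (never interpolated into the SQL text), and an
    empty allow-list short-circuits to no rows instead of an unrestricted query.
    """
    allowed = sorted(allowed_author_ids(claims))
    if not allowed:
        return []
    placeholders = ",".join("?" * len(allowed))
    sql = f"SELECT id, title, author_id FROM books WHERE author_id IN ({placeholders}) ORDER BY id"
    return [{"id": i, "title": t, "author_id": a} for i, t, a in conn.execute(sql, allowed)]


def sample_store() -> sqlite3.Connection:
    """Constructed in-memory bookstore standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (id TEXT PRIMARY KEY, title TEXT, author_id TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?, ?)", [
        ("b1", "Applied Cryptography", "a1"),
        ("b2", "Security Engineering", "a2"),
        ("b3", "Cryptography Engineering", "a1"),
        ("b4", "The Art of Software Security Assessment", "a3"),
    ])
    return conn


if __name__ == "__main__":
    store = sample_store()
    # Claims as they look after the OIDC middleware has verified the token signature.
    print(get_books(store, {"sub": "alice", ALLOWED_AUTHORS_CLAIM: ["a1", "a3"]}))
    print(get_books(store, {"sub": "bob", ALLOWED_AUTHORS_CLAIM: "a2, a1"}))
    print(get_books(store, {"sub": "carol"}))  # no claim -> []
```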
