
Manage multiple teams and groups in AWS Cognito

I have a Jamstack site with Cognito authentication which is deployed through Netlify. The aim should be to have only one codebase and a user pool with predefined groups for each team for the application. Each deployed version of the codebase is routed to its own URL of a team. A team includes the roles of manager, editor & staff and is set up by myself, and the first user has the role of manager to manage and sign up further users within the application via the admin API. How can I solve the problem to get to know the right user pool of the team the user belongs to at login?

Use a single user pool only for authentication (logging in). Create identity pools (federated identities) for each team and use the custom authentication method for authenticating users against identity pools. Then use identity pool identities for authorization (granting permissions).

https://docs.aws.amazon.com/cognito/latest/developerguide/concepts.html
https://docs.aws.amazon.com/cognito/latest/developerguide/developer-authenticated-identities.html

No code solution

Amplify makes it easy to deploy to multiple environments, e.g. dev, test, prod. You could use that mechanism to deploy each "team" into their own environment. That also gives you a unique URL per team.

The major downside to this approach is that each team would have their own environment (probably their own git branch), so it will be annoying to deploy changes across all teams.

I wouldn't recommend the above unless you only have 2-3 teams.

Just use groups

Another approach would be to use GROUPS to distinguish teams as well as roles, e.g. add groups for each team: TEAM_xxxx, and roles: ROLE_ADMIN, ROLE_MANAGER, ROLE_EDITOR, ROLE_STAFF. All data is co-located, but you can use group auth to limit visibility of data per team and role.

You can give the site multiple domains. I'm not sure how to enforce that each team uses "their" domain, but that shouldn't matter as they'll only be able to see/change data for the teams they belong to.

When new users sign up, add the domain they used as a Cognito custom attribute and check it in an auth hook. If all looks good, add that user to a 'pending approval' DB table and email that team's managers. Managers log in, see users pending approval, and approve/reject them. Users with ROLE_MANAGER can add others to any group they themselves belong to, obviously done server-side.

I've done the above for "poor man's multi-tenant" w/ Amplify and it works quite nicely.

If you can't tolerate the data being shared across teams with only permissions separating it, then you probably want to ditch Amplify and use CDK to deploy the codebase and all resources per-team.
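The following is an added example (not code from the answer's author) of the server-side pieces of the "just use groups" design in the answer above: reading the caller's `cognito:groups`, enforcing that a ROLE_MANAGER may only add users to groups the manager is a member of, and a Pre Sign-up trigger that checks the sign-up domain and parks the user for approval. It assumes group names of the form `TEAM_<id>` / `ROLE_<name>`, a custom attribute named `custom:domain`, that the caller's claims come from an ID token already verified upstream (for instance by an API Gateway Cognito authorizer), and a constructed domain-to-team table; the pending-approval store is an in-memory stand-in for a real table.

```python
"""Server-side checks for teams-and-roles-as-Cognito-groups (added example).

Assumptions (not from the original answer): TEAM_<id> / ROLE_<name> group
names, a custom:domain attribute, verified caller claims, and a constructed
DOMAIN_TO_TEAM table. Runs offline; `client` is a boto3 cognito-idp client
in production and a stand-in object in tests.
"""
import re

MANAGER_ROLE = "ROLE_MANAGER"
KNOWN_ROLES = {"ROLE_ADMIN", "ROLE_MANAGER", "ROLE_EDITOR", "ROLE_STAFF"}
TEAM_RE = re.compile(r"^TEAM_[A-Za-z0-9]+$")

# Constructed sample mapping of the domain each team signs up from to its group.
DOMAIN_TO_TEAM = {
    "alpha.example.com": "TEAM_alpha",
    "bravo.example.com": "TEAM_bravo",
}

# Stand-in for the 'pending approval' table the answer describes.
PENDING_APPROVAL = {}


def parse_groups(claims):
    """Return the caller's groups as a set.

    cognito:groups is a JSON list inside the ID token, but an API Gateway
    authorizer flattens it into a string such as "[TEAM_alpha ROLE_MANAGER]";
    both shapes are accepted so the check does not silently see no groups.
    """
    raw = claims.get("cognito:groups", [])
    if isinstance(raw, str):
        raw = raw.strip("[]").replace(",", " ").split()
    return set(raw)


def is_team_group(group):
    """True for well-formed team groups (TEAM_<id>)."""
    return bool(TEAM_RE.match(group))


def can_add_to_group(actor_groups, target_group):
    """The answer's rule: a manager may add others only to groups the manager
    is in. Anything else, including group names outside the naming scheme,
    is refused."""
    if MANAGER_ROLE not in actor_groups:
        return False
    if not (is_team_group(target_group) or target_group in KNOWN_ROLES):
        return False
    return target_group in actor_groups


def add_user_to_group(claims, username, group, client, user_pool_id):
    """Authorize with the caller's verified claims, then perform the admin
    API call (AdminAddUserToGroup) on the user's behalf. Never trust a
    target group or team sent by the browser without this check."""
    if not can_add_to_group(parse_groups(claims), group):
        raise PermissionError("not allowed to add users to %s" % group)
    client.admin_add_user_to_group(
        UserPoolId=user_pool_id, Username=username, GroupName=group
    )
    return True


def pre_signup_handler(event, context=None):
    """Cognito Pre Sign-up trigger.

    Looks up the team from the domain recorded in custom:domain, records the
    user as pending approval for that team, and leaves auto-confirmation off.
    Raising makes Cognito reject the sign-up with this message. Emailing the
    team's managers (e.g. via SES) would go where the comment marks it.
    """
    attrs = event["request"]["userAttributes"]
    domain = attrs.get("custom:domain", "").strip().lower()
    team = DOMAIN_TO_TEAM.get(domain)
    if team is None:
        raise ValueError("sign-up from an unknown team domain")
    PENDING_APPROVAL[event["userName"]] = {"team": team, "email": attrs.get("email")}
    # notify managers of `team` here (omitted: no network access in this example)
    event["response"]["autoConfirmUser"] = False
    return event
```

In production `client` is `boto3.client("cognito-idp")`, and the Lambda that exposes `add_user_to_group` should take `claims` from the authorizer context rather than from the request body; the domain table would normally live in configuration or a database rather than in the module.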
