
Role-based access control with Pyramid

I am considering using Pyramid to build a middle sized web application. I would need to implement RBAC. What would be the best choice? Would it be possible to use Zope components?

Well, Pyramid implements an ACL authorization policy which maps principals to permissions.

  1. Principals are configurable by you to mean whatever you like and are derived from the request (user) itself.
  2. A permission is a string attached to an individual view or "operation".

Maybe I'm wrong, but RBAC seems to fit pretty naturally into this idea. I understand that RBAC tends to be more of a global policy whereas ACLs are generally contextual and thus attached to the data. This isn't really a problem though and depends on how you plan to structure the rest of your application.

You could also fairly simply implement your own RBACAuthorizationPolicy. In Pyramid it will be passed the principals and the permission and from there you could query your access mappings to determine whether to return an Allowed or Denied value for that user.
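A sketch of the custom policy the answer describes, added here as an example and not part of the original answer. It uses Pyramid's classic `permits(context, principals, permission)` interface; the `role:` principal prefix, the sample role tables and the role inheritance are assumptions, and the fallback classes only exist so the block runs without Pyramid installed.

```python
try:
    from pyramid.security import Allowed, Denied
except ImportError:
    # Stand-ins with the same truthiness, so the example runs without Pyramid.
    class _Result(int):
        def __new__(cls, s, *args):
            self = int.__new__(cls, cls.boolval)
            self.msg = s % args
            return self
    class Allowed(_Result):
        boolval = 1
    class Denied(_Result):
        boolval = 0

# Constructed sample mappings (assumptions, not from the original answer).
ROLE_PERMISSIONS = {"viewer": {"view"}, "editor": {"edit"}, "admin": {"delete"}}
ROLE_PARENTS = {"editor": {"viewer"}, "admin": {"editor"}}  # role inheritance

class RBACAuthorizationPolicy:
    """Global role -> permission policy; the context (resource) is ignored."""
    def __init__(self, role_permissions, role_parents=None, prefix="role:"):
        self.role_permissions = role_permissions
        self.role_parents = role_parents or {}
        self.prefix = prefix

    def _expand(self, role):
        """Return the role plus every role it inherits from (cycle-safe)."""
        seen, todo = set(), [role]
        while todo:
            current = todo.pop()
            if current not in seen:
                seen.add(current)
                todo.extend(self.role_parents.get(current, ()))
        return seen

    def _grants(self, role, permission):
        return any(permission in self.role_permissions.get(r, ())
                   for r in self._expand(role))

    def permits(self, context, principals, permission):
        for p in principals:
            # Only "role:<name>" principals count; user ids and Everyone do not.
            if isinstance(p, str) and p.startswith(self.prefix):
                if self._grants(p[len(self.prefix):], permission):
                    return Allowed("%s allowed via %s", permission, p)
        return Denied("no role grants %s", permission)  # deny by default

    def principals_allowed_by_permission(self, context, permission):
        return {self.prefix + role
                for role in {*self.role_permissions, *self.role_parents}
                if self._grants(role, permission)}
```

To use it in an application, pass an instance to `config.set_authorization_policy(...)` alongside an authentication policy whose callback returns the `role:` principals for the user. Pyramid 2.0 deprecates that pair of policies in favour of a single security policy, where the same lookup would sit in its `permits` method.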
