[Permission System Design] Where the ACL, DAC, MAC, RBAC and ABAC models each fit

## ACL (Access Control List)

> Specifies which **subjects** may perform which **operations** on a **resource**.

Scenario: department isolation. Applicable resources: customer pages, HR pages.

Under the ACL model, permissions are managed around the **resource**. For each department's pages we specify which users may access them. The configuration looks like this:

```text
ACL configuration table

Resource: customer page
  Subject: Sales department (group)
  Operations: create, delete, update, view

  Subject: Manager Wang (user)
  Operations: create, delete, update, view

Resource: HR page
  Subject: Manager Wang (group)
  Operations: create, delete, update, view
```

Note: a subject may be either a user or a group.

In terms of maintainability, ACLs are easy to maintain when permissions are coarse-grained and relatively static.

In fine-grained situations, for example when every customer is treated as a separate resource, 1000 customers require 1000 ACL tables. If the permission configuration of those 1000 customers follows a pattern, the same operation has to be repeated on every resource; if the configuration follows no pattern, ACL may well be an appropriate solution.

In dynamic situations, where permissions change frequently, every newly added employee requires configuring every resource they need to access, which is hard to maintain in a large, frequently changing system.

In some situations ACL can still be applied to fine-grained scenarios; two extensions of ACL are introduced next.

---

## DAC (Discretionary Access Control)

> Specifies which **subjects** may perform which **operations** on a **resource**; in addition, a **subject** may grant its permissions on a **resource** and **operation** to other **subjects**.

Scenario: file system. Applicable resource: HR training documents.

DAC is an implementation of ACL that emphasizes flexibility. In pure ACL, permissions are assigned centrally by an administrator, which lacks flexibility. To increase flexibility, DAC builds on ACL by delegating the power to authorize: users who hold a permission **may grant that permission to other users on their own**.

For example, under a pure ACL model, every time new hires are trained, the HR director has to ask the IT department to grant the new hires access to the training documents. Under DAC, the HR director only needs to grant document access to an HR specialist; from then on, for each training session, the HR specialist grants document access to the new hires.

---

## MAC (Mandatory Access Control)

> a. Specifies which **categories of subject** may perform which **operations** on a **resource**.
> b. Specifies which **operations** a **subject** may perform on **resources of which level**.
> An operation is allowed only when it satisfies both a and b.

Scenario: classified system. Applicable resource: confidential files.

MAC is another implementation of ACL, emphasizing security. MAC assigns both a category and a level to every resource and every subject in the system. For example, the levels might be Confidential, Secret and Top Secret, and the categories military personnel, finance personnel and administrative personnel.

For example, a Secret-level finance file can be accessed only by subjects whose level is Secret and whose category is finance personnel. A Secret-level administrative staff member cannot access it.

```text
Resource configuration table
Resource: finance document
  Subject: finance personnel
  Level: Secret
  Operation: view

Subject configuration table
  Subject: Ms. Li
  Category: finance personnel
  Level: Secret
```

So the advantage of MAC is that it checks both the resource and the subject, ensuring cross-isolation of resources and improving security.

---

## RBAC (Role-Based Access Control)

> a. Specifies which **operations** a **role** may perform on which **resources**.
> b. Specifies which **roles** a **subject** holds.
> An operation is allowed only when it satisfies both a and b.

Scenario: enterprise data. Applicable resource: customer information.

The idea behind RBAC comes from real-world enterprise structure. For example, the sales role has permission to view customer information. When a salesperson, Xiao Wang, joins the company, we assign him the sales role, and he thereby gains permission to view customers. This avoids the ACL situation in which every new hire requires configuring resource tables one by one. Permission changes also become convenient: modifying a single role changes the permissions of every user who holds it.

```text
Permission table

  Name: create customer
  Resource: customer information
  Operation: create

  Name: delete customer
  Resource: customer information
  Operation: delete

  Name: view customer
  Resource: customer information
  Operation: view

  Name: update customer
  Resource: customer information
  Operation: update

Role table

  Name: sales role
  Permissions: create customer, delete customer, view customer, update customer

User table

  Subject: Xiao Wang
  Role: sales role
```

RBAC cannot satisfy every permission scenario. For example, we cannot customize the sales role for an individual. Suppose the sales role has create and delete permissions; if we want to remove the delete permission from salesperson Xiao Li, we must create another role to express that. If this happens frequently, roles lose their uniformity and the system becomes harder to maintain.

Roles and groups are easily confused, so here is the distinction:

- Roles are assigned to subjects; a subject may be a user or a group
- A role is a set of permissions
- A group is a set of users

---

## ABAC (Attribute-Based Access Control)

> Specifies which **subjects with given attributes** may perform which **operations** on **resources with given attributes** under **contexts with given attributes**.

Scenario: firewall. Applicable resource: port access.

In ABAC, attributes are all the information related to the subject, the resource and the context.

- Subject attributes: all information related to the subject, such as age, gender and position.
- Resource attributes: all information related to the resource, such as creation time, creation location and classification level.
- Context attributes: attributes of the objective situation, such as the current time, the current location and the current mode (normal or emergency).
- Operation: same meaning as before, such as create, read, update and delete.

Defining a permission means defining a policy that contains these four kinds of attribute information.

```text
Policy table

  Effect: allow
  Operation: inbound
  Subject: clients from Shanghai IP addresses
  Resource: all ports beginning with 33 (e.g. 3306)
  Context: Beijing time, 9:00 to 18:00

  Effect: deny
  Operation: outbound
  Subject: any
  Resource: any
  Context: any
```

A request is matched against the policies one by one; if no policy matches, the default effect is returned. The default effect can be chosen per scenario: default deny or default allow. The matching method can also be chosen per scenario: **sequential first-match**, which returns as soon as a policy matches, or **full match**, which evaluates every policy and, if any one of them denies (allows), denies (allows).

Alibaba Cloud's RAM access control uses the ABAC model:

```text
Alibaba Cloud RAM policy configuration table
{
  "Version": "1",
  "Statement":
  [{
    "Effect": "Allow",
    "Action": ["oss:List*", "oss:Get*"],
    "Resource": ["acs:oss:*:*:samplebucket", "acs:oss:*:*:samplebucket/*"],
    "Condition":
    {
      "IpAddress":
      {
        "acs:SourceIp": "42.160.1.0"
      }
    }
  }]
}
```

ABAC unlocks the greatest flexibility a permission system can offer, but with that flexibility comes a maintainability problem if the policies are not managed.

![](https://static001.geekbang.org/infoq/c4/c4308ba420f0a876eee14012689fc70a.gif)

![](https://static001.geekbang.org/infoq/7c/7c3555dc54cc5fa67c557d3bb56dc98d.webp)
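As an added worked example (not code from the original article), the policy table from the ABAC section above is evaluated here in Python under both matching modes the article describes, sequential first-match and full match with a configurable default effect. The Shanghai address range is a constructed placeholder, not a real allocation.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone, timedelta
from ipaddress import ip_address, ip_network
from typing import Callable, List

BEIJING = timezone(timedelta(hours=8))
# Constructed placeholder standing in for "clients from Shanghai IP addresses".
SHANGHAI_NET = ip_network("203.0.113.0/24")


@dataclass(frozen=True)
class Request:
    direction: str   # operation: "inbound" or "outbound"
    source_ip: str   # subject attribute
    port: int        # resource attribute
    at: datetime     # context attribute (timezone-aware)


@dataclass(frozen=True)
class Policy:
    effect: str                        # "allow" or "deny"
    matches: Callable[[Request], bool]


def office_hours(req: Request) -> bool:
    """Context check: Beijing time between 9:00 and 18:00 inclusive."""
    local = req.at.astimezone(BEIJING).time()
    return time(9, 0) <= local <= time(18, 0)


# The two rows of the article's policy table.
POLICIES: List[Policy] = [
    Policy("allow", lambda r: r.direction == "inbound"
           and ip_address(r.source_ip) in SHANGHAI_NET
           and str(r.port).startswith("33")
           and office_hours(r)),
    Policy("deny", lambda r: r.direction == "outbound"),
]


def first_match(req: Request, policies=POLICIES, default="deny") -> str:
    """Sequential matching: the first policy that matches decides."""
    for p in policies:
        if p.matches(req):
            return p.effect
    return default


def evaluate_all(req: Request, policies=POLICIES, default="deny",
                 deny_overrides=True) -> str:
    """Full matching: consult every policy; one deny (or one allow) decides."""
    effects = {p.effect for p in policies if p.matches(req)}
    if not effects:
        return default
    if deny_overrides:
        return "deny" if "deny" in effects else "allow"
    return "allow" if "allow" in effects else "deny"
```

The default effect only matters when no policy matches, which is why an in-range request outside office hours flips from deny to allow when the default changes.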