Spring abac data filtering vs Spring @PostFilter

Question


I am using ABAC model for securing access to some entities in project. According to https://dzone.com/articles/simple-attribute-based-access-control-with-spring, I can easily define some policy rules for updating/deleting entities in project.
After many hours of searching, I came across the only normally documented way to filter data available to the user: using Spring security @PostFilter.
The problem is the performance of this approach. What are the available ways to shift the responsibility for filtering data to the database, while not mixing business and the logic of the role model?

So far I have tried only coding up the JPA Specification: the module responsible for the role model takes into account the user's parameters (id, group_id / organization_id) to compose logical expressions, and all the parameters by which the business needs to filter are added to the expression composed of such Specification expressions. But this solution forces using only the Specification for data retrieval. Moreover, it is not very clear how to store these expressions in the policy store.

Answer 1

Score: 2


You're hitting an aspect that has to do with types of authorization. I like to break it down into 3 types:

  • functional authorization (can I print?)
  • transactional authorization (can I print doc #123?)
  • data-centric authorization (list the docs I can print)

The first 2 types are binary yes/no questions and they scale well i.e. you ask about one item / record and you get one answer.

The third type is trickier because it's about filtering more so than authorization. Imagine you have a million records. You're not going to iteratively ask whether you can view / edit / print the given record. It wouldn't scale. What you need to do is reverse the process and use what's known as a partial evaluation or a reverse query.

Some database vendors (Informatica...) and authorization vendors (Axiomatics...) provide the ability to dynamically filter data to achieve scalable authorization. I would look down that path.
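As an added illustration (not code from the question, the answer, or any vendor), this is what the "reverse query" idea looks like when applied to the asker's JPA Specification approach: the policy module evaluates the parts of the policy that depend only on the subject's attributes up front and hands back a residual predicate over resource columns, which the business module combines with its own filter so the database does all the filtering in one query. The entity, its fields, the `Subject` shape and the policy itself are assumptions; it targets Spring Data JPA 3 / Jakarta Persistence.

```java
// Added example, not from the original post. Entity, field names and policy are assumed.
import java.util.List;
import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import org.springframework.data.jpa.domain.Specification;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.JpaSpecificationExecutor;

@Entity
class Document {
    @Id Long id;
    String title;
    Long ownerId;
    Long organizationId;
    String visibility; // e.g. "PUBLIC" or "PRIVATE" (assumed values)
}

interface DocumentRepository
        extends JpaRepository<Document, Long>, JpaSpecificationExecutor<Document> {}

public class DocumentAccessPolicy {

    /** Subject attributes known at request time (assumed shape). */
    public record Subject(long userId, long organizationId, boolean admin) {}

    /**
     * Partial evaluation of the ABAC policy: subject attributes are known now,
     * resource attributes are not, so the policy is reduced to a residual
     * predicate over resource columns that the database evaluates.
     * Assumed policy: admins see everything; anyone else sees documents they own,
     * documents of their own organization, or public documents.
     */
    public static Specification<Document> readableBy(Subject subject) {
        if (subject.admin()) {
            return (root, query, cb) -> cb.conjunction(); // always true: no restriction
        }
        Specification<Document> owned =
                (root, query, cb) -> cb.equal(root.get("ownerId"), subject.userId());
        Specification<Document> sameOrg =
                (root, query, cb) -> cb.equal(root.get("organizationId"), subject.organizationId());
        Specification<Document> isPublic =
                (root, query, cb) -> cb.equal(root.get("visibility"), "PUBLIC");
        return owned.or(sameOrg).or(isPublic);
    }

    /** Business code supplies only its own filter; it never sees the policy logic. */
    public static List<Document> findByTitlePrefix(DocumentRepository repo, Subject subject, String prefix) {
        Specification<Document> business =
                (root, query, cb) -> cb.like(root.get("title"), prefix + "%");
        // policy AND business become one WHERE clause, so no rows are loaded and then discarded
        return repo.findAll(readableBy(subject).and(business));
    }
}
```

Keeping `readableBy` in its own module is what keeps the role model separate from business queries; the open question from the post, how to persist such residual predicates in a policy store, is what the vendor products the answer mentions address.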

huangapple
  • Posted on 2020-08-28 01:22:26
  • Reposts must retain this link: https://go.coder-hub.com/63621215.html