Clarification
This article is part of the OverallAuth 2.0 series, which is updated weekly with a new article (Complete System Development from 0 to 1).
I will try to be very detailed in this series, so that novices and veterans alike can follow it.
Description: OverallAuth 2.0 is a simple, easy to understand and powerful permission + visual process management system.
Friendly reminder: this post is part of a series of articles; before reading it, it is recommended to read the previous articles to better understand the structure of the project.
QQ group: 801913255. Ask anything you don't understand in the group; the group owner will patiently answer.
Follow me. If you can't learn it, come and beat me.
Note: this article is theoretical; the full development process will follow. If you are interested, please follow me (*^▽^*).
01 Classification of system privileges
Generally speaking, a system's permissions are divided into 2 major categories: function-level permissions and data-level permissions. How are they categorized? Let's look at the following figure.
As you can see from the diagram above, the difference between function-level permissions and data-level permissions is that they divide permissions at different levels of granularity.
Function-level permissions: as the name suggests, these are biased towards permission control on the functional side.
Data-level permissions: these are biased towards permission control on the data side.
02 What are the design patterns for permissions
After understanding how a system's permissions are divided, how do we go about planning and designing them? Minimizing the maintenance cost of system permissions and the coupling of permissions is a serious problem that developers have long faced.
From my understanding, there are four popular permission design patterns.
From the figure above, we can see that permission design patterns fall into those four kinds. Next we'll use a novella form to talk, for each of the four patterns, about its usage scenarios and how it is realized.
03 ACL User-Based Privilege Design
Ride the Wind was a developer at a startup. Because it was a startup, the company was small; the R&D staff was a mere 3 people, and the R&D tasks they faced were usually very tight. One evening, Ride the Wind stretched hard and looked around at the empty seats. He was about to pack up and go home when his boss called out to him. "Xiao Cheng, how come everyone in finance can see the operations data? Can you make it so that different people view different data?" Ride the Wind's boss wasn't very tech savvy either, and the requirement was just: let different people see different data. Ride the Wind replied confidently: "Yes, boss." The next day, Ride the Wind put together a rights management solution based on ACLs according to the boss's needs.
Above is the permission design that Ride the Wind built on ACLs. As you can see, menus and personnel are linked directly, which is a simple and effective way to let each employee access different menus and so realize the boss's requirement.
04 RBAC Role-Based Privilege Design
4.1 Role Privileges
As time passed, the company entered a stage of rapid development, and one day, 2 years later, the boss came to find Ride the Wind, who was by then the R&D team leader. "Xiao Cheng, operations told me this morning that they now spend too much time every day assigning personnel permissions. Every time there is a personnel change or someone joins, the permissions need to be re-adjusted, and it can't be done in batches, which greatly reduces their work efficiency. Can you see any way to solve this problem?"
When Ride the Wind heard this, he said without hesitation: "Yes, boss, tomorrow I will give you a solution."
The boss was very happy to hear this, patted Ride the Wind on the shoulder and left. He very much appreciated Ride the Wind's way of handling this kind of work: clean, and the problem always got solved.
Ride the Wind's confidence came from learning and drilling his craft day after day. He understood that RBAC could solve his boss's needs perfectly, so he made the following design the next day.
The 2 diagrams above produce the same authorization result, but the RBAC-based authorization method is obviously more flexible. The reason is that Ride the Wind abstracted a role layer between people and permissions, which not only reduces coupling within the system but also greatly reduces the operation and maintenance time for operations staff.
Why? Let's take a simple example: when [Permission 4] is a permission that I no longer want anyone to use, then under RBAC I just need to remove it from [Role 3]. Under ACL, by contrast, it is more troublesome: you need to remove the permission from Personnel 1 and Personnel 3 one after another. Here it is 3 employees; imagine if it were 10 or 100, how troublesome that would be.
Soon Ride the Wind's solution was recognized by his boss, and he was given a promotion and a raise.
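As an added example (my own, not OverallAuth's code), the ACL and RBAC models above side by side, with hypothetical person, role and permission names matching the figure's labels. It shows the revocation case just described: withdrawing Permission 4 touches one role under RBAC but every affected person under ACL.

```python
# ACL: each person is mapped directly to the permissions (menus) they may use.
# Constructed data: person1 and person3 both hold perm4, as in the figure.
acl = {
    "person1": {"perm1", "perm2", "perm4"},
    "person2": {"perm1", "perm3"},
    "person3": {"perm2", "perm4"},
}

# RBAC: people are mapped to roles, roles to permissions; perm4 lives in role3 only.
user_roles = {
    "person1": {"role1", "role3"},
    "person2": {"role2"},
    "person3": {"role3"},
}
role_perms = {
    "role1": {"perm1"},
    "role2": {"perm1", "perm3"},
    "role3": {"perm2", "perm4"},
}


def acl_allowed(acl, user, perm):
    """ACL check: the permission must be on the person's own list."""
    return perm in acl.get(user, set())


def rbac_allowed(user_roles, role_perms, user, perm):
    """RBAC check: some role held by the person must carry the permission."""
    return any(perm in role_perms.get(r, set()) for r in user_roles.get(user, set()))


def acl_revoke(acl, perm):
    """Revoke under ACL: every person's list must be visited.
    Returns how many personnel records had to change."""
    touched = 0
    for perms in acl.values():
        if perm in perms:
            perms.discard(perm)
            touched += 1
    return touched


def rbac_revoke(role_perms, perm):
    """Revoke under RBAC: only roles are visited, people are untouched.
    Returns how many roles had to change."""
    touched = 0
    for perms in role_perms.values():
        if perm in perms:
            perms.discard(perm)
            touched += 1
    return touched
```

With 3 people the difference is 2 records versus 1; the ACL count grows with headcount while the RBAC count does not.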
4.2 Role level authority
This design pattern was quickly implemented and used in the system, and it did greatly solve many practical problems. But it didn't last long: over the next few years the company grew faster and faster and kept increasing in size, and this design approach presented the same problem as ACLs. When user permissions are split very finely, almost every user ends up corresponding to a role of their own. It seemed to go back to the ACL design pattern of a few years earlier.
So Ride the Wind kept analyzing the system and drilling into the technology, hoping to find an effective solution.
Maybe it was a daydream. One night, Ride the Wind got the solution in his sleep. He dreamed of establishing levels for the roles set up earlier. That is, a higher-level role inherits all the permissions of the lower-level roles beneath it.
Having got the answer, Ride the Wind was no longer sleepy, and there was no time to put on clothes and trousers. Wearing only a pair of boxer shorts, he opened the computer and drew the following design.
You read that right, it's actually similar to an organization chart. So how do we achieve it? Please see the following figure.
You can see that [Role 1-2] inherits all the permissions of [Role 1-2-1]. According to this principle, we don't need to give Permission 3 and Permission 4 to [Role 1-2] separately.
Ah-choo. Ride the Wind rubbed his nose. A sneeze made him realize that all he had on was a pair of boxer shorts. Looking at the design, Ride the Wind said faintly:
"Am I really a genius?" Then it was off to dreamland.
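An added example (my own, not OverallAuth's code) of the role hierarchy in 4.2: a higher-level role gets every permission of the roles below it, so [Role 1-2] obtains Permission 3 and 4 from [Role 1-2-1] without being granted them directly. Role and permission names are hypothetical, following the figure's labels; the traversal also tolerates a misconfigured cycle rather than looping forever.

```python
# Constructed hierarchy: role1 sits above role1-1 and role1-2; role1-2 sits above role1-2-1.
role_children = {
    "role1": ["role1-1", "role1-2"],
    "role1-2": ["role1-2-1"],
}

# Permissions granted directly to each role (role1-2 is granted nothing itself).
role_direct_perms = {
    "role1": {"perm1"},
    "role1-1": {"perm2"},
    "role1-2": set(),
    "role1-2-1": {"perm3", "perm4"},
}


def effective_permissions(role, role_children, role_direct_perms):
    """Union of a role's own permissions and those of every role beneath it.
    A 'seen' set guards against a misconfigured cycle in the hierarchy."""
    perms, stack, seen = set(), [role], set()
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        perms |= role_direct_perms.get(r, set())
        stack.extend(role_children.get(r, []))
    return perms


def role_allowed(role, perm, role_children=role_children, role_direct_perms=role_direct_perms):
    """Permission check against the inherited (effective) permission set."""
    return perm in effective_permissions(role, role_children, role_direct_perms)
```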
05 ABAC Attribute-Based Permission Design
The years are long and life is like a dream; in the blink of an eye a few more years had passed. Ride the Wind was no longer young, and no longer the newcomer who had just entered the company, yet he was also exactly the same as before. He seemed to have lost his yearning for technology and his enthusiasm for drilling into it, because he always felt that his skills were already at a very high level. Until one day, the boss came to find him again.
The boss pushed open the door of Ride the Wind's office and saw him making tea. His brow furrowed slightly, but the frown quickly disappeared.
"Boss," said Ride the Wind, getting up, not noticing anything unusual about the boss.
"Xiao Cheng, when I went to inspect the finance department yesterday, I found that Xiao Li of the finance department could actually see the wages of all the employees of our company. Reasonably speaking, apart from the finance manager, who has the authority to view them, nobody below that in the finance department should be able to view employees' salaries."
"And Xiao Zhang of the personnel department, how can he arbitrarily view the company's leadership personnel data, and even modify it at will? Isn't this nonsense?"
"You are the head of the R&D department; you should think about the data security of the system. What data each person can view and what data they can modify has to be adjustable."
Over the next few hours, the boss talked with Ride the Wind a great deal. Most of it centered on the issue of data security.
"By the way, your tea set is quite complete; the whole thing is good," the boss, who had walked to the door, suddenly turned around and said to Ride the Wind.
The boss's last words sent Ride the Wind into deep contemplation.
Looking back at myself in the past, I have an indescribable feeling inside: from actively improving my abilities at the beginning to slacking off and becoming complacent today.
His boss's words that day made him realize a lot. After reflecting, Ride the Wind resolved to find himself again, and then briefly summarized the needs according to the boss as follows:
1: Different people need to view different data, and this must be adjustable.
2: Different people have different operating privileges on the data, and this must be adjustable.
These questions gave Ride the Wind a headache; he didn't know where to start. So it was as if he had gone back to his past self, looking up information and improving his skills.
Finally he got a solution that works: ABAC's attribute-based permission design. This means that ABAC can perform permission control by dynamically evaluating an attribute or a set of attributes.
So roughly how are ABAC attributes subdivided?
Having got the answer, Ride the Wind immediately started on the ABAC attribute-based permission design. The iteration of the permission system was soon completed.
As he learned more, Ride the Wind also began to reflect on his own problems. What had previously seemed like confidence in his own skills now looked like conceit and complacency. There is no pinnacle of technology, only a constant quest for knowledge and exploration.
06 RBAC+ABAC authority design
There's not much to explain here: OverallAuth 2.0 uses an RBAC + ABAC permission design.
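An added example (my own, not OverallAuth's code) of the combined RBAC + ABAC design from sections 05 and 06: RBAC decides whether a role may use a function at all (function-level), and an attribute rule then decides whether this user may apply it to this particular record (data-level). All users, roles, attributes and records are hypothetical and constructed to follow the boss's two complaints about Xiao Li and Xiao Zhang.

```python
# Function-level permissions per role. finance_staff are granted salary:view as a
# function; which salary records they may actually see is decided by ABAC below.
role_perms = {
    "finance_manager": {"salary:view"},
    "finance_staff": {"salary:view"},
    "hr_staff": {"employee:view", "employee:edit"},
}

# Subject attributes (constructed): roles and an organizational level, 3 = leadership.
users = {
    "xiao_li":    {"roles": {"finance_staff"},   "level": 1},
    "fin_mgr":    {"roles": {"finance_manager"}, "level": 3},
    "xiao_zhang": {"roles": {"hr_staff"},        "level": 1},
}


def rbac_check(user, action):
    """Function-level gate: does any of the user's roles carry this action?"""
    return any(action in role_perms.get(r, set()) for r in user["roles"])


def salary_rule(user, action, record):
    """Data-level rule: only a finance manager sees every salary record;
    anyone else may only see the record they own."""
    if "finance_manager" in user["roles"]:
        return True
    return record.get("owner") == user["id"]


def employee_rule(user, action, record):
    """Data-level rule: leadership-level records (level >= 3) may only be viewed
    or edited by leadership-level users; other records are open to HR."""
    if record.get("level", 0) >= 3:
        return user["level"] >= 3
    return True


# Which attribute rule governs which resource type (the part of the action before ':').
attribute_rules = {"salary": salary_rule, "employee": employee_rule}


def is_allowed(user_id, action, record):
    """Combined check: RBAC first, then the ABAC rule for the resource.
    Unknown users and resources without a rule are denied by default."""
    if user_id not in users:
        return False
    user = dict(users[user_id], id=user_id)
    if not rbac_check(user, action):
        return False
    rule = attribute_rules.get(action.split(":", 1)[0])
    return bool(rule and rule(user, action, record))
```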
That's all there is to this post, thanks for your patience!
Backend WebApi preview at http://139.155.137.144:8880/swagger/
Frontend Vue preview at http://139.155.137.144:8881
Follow the official account and send [permission] to get the front-end and back-end code.
If you are interested, please follow my Weibo official account (*^▽^*).
Follow me: a full-stack, multi-terminal treasure blogger, regularly sharing technical articles and occasionally sharing open source projects. Follow me and get to know a different programming world!