基于角色的可扩展身份验证
我目前正在为许多用户拥有不同访问权限的资源设计一个基于角色的身份验证系统。
角色可以是单个用户,也可以是一组角色(因此角色是角色树)。 (参见下图)
一个资源可以有多个身份验证属性(如读、写、删除),其中每个这是允许访问该操作的角色列表。 (见下图)
问题是,如果我想检查用户是否有权访问某个属性,在最坏的情况下我必须遍历 n 棵树(其中 n 是分配给某个属性的角色数量)。
例如,要检查“Max”是否可以读取该属性,我可能必须检查“营销”、“管理”和“管理”树是否包含“Max”。
您是否知道任何算法或替代方法可以消除相当昂贵的树搜索,同时维护角色系统或同样强大的东西。
完美的情况是对 n 个角色进行类似 O(log(n)) 的查找。
谢谢, 芬恩
I am currently designing a role based authentication system for resources where many users have different access rights to it.
A role may be a single user, or a group of roles (so a role is a tree of roles). (see graphic below)
A resource can have multiple authentication properties (like read, write, delete), where each of this is a list of roles allowed to do access the operation. (see graphic below)
The problem is if I want to check if a user has the right to access a property, i have to traverse n trees in worst case (where n is the number of roles assigned to an property).
So for example to check if 'Max' may read the property I might have to check the Marketing, Management and Administration trees if they contain 'Max'.
Do you know of any algorithm or alternative approach which removes the quite expensive tree searches while maintaining the role system or something equally powerful.
The perfect case would be some lookup like O(log(n)) for n roles.
Thanks,
Fionn
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
您是否对此进行了测量并确定此遍历是性能瓶颈?
我从未见过一个具有如此多角色/级别的系统,以至于遍历这种结构的成本会成为一个问题。 如果树真的那么大,我会更担心管理员将很难理解谁有权做什么。
关于可伸缩性,我通常会使用 ASP.NET 缓存来缓存资源和角色之间映射的完整树,并设置合适的缓存超时。 并单独缓存从用户到角色的映射(例如在会话中或使用 ASP.NET 缓存中的用户特定键)。
与每次访问数据库相比,从缓存访问信息通常快得令人眼花缭乱。
Have you measured this and determined that this traversal is a performance bottleneck?
I've never seen a system with so many roles / levels that the cost of traversing this kind of structure would become an issue. And if the tree really is that large, I'd be more concerned that administrators would have difficulty in understanding who is authorized to do what.
Regarding scalability, I would typically use the ASP.NET cache to cache the complete tree that maps between resources and roles, with a suitable cache timeout. And separately cache the mapping from Users to Roles (e.g. in Session or with a user-specific key in the ASP.NET cache).
Accessing the information from the cache will typically be blindingly fast compared with going to the database each time.
如果您将角色放入 SQL 数据库中,查找将基本上按照您所描述的方式执行。 如果您有兴趣,我可以帮助您了解数据库结构。
If you put your roles in a SQL database, lookups will perform substantially as you describe. I can help you with the database structure, if you're interested.
您需要反转您的指针。
“Harry”是“Site2 管理员”的成员,对“Site2”具有“管理员”访问权限,因此他可以“删除”、“写入”和“读取该内容。
为什么“管理”应该是“ Harry”和“Joe”我不清楚。Harry 是一个站点的管理员,但只是另一个站点的用户,Joe 反之亦然。
You need to reverse your pointers.
"Harry" is a member of "Site2 Admins" which has "Administrators" access to "Site2", so he can thus "Delete," "Write" and "Read that content.
Why "Administration" should be a common thing between "Harry" and "Joe" I'm not clear. Harry is an administrator on one site, but just a user on another, and Joe vice versa.