处理跨平台用户身份验证和授权的策略
我感兴趣的是可以使用什么策略来处理跨平台分布式系统中的用户身份验证和授权。我希望能够将系统中的操作标记为属于某个用户,并且只允许某些用户执行某些操作。
背景: 该系统目前仅在 Windows 下使用,其中用户发起的操作当前仅被标记为来自用户的特定计算机。操作基本上涉及使用 cpu 进行一些计算并返回结果。
目前没有进行任何授权,也没有对用户(或计算机之间)进行身份验证。系统作为低权限的服务运行(使用 NETWORK SERVICE 帐户)。数据不敏感,本地网络上的所有用户都可以随心所欲地使用该系统。
该系统可以部署在同构 Windows 域设置中,也可以部署在没有域控制器的工作组中,或者将域与一堆不属于该域的工作计算机混合在一起。
问题
为了向系统添加功能,例如收集每个用户的使用统计信息或显示谁在使用计算机,有必要跟踪各个用户。除此之外,如果某些操作只允许某些用户执行(例如更改系统的某些设置),则还需要某种形式的授权。
我对 Windows 执行此操作的方式有很好的了解,并且使用 Windows 中的内置身份验证和授权功能在同构 Windows 域设置中添加此类功能将非常简单。这也消除了向系统分配仅对该特定系统有效的特殊帐户的需要——一旦用户正常登录,就可以完成所有身份验证和授权,而不需要任何额外的用户交互。
但是如果系统应该能够在 Mac OSX 上运行怎么办?还是Linux?如果它要在混合环境中运行,其中一些用户在 Windows 域中,其他用户在 OSX 上,而一些工作计算机运行 Linux,该怎么办? (实际系统可以移植到所有这些系统并处理跨平台通信等)。我对这些平台上处理身份验证和授权的方式了解有限,并且不知道在平台之间交互时如何实现这一点。
在这样的分布式系统中,有什么好的策略可以用于跨平台用户身份验证和授权吗?请注意这里“跨平台”的双重用途 - 既可以为不同平台编译程序,也可以在平台之间进行交互。
我已将问题标记为 C++,因为这是编写系统的语言,但我愿意接受任何可以使用 C++ 进行交互的内容。欢迎任何想法(包括疯狂的架构变化)!
更新:
一个能够实现的有趣示例:
用户 A 登录到计算机 1,这是一台 Windows 计算机。
用户 A 打开系统的管理界面,选择计算机 2(Linux 系统)并调整设置。系统验证用户 A 实际上具有足够的权限来执行此操作。
由于 A 在登录时已经验证了他的身份,因此希望允许他/她更改此设置而无需提供额外的凭据。
I'm interested in what strategies can be used for handling user authentication and authorization in a cross-platform distributed system. I would like to be able to mark actions in the system as belonging to a certain user and also to only allow certain users to do certain actions.
Background:
The system is currently used under Windows only, where actions initiated by a user is currently only tagged as coming from the particular machine of the user. An action basically involves using the cpu for doing some calculations and returning the result.
There is currently no authorization whatsoever being done and no authentication of users (or between computers). The system is running as a service with low privileges (using the NETWORK SERVICE account). Data is not sensitive and all users on the local network are allowed to use the system to their hearts content.
The system can be deployed in both homogeneous Windows domain setups as well as workgroups without a domain controller or with a mix of a domain together with a bunch of worker computers not belonging to the domain.
Problem
In order to add functionality to the system, say for instance collecting usage statistics per user or displaying who is making use of a computer it is necessary to keep track of individual users. In addition to this, if certain actions should only be allowed to be performed by certain users (for instance changing some settings for the system), some form of authorization is also required.
I have a good understanding of the Windows way of doing this and adding this type of functionality in a homogeneous Windows domain setup would be straightforward using the built-in authentication and authorization functionality in Windows. This also eliminates the need to assign special accounts only valid for this particular system to the system - once the user has logged in normally all authentication and authorization can be done without requiring any extra user interaction.
But what if the system should be able to run on Mac OSX? Or Linux? What if it is supposed to run in a mixed environment with some users in a Windows domain, others on OSX and some worker machines running Linux? (The actual system can be ported to all of these systems and handles cross-platform communication and so on). I have limited knowledge of the way authentication and authorization is handled on these platforms and no knowledge of how this can be achieved when interacting between platforms.
Are there any good strategies to use for cross-platform user authentication and authorization in a distributed system like this? Note the dual use of "cross-platform" here - both as in being able to compile the program for different platforms and as in being able to interact between platforms.
I've tagged the question as C++, since this is the language the system is written in, but I am willing to accept anything that can be interacted with using C++. Any ideas (including wild architectural changes) are welcome!
Update:
An example of what would be interesting to be able to achieve:
User A is logged in to machine 1, which is a Windows machine.
User A opens the administrative interface for the system, selects machine 2 (a Linux system) and adjusts a setting. The system verifies that user A in fact has sufficient privileges to be allowed to do this.
Since A already verified his identity when he/she logged in, it would be desirable to allow him/her to change this setting without having to provide additional credentials.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您可以使用基于声明的身份验证和 SAML 令牌,它可以跨平台工作。
在 Windows 端有一个用于此目的的库:Windows Identity Foundation。
请参阅:http://msdn.microsoft.com/en-us/security/aa570351
You chould use claims based authentication with SAML tokens, which work cross platform.
On the windows side there is a library for this: Windows Identity Foundation.
See: http://msdn.microsoft.com/en-us/security/aa570351