phpGACL Chinese Manual (Part 3)

 

Defining access control with phpGACL

For large or complex situations the 'access matrix' approach is clearly unsuitable. We need a better system that keeps its advantages (fine-grained control and a clear picture of who has access to what) but removes its disadvantages (hard to summarize, and hard to manage large groups of people at once). phpGACL is one such system.

phpGACL does not describe access 'bottom-up' like the access matrix above. Instead it describes access 'top-down', like the textual description of Han's access policy. This is a flexible system: it lets you manage access for large groups, it summarizes the access policy neatly, and it makes it easy to see who has access to what.

An ARO tree defines a hierarchy of Groups and AROs (the things that request access). It is very similar to a tree view of folders and files: the 'folders' are the Groups and the 'files' are the AROs.

Let's make an ARO tree for the people on Han's ship. First we define some categories for the people. It is clear that Han and Chewie run the ship, and the rest are just passengers:

Millennium Falcon Passengers                         Group
├─Crew                                               Group
│ ├─Han                                              ARO
│ └─Chewie                                           ARO
└─Passengers                                         Group
  ├─Obi-wan                                          ARO
  ├─Luke                                             ARO
  ├─R2D2                                             ARO
  └─C3PO                                             ARO

This tree by itself does not specify any access policy; it only shows how we group the people who might request access (the AROs).

We apply access restrictions by attaching instructions about a particular room (an ACO) to Groups or AROs in the tree. Han says: "By default, no-one should be allowed access to any room on the Millennium Falcon. But the Crew should have access to every room. The Passengers should only have access to the Lounge."

Millennium Falcon Passengers
├─Crew                                               [ALLOW: ALL]
│ ├─Han
│ └─Chewie
└─Passengers                                         [ALLOW: Lounge]
  ├─Obi-wan
  ├─Luke
  ├─R2D2
  └─C3PO

To interpret this ARO tree, we start from the top and work our way down.

First, the default policy is always to deny access. That default has been overridden for the Crew group, so its members have access to everywhere ("ALL" is shorthand for every room: Cockpit, Lounge, Guns, Engines). The Passengers group has been given access only to the Lounge; nothing has been said about the Cockpit, Guns or Engines for that group, so the default deny still applies to them there.

This way of describing the access policy is much clearer than the access matrix. You can easily see who has access to what, and it is easier to determine why they have it (it is obvious that Han and Chewie have access to everything, since they are grouped under Crew).

To summarize:

  • Access Control Objects (ACOs) are the things we want to control access to (e.g. web pages, databases, rooms).
  • Access Request Objects (AROs) are the things that request access (e.g. people, remote computers).
  • ARO trees define a hierarchy of Groups and AROs. Groups can contain other Groups and AROs.
  • The default 'catch-all' policy for the ARO tree is always "DENY ALL".
  • To assign an access policy, work your way down the tree, explicitly assigning permissions to Groups and AROs for each ACO as the need arises.
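The steps above (define the ACOs and AROs, build the ARO tree, then attach ALLOW entries to groups and rely on the default DENY for everything else) map directly onto the phpGACL API. The following is an added example, not code from the phpGACL manual or the phpGACL project; it assumes a working phpGACL install with its database schema created, and the include path and the values in $gacl_options are placeholders you must replace. The method names and argument order are those of the gacl_api class as I know it (add_object_section, add_object, add_group, add_group_object, add_acl, acl_check); check them against the gacl_api.class.php shipped with your version before relying on them. Note that the page's "ALL" has no wildcard equivalent in add_acl: every room is listed explicitly.

```php
<?php
// Added example (not from the phpGACL manual): Han's ARO tree and policy
// expressed with the phpGACL gacl_api class, followed by access checks.
// Assumptions: phpGACL is installed and its tables exist; the include path
// and the connection values below are placeholders.
require_once '/path/to/phpgacl/gacl_api.class.php';

$gacl_options = array(
    'db_type'         => 'mysql',       // placeholder connection details
    'db_host'         => 'localhost',
    'db_user'         => 'gacl',
    'db_password'     => 'secret',
    'db_name'         => 'gacl',
    'db_table_prefix' => 'gacl_',
    'caching'         => false,         // off while experimenting so every check hits the DB
);
$gacl = new gacl_api($gacl_options);

// 1. ACOs: the rooms we control access to, all in a section whose value is "rooms".
$rooms = array('cockpit', 'lounge', 'guns', 'engines');
$gacl->add_object_section('Rooms', 'rooms', 10, 0, 'ACO');
foreach ($rooms as $room) {
    $gacl->add_object('rooms', ucfirst($room), $room, 10, 0, 'ACO');
}

// 2. AROs: the people who request access, in a section whose value is "people".
$people = array('han', 'chewie', 'obi-wan', 'luke', 'r2d2', 'c3po');
$gacl->add_object_section('People', 'people', 10, 0, 'ARO');
foreach ($people as $person) {
    $gacl->add_object('people', ucfirst($person), $person, 10, 0, 'ARO');
}

// 3. The ARO tree: a root group with two child groups, then the AROs placed
//    in the groups exactly as in the tree diagram above.
$root_id       = $gacl->add_group('falcon', 'Millennium Falcon Passengers', 0, 'ARO');
$crew_id       = $gacl->add_group('crew', 'Crew', $root_id, 'ARO');
$passengers_id = $gacl->add_group('passengers', 'Passengers', $root_id, 'ARO');

foreach (array('han', 'chewie') as $p) {
    $gacl->add_group_object($crew_id, 'people', $p, 'ARO');
}
foreach (array('obi-wan', 'luke', 'r2d2', 'c3po') as $p) {
    $gacl->add_group_object($passengers_id, 'people', $p, 'ARO');
}

// 4. Policy. No ACL is attached to the root group, so the catch-all DENY
//    applies to everyone unless an explicit ALLOW is found further down.
//    add_acl(aco_array, aro_array, aro_group_ids, axo_array, axo_group_ids,
//            allow, enabled, return_value, note)
$gacl->add_acl(array('rooms' => $rooms), NULL, array($crew_id),
               NULL, NULL, 1, 1, NULL, 'Crew: ALLOW every room');
$gacl->add_acl(array('rooms' => array('lounge')), NULL, array($passengers_id),
               NULL, NULL, 1, 1, NULL, 'Passengers: ALLOW Lounge only');

// 5. Checks. acl_check() answers the question "may this ARO reach this ACO?"
//    and evaluates ACLs attached to the ARO itself or to any group it is in.
$checks = array(
    array('guns',    'han'),    // Crew member, room covered by the Crew ALLOW
    array('lounge',  'luke'),   // Passenger, the one room Passengers are allowed
    array('cockpit', 'luke'),   // Passenger, no ALLOW anywhere up the tree
);
foreach ($checks as $c) {
    list($room, $person) = $c;
    $allowed = $gacl->acl_check('rooms', $room, 'people', $person);
    printf("%-8s -> %-8s %s\n", $person, $room, $allowed ? 'ALLOW' : 'DENY');
}
```

Under Han's policy the script should report ALLOW for Han entering the Guns room and for Luke entering the Lounge, and DENY for Luke entering the Cockpit, the last purely because no ACL mentions Luke, the Passengers group or the root group for that room. One caveat: this policy contains no conflicting rules, which is why the tree reads cleanly top-down. Before building a policy that stacks ALLOW and DENY entries at different depths of the tree, check how your version's acl_query() orders multiple matching ACLs rather than assuming the entry nearest the ARO wins.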
