phpGACL Chinese Manual (9)

This article describes how Access eXtension Objects (AXOs) extend phpGACL's permission system. Introducing AXOs lets access-control policies be partitioned and managed at a finer grain, giving precise control over individual resources.

Access eXtension Objects

Access eXtension Objects (AXOs) can add a 3rd dimension to the permissions that can be configured in phpGACL. We've seen how phpGACL allows you to combine an ARO and an ACO (2 dimensions) to create an Access Policy Directive. This is great for simple permission requests like:

Luke (ARO) requests access to "Guns" (ACO)

If that's all you need, that's fine - AXOs are totally optional.

But because all ACOs are considered equal, it makes it difficult to manage if there are many ACOs. If this is the case, we can change the way we look at Access Objects to manage it more easily.

AXOs are identical to AROs in many respects. There is an AXO tree (separate from the ARO tree), with its own Groups and AXOs. When dealing with AXOs, consider an AXO to take the old role of the ACO (i.e. "things to control access on"), and change the view of ACOs from "things to control access on" to "actions that are requested".

ARO and ACO-only View:

  • AROs: Things requesting access
  • ACOs: Things to control access on

ARO, ACO and AXO View:

  • AROs: Things requesting access
  • ACOs: Actions that are requested
  • AXOs: Things to control access on

Example: A website manager is trying to manage access to projects on the website. The ARO tree consists of all the users:

Website
├─Administrators
│ ├─Alice
│ └─Carol
└─Users
  ├─Bob
  └─Alan

The projects are organized by Operating System into categories in the AXO tree:

Projects
├─Linux
│ ├─SpamFilter2
│ └─AutoLinusWorshipper
└─Windows
  ├─PaperclipKiller
  └─PopupStopper

The actions that can be taken with each project are "View" and "Edit". These are the ACOs.

Now we want Bob to have "View" access to all the Linux projects, so it's possible to add an ADP that links Bob's ARO to the View ACO and the Linux AXO, and thus we can ask the question:

Bob (ARO) requests access to "View" (ACO) the project(s) called "Linux" (AXO)

Keep in mind that AXOs are optional: if you don't specify an AXO when calling acl_check() and a matching ADP exists with no AXO, access will be allowed. However, if the only ADPs that exist carry AXOs and you call acl_check() without an AXO, the check will fail.

So basically, as soon as you specify an AXO when calling acl_check(), acl_check() will only search ACLs containing AXOs. If no AXO is specified, only ACLs without AXOs are searched. In theory (I haven't benchmarked it) this gives us a slight performance increase as well.
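The following is an added example, not phpGACL's own code: a small Python model of the three-dimensional lookup described above, built on the manual's Website/Projects trees and its "Bob may View Linux" directive. It reproduces the rule that a check naming an AXO consults only ADPs that carry an AXO, while a check without one consults only AXO-less ADPs. The "nearest ARO ancestor, then nearest AXO ancestor wins" precedence, the extra ADPs (an Administrators allow on all Projects, a narrower deny for Bob on one Linux project, an AXO-less Edit for Alan) and all function names are assumptions of this model, not phpGACL's API or its SQL ordering.

```python
# Toy model of the ARO / ACO / AXO lookup described in the phpGACL manual.
# Added example, not phpGACL's code. Tree names come from the manual; the
# extra ADPs and the "most specific match wins" ordering are constructed here.
from dataclasses import dataclass
from typing import Optional


class Tree:
    """A group tree (the ARO tree or the AXO tree). Leaves and groups share
    one parent map, so chain('Bob') -> ['Bob', 'Users', 'Website']."""

    def __init__(self) -> None:
        self.parent: dict = {}

    def add(self, node: str, parent: Optional[str] = None) -> None:
        self.parent[node] = parent

    def chain(self, node: str) -> list:
        """The node itself first, then each enclosing group up to the root."""
        out = []
        while node is not None:
            out.append(node)
            node = self.parent.get(node)
        return out


@dataclass
class ADP:
    """Access Policy Directive: who (ARO), which action (ACO), on what (AXO)."""
    aro: str
    aco: str
    axo: Optional[str]  # None means the directive carries no AXO at all
    allow: bool = True


class Gacl:
    def __init__(self, aro_tree: Tree, axo_tree: Tree) -> None:
        self.aro_tree = aro_tree
        self.axo_tree = axo_tree
        self.adps: list = []

    def add_acl(self, aro: str, aco: str, axo: Optional[str] = None,
                allow: bool = True) -> None:
        self.adps.append(ADP(aro, aco, axo, allow))

    def acl_check(self, aco: str, aro: str, axo: Optional[str] = None) -> bool:
        """A query that names an AXO only considers ADPs that carry an AXO;
        a query without one only considers ADPs without one (manual's rule).
        Among the matches, the ADP nearest to the requesting ARO and then
        nearest to the requested AXO decides (model assumption). No match
        means deny."""
        want_axo = axo is not None
        aro_chain = self.aro_tree.chain(aro)
        axo_chain = self.axo_tree.chain(axo) if want_axo else [None]
        best = None
        for adp in self.adps:
            if (adp.axo is not None) != want_axo:
                continue  # the AXO / no-AXO partition from the manual
            if adp.aco != aco or adp.aro not in aro_chain or adp.axo not in axo_chain:
                continue
            rank = (aro_chain.index(adp.aro), axo_chain.index(adp.axo))
            if best is None or rank < best[0]:
                best = (rank, adp)
        return best[1].allow if best else False


def build_example() -> Gacl:
    """The manual's Website and Projects trees plus constructed ADPs."""
    aro = Tree()
    for node, parent in [("Website", None), ("Administrators", "Website"),
                         ("Users", "Website"), ("Alice", "Administrators"),
                         ("Carol", "Administrators"), ("Bob", "Users"),
                         ("Alan", "Users")]:
        aro.add(node, parent)
    axo = Tree()
    for node, parent in [("Projects", None), ("Linux", "Projects"),
                         ("Windows", "Projects"), ("SpamFilter2", "Linux"),
                         ("AutoLinusWorshipper", "Linux"),
                         ("PaperclipKiller", "Windows"), ("PopupStopper", "Windows")]:
        axo.add(node, parent)
    g = Gacl(aro, axo)
    g.add_acl("Bob", "View", "Linux")                             # the manual's ADP
    g.add_acl("Bob", "View", "AutoLinusWorshipper", allow=False)  # narrower deny (constructed)
    g.add_acl("Administrators", "View", "Projects")               # constructed
    g.add_acl("Administrators", "Edit", "Projects")               # constructed
    g.add_acl("Alan", "Edit")                                     # ADP with no AXO (constructed)
    return g


if __name__ == "__main__":
    g = build_example()
    for query in [("View", "Bob", "SpamFilter2"), ("View", "Bob", "PopupStopper"),
                  ("View", "Bob", None), ("Edit", "Alan", None),
                  ("Edit", "Alan", "SpamFilter2")]:
        print(query, "->", g.acl_check(*query))
```

The two Alan checks show the partition from the text: Alan's AXO-less Edit directive satisfies an Edit check that names no AXO, but the same directive is never considered once the caller passes an AXO. Bob's View on the Linux group reaches SpamFilter2 through the AXO tree, yet fails for a check with no AXO at all, because every ADP Bob has carries one.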

 
