我实在不知道该怎么叫这个题目,所以只好写作碎碎念,堆积一点资料吧。昨天看到了一篇文章: (需要***访问)其中阐述到基于角色访问控制方案的硬伤To illustrate this point, consider the following situation. You have just completed coding a wonderful project management application for Big Humungous Inc. that filled all the requirements, is unhackable, and even has a list of features far exceeding the clients requests. One day you recieve a call that your client is creating a special group of representatives that need to have administrative access to customer accounts that belong to Group A between 2pm and 3pm every Monday, Wednesday, and Friday. Now you have a problem. A role is an all-or-nothing access mechanism. So you can't just add the users to the Administrator Role, so your only option is to go back into the code and add a new check in the code that says am I in this role, and do I meet all these other requisites to do the requested action. Then you need to implement that code in every place where you would normally ask is the user an administrator?类似的问题越来越多,而Role Based AC 已经不能满足越来越灵活的需求了。所以作者提出了一种 Context Based Access Control但是我觉得这就是 Capability based Security 的一种体现。对于访问控制的方式,主流有两种,一种是, 一种是 在wikipedia上把 Capability based Security 和 Linux Kernel 中的 POSIX Capabilities是区分开的,但我觉得本质还是很相似。EROS的一篇很重要的阐述ACL和capabilities的文章:关于 Linux Kernel 中的 Capabilities 可以参考:Linux Capabilities FAQ 0.2
Introduction to Linux Capabilities and ACL'sCapabilities主要理解为一种subject(可以是用户、进程)访问object(可以是文件等资源)的一种能力在 Linux 的 Capablities 中,是需要包含object描述符,以及访问权限的标识(比如RW)的.而capabilities一般是需要通过技术防止伪造和篡改,是一个非常特殊的token。对于object来说,只认capabilities,不认人。有这个capabilities的,就能访问它。这种思想,常常被用于以说明 ACL 的不足之处。而 confused deputy problem 最著名的一个例子,就是 CSRF所以可以很好的理解了,在解决CSRF的方案中,我们是增加一个不可预测的token,CSRF要去请求的那个url,只认token是否合法。而这个token,就可以理解为是一个 capability,是一种访问该数据的能力。再回到 Role based Access Control 的问题上来,现在的灵活性要求已经越来越难以满足了。当我在 中讲到的那个“水平权限控制”问题时,就体现出了 Role Based Access Control 的难解之处。
也许需要重新设计一套新的访问控制体系,才能根本的更好的解决这个问题,Capabilities Based Security 带来了一线曙光。
但是Capabilities也有自己的问题,分发,回收,失效,共享,怎样更好更合理的管理capabilities,将会带来新的挑战。
阅读(1743) | 评论(0) | 转发(0) |