CoSec is a multi-tenant, reactive security framework based on RBAC and policies.

## Authentication

(diagram)

## Authorization

(diagram)

## OAuth

(diagram)

## Model class diagram

(diagram)

## Security gateway service

(diagram)

## Authorization policy flow

(diagram)

## Built-in policy matchers

### ActionMatcher

#### How to customize an ActionMatcher (SPI)

See `PathActionMatcher` for reference.

```kotlin
class CustomActionMatcherFactory : ActionMatcherFactory {
    companion object {
        const val TYPE = "[CustomActionType]"
    }

    override val type: String
        get() = TYPE

    override fun create(configuration: Configuration): ActionMatcher {
        return CustomActionMatcher(configuration)
    }
}

class CustomActionMatcher(configuration: Configuration) :
    AbstractActionMatcher(CustomActionMatcherFactory.TYPE, configuration) {
    override fun internalMatch(request: Request, securityContext: SecurityContext): Boolean {
        // Custom matching logic: return true when the request's action is covered by this matcher
        TODO("Custom matching logic")
    }
}
```

Register the factory through the JDK `ServiceLoader` mechanism by creating the file `META-INF/services/me.ahoo.cosec.policy.action.ActionMatcherFactory` with the following content:

```
# CustomActionMatcherFactory fully qualified name
```

### ConditionMatcher

#### How to customize a ConditionMatcher (SPI)

See `ContainsConditionMatcher` for reference.

```kotlin
class CustomConditionMatcherFactory : ConditionMatcherFactory {
    companion object {
        const val TYPE = "[CustomConditionType]"
    }

    override val type: String
        get() = TYPE

    override fun create(configuration: Configuration): ConditionMatcher {
        return CustomConditionMatcher(configuration)
    }
}

class CustomConditionMatcher(configuration: Configuration) :
    AbstractConditionMatcher(CustomConditionMatcherFactory.TYPE, configuration) {
    override fun internalMatch(request: Request, securityContext: SecurityContext): Boolean {
        // Custom matching logic: return true when the request/context satisfies this condition
        TODO("Custom matching logic")
    }
}
```

Register the factory by creating the file `META-INF/services/me.ahoo.cosec.policy.condition.ConditionMatcherFactory` with the following content:

```
# CustomConditionMatcherFactory fully qualified name
```

## Policy schema

Configure `PolicySchema` so that the IDE (IntelliJ IDEA) can autocomplete policy input.

### Policy demo

```json
{
  "id": "id",
  "name": "name",
  "category": "category",
  "description": "description",
  "type": "global",
  "tenantId": "tenantId",
  "condition": {
    "bool": {
      "and": [
        { "authenticated": {} },
        { "rateLimiter": { "permitsPerSecond": 10 } }
      ]
    }
  },
  "statements": [
    {
      "action": {
        "path": {
          "pattern": "/user/#{principal.id}/*",
          "options": { "caseSensitive": false, "separator": "/", "decodeAndParseSegments": false }
        }
      }
    },
    { "name": "Anonymous", "action": ["/auth/register", "/auth/login"] },
    { "name": "UserScope", "action": "/user/#{principal.id}/*", "condition": { "authenticated": {} } },
    { "name": "Developer", "action": "*",
      "condition": { "in": { "part": "context.principal.id", "value": ["developerId"] } } },
    { "name": "RequestOriginDeny", "effect": "deny", "action": "*",
      "condition": { "regular": { "negate": true, "part": "request.origin", "pattern": "^(http|https)://github.com" } } },
    { "name": "IpBlacklist", "effect": "deny", "action": "*",
      "condition": { "path": { "part": "request.remoteIp", "pattern": "192.168.0.*",
                               "options": { "caseSensitive": false, "separator": ".", "decodeAndParseSegments": false } } } },
    { "name": "RegionWhitelist", "effect": "deny", "action": "*",
      "condition": { "regular": { "negate": true, "part": "request.attributes.ipRegion", "pattern": "^中国\\|0\\|(上海|广东省)\\|.*" } } },
    { "name": "AllowDeveloperOrIpRange", "action": "*",
      "condition": {
        "bool": {
          "and": [ { "authenticated": {} } ],
          "or": [
            { "in": { "part": "context.principal.id", "value": ["developerId"] } },
            { "path": { "part": "request.remoteIp", "pattern": "192.168.0.*",
                        "options": { "caseSensitive": false, "separator": ".", "decodeAndParseSegments": false } } }
          ]
        }
      } },
    { "name": "TestContains", "effect": "allow", "action": "*",
      "condition": { "contains": { "part": "request.attributes.ipRegion", "value": "上海" } } },
    { "name": "TestStartsWith", "effect": "allow", "action": "*",
      "condition": { "startsWith": { "part": "request.attributes.ipRegion", "value": "中国" } } },
    { "name": "TestEndsWith", "effect": "allow", "action": "*",
      "condition": { "endsWith": { "part": "request.attributes.remoteIp", "value": ".168.0.1" } } }
  ]
}
```

## Application permission metadata schema

Configure `AppPermissionSchema` so that the IDE (IntelliJ IDEA) can autocomplete permission metadata input.

### Application permission metadata demo

```json
{
  "id": "manage",
  "condition": {
    "bool": {
      "and": [
        { "authenticated": {} },
        { "groupedRateLimiter": { "part": "request.remoteIp", "permitsPerSecond": 10, "expireAfterAccessSecond": 1000 } },
        { "inTenant": { "value": "default" } }
      ]
    }
  },
  "groups": [
    {
      "name": "order",
      "description": "order management",
      "permissions": [
        { "id": "manage.order.ship", "name": "Ship", "description": "Ship", "action": "/order/ship" },
        { "id": "manage.order.issueInvoice", "name": "Issue an invoice", "description": "Issue an invoice", "action": "/order/issueInvoice" }
      ]
    }
  ]
}
```

## OpenTelemetry

CoSec-OpenTelemetry follows the OpenTelemetry "General identity attributes" specification.

## Thanks

The CoSec permission policy design references AWS IAM.