正文

CoSec v1.9.0 发布,基于 RBAC 和策略的多租户响应式安全框架

admin
admin V管理员 /0 评论 /254 阅读
0109
此篇文章发布距今已超过684天,您需要注意文章的内容或图片是否可用!

CoSec

基于 RBAC 和策略的多租户响应式安全框架

License GitHub release Maven Central Codacy Badge codecov Integration Test Status

更新内容(v1.9.0) 🎉 🎉 🎉

特性

  • 特性:新增  RequestAttributesAppender API。

  • 特性:新增  Ip2RegionRequestAttributesAppender,支持IP区域匹配器。

     {       "name": "RegionWhitelist",       "effect": "deny",       "actions": [         {           "type": "all"         }       ],       "conditions": [         {           "negate": true,           "type": "reg",           "part": "request.attributes.ipRegion",           "pattern": "^中国\\|0\\|(上海|广东省)\\|.*"         }       ]     }

认证

Authentication-Flow

授权

Authorization-Flow

OAuth

OAuth-Flow

建模类图

Modeling

安全网关服务

Gateway

授权策略流程

Authorization Policy

内置策略匹配器

ActionMatcher

ActionMatcher

ConditionMatcher

ConditionMatcher

策略 Schema

Policy Schema

策略 Demo

 {   "id": "id",   "name": "name",   "category": "category",   "description": "description",   "type": "global",   "tenantId": "tenantId",   "statements": [     {       "name": "Anonymous",       "effect": "allow",       "actions": [         {           "type": "path",           "pattern": "/auth/register"         },         {           "type": "path",           "pattern": "/auth/login"         }       ]     },     {       "name": "UserScope",       "effect": "allow",       "actions": [         {           "type": "path",           "pattern": "/user/#{principal.id}/*"         }       ],       "conditions": [         {           "type": "authenticated"         }       ]     },     {       "name": "Developer",       "effect": "allow",       "actions": [         {           "type": "all"         }       ],       "conditions": [         {           "type": "in",           "part": "context.principal.id",           "in": [             "developerId"           ]         }       ]     },     {       "name": "RequestOriginDeny",       "effect": "deny",       "actions": [         {           "type": "all"         }       ],       "conditions": [         {           "type": "reg",           "negate": true,           "part": "request.origin",           "pattern": "^(http|https)://github.com"         }       ]     },     {       "name": "IpBlacklist",       "effect": "deny",       "actions": [         {           "type": "all"         }       ],       "conditions": [         {           "type": "path",           "part": "request.remoteIp",           "path": {             "caseSensitive": false,             "separator": ".",             "decodeAndParseSegments": false           },           "pattern": "192.168.0.*"         }       ]     },     {       "name": "RegionWhitelist",       "effect": "deny",       "actions": [         {           "type": "all"         }       ],       "conditions": [         {           "negate": true,           "type": "reg",           "part": "request.attributes.ipRegion",           "pattern": "^中国\\|0\\|(上海|广东省)\\|.*"         }       ]     }   ] }

感谢

CoSec 权限策略设计参考 AWS IAM 。

ZhouSa.com