授权与访问控制：实现精细化的权限管理

授权与访问控制：实现精细化的权限管理

引言

认证回答"你是谁"的问题，而授权回答"你能做什么"的问题。在复杂的业务系统中，精细化的授权管理至关重要。本文将深入探讨RBAC、ABAC等授权模型，并提供Go语言实现方案。

一、授权模型概述

1.1 常见的授权模型

1.2 RBAC模型核心概念

用户 (User) ──属于──> 角色 (Role) ──关联──> 权限 (Permission) │ └──> 资源 (Resource) + 操作 (Action)

二、RBAC权限模型实现

2.1 数据模型设计

package authz import ( "errors" "sort" "strings" ) var ( ErrRoleNotFound = errors.New("role not found") ErrPermissionDenied = errors.New("permission denied") ErrInvalidResource = errors.New("invalid resource") ) type User struct { ID string Email string Roles []string } type Role struct { Name string Permissions []Permission Parent string } type Permission struct { Resource string Actions []string } func NewPermission(resource string, actions ...string) Permission { return Permission{ Resource: resource, Actions: actions, } } func (p Permission) Matches(resource string, action string) bool { if p.Resource != resource && p.Resource != "*" { return false } for _, a := range p.Actions { if a == action || a == "*" { return true } } return false }

2.2 权限检查服务

package authz import ( "fmt" "sync" ) type PolicyEngine struct { mu sync.RWMutex roles map[string]*Role } func NewPolicyEngine() *PolicyEngine { return &PolicyEngine{ roles: make(map[string]*Role), } } func (pe *PolicyEngine) RegisterRole(role *Role) error { pe.mu.Lock() defer pe.mu.Unlock() if _, exists := pe.roles[role.Name]; exists { return fmt.Errorf("role %s already exists", role.Name) } pe.roles[role.Name] = role return nil } func (pe *PolicyEngine) AddPermission(roleName string, perm Permission) error { pe.mu.Lock() defer pe.mu.Unlock() role, exists := pe.roles[roleName] if !exists { return ErrRoleNotFound } role.Permissions = append(role.Permissions, perm) return nil } func (pe *PolicyEngine) CheckPermission(user *User, resource, action string) error { pe.mu.RLock() defer pe.mu.RUnlock() visited := make(map[string]bool) for _, roleName := range user.Roles { if pe.checkRolePermission(roleName, resource, action, visited) { return nil } } return ErrPermissionDenied } func (pe *PolicyEngine) checkRolePermission( roleName, resource, action string, visited map[string]bool, ) bool { if visited[roleName] { return false } visited[roleName] = true role, exists := pe.roles[roleName] if !exists { return false } for _, perm := range role.Permissions { if perm.Matches(resource, action) { return true } } if role.Parent != "" { return pe.checkRolePermission(role.Parent, resource, action, visited) } return false } func (pe *PolicyEngine) GetUserPermissions(user *User) []Permission { pe.mu.RLock() defer pe.mu.RUnlock() permMap := make(map[string]bool) var permissions []Permission visited := make(map[string]bool) for _, roleName := range user.Roles { perms := pe.collectRolePermissions(roleName, visited) for _, p := range perms { key := fmt.Sprintf("%s:%v", p.Resource, p.Actions) if !permMap[key] { permMap[key] = true permissions = append(permissions, p) } } } sort.Slice(permissions, func(i, j int) bool { return permissions[i].Resource < permissions[j].Resource }) return permissions } func (pe *PolicyEngine) collectRolePermissions( roleName string, visited map[string]bool, ) []Permission { if visited[roleName] { return nil } visited[roleName] = true role, exists := pe.roles[roleName] if !exists { return nil } var permissions []Permission permissions = append(permissions, role.Permissions...) if role.Parent != "" { parentPerms := pe.collectRolePermissions(role.Parent, visited) permissions = append(permissions, parentPerms...) } return permissions }

2.3 中间件集成

package middleware import ( "net/http" "strings" "github.com/4jiang_style/csdn-users/authz" ) type AuthzMiddleware struct { engine *authz.PolicyEngine } func NewAuthzMiddleware(engine *authz.PolicyEngine) *AuthzMiddleware { return &AuthzMiddleware{engine: engine} } func (m *AuthzMiddleware) RequirePermission(resource, action string) func(http.Handler) http.Handler { return func(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { user := getUserFromContext(r.Context()) if user == nil { http.Error(w, "unauthorized", http.StatusUnauthorized) return } if err := m.engine.CheckPermission(user, resource, action); err != nil { http.Error(w, "forbidden", http.StatusForbidden) return } next.ServeHTTP(w, r) }) } } func (m *AuthzMiddleware) RequireRole(role string) func(http.Handler) http.Handler { return func(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { user := getUserFromContext(r.Context()) if user == nil { http.Error(w, "unauthorized", http.StatusUnauthorized) return } for _, r := range user.Roles { if strings.EqualFold(r, role) { next.ServeHTTP(w, r) return } } http.Error(w, "forbidden", http.StatusForbidden) }) } } func getUserFromContext(ctx context.Context) *authz.User { return ctx.Value("user").(*authz.User) }

三、基于策略的访问控制（PBAC）

3.1 策略定义

package authz import ( "fmt" "regexp" ) type Policy struct { ID string Description string Effect Effect Conditions []Condition Resource string Actions []string Subjects []Subject } type Effect string const ( EffectAllow Effect = "allow" EffectDeny Effect = "deny" ) type Subject struct { Users []string Roles []string Groups []string } type Condition struct { Type string Field string Operator string Value interface{} } type ConditionEvaluator func(resource map[string]interface{}, subject map[string]interface{}) bool func (c Condition) Evaluate(resource, subject map[string]interface{}) bool { switch c.Type { case "StringEquals": return c.evaluateStringEquals(resource, subject) case "StringLike": return c.evaluateStringLike(resource, subject) case "NumericEquals": return c.evaluateNumericEquals(resource, subject) case "DateEquals": return c.evaluateDateEquals(resource, subject) case "IPAddress": return c.evaluateIPAddress(resource, subject) default: return false } } func (c Condition) evaluateStringEquals(resource, subject map[string]interface{}) bool { fieldValue := getFieldValue(c.Field, resource, subject) return fmt.Sprintf("%v", fieldValue) == fmt.Sprintf("%v", c.Value) } func (c Condition) evaluateStringLike(resource, subject map[string]interface{}) bool { fieldValue := getFieldValue(c.Field, resource, subject) strValue := fmt.Sprintf("%v", fieldValue) pattern := fmt.Sprintf("%v", c.Value) matched, _ := regexp.MatchString(pattern, strValue) return matched } func (c Condition) evaluateNumericEquals(resource, subject map[string]interface{}) bool { fieldValue := getFieldValue(c.Field, resource, subject) var numValue float64 switch v := fieldValue.(type) { case int: numValue = float64(v) case int64: numValue = float64(v) case float64: numValue = v default: return false } compareValue, ok := c.Value.(float64) if !ok { return false } return numValue == compareValue } func (c Condition) evaluateDateEquals(resource, subject map[string]interface{}) bool { return c.evaluateStringEquals(resource, subject) } func (c Condition) evaluateIPAddress(resource, subject map[string]interface{}) bool { return true } func getFieldValue(field string, resource, subject map[string]interface{}) interface{} { switch { case len(field) > 8 && field[:8] == "resource": return resource[field[9:]] case len(field) > 8 && field[:8] == "subject": return subject[field[9:]] default: return nil } }

3.2 策略评估引擎

package authz import ( "sort" ) type PolicyEngineV2 struct { policies []*Policy } func NewPolicyEngineV2() *PolicyEngineV2 { return &PolicyEngineV2{ policies: make([]*Policy, 0), } } func (pe *PolicyEngineV2) AddPolicy(policy *Policy) { pe.policies = append(pe.policies, policy) sort.Slice(pe.policies, func(i, j int) bool { return policy.Priority() < policy.Priority() }) } func (p *Policy) Priority() int { return 1 } func (pe *PolicyEngineV2) Evaluate( resource map[string]interface{}, subject map[string]interface{}, action string, ) (bool, error) { var lastDeny *Policy for _, policy := range pe.policies { if !pe.policyMatches(policy, resource, subject, action) { continue } if !pe.evaluateConditions(policy, resource, subject) { continue } switch policy.Effect { case EffectAllow: return true, nil case EffectDeny: lastDeny = policy } } if lastDeny != nil { return false, nil } return false, ErrPermissionDenied } func (pe *PolicyEngineV2) policyMatches(policy *Policy, resource map[string]interface{}, subject map[string]interface{}, action string) bool { if !pe.matchesResource(policy.Resource, resource) { return false } if !pe.matchesAction(policy.Actions, action) { return false } if !pe.matchesSubject(policy.Subjects, subject) { return false } return true } func (pe *PolicyEngineV2) matchesResource(pattern string, resource map[string]interface{}) bool { if pattern == "*" { return true } resType, ok := resource["type"].(string) if !ok { return false } return resType == pattern } func (pe *PolicyEngineV2) matchesAction(actions []string, action string) bool { for _, a := range actions { if a == "*" || a == action { return true } } return false } func (pe *PolicyEngineV2) matchesSubject(subjects []Subject, subject map[string]interface{}) bool { if len(subjects) == 0 { return true } for _, s := range subjects { if pe.subjectMatches(s, subject) { return true } } return false } func (pe *PolicyEngineV2) subjectMatches(s Subject, subject map[string]interface{}) bool { if len(s.Users) > 0 { subjectID, _ := subject["id"].(string) for _, u := range s.Users { if u == subjectID { return true } } } if len(s.Roles) > 0 { roles, _ := subject["roles"].([]string) for _, role := range s.Roles { for _, ur := range roles { if role == ur { return true } } } } if len(s.Groups) > 0 { groups, _ := subject["groups"].([]string) for _, group := range s.Groups { for _, ug := range groups { if group == ug { return true } } } } return len(s.Users) == 0 && len(s.Roles) == 0 && len(s.Groups) == 0 } func (pe *PolicyEngineV2) evaluateConditions(policy *Policy, resource, subject map[string]interface{}) bool { if len(policy.Conditions) == 0 { return true } for _, cond := range policy.Conditions { if !cond.Evaluate(resource, subject) { return false } } return true }

四、微服务授权实践

4.1 分布式权限校验

package authz import ( "context" "fmt" "time" "github.com/go-redis/redis/v8" ) type DistributedPolicyEngine struct { local *PolicyEngine redis *redis.Client cacheTTL time.Duration } func NewDistributedPolicyEngine(redisClient *redis.Client) *DistributedPolicyEngine { return &DistributedPolicyEngine{ local: NewPolicyEngine(), redis: redisClient, cacheTTL: 5 * time.Minute, } } func (dpe *DistributedPolicyEngine) CheckPermission( ctx context.Context, userID, resource, action string, ) error { cacheKey := fmt.Sprintf("authz:%s:%s:%s", userID, resource, action) result, err := dpe.redis.Get(ctx, cacheKey).Result() if err == nil { if result == "allowed" { return nil } return ErrPermissionDenied } user, err := dpe.loadUser(ctx, userID) if err != nil { return err } if err := dpe.local.CheckPermission(user, resource, action); err != nil { dpe.redis.Set(ctx, cacheKey, "denied", dpe.cacheTTL) return err } dpe.redis.Set(ctx, cacheKey, "allowed", dpe.cacheTTL) return nil } func (dpe *DistributedPolicyEngine) loadUser(ctx context.Context, userID string) (*User, error) { return &User{ ID: userID, Roles: []string{"user"}, }, nil } func (dpe *DistributedPolicyEngine) InvalidateUser(userID string) error { ctx := context.Background() pattern := fmt.Sprintf("authz:%s:*", userID) iter := dpe.redis.Scan(ctx, 0, pattern, 100).Iterator() for iter.Next(ctx) { dpe.redis.Del(ctx, iter.Val()) } return iter.Err() }

五、总结

授权与访问控制是系统安全的核心组成部分：

1. RBAC模型：适合结构清晰的组织架构，通过角色简化权限管理
2. PBAC/ABAC：适合复杂业务规则，支持动态策略评估
3. 权限检查：实现多层检查，包括直接权限和继承权限
4. 分布式授权：在微服务架构中，需要考虑集中式或分层式授权方案
5. 性能优化：通过缓存和批量加载减少授权检查延迟

合理的授权设计能够在保障安全的同时，保持系统的可扩展性和可维护性。