CoSec
基于 RBAC 和策略的多租户响应式安全框架。
更新内容(v1.10.0) 🎉 🎉 🎉
⭐ 更新内容
- 依赖:更新
io.opentelemetry:opentelemetry-bom
到 v1.22.0。 -
特性:新增
BoolConditionMatcher
,Bool 条件匹配器,支持无限级嵌套,以增强条件匹配器语义。
{
"name": "AllowDeveloperOrIpRange",
"effect": "allow",
"actions": [
{
"type": "all"
}
],
"condition": {
"type": "bool",
"bool": {
"and": [
{
"type": "authenticated"
}
],
"or": [
{
"type": "in",
"part": "context.principal.id",
"in": [
"developerId"
]
},
{
"type": "path",
"part": "request.remoteIp",
"path": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
},
"pattern": "192.168.0.*"
}
]
}
}
}
认证
授权
OAuth
建模类图
安全网关服务
授权策略流程
内置策略匹配器
ActionMatcher
ConditionMatcher
策略 Schema
Policy Schema
策略 Demo
{
"id": "id",
"name": "name",
"category": "category",
"description": "description",
"type": "global",
"tenantId": "tenantId",
"statements": [
{
"name": "Anonymous",
"effect": "allow",
"actions": [
{
"type": "path",
"pattern": "/auth/register"
},
{
"type": "path",
"pattern": "/auth/login"
}
]
},
{
"name": "UserScope",
"effect": "allow",
"actions": [
{
"type": "path",
"pattern": "/user/#{principal.id}/*"
}
],
"condition": {
"type": "authenticated"
}
},
{
"name": "Developer",
"effect": "allow",
"actions": [
{
"type": "all"
}
],
"condition": {
"type": "in",
"part": "context.principal.id",
"in": [
"developerId"
]
}
},
{
"name": "RequestOriginDeny",
"effect": "deny",
"actions": [
{
"type": "all"
}
],
"condition": {
"type": "reg",
"negate": true,
"part": "request.origin",
"pattern": "^(http|https)://github.com"
}
},
{
"name": "IpBlacklist",
"effect": "deny",
"actions": [
{
"type": "all"
}
],
"condition": {
"type": "path",
"part": "request.remoteIp",
"path": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
},
"pattern": "192.168.0.*"
}
},
{
"name": "RegionWhitelist",
"effect": "deny",
"actions": [
{
"type": "all"
}
],
"condition": {
"negate": true,
"type": "reg",
"part": "request.attributes.ipRegion",
"pattern": "^中国\\|0\\|(上海|广东省)\\|.*"
}
},
{
"name": "AllowDeveloperOrIpRange",
"effect": "allow",
"actions": [
{
"type": "all"
}
],
"condition": {
"type": "bool",
"bool": {
"and": [
{
"type": "authenticated"
}
],
"or": [
{
"type": "in",
"part": "context.principal.id",
"in": [
"developerId"
]
},
{
"type": "path",
"part": "request.remoteIp",
"path": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
},
"pattern": "192.168.0.*"
}
]
}
}
}
]
}
感谢
CoSec 权限策略设计参考 AWS IAM 。