access-control-rbac

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Access Control & RBAC

访问控制与RBAC

Implement secure access control systems with fine-grained permissions using RBAC, ABAC, or hybrid approaches.

使用RBAC、ABAC或混合方案实现具备细粒度权限的安全访问控制系统。

Access Control Models

访问控制模型

Model	Description	Best For
RBAC	Role-based - users assigned to roles with permissions	Most applications
ABAC	Attribute-based - policies evaluate user/resource attributes	Complex rules
MAC	Mandatory - system-enforced classification levels	Government/military
DAC	Discretionary - resource owners control access	File systems
ReBAC	Relationship-based - access via entity relationships	Social apps

模型	说明	适用场景
RBAC	基于角色——为用户分配带有权限的角色	大多数应用
ABAC	基于属性——通过策略评估用户/资源属性	复杂规则场景
MAC	强制访问控制——系统强制执行分类级别	政府/军事领域
DAC	自主访问控制——资源所有者控制访问权限	文件系统
ReBAC	基于关系——通过实体关系授予访问权限	社交类应用

Node.js RBAC Implementation

Node.js RBAC 实现

javascript

class Permission {
  constructor(resource, action) {
    this.resource = resource;
    this.action = action;
  }

  matches(resource, action) {
    return (this.resource === '*' || this.resource === resource) &&
           (this.action === '*' || this.action === action);
  }
}

class Role {
  constructor(name, permissions = [], parent = null) {
    this.name = name;
    this.permissions = permissions;
    this.parent = parent;
  }

  hasPermission(resource, action) {
    if (this.permissions.some(p => p.matches(resource, action))) return true;
    return this.parent?.hasPermission(resource, action) ?? false;
  }
}

class RBACSystem {
  constructor() {
    this.roles = new Map();
    this.userRoles = new Map();
  }

  createRole(name, permissions = [], parentRole = null) {
    const parent = parentRole ? this.roles.get(parentRole) : null;
    this.roles.set(name, new Role(name, permissions, parent));
  }

  assignRole(userId, roleName) {
    const userRoles = this.userRoles.get(userId) || [];
    userRoles.push(this.roles.get(roleName));
    this.userRoles.set(userId, userRoles);
  }

  can(userId, resource, action) {
    const roles = this.userRoles.get(userId) || [];
    return roles.some(role => role.hasPermission(resource, action));
  }
}

// Express middleware
const requirePermission = (resource, action) => (req, res, next) => {
  if (!rbac.can(req.user.id, resource, action)) {
    return res.status(403).json({ error: 'Forbidden' });
  }
  next();
};

// Setup default roles
const rbac = new RBACSystem();
rbac.createRole('viewer', [new Permission('*', 'read')]);
rbac.createRole('editor', [new Permission('*', 'write')], 'viewer');
rbac.createRole('admin', [new Permission('*', '*')], 'editor');

javascript

class Permission {
  constructor(resource, action) {
    this.resource = resource;
    this.action = action;
  }

  matches(resource, action) {
    return (this.resource === '*' || this.resource === resource) &&
           (this.action === '*' || this.action === action);
  }
}

class Role {
  constructor(name, permissions = [], parent = null) {
    this.name = name;
    this.permissions = permissions;
    this.parent = parent;
  }

  hasPermission(resource, action) {
    if (this.permissions.some(p => p.matches(resource, action))) return true;
    return this.parent?.hasPermission(resource, action) ?? false;
  }
}

class RBACSystem {
  constructor() {
    this.roles = new Map();
    this.userRoles = new Map();
  }

  createRole(name, permissions = [], parentRole = null) {
    const parent = parentRole ? this.roles.get(parentRole) : null;
    this.roles.set(name, new Role(name, permissions, parent));
  }

  assignRole(userId, roleName) {
    const userRoles = this.userRoles.get(userId) || [];
    userRoles.push(this.roles.get(roleName));
    this.userRoles.set(userId, userRoles);
  }

  can(userId, resource, action) {
    const roles = this.userRoles.get(userId) || [];
    return roles.some(role => role.hasPermission(resource, action));
  }
}

// Express middleware
const requirePermission = (resource, action) => (req, res, next) => {
  if (!rbac.can(req.user.id, resource, action)) {
    return res.status(403).json({ error: 'Forbidden' });
  }
  next();
};

// Setup default roles
const rbac = new RBACSystem();
rbac.createRole('viewer', [new Permission('*', 'read')]);
rbac.createRole('editor', [new Permission('*', 'write')], 'viewer');
rbac.createRole('admin', [new Permission('*', '*')], 'editor');

Python ABAC Pattern

Python ABAC 模式

python

class Policy:
    def __init__(self, name, effect, resource, action, conditions):
        self.name = name
        self.effect = effect  # 'allow' or 'deny'
        self.resource = resource
        self.action = action
        self.conditions = conditions

    def matches(self, context):
        if self.resource != "*" and self.resource != context.get("resource"):
            return False
        if self.action != "*" and self.action != context.get("action"):
            return False
        return True

    def evaluate(self, context):
        return all(cond(context) for cond in self.conditions)


class ABACEngine:
    def __init__(self):
        self.policies = []

    def add_policy(self, policy):
        self.policies.append(policy)

    def check_access(self, context):
        for policy in self.policies:
            if policy.matches(context) and policy.evaluate(context):
                return policy.effect == 'allow'
        return False  # Deny by default

python

class Policy:
    def __init__(self, name, effect, resource, action, conditions):
        self.name = name
        self.effect = effect  # 'allow' or 'deny'
        self.resource = resource
        self.action = action
        self.conditions = conditions

    def matches(self, context):
        if self.resource != "*" and self.resource != context.get("resource"):
            return False
        if self.action != "*" and self.action != context.get("action"):
            return False
        return True

    def evaluate(self, context):
        return all(cond(context) for cond in self.conditions)


class ABACEngine:
    def __init__(self):
        self.policies = []

    def add_policy(self, policy):
        self.policies.append(policy)

    def check_access(self, context):
        for policy in self.policies:
            if policy.matches(context) and policy.evaluate(context):
                return policy.effect == 'allow'
        return False  # Deny by default

Condition functions

def is_resource_owner(ctx): return ctx.get("user_id") == ctx.get("resource_owner_id")

def is_within_business_hours(ctx): from datetime import datetime return 9 <= datetime.now().hour < 18


See [references/python-abac.md](references/python-abac.md) for complete implementation with Flask integration.

def is_resource_owner(ctx): return ctx.get("user_id") == ctx.get("resource_owner_id")

def is_within_business_hours(ctx): from datetime import datetime return 9 <= datetime.now().hour < 18


查看[references/python-abac.md](references/python-abac.md)获取包含Flask集成的完整实现方案。

Java Spring Security

See references/java-spring-security.md for enterprise implementation with:

Spring Security configuration
Method-level security with
```
@PreAuthorize
```
Custom permission service
Custom security expressions

查看references/java-spring-security.md获取企业级实现方案，包括：

Spring Security 配置
基于
```
@PreAuthorize
```
的方法级安全控制
自定义权限服务
自定义安全表达式

Best Practices

最佳实践

Do:

Apply least privilege principle
Use role hierarchies to reduce duplication
Audit all access changes
Review permissions quarterly
Cache permission checks for performance
Separate authentication from authorization

Don't:

Hardcode permission checks
Allow permission creep without review
Skip audit logging
Use overly broad wildcards

建议：

遵循最小权限原则
使用角色层级减少重复配置
审计所有访问变更
每季度复查权限
缓存权限检查以提升性能
将认证与授权分离

避免：

硬编码权限检查逻辑
允许权限无审查地逐步扩大
跳过审计日志
使用过于宽泛的通配符

access-control-rbac

Original

Translation

Access Control & RBAC

访问控制与RBAC

Access Control Models

访问控制模型

Node.js RBAC Implementation

Node.js RBAC 实现

Python ABAC Pattern

Python ABAC 模式

Condition functions

Condition functions

Java Spring Security

Java Spring Security

Best Practices

最佳实践

References

参考资料