框架
Hope 实现 Authentication、Authorization、JWT 与 RBAC
ApiHug 把权限定义拆成两部分:
Customer、执行权限检查这样做的好处是,接口契约、权限文档、运行时校验都来自同一份定义。
enum BookAuthorityEnum {
option (hope.swagger.enm) = {
description: "Authority used in book project";
};
BOOK_ADD = 0 [(hope.constant.field) = {
code: 1,
message: "book:add",
message2: "Authority to add book"
}];
BOOK_DELETE = 1 [(hope.constant.field) = {
code: 2,
message: "book:delete",
message2: "Authority to delete book"
}];
BOOK_MODIFY = 2 [(hope.constant.field) = {
code: 3,
message: "book:modify",
message2: "Authority to modify book"
}];
}
"authority": {
"enumClass": "com.novel.book.proto.infra.settings.BookAuthorityEnum",
"codePrefix": 10240000
}
rpc ListCategory (CategoryListRequest) returns (CategoryVoResponse) {
option (hope.swagger.operation) = {
get: "/list-category";
description: "List all supported categories";
priority: MIDDLE;
output_repeated: true;
authorization: {
rbac: {
authorities: ["BOOK_DELETE"];
combinator: OR;
predefined_role_checker: PLATFORM_MANAGER;
}
};
};
}
这里要注意两点:
output_repeated,不要继续使用已废弃的 out_pluralauthorities 是列表,应该写成 ["BOOK_DELETE"],而不是单个字符串生成代码通常会在 ${PKG}.infra.security 下提供这些入口:
AnonymousBookCustomerBookCustomerBookJWTPickerBookQuickCustomerRoleCheckerBookSecurityCustomerContextCustomizerBookSecurityCustomizer它们的职责通常是:
| 类型 | 作用 |
|---|---|
*Customer | 当前登录用户对象 |
*JWTPicker | 从 Header / Cookie / Session 中提取 Token |
*QuickCustomerRoleChecker | 平台 / 租户等预定义角色校验 |
*SecurityCustomerContextCustomizer | 从 Token 或其他来源补充用户上下文 |
*SecurityCustomizer | 自定义全局安全策略 |
最常见的方式仍然是 RBAC。
例如:
BOOK_ADD: book:add
BOOK_DELETE: book:delete
USER_BLOCK: user:block
USER_EDIT: user:edit
ORDER_APPROVE: order:approve
ORDER_DELETE: order:delete
ORDER_MODIFY: order:modify
这会自然形成稳定的权限层次:
book
add
delete
user
block
edit
order
approve
delete
modify
这里不建议再写“禁用 Spring Security”的指导。ApiHug Security 本身就是建立在 Spring Security 之上的扩展,正确做法通常是:
如果你需要运行时细节,请继续阅读: