NetSqlAzMan vs AzMan vs(?????)

我一直试图“在线之间阅读”关于NetSqlAzMan项目的原始(和/或当前)动机。

这是写的吗?

  1. 适用于Windows授权管理器(AzMan)的适配器。 NetSqlAzMan中的方法只是将调用传递给(Windows授权管理器(AzMan)),但可能使用更好/更清晰的方法?

  2. (Windows授权管理器(AzMan))的替代品。 在(Windows授权管理器(AzMan))中可用的function(大部分或全部)在NetSqlAzMan中重新创建,但代码是独立开发的。 (也许是为了提供DotNet 4.0支持???)(也许是为了删除任何COM依赖项)

  3. 提供比(Windows授权管理器(AzMan))提供的更多function。 Aka,(Windows授权管理器(AzMan))的“更智能”/“更好”版本。

  4. 重写,但通过开源保持一个半死的项目。 (可能是(Windows授权管理器(AzMan)))是微软的一个死的或被遗弃的项目。

  5. 其他?

…………….

我喜欢NetSqlAzMan的对象模型。 但我需要捍卫任何将其用于我的项目经理和其他开发人员的决定。 对象模型似乎“恰到好处”(想想金发姑娘和中间床)就我对安全的渴望而言。 我不想做基于角色的安全性。 我想要正确(或任务或许可)的安全性。

(参见: http : //lostechies.com/derickbailey/2011/05/24/dont-do-role-based-authorization-checks-do-activity-based-checks/和http://granadacoder.wordpress.com/ 2010/12/01 / rant-hard-coded-security-roles / )

基本上提出的问题是:“使用NetSqlAzMan而不是(Windows授权管理器(AzMan))有什么好处?”

子问题是“Windows授权管理器(AzMan)死了吗?”。 (还有Long Live NetSqlAzMan的内容!)。

………………

我的一般要求是:

非Active Directory用户。 (在路上Active Directory和/或LDAP支持会很好,但不是必需的)。 密码未存储为纯文本。 能够处理安全检查的权利。
将权利归入任何角色。 为用户分配角色。 (但同样,代码将检查权限,而不是执行操作时的角色。)允许(有时)将权限分配给用户。 使用拒绝覆盖。 (Aka,一个做愚蠢事情的用户(比如“删除员工”)可以撤销该权利。)可以为多个应用程序维护角色和权限。

所以欢迎其他想法。 但Windows Identity Foundation似乎有点矫枉过正。

谢谢。

我昨晚终于找到了一篇“比较”的文章。

http://www.c-sharpcorner.com/uploadfile/a.ferendeles/netsqlazman12122006123316pm/netsqlazman.aspx

我将在这里粘贴相关部分(下面)。 (以防网站将来不再存在。我知道,机会很小,但我讨厌“答案就在这里”链接,当你点击链接时,它就是一个死机。)

从我所知道的。

NetSqlAzMan提供了一个(表)用户定义的函数,您可以重载该函数以提供用户列表(分配给角色/任务)。 NetSqlAzMan不仅提供“Yeah you can”映射(Grant),还提供Deny和Grant-With-Delegate。 NetSqlAzMan和Azman允许用户(组)进行角色映射。 只有NetSqlAzMan允许用户进行任务映射。

看了几个样本…… NetSqlAzMan的对象模型非常干净。

================================================== =====

授权管理器(AzMan)与.NET Sql授权管理器(NetSqlAzMan)

如前所述,类似的Microsoft产品已经存在,被称为授权管理器(AzMan); 默认情况下,AzMan存在于Windows Server 2003中,并且通过Admin Pack设置存在于Windows XP中。

AzMan和NetSqlAzMan之间的重要区别在于,第一个是基于角色的,即基于属性 – 角色概念和每个角色中的操作容器,而第二个是基于项目(或者如果您更喜欢基于操作) ,即可以或不可以属于角色或执行此类任务和/或操作(项目)的用户或用户组或组的组。

这里介绍两种产品最重要的特点和区别:

阿兹曼女士:

* It's COM. * It's equipped by a MMC 2.0 (COM) console. * Its storage can be an XML file or ADAM (Active Directory Application Mode - e un LDAP). * It's role-based. * It supports static/dynamic applicative groups, members/not-members. * Structure based on Roles -> Tasks -> Operations. (Hierarchical Roles and Tasks , none Operations). * Authorizations can be added only to Roles. * It doesn't implement the "delegate" concept. * It doesn't manage authorizations "in the time". * It doesn't trigger events. * The only type of authorization is "Allow". (to "deny" it needs to remove the user/group from his Role). * It supports Scripting / Biz rules. * It supports Active Directory users/groups and ADAM users. 

NetSqlAzMan:

 * It's .NET 2.0. * It's equipped by a MMC 3.0 (.NET) console. * Its storage is a Sql Server database(2000/MSDE/2005/Express). * It's based on Tdo - Typed Data Object technology. * It's Item-based. * Structure based on Roles -> Tasks -> Operations. (all hierarchical ones). * Authorizations can be added to Roles, Task and Operations. * It supports static/dynamic applicative groups, members/not-members. * LDAP query testing directly from console. * It's time-dependant. * It's delegate-compliant. * It triggers events (ENS). * It supports 4 authorization types: o Allow with delegation (authorized and authorized to delegate). o Allow (authorized). o Deny (not authorized). o Neutral (neutral permission, it depends on higher level Item permission). * Hierarchical authorizations. * It supports Scripting / Biz rules (compiled in .NET - C# - VB - and not interpreted) * It supports Active Directory users/groups and custom users defined in SQL Server Database. 

这是另一个问题。

Azman示例代码: http : //channel9.msdn.com/forums/sandbox/252978-AzMan-in-the-Enterprise-Sample-Code http://channel9.msdn.com/forums/sandbox/252973-Programming-AzMan -抽样码

 using System; using System.Security.Principal; using System.Runtime.InteropServices; using AZROLESLib; namespace TreyResearch { public class AzManHelper : IDisposable { AzAuthorizationStore store; IAzApplication app; string appName; public AzManHelper(string connectionString, string appName) { this.appName = appName; try { // load and initialize the AzMan runtime store = new AzAuthorizationStore(); store.Initialize(0, connectionString, null); // drill down to our application app = store.OpenApplication(appName, null); } catch (COMException x) { throw new AzManException("Failed to initizlize AzManHelper", x); } catch (System.IO.FileNotFoundException x) { throw new AzManException(string.Format("Failed to load AzMan policy from {0} - make sure your connection string is correct.", connectionString), x); } } public void Dispose() { if (null == app) return; Marshal.ReleaseComObject(app); Marshal.ReleaseComObject(store); app = null; store = null; } public bool AccessCheck(string audit, Operations op, WindowsIdentity clientIdentity) { try { // first step is to create an AzMan context for the client // this looks at the security identifiers (SIDs) in the user's // access token and maps them onto AzMan roles, tasks, and operations IAzClientContext ctx = app.InitializeClientContextFromToken( (ulong)clientIdentity.Token.ToInt64(), null); // next step is to see if this user is authorized for // the requested operation. Note that AccessCheck allows // you to check multiple operations at once if you desire object[] scopes = { "" }; object[] operations = { (int)op }; object[] results = (object[])ctx.AccessCheck(audit, scopes, operations, null, null, null, null, null); int result = (int)results[0]; return 0 == result; } catch (COMException x) { throw new AzManException("AccessCheck failed", x); } } public bool AccessCheckWithArg(string audit, Operations op, WindowsIdentity clientIdentity, string argName, object argValue) { try { // first step is to create an AzMan context for the client // this looks at the security identifiers (SIDs) in the user's // access token and maps them onto AzMan roles, tasks, and operations IAzClientContext ctx = app.InitializeClientContextFromToken( (ulong)clientIdentity.Token.ToInt64(), null); // next step is to see if this user is authorized for // the requested operation. Note that AccessCheck allows // you to check multiple operations at once if you desire object[] scopes = { "" }; object[] operations = { (int)op }; object[] argNames = { argName }; object[] argValues = { argValue }; object[] results = (object[])ctx.AccessCheck(audit, scopes, operations, argNames, argValues, null, null, null); int result = (int)results[0]; return 0 == result; } catch (COMException x) { throw new AzManException("AccessCheckWithArg failed", x); } } // use this to update a running app // after you change the AzMan policy public void UpdateCache() { try { store.UpdateCache(null); Marshal.ReleaseComObject(app); app = store.OpenApplication(appName, null); } catch (COMException x) { throw new AzManException("UpdateCache failed", x); } } } public class AzManException : Exception { public AzManException(string message, Exception innerException) : base(message, innerException) {} } } 

那是Azman帮手代码。 这是丑陋的COM / Interopish的东西。 <

现在检查NetSqlAzMan代码示例:

http://netsqlazman.codeplex.com/wikipage?title=Samples

 ///  /// Create a Full Storage through .NET code ///  private void CreateFullStorage() { // USER MUST BE A MEMBER OF SQL DATABASE ROLE: NetSqlAzMan_Administrators //Sql Storage connection string string sqlConnectionString = "data source=(local);initial catalog=NetSqlAzManStorage;user id=netsqlazmanuser;password=password"; //Create an instance of SqlAzManStorage class IAzManStorage storage = new SqlAzManStorage(sqlConnectionString); //Open Storage Connection storage.OpenConnection(); //Begin a new Transaction storage.BeginTransaction(AzManIsolationLevel.ReadUncommitted); //Create a new Store IAzManStore newStore = storage.CreateStore("My Store", "Store description"); //Create a new Basic StoreGroup IAzManStoreGroup newStoreGroup = newStore.CreateStoreGroup(SqlAzManSID.NewSqlAzManSid(), "My Store Group", "Store Group Description", String.Empty, GroupType.Basic); //Retrieve current user SID IAzManSid mySid = new SqlAzManSID(WindowsIdentity.GetCurrent().User); //Add myself as sid of "My Store Group" IAzManStoreGroupMember storeGroupMember = newStoreGroup.CreateStoreGroupMember(mySid, WhereDefined.Local, true); //Create a new Application IAzManApplication newApp = newStore.CreateApplication("New Application", "Application description"); //Create a new Role IAzManItem newRole = newApp.CreateItem("New Role", "Role description", ItemType.Role); //Create a new Task IAzManItem newTask = newApp.CreateItem("New Task", "Task description", ItemType.Task); //Create a new Operation IAzManItem newOp = newApp.CreateItem("New Operation", "Operation description", ItemType.Operation); //Add "New Operation" as a sid of "New Task" newTask.AddMember(newOp); //Add "New Task" as a sid of "New Role" newRole.AddMember(newTask); //Create an authorization for myself on "New Role" IAzManAuthorization auth = newRole.CreateAuthorization(mySid, WhereDefined.Local, mySid, WhereDefined.Local, AuthorizationType.AllowWithDelegation, null, null); //Create a custom attribute IAzManAttribute attr = auth.CreateAttribute("New Key", "New Value"); //Create an authorization for DB User "Andrea" on "New Role" IAzManAuthorization auth2 = newRole.CreateAuthorization(mySid, WhereDefined.Local, storage.GetDBUser("Andrea").CustomSid, WhereDefined.Local, AuthorizationType.AllowWithDelegation, null, null); //Commit transaction storage.CommitTransaction(); //Close connection storage.CloseConnection(); } 

这本身讲述了一个故事。

我认为微软在他们的博客和SDK中缺乏更新的原因与他们已经将所有工具和设计转向社交网络/联盟友好的“声明模型”有关:

http://msdn.microsoft.com/en-us/magazine/ee335707.aspx

与任何AzMan变体相比,在低AzMan操作级别(代码要求将其与其余部分分离)我们只有权限类型声明。 这种新的操作方式只是从您(或以后重新配置)定义的签名validation的任何受信任的声明提供者/服务发出的URN字符串/操作名称。 它们只是用户身份中的一个平面角色列表,因此很容易使用常见的IsInRole方法进行检查。

对此的理由很清楚。 现代互联网解决方案(以及一旦隐私法律得到改进,可能还有一些未来的公司内部网应用程序)需要多域身份validation和授权,例如此StackOverflow.com用户帐户和连接的Facebook帐户或您可能已链接的任何OpenID帐户。

因此,对于授权,您现在可以使用CODE规则来映射外部声明和内部“权限声明”(类似于AzMan操作)。 但是,没有标准格式,层次结构或管理工具。

也许索赔服务(身份validation)+ AzMan XML / SQL(声明映射的角色)+声明权限需求的混合解决方案是前进的方式。 到目前为止我找到的所有样本都只有中间的代码。 我希望看到从Active Directory解析为Roles to Tasks的递归组成员身份到我们已经与AzMan一样的声明(操作)。

需要更多的调查来实现“老旧”但仍然必不可少的“基于角色的安全”模式与新技术……

如果您希望开始,请转向最初出现在.NET 3.5.1中的Microsoft Windows Identity Foundation(WIF),但此后已集成到.NET 4.5框架中。

http://msdn.microsoft.com/en-us/library/hh377151(v=vs.110).aspx