This article was generated by AI analysis
Summary
Shawn Hsu explains the evolution of access control models from ACL (Access Control List) through RBAC (Role-Based), ABAC (Attribute-Based), and PBAC (Policy-Based) access control, with Casbin as the implementation framework. The article progresses from why ACL doesn’t scale, to how RBAC groups permissions into roles, to how ABAC enables fine-grained context-aware decisions, to how PBAC unifies everything into policies.
This article introduces the evolution from ACL (Access Control List) to RBAC (Role-Based), ABAC (Attribute-Based) and PBAC (Policy-Based) access control, with Casbin as the implementation framework. It covers why ACL cannot scale, how RBAC groups permissions into roles, how ABAC enables fine-grained, context-aware decisions, and how PBAC unifies everything under policies.
Key Points
- ACL: per-resource permission lists — doesn’t scale when you have thousands of users and resources
- RBAC: assign users to roles; roles have permissions — role inheritance enables hierarchical permissions
- ABAC: decisions based on attributes (user attributes, resource attributes, environment context) — enables fine-grained rules like “managers can read documents from their department between 9am-6pm”
- PBAC: policy-as-code approach; unifies RBAC and ABAC under declarative policy statements
- Casbin: open-source authorization library supporting all these models with a flexible policy model (PERM: Policy, Effect, Request, Matchers)
Insights
The progression ACL → RBAC → ABAC mirrors the evolution of most real systems. RBAC handles 80% of cases simply; ABAC handles the remaining 20% where role membership alone is insufficient (time-based, location-based, or data-sensitivity-based access). The insight that ABAC is powerful but also more complex to audit (because policies can interact in non-obvious ways) is the key tradeoff.
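To make the RBAC-plus-ABAC tradeoff concrete, here is an added example (not code from the article or from Casbin) of a minimal deny-by-default evaluator in the spirit of Casbin's PERM model: requests are (subject, object, action), policy rules are role + action + an attribute condition, and the effect is "allow if some rule matches". The role hierarchy, departments, sensitivity labels and the 9am-6pm rule are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time


@dataclass
class User:
    name: str
    role: str
    dept: str


@dataclass
class Document:
    dept: str
    sensitivity: str = "internal"  # constructed label: "public" or "internal"


# Constructed RBAC role hierarchy: admin inherits manager, manager inherits employee.
ROLE_PARENTS = {"admin": {"manager"}, "manager": {"employee"}, "employee": set()}


def has_role(role, wanted):
    """True if `role` equals `wanted` or inherits it through the hierarchy."""
    stack, seen = [role], set()
    while stack:
        r = stack.pop()
        if r == wanted:
            return True
        if r not in seen:
            seen.add(r)
            stack.extend(ROLE_PARENTS.get(r, ()))
    return False


# Policy-as-code (PBAC): each rule is (role, action, ABAC condition on the request context).
POLICY = [
    ("employee", "read", lambda u, d, now: d.sensitivity == "public"),
    # The article's example: managers read their own department's documents 09:00-18:00.
    ("manager", "read", lambda u, d, now: u.dept == d.dept and time(9) <= now < time(18)),
    ("admin", "read", lambda u, d, now: True),
]


def enforce(user, doc, action, now):
    """Deny by default; allow when any rule's role, action and condition all match."""
    return any(
        has_role(user.role, role) and act == action and cond(user, doc, now)
        for role, act, cond in POLICY
    )
```

Because rules combine through role inheritance, a manager outside business hours can still read a public document via the inherited employee rule, which is exactly the kind of non-obvious interaction that makes ABAC policies harder to audit.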
Connections
Raw Excerpt
It controls a user's access to resources through explicitly assigned permissions. An ACL is usually attached to a specific resource and specifies specific permissions on that resource.