基于 RBAC 和策略的多租户响应式安全框架。
策略 Demo
{
"id": "id",
"name": "name",
"category": "category",
"description": "description",
"type": "global",
"tenantId": "tenantId",
"statements": [
{
"name": "Anonymous",
"effect": "allow",
"actions": [
{
"type": "path",
"pattern": "/auth/register"
},
{
"type": "path",
"pattern": "/auth/login"
}
]
},
{
"name": "UserScope",
"effect": "allow",
"actions": [
{
"type": "path",
"pattern": "/user/#{principal.id}/*"
}
],
"condition": {
"type": "authenticated"
}
},
{
"name": "Developer",
"effect": "allow",
"actions": [
{
"type": "all"
}
],
"condition": {
"type": "in",
"part": "context.principal.id",
"in": [
"developerId"
]
}
},
{
"name": "RequestOriginDeny",
"effect": "deny",
"actions": [
{
"type": "all"
}
],
"condition": {
"type": "reg",
"negate": true,
"part": "request.origin",
"pattern": "^(http|https)://github.com"
}
},
{
"name": "IpBlacklist",
"effect": "deny",
"actions": [
{
"type": "all"
}
],
"condition": {
"type": "path",
"part": "request.remoteIp",
"path": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
},
"pattern": "192.168.0.*"
}
},
{
"name": "RegionWhitelist",
"effect": "deny",
"actions": [
{
"type": "all"
}
],
"condition": {
"negate": true,
"type": "reg",
"part": "request.attributes.ipRegion",
"pattern": "^中国\\|0\\|(上海|广东省)\\|.*"
}
},
{
"name": "AllowDeveloperOrIpRange",
"effect": "allow",
"actions": [
{
"type": "all"
}
],
"condition": {
"type": "bool",
"bool": {
"and": [
{
"type": "authenticated"
}
],
"or": [
{
"type": "in",
"part": "context.principal.id",
"in": [
"developerId"
]
},
{
"type": "path",
"part": "request.remoteIp",
"path": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
},
"pattern": "192.168.0.*"
}
]
}
}
}
]
}
CoSec 权限策略设计参考 AWS IAM 。