Cloud Identity and Cloud Endpoints: is there any way to bar certain users within a role/group from making POST/GET requests to an endpoint?

For example, suppose user A needs GET permission on an endpoint but not POST permission. Is there a way to:

  1. Create roles in which specific users cannot make specific types of requests to the endpoint?
  2. Ensure the endpoint enforces those rules?

Regarding your first question, Cloud IAM roles are designed to control the level of access a user account has to the services and products that exist in a project. IAM roles for Cloud Endpoints allow you to restrict which users can enable your API, but they don't provide fine-grained permissions of this kind to control how users who are indeed allowed to call your API interact with specific routes.

Now, it is possible to restrict access to specific API methods, and I'll describe two approaches below:

  • Using Auth0 and checking user authorization programmatically: when a user who is allowed to access the endpoint makes a request, their identity is passed to the handling code in the X-Endpoint-API-UserInfo header. You can then check who the caller is in order to deny the request. This would require some database communication to check for restricted users, or the arguably naive approach of hardcoding the users. From a security standpoint this approach is solid, since Cloud IAP blocks unauthorized users from accessing the API and you can then further narrow the scope of access as needed. The only drawback of this approach is that it introduces some latency. See here for links to documentation and code samples in several languages.
  • API keys: API keys provide a way of allowing/restricting access to individual methods as long as you can differentiate the endpoint routes. For instance you might allow some keys to call yourendpoint/route/method1 but restrict yourendpoint/route/method2. There are several drawbacks with this. The first is that API keys are meant to identify a project/application/website/IP rather than individual users, which isn't exactly what you're asking about. The second is that they're less secure than authentication, and once your API key is exposed almost anybody can use it, which can incur unexpected charges to your billing account. Nonetheless I wanted to mention it for the sake of completeness, as it might be useful in other situations. See here for an overview of API keys.

Overall, I would recommend using Auth0 with programmatic authorization checks.
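One way to implement the programmatic check described in the answer above, as an added example that is not from the original post nor Google's or Auth0's own code: a Python function that decodes the caller identity forwarded in X-Endpoint-API-UserInfo (assumed here to be base64url-encoded JSON carrying an `email` claim, as ESP sends it) and refuses specific HTTP methods on specific routes for specific callers. The deny list, route names and the header-building helper are constructed for local testing only.

```python
import base64
import json

# Assumption: ESP forwards the verified caller identity in this header as
# base64url-encoded JSON (claims such as "email", "id", "issuer").
USERINFO_HEADER = "x-endpoint-api-userinfo"

# Constructed per-(route, method) deny list; in production this would be
# looked up in a database rather than hardcoded.
DENIED = {
    ("/route/method1", "POST"): {"alice@example.com"},
}


def parse_userinfo(header_value):
    """Decode the header payload; return None if missing, malformed or without an email."""
    if not header_value:
        return None
    try:
        padded = header_value + "=" * (-len(header_value) % 4)  # restore stripped padding
        info = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return None
    if not isinstance(info, dict) or not isinstance(info.get("email"), str):
        return None
    return info


def authorize(path, method, headers):
    """Return (status, reason): 401 if no usable identity, 403 if denied, 200 if allowed."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    info = parse_userinfo(lowered.get(USERINFO_HEADER))
    if info is None:
        # ESP should already have rejected unauthenticated callers; fail closed anyway.
        return 401, "missing or unreadable caller identity"
    email = info["email"].lower()
    if email in DENIED.get((path, method.upper()), set()):
        return 403, f"{email} may not {method.upper()} {path}"
    return 200, "ok"


def make_userinfo_header(claims):
    """Constructed test helper that encodes claims the way ESP would (padding stripped)."""
    return base64.urlsafe_b64encode(json.dumps(claims).encode()).decode().rstrip("=")


if __name__ == "__main__":
    hdr = {"X-Endpoint-API-UserInfo": make_userinfo_header({"email": "alice@example.com", "id": "1"})}
    print(authorize("/route/method1", "GET", hdr))   # (200, 'ok')
    print(authorize("/route/method1", "POST", hdr))  # (403, 'alice@example.com may not POST /route/method1')
```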