Most applications need to control who (or what) can access data or call services. Typically this means requiring users to log in before they can reach protected data, or requiring other applications to present an authorization token before they can access it.
For a simple example of implementing LoopBack access control, see the GitHub loopback-example-access-control repository.
LoopBack apps access data through models (see Defining models), so controlling access to data means putting restrictions on models; that is, specifying who or what can read/write the data or execute methods on the models.
Access control concepts
LoopBack's access control system is built around a few core concepts.
Term | Description | Function | Example
---|---|---|---
Principal | An entity that can be identified or authenticated | Represents an entity that requests access to a protected resource | A user, an application, or a role
Role | A group of principals that share the same permissions | Groups principals so that permissions can be granted to the group rather than to each principal individually | LoopBack's built-in dynamic roles `$everyone`, `$authenticated`, `$unauthenticated` and `$owner`, or a static role you define such as `admin`
RoleMapping | Assigns roles to principals | Statically assigns a role to a principal | Mapping a specific user ID to the `admin` role
ACL | Access control list | Defines whether a principal may perform a given operation on a resource | Deny everyone access to a model, then allow the `admin` role to write to it
General process
The general process to implement access control for an application is:
- Specify user roles. Define the user roles that your application requires. For example, you might create roles for anonymous users, authorized users, and administrators.
- Define access for each role and model method. For example, you might enable anonymous users to read a list of banks, but not allow them to do anything else. LoopBack models have a set of built-in methods, and each method maps to either the READ or WRITE access type. In essence, this step amounts to specifying whether access is allowed for each role and each model + access type, as illustrated in the example below.
- Implement authentication: in the application, add code to create (register) new users, log users in (obtain and use authentication tokens), and log users out.
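The following model definition, added here as an illustration and not taken from the LoopBack project or the linked example repository, shows how the bank scenario above is expressed in LoopBack's model JSON format (the file that would live at `common/models/bank.json`). The model name `bank`, its two properties and the static role name `admin` are assumptions for this example; `$everyone`, `READ`, `WRITE`, `ROLE`, `ALLOW` and `DENY` are LoopBack's own values.

```json
{
  "name": "bank",
  "base": "PersistedModel",
  "description": "Hypothetical model written for this walkthrough; not part of LoopBack or its example apps",
  "properties": {
    "name": { "type": "string", "required": true },
    "swiftCode": { "type": "string" }
  },
  "acls": [
    {
      "accessType": "*",
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "DENY"
    },
    {
      "accessType": "READ",
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "ALLOW"
    },
    {
      "accessType": "WRITE",
      "principalType": "ROLE",
      "principalId": "admin",
      "permission": "ALLOW"
    }
  ]
}
```

The first entry denies every principal every access type; the two entries after it re-open only what is intended. LoopBack resolves conflicts in favour of the more specific entry (an entry for a single access type beats the `*` wildcard), so anonymous users can call the READ methods (`find`, `findById`, `exists`, `count`, and so on) but not the WRITE methods (`create`, `upsert`, `deleteById`, and so on), which only principals holding the `admin` role can call. The deny-all entry matters: a model whose methods are not covered by any ACL entry is open by default, so omitting it would leave every method outside the explicit entries reachable. The static `admin` role itself is not declared in this file; it is created as an instance of the built-in `Role` model and attached to users through `RoleMapping` entries with `principalType` `USER`. Authentication then uses the built-in `User` model's REST endpoints: `POST /api/Users` to register, `POST /api/Users/login` to obtain an access token (returned as the `id` of an `AccessToken`), which the client sends back on later requests as the `access_token` query parameter or in the `Authorization` header, and `POST /api/Users/logout` to invalidate it.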