Chinese Documentation: User authentication and authorization

Prerequisites

REVIEW COMMENT from AKT
Rand - based on community feedback, can we add Permissions to this page title? Authentication and Authorization makes sense to our enterprise folks, but not so much to the small developer, and much less to non-English-native-speaking folks.

Most applications need to control who (or what) can access data or call services. Typically, this involves requiring users to log in before they can access protected data, or requiring authorization tokens before other applications can access protected data.

For a simple example of implementing LoopBack access control, see the GitHub loopback-example-access-control repository.

LoopBack apps access data through models (see Defining models), so controlling access to data means putting restrictions on models; that is, specifying who or what can read/write the data or execute methods on the models. 

Access control concepts

LoopBack's access control system is built around a few core concepts. 

Term: Principal
Description: An entity that can be identified or authenticated.
Purpose: Represents an entity that requests access to a protected resource.
Examples:
  • User
  • Application
  • Role (a role is itself a principal)

Term: Role
Description: A group of principals that share the same permissions.
Purpose: Groups principals so that the same permissions can be granted to all of them at once.
Examples:
  • Dynamic roles:
    • $everyone (a role every user has)
    • $unauthenticated (unauthenticated users)
    • $owner (the owner of a resource)
  • Static roles:
    • admin (an administrator role defined by the implementation)

Term: RoleMapping
Description: Assigns roles to principals.
Purpose: Statically assigns principals to roles.
Examples:
  • Assign the user with id 1 to role1
  • Assign the 'admin' role to role 1

Term: ACL
Description: Access control list.
Purpose: Defines whether a principal may perform a given operation on a resource.
Examples:
  • Deny everyone access to the project resource
  • Allow the 'admin' role to call the find() method on the project resource

General process

The general process to implement access control for an application is:

  1. Specify user roles. Define the user roles that your application requires. For example, you might create roles for anonymous users, authorized users, and administrators.
  2. Define access for each role and model method. For example, you might enable anonymous users to read a list of banks, but not allow them to do anything else.
     LoopBack models have a set of built-in methods, and each method maps to either the READ or WRITE access type. In essence, this step amounts to specifying whether access is allowed for each role and each model + access type, as illustrated in the example below.
  3. Implement authentication: in the application, add code to create (register) new users, log in users (get and use authentication tokens), and log out users.
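As an added example (not from the original page), here is how steps 1 and 2 look in a LoopBack 3 model definition file for the bank scenario above, assuming a model named Bank stored in common/models/bank.json: the first ACL denies everyone, and the narrower rules then re-open READ for anonymous users and WRITE for the static admin role, which works because LoopBack resolves overlapping ACLs by specificity, so a rule with an explicit accessType overrides the wildcard DENY.

```json
{
  "name": "Bank",
  "base": "PersistedModel",
  "properties": {
    "name": { "type": "string", "required": true }
  },
  "acls": [
    {
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "DENY"
    },
    {
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "ALLOW",
      "accessType": "READ"
    },
    {
      "principalType": "ROLE",
      "principalId": "admin",
      "permission": "ALLOW",
      "accessType": "WRITE"
    }
  ]
}
```

Without the leading DENY rule, LoopBack lets any principal call any method of the model, so the deny-by-default entry is what turns the later ALLOW rules into a whitelist. The admin role is static, so it only takes effect once a Role record named admin exists and a RoleMapping ties the intended user to it, which is typically done in the registration code of step 3.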