I'm migrating a system from Symfony2 to Node. Most of it is going fine, but I've had some trouble understanding how ACL works. I've got an idea now, but looking at the MySQL schema, I see that I have two columns with the actual permissions, ace_order and mask. Can someone please tell me why there are two fields instead of only one, and/or how to interpret them so I can translate them to a simpler schema?
```sql
CREATE TABLE `acl_entries` (
  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `class_id` int(10) unsigned NOT NULL,
  `object_identity_id` int(10) unsigned DEFAULT NULL,
  `security_identity_id` int(10) unsigned NOT NULL,
  `field_name` varchar(50) COLLATE utf8_unicode_ci DEFAULT NULL,
  `ace_order` smallint(5) unsigned NOT NULL,              -- <== first col
  `mask` int(11) NOT NULL,                                -- <== second col
  `granting` tinyint(1) NOT NULL,
  `granting_strategy` varchar(30) COLLATE utf8_unicode_ci NOT NULL,
  `audit_success` tinyint(1) NOT NULL,
  `audit_failure` tinyint(1) NOT NULL,
  PRIMARY KEY (`id`),
  -- ... other key stuff ...
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci ROW_FORMAT=COMPACT;
```
Edit:
I'm mostly interested in how ace_order affects the permissions.
1 answer
#1
2
There is only one column that contains the actual permissions, and that is mask. This column contains a bitmask, called the "permission mask", which is stored as an integer and represents the cumulative permissions in the ACE.
Other columns influence whether permission is granted:
ace_order is used to determine which ACE is checked first. If the ACE is applicable, it will be used to grant (or deny) permission. If not, the next ACE is checked.
The order is determined by the order in which ACEs are added: the last ACE added will have order 0, the first will have the highest number. As a general rule you should add ACEs from least specific to most specific, meaning the most specific one will be checked first.
granting is a boolean (stored as an integer) that specifies whether the permissions in the ACE are granted or denied.
granting_strategy specifies how the permissions you ask for are compared with the ones in the ACE, in other words whether the ACE is applicable. You can find an explanation in the source of PermissionGrantingStrategy.