在Rails App中使用Active Directory / LDAP组作为权限\角色的示例

时间:2022-02-02 02:58:58

I was wondering how other people implemented this scenario. I have an internal rails app ( inventory management, label printing, shipping,etc). I'm rewriting security on the system, cause the old way got to cumbersome to maintain ( users table, passwords, roles) - I used restful_authentication and roles. It was implemented about 3 years ago. I already implemented AuthLogic with ruby-ldap-net to authenticate users ( actually that was surprisingly easy, compared to how I struggled with other frameworks/languages before). Next step is roles. I already have groups defined in Active Directory - so I don't want to run a separate roles system in my rails app, I just want to reuse Active Directory groups - since that part of the system is already maintained for other purposes ( shared drives, backups, pc access, etc)

我想知道其他人是如何实现这种情况的。我有一个内部rails应用程序(库存管理,标签打印,运输等)。我正在重写系统的安全性,导致旧的方式变得难以维护(用户表,密码,角色) - 我使用了restful_authentication和角色。它大约在3年前实施。我已经使用ruby-ldap-net实现了AuthLogic来对用户进行身份验证(实际上,这与我以前使用其他框架/语言的方式相比非常容易)。下一步是角色。我已经在Active Directory中定义了组 - 所以我不想在我的rails应用程序中运行单独的角色系统,我只想重用Active Directory组 - 因为系统的那部分已经被维护用于其他目的(共享驱动器) ,备份,PC访问等)

So I was wondering if others had experience implementing permissions/roles in a rails app based on groups in Active Directory or LDAP. Also the roles requirements are pretty complex.

所以我想知道其他人是否有基于Active Directory或LDAP中的组在rails应用程序中实现权限/角色的经验。角色要求也非常复杂。

Here is an example:

这是一个例子:

For instance I have users that belong to the supervisors group in AD and to inventory dept, so I was that user to be able to run "advanced" tasks in invetory - adjust qty, run reports, however other "supervisors" from other departmanets, shouldn't be able to do this, also Top Management - should be able to use those reports (regardless weather they belong to the invetory or not), but not Middle Management, unless they are in inventory group. Admins of the system (Domain Admins) should have unrestricted access to the system , except for HR & Finances part unless they are in HR ( like you don't want all system admins (except for one authorized one) to see personal info of other employees).

例如,我有属于AD的主管组和库存部门的用户,所以我是那个用户能够在invetory中运行“高级”任务 - 调整数量,运行报告,然而其他“主管”来自其他的离线,不应该这样做,也是最高管理层 - 应该能够使用这些报告(无论他们是否属于投资者的天气),而不是中层管理人员,除非他们在库存组中。除HR和财务部分外,系统管理员(Domain Admins)应具有对系统的无限制访问权限,除非他们在HR中(就像您不希望所有系统管理员(一个授权的管理员除外)看到其他人的个人信息雇员)。

I looked at acl9, cancan, aegis. I was wondering if there are any advantaged/cons to using one versus the other for this particular use of system access based on AD. Suggest other systems if you had good experience.

我看着acl9,cancan,aegis。我想知道在使用基于AD的系统访问的特定用途中是否有任何优势/缺点。如果您有良好的经验,建议其他系统。

Thank you!!!

1 个解决方案

#1


5  

ActiveLDAP (Documentation, Github) has some of the features you're looking for, specifically:

ActiveLDAP(Documentation,Github)具有您正在寻找的一些功能,具体来说:

  • You can map LDAP objects (Object Class instances) to objects in a Rails application. The API doesn't mirror ActiveRecord exactly, but it's pretty easy to understand and learn.
  • 您可以将LDAP对象(对象类实例)映射到Rails应用程序中的对象。 API并不完全镜像ActiveRecord,但它很容易理解和学习。

  • It's obviously not possible to join, etc. across LDAP and Relational Databases, but you could write some mildly clever code to make composite data easily accessible from either the ActiveLDAP object or the ActiveRecord object.
  • 显然不可能在LDAP和关系数据库之间加入等,但您可以编写一些稍微聪明的代码,以便从ActiveLDAP对象或ActiveRecord对象轻松访问复合数据。

  • ActiveLDAP also provides methods to write to LDAP which allows you to manage your users and roles in LDAP from rails, eliminating the requirement to manage a user table in the database, however, a user database table would likely still be necessary to store application specific data about a user.
  • ActiveLDAP还提供了写入LDAP的方法,允许您从rails管理LDAP中的用户和角色,无需管理数据库中的用户表,但是,仍可能需要用户数据库表来存储特定于应用程序的数据关于用户。

  • Additionally, you could integrate AuthLogic with ActiveLDAP. Here's one attempt I found of just that: LDAP Pass-through Authentication with Authlogic and ActiveLdap
  • 此外,您可以将AuthLogic与ActiveLDAP集成。以下是我发现的一次尝试:使用Authlogic和ActiveLdap进行LDAP传递身份验证

  • You could then use Declarative Authorization (Pundit) to handle your roles and authorization.
  • 然后,您可以使用声明性授权(Pundit)来处理您的角色和授权。

#1


5  

ActiveLDAP (Documentation, Github) has some of the features you're looking for, specifically:

ActiveLDAP(Documentation,Github)具有您正在寻找的一些功能,具体来说:

  • You can map LDAP objects (Object Class instances) to objects in a Rails application. The API doesn't mirror ActiveRecord exactly, but it's pretty easy to understand and learn.
  • 您可以将LDAP对象(对象类实例)映射到Rails应用程序中的对象。 API并不完全镜像ActiveRecord,但它很容易理解和学习。

  • It's obviously not possible to join, etc. across LDAP and Relational Databases, but you could write some mildly clever code to make composite data easily accessible from either the ActiveLDAP object or the ActiveRecord object.
  • 显然不可能在LDAP和关系数据库之间加入等,但您可以编写一些稍微聪明的代码,以便从ActiveLDAP对象或ActiveRecord对象轻松访问复合数据。

  • ActiveLDAP also provides methods to write to LDAP which allows you to manage your users and roles in LDAP from rails, eliminating the requirement to manage a user table in the database, however, a user database table would likely still be necessary to store application specific data about a user.
  • ActiveLDAP还提供了写入LDAP的方法,允许您从rails管理LDAP中的用户和角色,无需管理数据库中的用户表,但是,仍可能需要用户数据库表来存储特定于应用程序的数据关于用户。

  • Additionally, you could integrate AuthLogic with ActiveLDAP. Here's one attempt I found of just that: LDAP Pass-through Authentication with Authlogic and ActiveLdap
  • 此外,您可以将AuthLogic与ActiveLDAP集成。以下是我发现的一次尝试:使用Authlogic和ActiveLdap进行LDAP传递身份验证

  • You could then use Declarative Authorization (Pundit) to handle your roles and authorization.
  • 然后,您可以使用声明性授权(Pundit)来处理您的角色和授权。