Authorization mechanisms
Authorization is the process of checking a user's permissions to access particular resources or perform particular actions in a system after that user's identity has been confirmed.
Authorization determines what a user is allowed to do. It follows authentication, which confirms who the user is. Authorization relies on access-control mechanisms such as role-based access control (RBAC) or attribute-based access control (ABAC) to grant or deny access on the basis of predefined rules and policies. This process ensures that users can reach only the resources and functions they are entitled to use, which improves security and prevents unauthorized actions.
Prerequisite: authentication (/terms/authentication)
Related terms: rbac (/terms/rbac), authentication (/terms/authentication), single-sign-on-sso (/terms/single-sign-on-sso)
🧒 In simple terms
It is like different kinds of security staff. There is the guard at the door (PEP) who asks for your pass. There is the head of security (PDP) who decides whether that pass is valid today. And there is the rule book (PAP) that records who is allowed to go where.
🤓 Expert Deep Dive
## Technical Specification: Authorization - Deep Dive Analysis
Authorization is the process of verifying and enforcing access rights and permissions for an authenticated principal (user, service, etc.) to specific resources and actions. It operates after successful authentication.
### Core Concepts
* Distinction from Authentication: Authentication confirms identity ('who you are'); Authorization defines permissible operations ('what you can do').
* Policy-Based Decision Making: Access is granted or denied based on evaluating predefined policies against requests.
* Granularity of Permissions: Permissions range from broad roles to fine-grained actions (e.g., read, write, delete, execute) on specific resources.
* Resource-Centric vs. Identity-Centric: Authorization can be modeled by defining what principals can access a resource, or what resources and actions a principal is allowed.
* Contextual Authorization: Access decisions may incorporate dynamic environmental factors (e.g., time, location, device posture).
### Authorization Models
* Access Control Lists (ACLs): Permissions attached to resources, specifying access for principals.
* Role-Based Access Control (RBAC): Permissions are assigned to roles, which are then assigned to users. Simplifies management.
* Attribute-Based Access Control (ABAC): Access decisions are based on policies evaluating attributes of the subject, object, action, and environment. Highly flexible.
* Policy-Based Access Control (PBAC): Access is driven by explicit, declarative policies; often encompasses ABAC.
### Authorization Decision Lifecycle
* Policy Enforcement Point (PEP): Intercepts requests and forwards them for decision.
* Policy Decision Point (PDP): Evaluates policies and makes a Permit/Deny decision.
* Policy Information Point (PIP): Provides context or attributes to the PDP.
* Policy Administration Point (PAP): Manages policies.
### Technical Considerations
Includes data storage (IAM, databases), enforcement mechanisms (API gateways, service meshes), dynamic vs. static authorization, distributed system challenges (JWTs, microservices), scalability, revocation, auditing, the Principle of Least Privilege, and Separation of Duties.
### ELI5 Analogy: The Library System
Authentication is showing ID for a library card. Authorization is what your card allows: borrowing books, accessing study rooms, or viewing rare archives. The librarian checks your card's permissions against library rules (policies) to determine your access.
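As an added illustration of the PEP/PDP/PIP/PAP lifecycle and the RBAC and ABAC models described above (example code written for this entry, not from the original page or any product), a minimal Python model: the PAP holds role permissions plus attribute constraints, the PIP supplies user and resource attributes, the PDP answers Permit/Deny with deny-by-default, and the PEP enforces the decision and records it for auditing. The users, documents, roles and the MFA/business-hours rules are all constructed assumptions.

```python
from datetime import time

# --- PAP: policy store (constructed sample policies, not from any real product) ---
ROLE_PERMISSIONS = {                      # RBAC part: role -> allowed (resource type, action)
    "editor": {("doc", "read"), ("doc", "write"), ("doc", "delete")},
    "viewer": {("doc", "read")},
}

def abac_constraints(subject, resource, action, env):
    """ABAC part (assumed rules): writes need MFA during business hours,
    deletes are limited to the resource owner. Returns True when satisfied."""
    if action == "write":
        return env["mfa"] and time(9) <= env["now"] <= time(18)
    if action == "delete":
        return resource["owner"] == subject["id"]
    return True                           # reads carry no extra constraint

# --- PIP: attribute sources (constructed directory and resource metadata) ---
USERS = {"alice": {"id": "alice", "roles": ["editor"]},
         "bob":   {"id": "bob",   "roles": ["viewer"]}}
DOCS  = {"d1": {"type": "doc", "owner": "alice"},
         "d2": {"type": "doc", "owner": "bob"}}

# Sample environment contexts (constructed) that a PIP might report.
OFFICE_HOURS = {"mfa": True,  "now": time(10, 30)}
AFTER_HOURS  = {"mfa": True,  "now": time(20, 0)}
NO_MFA       = {"mfa": False, "now": time(10, 30)}

def pdp_decide(user_id, doc_id, action, env):
    """PDP: evaluate RBAC first, then ABAC constraints. Anything not explicitly
    permitted is denied (unknown user, unknown resource, unknown role)."""
    subject, resource = USERS.get(user_id), DOCS.get(doc_id)
    if subject is None or resource is None:
        return "Deny"
    rbac_ok = any((resource["type"], action) in ROLE_PERMISSIONS.get(role, set())
                  for role in subject["roles"])
    if not rbac_ok:
        return "Deny"
    return "Permit" if abac_constraints(subject, resource, action, env) else "Deny"

AUDIT_LOG = []                            # every decision is recorded, permits and denies alike

def pep_handle(user_id, doc_id, action, env):
    """PEP: intercept the request, ask the PDP, enforce and log the outcome."""
    decision = pdp_decide(user_id, doc_id, action, env)
    AUDIT_LOG.append((user_id, doc_id, action, decision))
    if decision != "Permit":
        return {"status": 403, "error": f"{action} on {doc_id} denied"}
    return {"status": 200, "result": f"{action} on {doc_id} done"}

if __name__ == "__main__":
    print(pep_handle("alice", "d1", "write", OFFICE_HOURS))   # Permit: editor + MFA + hours
    print(pep_handle("bob", "d1", "write", OFFICE_HOURS))     # Deny: viewer has no write
    print(pep_handle("alice", "d2", "delete", OFFICE_HOURS))  # Deny: alice is not the owner
```

Splitting the static RBAC check from the contextual ABAC check keeps the role model simple while still letting the PDP deny a legitimate editor when the request context (no MFA, outside business hours) fails policy.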