我需要使用规则引擎在系统中实现角色权限(这可能有点过分吗?),但是权限本身有点复杂。我对如何授予访问权限或不使用规则引擎感到困惑。

我也对我应该使用的设计存有疑问,以便以可扩展和可维护的方式实现它。因此,任何设计方面的帮助或向我解释如何使用规则引擎都会很棒。

使用nools 、mongoDB、node.js 作为后端。

我正在考虑在我的 Node.js 应用程序的 Bootstrap 中创建一个封装 Nools 的规则引擎实例(可能是一个反模式 inner-platform?),并将其作为全局变量。

类似于:

'use strict'; 
 
var nools = require('nools'); 
var flows = require('./rule-engine.flows'); 
 
// A flow is a container of rules, so each flow could be a category of rules  
// In the same flow could have some more specific subcategories would be actionGroups? 
 
// I'm creating a ruleEngine instance that would contain nools but I'm not sure 
// if that would be a good practice, I have that to maybe encapsulate boilerplate code 
// or some straight forward operations in the future.. don't sure of this. 
var ruleEngine = function(){ 
    this.nools = nools; 
}; 
 
ruleEngine.prototype.getFlowSession = function(flow){ 
    if(this.nools.hasFlow(flow)){ 
        return this.nools.getFlow(flow).getSession(); 
    }else{ 
        var fl = this.nools.flow(flow, flows[flow]); 
        return fl.getSession(); 
    } 
}; 
 
ruleEngine.prototype.createRule = function(flow, rule){ 
    if(this.nools.hasFlow(flow)){ 
    // implementation to add rules to a flow 
    } 
}; 
 
ruleEngine.prototype.editRule = function(flow, rule, update){}; 
ruleEngine.prototype.retractRule = function(flow, rule){}; 
 
//could be global object, or cache object but certainly should be a single object.     
if(!GLOBAL.ruleEngine){  
    var ruleEngineInstance = new ruleEngine(); 
    GLOBAL.ruleEngine = ruleEngineInstance; 
} 
 
//module.exports = GLOBAL.ruleEngine; 

规则引擎.流程:

'use strict'; 
 
var flowName = function(flow){ 
// query the rules to database or to cache.. then add the rules to the flow. 
// query bla bla function(results){ 
for(Var i=0; i<results.length; i++) 
    flow.rule(results[i].name, results[i].constraints, results[i].action); 
 
// alternately, I could just from the bootstrap create a flow,  
// and create a function to add, modify or retract rules of a specific flow.  
// What would be the better design approach ? or combine two approach ?  
// bring from database the first time, and later use ruleModify,  
// ruleCreate or rule retract functions. 
}; 
 
module.exports = { 
    flowName: flowName,  
// each would be a flow that would be a category of rules for the system 
    flowName2: flowName2 
}; 

如何使用它来实现权限,是规则引擎和外部app/代码通过事件进行通信的唯一方式吗?

这些是我创建的一些规则,只是为了搞乱(同时是用于创建模拟缓存规则或 MongoDB 规则的 flowName 的规则)。

var results = [ 
    { 
        name: 'userAllow', 
        constraints: [Object, 'obj', 'obj.systemRole === \'user\''], 
        action: function(facts, session, next){ 
            session.emit('event:userAllow', {data: 'user is allow'}); 
            next(); 
        } 
    }, 
    { 
        name: 'userNotAllow', 
        constraints: [Object, 'obj', 'obj.systemRole !== \'user\''], 
        action: function(facts, session, next){ 
            session.emit('event:userNotAllow', {data: 'user is not allow'}); 
            next(); 
        } 
    }, 
    { 
        name: 'adminAllow', 
        constraints: [Object, 'obj', 'obj.systemRole === \'admin\''], 
        action: function(facts, session, next){ 
            session.emit('event:adminAllow', {data: 'admin is allow!'}); 
            next(); 
        } 
    }, 
    { 
        name: 'adminNotAllow', 
        constraints: [Object, 'obj', 'obj.systemRole !== \'admin\''], 
        action: function(facts, session, next){ 
            session.emit('event:adminNotAllow', {data: 'admin not allow'}); 
            next(); 
        } 
    } 
]; 

因此,通过这几条规则,我只想在 user.systemRole 为管理员时授予访问权限......我应该按以下方式使用事件吗?

系统中的X方法:

//validate delete with ruleEngine... supposed only admin would be able to delete 
var self = this; 
var session = ruleEngine.getFlowSession('flowName'); 
session.assert({systemRole: User.role}); //User.role = 'user' || 'admin' 
session.on('event:adminAllow', function(d){ 
    console.log('do the job because the user is admin'); 
    // Delete implementation. 
}); 
session.on('event:adminNotAllow', function(d){ 
    console.log('User not allow because is not admin'); 
}); 
session.on('fire',function(name){ 
    console.log(name); 
}); 
session.match().then(function(){ 
    session.dispose(); 
}); 

到目前为止,我在这个实现上遇到了一些问题。事件可以多次触发,并且我不能允许它在删除操作或创建操作或类似操作上触发两次。

所以除了我需要修复的错误(不知道如何修复) 编辑:

我评论了规则的最后一个 next() ,之后事件被触发一次。 我还有其他疑问:

  1. 是否有良好实践被打破或反模式?
  2. 这是可扩展的并且易于维护吗?
  3. 这是使用规则引擎的正常方式吗?
  4. 此实现的优点和缺点?
  5. 有更好的方法吗?

预先感谢您的帮助。

请您参考如下方法:

您是否致力于使用 nools?如果没有,有一个更简单的(恕我直言)选项来使用node_acl创建访问控制系统。 。

访问控制系统基于三件事:角色;资源和权限。您定义某些角色和资源,然后只需为每个资源设置每个角色的权限。例如,您可以拥有“admin”角色,并在资源“系统配置”上设置“可以修改”权限。然后您需要做的就是根据需要为用户分配角色。

如果您愿意,我很乐意提供一些示例代码,但您可以查看我在 creating an access control system for nodejs 上编写的教程.


评论关闭
IT源码网

微信公众号号:IT虾米 (左侧二维码扫一扫)欢迎添加!