[翻译]PhpGACL手册(二)
2005-02-19 00:00
411 查看
不知不觉已经开始写了,看来只要下定决心,速度还是不赖的嘛。这样看来本人的行动力还行,就是翻译的水平差了点,大家也就将就将就吧,反正大致意思是 不会错的!呵呵!!E文好的牛人们呢,有心的你就直接看原文,有心的你就帮忙改改(有点象走江湖的口吻,有钱的捧个钱场,无钱的捧个人场,^-^)如果您 老实在看不下来,那就自己再译一个,我这也算是间接为文档中文化做出了点贡献,呵呵!
Defining access control with phpGACL
It seems that for large or complex situations, this 'access matrix' approach is clearly unsuitable. We need a better system that maintains the advantages (fine-grain control and a clear idea of who[/u] has access to what[/u]) but removes the disadvantages (difficult to summarize, and difficult to manage large groups of people at once). One solution is phpGACL.
看来对于大型或复杂的情况来说,采用"权限表"方法明显不适用。我们需要一个更好的系统来继承权限表的优点(精细权限控制及谁[/u]能访问什么[/u]的清晰思路)同时摒弃它的不足(总结和大规模权限管理的困难)。phpGACL就是这样的系统之一。
phpGACL doesn't describe access from the 'bottom-up' like the Access Matrix above. Instead, it describes it 'top-down', like the textual description of Han's access policy. This is a very flexible system that allows you to manage access in large groups, it neatly summarizes the access policy, and it's easy to see who [/u]has access to what[/u].
phpGACL并不象上面"权限表"那样采用"自底向上"的方式来描述权限,相反,它采取"由顶向下"来描述权限,象Han所说那段话所表现的权限策略那样。这是一个十分灵活的系统允许你去管理大量的权限,它能简明扼要地总结权限策略而且更容易看清是谁[/u]有权访问什么[/u]。
An ARO tree defines a hierarchy of Groups and AROs (things that request access). This is very similar to a tree view of folders and files. The 'folders' are the Groups and the 'files' are AROs.
ARO树定义ARO对象(要求访问权限的事物)和组的等级关系,它同文件目录树非常相似,其中的组就相当于文件夹而ARO对象则相当于文件。
Let's make an ACL tree for the people on Han's ship. First we define some categories for the people. It's clear that Han and Chewie run the ship, and the rest of them are just passengers:
让我们为Han的船上的人建立一个ACL树。首先我们先把人分成几类,可以很清楚地知道Han和Chewi是开船的,其他人则是乘客:
phpGACL
Millennium Falcon Passengers(千年隼号乘客) Group(组)
├─Crew(船 员) Group(组)
│ ├─Han ARO
│ └─Chewie ARO
└─Passengers (乘客) Group(组)
├─Obi-wan ARO
├─Luke ARO
├─R2D2 ARO
└─C3PO ARO
This tree by itself doesn't specify any access policy; it just shows how we're grouping the people who might request access (AROs).
该树自身并不指定任何权限策略;它只是显示我们如何对需要权限的人(即ARO对象)进行分组。
We apply access restrictions by assigning instructions about a particular room (ACO) to Groups or AROs in the tree. Han says: "By default, no-one should be allowed access to any room on the Millennium Falcon. But the Crew should have access to every room. The Passengers should only have access to the Lounge."
我们将对指定房间(ACO对象)的权限限制应用到树中的组或ARO对象上。Han说:"在缺省情况下,千年隼号上没有人有权力进入房间。除了船员可以进入任何房间,而乘客只能进休息室。
phpGACL
Millennium Falcon Passengers(千年隼号乘客)
├─Crew (船员) [ALLOW: ALL(允许:全部)]
│ ├─Han
│ └─Chewie
└─Passengers (乘客) [ALLOW: Lounge(允许:休息室)]
├─Obi-wan
├─Luke
├─R2D2
└─C3PO
To interpret this ARO tree, we start from the top and work our way down.
我们按我们的方式"自顶向下"地来解释这个ARO树。
Firstly, the default policy is always to deny access. Permissions have been overridden for the "Crew", so they have access to everywhere ("ALL" is a synonym for all rooms: "Cockpit, Lounge, Guns, Engines"). The "Passengers" have access only to the Lounge.
首先,缺省的策略总是拒绝任何访问权限的。许可对于船员来说是无效的,因此他们拥有去任何房间的权限("ALL"权限对所有房间都一样,如驾驶室,休息室,武器室和发动机室)。而乘客则只有到休息室的权限。
This way of describing the access policy is much clearer than the access matrix. You can easily see who has access to what, and it's easier to determine why[/u] they've got access (it seems obvious that Han and Chewie would have access to everything, since they're grouped under "Crew").
这种描述权限策略的方式比用权限表更加简明。人们可以很容易地看出谁对什么拥有权限,并且也可以很清楚地说明为什么他们拥有权限(这看上去很显然,Han和Chewie拥有去任何房间的权限,因为他们被分在"船员"组)
To summarize
总结:
Access Control Objects (ACOs) are the things we want to control access to (e.g. web pages, databases, rooms, etc).
权限控制对象(ACO对象)是我们想要控制的事物(如网页,数据库,房间等)
Access Request Objects (AROs) are the things that request access (e.g. people, remote computers, etc)
权限需求对象(ARO对象)是要求权限的事物(如人们,远程计算机等)
ARO trees define a hierarchy of Groups and AROs. Groups can contain other Groups and AROs.
ARO树则定义了ARO对象及组的级别,组可以包含其他组和ARO对象。
The default 'catch-all' policy for the ARO tree is always "DENY ALL".
ARO树缺省的"catch-all"(全部阻止了)策略总是拒绝所有权限的。
To assign access policy, work your way down the tree, explicitly assigning permissions to Groups and AROs for each ACO as the need arises.
为分配权限策略,在ARO树上按照你的想法自顶向下明确地为每一个ACO对象分配所需的权限给组和ARO对象
Fine-grain access control
Oops! What about Chewie? By grouping him in "Crew", Han has indirectly given him access to the Engines! He doesn't want that after what Chewie recently did to the hyperdrive, so he adds a rule to disallow this:
哎呀!Chewie怎么办呢?他被分入了"船员"组,Han已经间接地给了他到发动机室的权限了!但这并不是他所想的,因此他增加了一条规则来禁止这个权限:
千年隼号乘客
├─船员 [允许:全部]
│├─Han
│└─Chewie [拒绝:发动机室]
└─乘客 [允许:休息室 ]
├─Obi-wan
├─Luke
├─R2D2
└─C3PO
This is an example of the way you can control access policy in a fine-grained manner. It is not necessary to move Chewie to another Group; we simply over-ride the access policy at a lower level.
这是一个例子,表明你如何用高精度的方式来进行权限策略的控制。通过这种方式你不需要将Chewie移入另一个组中;我们只需要简单地在较低的层次中覆写权限策略就可以了。
Another example of fine-grain control happens when the Empire attacks; Han needs to let Luke man the guns, and let R2D2 repair the hyperdrive in the Engine room. He can do this by over-riding the general permissions granted by their status as a "Passenger":
另一个高精度控制的例子发生在受到帝国袭击时,Han需要Luke操纵武器,R2D2修理发动机室中的引擎。他可以通过覆写他们作为乘客的通用权限就来实现这一改变:
千年隼号乘客
├─船员 [允许:全部]
│├─Han
│└─Chewie [拒绝:发动机室]
└─乘客 [允许:休息室 ]
├─Obi-wan
├─Luke [允许:武器室]
├─R2D2 [允许:发动机室]
└─C3PO phpGACL
Multi-level Groups
Groups can be extended to any level in the ARO tree. For example, you could add a Group "Jedi" to "Passengers". Most passengers would be categorized under "Passengers", but Luke and Obi-wan would be under "Jedi" and therefore might be extended extra privileges (like access to the Cockpit):
组可以扩展到ARO树中的任何一个层次。例如,你可以增加"绝地战士"组到"乘客"组中,大多数乘客将被分到"乘客"组下,但Luke和Obi-wan将被分到"绝地战士"组下,因此他们也就扩展了其他额外的权利(如可以到驾驶室)
千年隼号乘客
├─船员 [允许:全部]
│├─Han
│└─Chewie [拒绝:发动机室]
└─乘客 [允许:休息室 ]
├─绝地战士 [允许:驾驶室]
│├─Obi-wan
│└─Luke [允许:武器室]
├─R2D2 [允许:发动机室]
└─C3PO
How does phpGACL determine permissions?
When the ship's computer (running phpGACL of course) checks access, the only question it can ask itself is "Does person X have access to room Y?" In phpGACL terms, this is rephrased as "Does ARO 'X' have access to ACO 'Y'?"
当飞船上的计算机(当然运行是的phpGACL了)检查权限时,它只需要问自己这样一个问题:"X人有权进入Y房间吗?"用phpGACL的说法就是"ARO对象X有权访问ACO对象Y吗?"
phpGACL determines whether a specific person has access to a specific room by working from the top of the ARO tree towards the specified person, noting explicit access controls for that place along the way. When it reaches that person, it uses the last explicit access control it encountered as the result to return. In this way, you can define access controls for groups of people, but over-ride them further down the tree if you need to.
phpGACL通过从ARO树的顶部向下遍历的方式,直到找到那个人,明确其访问控制权限来确定该人是否有权访问指定房间。当它找到那个人时,它将它最终遇到的访问控制权限作为结果返回。通过这种方式,你能够为人们所属的组定义访问控制权限,但也可以在你需要时在树的下一层次覆写它们。
Example 1: We ask: "Does Luke have access to the Lounge?".
例1:我们问"Luke有访问休息室的权限吗?"
Set the default result, "DENY".
设置缺省结果,"拒绝"
Work out a path to Luke:
遍历ARO树以找到Luke
Millennium Falcon Passengers → Passengers → Jedi → Luke
Start at the top of the tree and move towards Luke: The "Millennium Falcon Passengers" node doesn't say anything about any room, so do nothing here.
从ARO树顶开始遍历到Luke:"千年隼号乘客"节点没有定义任何权限,所以这儿不做任何事情。
Move on to "Passengers", which explicitly says that "Passengers" have Lounge access, so change the internal result to "ALLOW".
移动到"乘客"节点,这儿清楚地表示"乘客"有进入休息室的权限,所以改变内部结果为"允许"。
Move to the "Jedi" node, which doesn't mention the Lounge at all.
移动到"绝地战士"节点,这儿根本没有提到任何关于休息室的话。
Finally move to Luke's node, and again there's nothing there about the Lounge.
最后移动到Luke,这儿也没提至休息室
There's nowhere left to go, so the result returned is the current value of the internal result: "ALLOW"
现在已经到达终点了,所以返回结果就是当前的内部结果值:"允许"
Example 2: We ask: "Does Chewie have access to the Engines?"
例2:我们问:"Chewie有权访问发动机室吗?"
Set the default result, "DENY".
设置缺省结果,"拒绝"
Work out a path to Chewie:
遍历ARO树以找出Chewie:
Millennium Falcon Passengers → Crew → Chewie
Start at the top of the tree and move towards Chewie. The "Millennium Falcon Passengers" node doesn't say anything about anywhere, so do nothing here.
从ARO树顶开始遍历到Chewie,"千年隼号乘客"节点没有定义任何权限,所以这儿不做任何事情。
Move on to "Crew", which explicitly says that "Crew" have Engine access, so change the internal result to "ALLOW".
移至"船员"节点,该节点明确表明"船员"组拥有访问发动机室的权限,因此改变内部结果为"允许"。
Move to Chewie's node, and there's an explicit rule saying that he doesn't have access to the Engines, so change the internal result to "DENY".
移至Chewie节点,该节点规则表明没有访问发动机室的权限,因此改变内部结果为"拒绝"。
There's nowhere left to go, so the result returned is the current value of the internal result: "DENY"
现在已经到达终点了,所以返回结果就是当前的内部结果值:"拒绝"
As you can see from the examples, if a Group doesn't explicitly specify a permission for a room, then that Group inherits the access restrictions of its parent for that room. If the root node ("Millennium Falcon Passengers") doesn't specify a permission, it inherits it from the default setting ("DENY ALL" in the above examples).
就象你从例子上看到的那样,如果一个组没被明确指定访问某个房间的权限的话,那么该组就会继承其父节点对该房间的权限。如果根节点("千年隼号乘客")也没有被指定权限的知,则它继承它的缺省设置(在上面的例子里是"全部拒绝")
This implies a couple of interesting points about the ARO tree:
从上面的例子我们不难看出ARO树中有意思的几点:
The ARO tree always shows the full list of the AROs. It would not make sense to ask "Does Jabba have access to the Cockpit?" because Jabba has not been defined in this system. However, phpGACL does not check to see if AROs or ACOs exist before performing the check, so if this question was actually asked then the result would be the default "DENY".
ARO树总是列出完整的ARO对象列表。如果问题是"Jabba是否有权进入驾驶室?"那就显得很不合理了,因为Jabba并未在这个系统中提及。然而,phpGACL在进行权限检查之前并不检查ARO对象或ACO对象是否存在,因此如果真被问及上述问题,则返回的结果将是缺省值"拒绝"。
The ARO tree may not display some defined ACOs, and relies on the default setting to define access policy. For example, say Han defined a "Bathroom" ACO. Any question like "Does Luke have access to the Bathroom?" would have the answer "DENY", because the default is "DENY" and nowhere in the ARO tree does it ever explicitly mention the Bathroom. Keep in mind when examining the ARO tree that some ACOs may not be visible.
在ARO树中也许并不显示某些已被定义的ACO对象,而是凭借缺省值来进行权限策略的设定。比如说Han定义了一个"浴室"ACO对象,那么任何诸如"Luke有权进浴室吗?"这样的问题将会得到"拒绝"这样的回答,因为在ARO树中没有任何地方明确地说明了浴室的权限而缺省的值又是"拒绝"。请记住检查ARO树时有些ACO对象也许是看不见的。
Note: When asking phpGACL questions about access to an ACO, it is not possible to use Groups as AROs (even though it might 'seem' right). For example, it is impossible to answer the question "Do Passengers have access to Guns?" The complete answer is not a Boolean "ALLOW" or "DENY", but the more complex "Luke and Obi-wan can but R2D2 and C3PO cannot." phpGACL is not designed to return that kind of answer.
注意:当询问phpGACL系统对某个ACO对象的权限时,它不可能使用组来代替ARO对象的(尽管那看上去可能是合理的)。比如说象回答诸如"乘客是否有权进入武器室?"之类的问题,完整的回答不是一个简单的"允许"或"拒绝",而是更为复杂的"Luke和Obi-wan可以,而R2D2和C3PO不可以。"phpGACL系统没有被设计成能返回这样的回答。
Defining access control with phpGACL
用phpGACL设置权限控制
It seems that for large or complex situations, this 'access matrix' approach is clearly unsuitable. We need a better system that maintains the advantages (fine-grain control and a clear idea of who[/u] has access to what[/u]) but removes the disadvantages (difficult to summarize, and difficult to manage large groups of people at once). One solution is phpGACL.看来对于大型或复杂的情况来说,采用"权限表"方法明显不适用。我们需要一个更好的系统来继承权限表的优点(精细权限控制及谁[/u]能访问什么[/u]的清晰思路)同时摒弃它的不足(总结和大规模权限管理的困难)。phpGACL就是这样的系统之一。
phpGACL doesn't describe access from the 'bottom-up' like the Access Matrix above. Instead, it describes it 'top-down', like the textual description of Han's access policy. This is a very flexible system that allows you to manage access in large groups, it neatly summarizes the access policy, and it's easy to see who [/u]has access to what[/u].
phpGACL并不象上面"权限表"那样采用"自底向上"的方式来描述权限,相反,它采取"由顶向下"来描述权限,象Han所说那段话所表现的权限策略那样。这是一个十分灵活的系统允许你去管理大量的权限,它能简明扼要地总结权限策略而且更容易看清是谁[/u]有权访问什么[/u]。
An ARO tree defines a hierarchy of Groups and AROs (things that request access). This is very similar to a tree view of folders and files. The 'folders' are the Groups and the 'files' are AROs.
ARO树定义ARO对象(要求访问权限的事物)和组的等级关系,它同文件目录树非常相似,其中的组就相当于文件夹而ARO对象则相当于文件。
Let's make an ACL tree for the people on Han's ship. First we define some categories for the people. It's clear that Han and Chewie run the ship, and the rest of them are just passengers:
让我们为Han的船上的人建立一个ACL树。首先我们先把人分成几类,可以很清楚地知道Han和Chewi是开船的,其他人则是乘客:
phpGACL
Millennium Falcon Passengers(千年隼号乘客) Group(组)
├─Crew(船 员) Group(组)
│ ├─Han ARO
│ └─Chewie ARO
└─Passengers (乘客) Group(组)
├─Obi-wan ARO
├─Luke ARO
├─R2D2 ARO
└─C3PO ARO
This tree by itself doesn't specify any access policy; it just shows how we're grouping the people who might request access (AROs).
该树自身并不指定任何权限策略;它只是显示我们如何对需要权限的人(即ARO对象)进行分组。
We apply access restrictions by assigning instructions about a particular room (ACO) to Groups or AROs in the tree. Han says: "By default, no-one should be allowed access to any room on the Millennium Falcon. But the Crew should have access to every room. The Passengers should only have access to the Lounge."
我们将对指定房间(ACO对象)的权限限制应用到树中的组或ARO对象上。Han说:"在缺省情况下,千年隼号上没有人有权力进入房间。除了船员可以进入任何房间,而乘客只能进休息室。
phpGACL
Millennium Falcon Passengers(千年隼号乘客)
├─Crew (船员) [ALLOW: ALL(允许:全部)]
│ ├─Han
│ └─Chewie
└─Passengers (乘客) [ALLOW: Lounge(允许:休息室)]
├─Obi-wan
├─Luke
├─R2D2
└─C3PO
To interpret this ARO tree, we start from the top and work our way down.
我们按我们的方式"自顶向下"地来解释这个ARO树。
Firstly, the default policy is always to deny access. Permissions have been overridden for the "Crew", so they have access to everywhere ("ALL" is a synonym for all rooms: "Cockpit, Lounge, Guns, Engines"). The "Passengers" have access only to the Lounge.
首先,缺省的策略总是拒绝任何访问权限的。许可对于船员来说是无效的,因此他们拥有去任何房间的权限("ALL"权限对所有房间都一样,如驾驶室,休息室,武器室和发动机室)。而乘客则只有到休息室的权限。
This way of describing the access policy is much clearer than the access matrix. You can easily see who has access to what, and it's easier to determine why[/u] they've got access (it seems obvious that Han and Chewie would have access to everything, since they're grouped under "Crew").
这种描述权限策略的方式比用权限表更加简明。人们可以很容易地看出谁对什么拥有权限,并且也可以很清楚地说明为什么他们拥有权限(这看上去很显然,Han和Chewie拥有去任何房间的权限,因为他们被分在"船员"组)
To summarize
总结:
Access Control Objects (ACOs) are the things we want to control access to (e.g. web pages, databases, rooms, etc).
权限控制对象(ACO对象)是我们想要控制的事物(如网页,数据库,房间等)
Access Request Objects (AROs) are the things that request access (e.g. people, remote computers, etc)
权限需求对象(ARO对象)是要求权限的事物(如人们,远程计算机等)
ARO trees define a hierarchy of Groups and AROs. Groups can contain other Groups and AROs.
ARO树则定义了ARO对象及组的级别,组可以包含其他组和ARO对象。
The default 'catch-all' policy for the ARO tree is always "DENY ALL".
ARO树缺省的"catch-all"(全部阻止了)策略总是拒绝所有权限的。
To assign access policy, work your way down the tree, explicitly assigning permissions to Groups and AROs for each ACO as the need arises.
为分配权限策略,在ARO树上按照你的想法自顶向下明确地为每一个ACO对象分配所需的权限给组和ARO对象
Fine-grain access control
高精度权限控制
Oops! What about Chewie? By grouping him in "Crew", Han has indirectly given him access to the Engines! He doesn't want that after what Chewie recently did to the hyperdrive, so he adds a rule to disallow this:哎呀!Chewie怎么办呢?他被分入了"船员"组,Han已经间接地给了他到发动机室的权限了!但这并不是他所想的,因此他增加了一条规则来禁止这个权限:
千年隼号乘客
├─船员 [允许:全部]
│├─Han
│└─Chewie [拒绝:发动机室]
└─乘客 [允许:休息室 ]
├─Obi-wan
├─Luke
├─R2D2
└─C3PO
This is an example of the way you can control access policy in a fine-grained manner. It is not necessary to move Chewie to another Group; we simply over-ride the access policy at a lower level.
这是一个例子,表明你如何用高精度的方式来进行权限策略的控制。通过这种方式你不需要将Chewie移入另一个组中;我们只需要简单地在较低的层次中覆写权限策略就可以了。
Another example of fine-grain control happens when the Empire attacks; Han needs to let Luke man the guns, and let R2D2 repair the hyperdrive in the Engine room. He can do this by over-riding the general permissions granted by their status as a "Passenger":
另一个高精度控制的例子发生在受到帝国袭击时,Han需要Luke操纵武器,R2D2修理发动机室中的引擎。他可以通过覆写他们作为乘客的通用权限就来实现这一改变:
千年隼号乘客
├─船员 [允许:全部]
│├─Han
│└─Chewie [拒绝:发动机室]
└─乘客 [允许:休息室 ]
├─Obi-wan
├─Luke [允许:武器室]
├─R2D2 [允许:发动机室]
└─C3PO phpGACL
Multi-level Groups
多层次组
Groups can be extended to any level in the ARO tree. For example, you could add a Group "Jedi" to "Passengers". Most passengers would be categorized under "Passengers", but Luke and Obi-wan would be under "Jedi" and therefore might be extended extra privileges (like access to the Cockpit):组可以扩展到ARO树中的任何一个层次。例如,你可以增加"绝地战士"组到"乘客"组中,大多数乘客将被分到"乘客"组下,但Luke和Obi-wan将被分到"绝地战士"组下,因此他们也就扩展了其他额外的权利(如可以到驾驶室)
千年隼号乘客
├─船员 [允许:全部]
│├─Han
│└─Chewie [拒绝:发动机室]
└─乘客 [允许:休息室 ]
├─绝地战士 [允许:驾驶室]
│├─Obi-wan
│└─Luke [允许:武器室]
├─R2D2 [允许:发动机室]
└─C3PO
How does phpGACL determine permissions?
phpGACL怎样确定权限呢?
When the ship's computer (running phpGACL of course) checks access, the only question it can ask itself is "Does person X have access to room Y?" In phpGACL terms, this is rephrased as "Does ARO 'X' have access to ACO 'Y'?"当飞船上的计算机(当然运行是的phpGACL了)检查权限时,它只需要问自己这样一个问题:"X人有权进入Y房间吗?"用phpGACL的说法就是"ARO对象X有权访问ACO对象Y吗?"
phpGACL determines whether a specific person has access to a specific room by working from the top of the ARO tree towards the specified person, noting explicit access controls for that place along the way. When it reaches that person, it uses the last explicit access control it encountered as the result to return. In this way, you can define access controls for groups of people, but over-ride them further down the tree if you need to.
phpGACL通过从ARO树的顶部向下遍历的方式,直到找到那个人,明确其访问控制权限来确定该人是否有权访问指定房间。当它找到那个人时,它将它最终遇到的访问控制权限作为结果返回。通过这种方式,你能够为人们所属的组定义访问控制权限,但也可以在你需要时在树的下一层次覆写它们。
Example 1: We ask: "Does Luke have access to the Lounge?".
例1:我们问"Luke有访问休息室的权限吗?"
Set the default result, "DENY".
设置缺省结果,"拒绝"
Work out a path to Luke:
遍历ARO树以找到Luke
Millennium Falcon Passengers → Passengers → Jedi → Luke
千年隼号乘客→ 乘客→ 绝地战士→ Luke
Start at the top of the tree and move towards Luke: The "Millennium Falcon Passengers" node doesn't say anything about any room, so do nothing here.从ARO树顶开始遍历到Luke:"千年隼号乘客"节点没有定义任何权限,所以这儿不做任何事情。
Move on to "Passengers", which explicitly says that "Passengers" have Lounge access, so change the internal result to "ALLOW".
移动到"乘客"节点,这儿清楚地表示"乘客"有进入休息室的权限,所以改变内部结果为"允许"。
Move to the "Jedi" node, which doesn't mention the Lounge at all.
移动到"绝地战士"节点,这儿根本没有提到任何关于休息室的话。
Finally move to Luke's node, and again there's nothing there about the Lounge.
最后移动到Luke,这儿也没提至休息室
There's nowhere left to go, so the result returned is the current value of the internal result: "ALLOW"
现在已经到达终点了,所以返回结果就是当前的内部结果值:"允许"
Example 2: We ask: "Does Chewie have access to the Engines?"
例2:我们问:"Chewie有权访问发动机室吗?"
Set the default result, "DENY".
设置缺省结果,"拒绝"
Work out a path to Chewie:
遍历ARO树以找出Chewie:
Millennium Falcon Passengers → Crew → Chewie
千年隼号乘客→ 船员→ Chewie
Start at the top of the tree and move towards Chewie. The "Millennium Falcon Passengers" node doesn't say anything about anywhere, so do nothing here.从ARO树顶开始遍历到Chewie,"千年隼号乘客"节点没有定义任何权限,所以这儿不做任何事情。
Move on to "Crew", which explicitly says that "Crew" have Engine access, so change the internal result to "ALLOW".
移至"船员"节点,该节点明确表明"船员"组拥有访问发动机室的权限,因此改变内部结果为"允许"。
Move to Chewie's node, and there's an explicit rule saying that he doesn't have access to the Engines, so change the internal result to "DENY".
移至Chewie节点,该节点规则表明没有访问发动机室的权限,因此改变内部结果为"拒绝"。
There's nowhere left to go, so the result returned is the current value of the internal result: "DENY"
现在已经到达终点了,所以返回结果就是当前的内部结果值:"拒绝"
As you can see from the examples, if a Group doesn't explicitly specify a permission for a room, then that Group inherits the access restrictions of its parent for that room. If the root node ("Millennium Falcon Passengers") doesn't specify a permission, it inherits it from the default setting ("DENY ALL" in the above examples).
就象你从例子上看到的那样,如果一个组没被明确指定访问某个房间的权限的话,那么该组就会继承其父节点对该房间的权限。如果根节点("千年隼号乘客")也没有被指定权限的知,则它继承它的缺省设置(在上面的例子里是"全部拒绝")
This implies a couple of interesting points about the ARO tree:
从上面的例子我们不难看出ARO树中有意思的几点:
The ARO tree always shows the full list of the AROs. It would not make sense to ask "Does Jabba have access to the Cockpit?" because Jabba has not been defined in this system. However, phpGACL does not check to see if AROs or ACOs exist before performing the check, so if this question was actually asked then the result would be the default "DENY".
ARO树总是列出完整的ARO对象列表。如果问题是"Jabba是否有权进入驾驶室?"那就显得很不合理了,因为Jabba并未在这个系统中提及。然而,phpGACL在进行权限检查之前并不检查ARO对象或ACO对象是否存在,因此如果真被问及上述问题,则返回的结果将是缺省值"拒绝"。
The ARO tree may not display some defined ACOs, and relies on the default setting to define access policy. For example, say Han defined a "Bathroom" ACO. Any question like "Does Luke have access to the Bathroom?" would have the answer "DENY", because the default is "DENY" and nowhere in the ARO tree does it ever explicitly mention the Bathroom. Keep in mind when examining the ARO tree that some ACOs may not be visible.
在ARO树中也许并不显示某些已被定义的ACO对象,而是凭借缺省值来进行权限策略的设定。比如说Han定义了一个"浴室"ACO对象,那么任何诸如"Luke有权进浴室吗?"这样的问题将会得到"拒绝"这样的回答,因为在ARO树中没有任何地方明确地说明了浴室的权限而缺省的值又是"拒绝"。请记住检查ARO树时有些ACO对象也许是看不见的。
Note: When asking phpGACL questions about access to an ACO, it is not possible to use Groups as AROs (even though it might 'seem' right). For example, it is impossible to answer the question "Do Passengers have access to Guns?" The complete answer is not a Boolean "ALLOW" or "DENY", but the more complex "Luke and Obi-wan can but R2D2 and C3PO cannot." phpGACL is not designed to return that kind of answer.
注意:当询问phpGACL系统对某个ACO对象的权限时,它不可能使用组来代替ARO对象的(尽管那看上去可能是合理的)。比如说象回答诸如"乘客是否有权进入武器室?"之类的问题,完整的回答不是一个简单的"允许"或"拒绝",而是更为复杂的"Luke和Obi-wan可以,而R2D2和C3PO不可以。"phpGACL系统没有被设计成能返回这样的回答。
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- [翻译]PhpGACL手册(三)
- [翻译]PhpGACL手册(五)
- [翻译]PhpGACL手册(四)
- PHP ADODB 1.99版手册中文翻译
- PHP手册翻译日记[5] chm 手册(附下载地址)
- PHP - Smarty模板引擎 - 翻译 - Manual手册 - Chapter 3. Basic Syntax第3章 基础语法 - Comments注释
- PhpGACL手册(一)
- PHP手册翻译日记[4]
- PHPExcel中文开发手册翻译版(2-1)
- PHP OPENSSL 函数手册翻译备查 -- openssl_pkey_get_public
- phpGACL中文手册(九)
- PHP手册翻译日记[3]
- [翻译]SQL Relay中PHP API参考手册
- PHP官方手册翻译-MongoDB教程
- PHP OPENSSL 函数手册翻译备查 -- openssl_cipher_iv_length
- phpGACL中文手册(三)
- phpGACL中文手册(十)
- PHP手册翻译日记[2]
- PHP ADODB 1.99版手册中文翻译
- PHP-Smarty模板引擎-翻译-手册-第15章高级特性-输出过滤器