Filter

        filter: `({ action, params, context, util }) => {
          if (action === "player.remove") {
            return context.user.player.isAdmin && context.user.player.id != params.id;
          } else if (action === "player.create") {
            return context.user && (!context.user.player || context.user.player.isAdmin); 
          }
          return true;
        }`,
      },

๋‹ค์Œ์œผ๋กœ filter ์ ‘๊ทผ ์ œ์–ด ํ”Œ๋Ÿฌ๊ทธ์ธ์— ๋”ฐ๋ผ action|event, params, context, util์„ ์ฃผ์ž…ํ•˜์—ฌ ํ•จ์ˆ˜๋ฅผ ์‹คํ–‰ํ•˜๋ฉฐ, true ๊ฐ’์ด ๋ฐ˜ํ™˜๋˜๋Š” ๊ฒฝ์šฐ ํ†ต๊ณผํ•ฉ๋‹ˆ๋‹ค. FBAC์€ ACL์ด๋‚˜ RBAC์ฒ˜๋Ÿผ ๋Œ€์ค‘ํ™”๋˜์ง€๋Š” ์•Š์•˜์œผ๋‚˜, ABAC์˜ ํ™•์žฅ ๋ชจ๋ธ๋กœ ์ดํ•ดํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ๋งค์šฐ ์œ ์—ฐํ•˜์—ฌ ๋ถ„์‚ฐ ํ™˜๊ฒฝ์— ์ ํ•ฉํ•˜๋ฉฐ ํ”„๋กœ๋•์…˜์—์„œ ๊ฒ€์ฆ๋œ ๋ฐฉ์‹์ž…๋‹ˆ๋‹ค.

The filter access-control plugin, like the map connector, runs in the Gateway's Node.js VM sandbox. If an error is thrown while the filter function is being evaluated, a debug message is forwarded from the Gateway to the originating node and access is denied.

      {
        description: "player can get associated team, admin can get all the teams",
        actions: ["team.get"],
        scopes: ["player", "player.admin"],
        filter: (({ action, params, context, util }) => {
          if (context.user.player.isAdmin || params.id === context.user.player.teamId) {
            return true;
          }
          return false;
        }).toString(),
      },
    ],

As shown above, the API schema of the player service does not necessarily call only the player service's own actions. Accordingly, access control for the team service actions exposed through the player API is also defined in the player schema.

    publish: [
      {
        description: "Only admins can publish player events",
        events: ["player.**"],
        scopes: ["player"],
        filter: (({ event, params, context, util }) => {
          return context.user.player.isAdmin;
        }).toString(),
      },
    ],

In policies for the publish and subscribe connectors, an events field is written instead of actions.

    subscribe: [
      {
        events: ["player.**"],
        description: "Any user can receive player events",
        scopes: ["openid"],
      },
    ],
  },
}

When filter is omitted, as above, only scopes are applied and the filter is evaluated as if it had passed.

{
  actions: ["**"],
  scopes: ["**"],
  filter: `() => true`,
}

์ ‘๊ทผ์ œ์–ด ํ”Œ๋Ÿฌ๊ทธ์ธ์„ ๋น„ํ™œ์„ฑํ™”ํ•˜๋Š” ๊ฒƒ์€ ์œ„ ์ •์ฑ…์„ ์ž‘์„ฑํ•˜๋Š” ๊ฒƒ๊ณผ ๋™์ผํ•ฉ๋‹ˆ๋‹ค.

{
  actions: ["**"],
  scopes: ["**"],
  filter: `({ action, params, context }) => {
    // the filter receives a single object, not positional arguments
    console.log("policy filter", action, params, context);
    return true; // without an explicit true the request would be denied
  }`,
}

When you use the console object inside an Inline JavaScript Function String to print messages while debugging, those messages are not printed inside the Gateway's VM; the Gateway forwards them to the originating node.
