Role-based security with Google App Engine and Pyt

2019-05-01 11:15发布

问题:

I would like to ask what is the common way for handling role-based security with Google App Engine, Python?

In the app.yaml, there is the "login" section, but available values are only "admin" and "required".

How do you normally handle role-based security?

  • Create the model with two tables: Roles and UserRoles
  • Import values for Roles table
  • Manually add User to UserRoles
  • Check if user is in the right Roles group

Any other idea or any other method for role-based security, please let us know!

回答1:

I would do this by adding a ListProperty for roles to the model representing users. The list contains any roles a given user belongs to. This way if you want to know whether a given user belongs to a given role (I expect, the most common operation), it is a fast membership test.

You could put the role names directly into the lists as strings or add a layer of indirection to another entity specifying the details about the role so it is easy to change the details later. But, this has a runtime cost of an additional RPC to fetch the details about the role.

The downside to this method comes if you want to remove all users from a given role, or perform any other kind of global operation. I suppose you could mark a role 'deleted', but then you still have data cluttering up all your user models until you clean them up manually. So I am curious to hear what others suggest.