Question
I've recently been looking at using Apigee's BaaS, as an alternative to something like Parse, for a mobile application. Now Parse obviously allows you to create ACLs etc. to define who can read/write to particular objects. I know BaaS has the concept of roles but there are a few issues I'm struggling with. I understand the concept of using access tokens to do this via Edge. I'm just not sure how I actually set the roles/ACL on each object and any relations.
1) I know I can use Edge to create API endpoints and then use these proxies to hit my BaaS, and I can secure these proxies with access tokens, but how can I protect against someone just finding out my BaaS URL and calling /users, for example, to expose the user collection and everyone's email?
2) I did notice in the docs that when you set permissions you can use the special ${user} placeholder to represent only allowing access to the current user. However, when I try to add PUT permission on /users/${user} via the web interface it complains about invalid characters. Can you only set this via an API call? How would you go about securing resources to specific users? So if every user had a 'todo list', how could I ensure users can only access their own items? Would I need to set up relations? How would you go about this?
**Edit:** I've managed to get most of this working by creating a proxy on Edge to my BaaS endpoint. When a user is created, the proxy then makes a service callout during the response, using the newly returned uuid and an organization access_token to update the permissions so that the newly created user can edit themselves. However, this still seems like a rather convoluted process to me and I feel like it should be easier. My main concern is that if users are taking these actions on a mobile device then, according to the docs, I should only use a user's access token. However, a user access token won't let me update permissions for a user! I feel like I'm stuck in a bit of a catch-22 situation. To make my app more secure I need to use credentials that will make it overall less secure!
Thanks
Answer 1:
One thing to consider is using the Apigee a127 product. You could put all of the logic that requires more extensive credentials into a Node.js app running anywhere, even hosted within Apigee. This would allow you to do any housekeeping you need to do on the server instead of on the device. You can read more about Apigee a127 at http://apigee.com/docs/api-services/content/apigee-127
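Added example, not code from the question or the answer: a server-side helper in the style of the Node.js app the answer suggests, which performs the permission grant the question's edit describes so that the organization token stays on the server and only a user token is ever shipped to the device. The endpoint paths and the BAAS_BASE / ORG_TOKEN names are assumptions about the BaaS API, not taken from the page.

```javascript
// Added example (not from the page). Assumed: a per-user permissions endpoint
// POST {base}/users/{uuid}/permissions and a role endpoint
// POST {base}/roles/{role}/permissions, both accepting {"permission": "<verbs>:<path>"}.
const BAAS_BASE = process.env.BAAS_BASE || "https://baas.example.invalid/my-org/my-app"; // constructed placeholder
const ORG_TOKEN = process.env.ORG_TOKEN || "ORG-TOKEN-PLACEHOLDER-KEEP-SERVER-SIDE";         // constructed placeholder

// Only a UUID may be interpolated into a permission string; anything else
// (a wildcard, a path segment, a crafted username) would widen the grant.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function authHeaders() {
  return { Authorization: `Bearer ${ORG_TOKEN}`, "Content-Type": "application/json" };
}

// The callout from the question's edit: after a user is created, let exactly
// that user read and update their own entity and nothing else.
function buildSelfPermissionRequest(userUuid) {
  if (!UUID_RE.test(userUuid)) {
    throw new Error("refusing to grant permission for a non-UUID subject");
  }
  return {
    method: "POST",
    url: `${BAAS_BASE}/users/${userUuid}/permissions`, // assumed endpoint
    headers: authHeaders(),
    body: JSON.stringify({ permission: `get,put:/users/${userUuid}` }),
  };
}

// The alternative the question mentions: one role-level rule using the
// ${user} placeholder, set once through the API instead of once per user.
function buildDefaultRoleSelfRule() {
  return {
    method: "POST",
    url: `${BAAS_BASE}/roles/default/permissions`, // assumed endpoint
    headers: authHeaders(),
    body: JSON.stringify({ permission: "get,put:/users/${user}" }), // literal placeholder, not interpolated
  };
}

// Send a built request with Node 18+ global fetch; never called offline.
async function send(req) {
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`permission grant failed with HTTP ${res.status}`);
  return res.json();
}
```

The proxy on Edge only needs to pass the new uuid to this server-side code; the device never sees ORG_TOKEN.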
Source: https://stackoverflow.com/questions/26073998/securing-apigee-baas