A RBAC
1.RBAC: full name (Role-Based Access Control); refers to authenticate the user based on access control.
2.Django framework uses RBAC certification rules, RBAC certification rules are usually divided into: three tables rule, five meter rule; Django uses a six-meter rule.
# Three tables: a user table, role table, authority table
# five tables: a user table, role table, authority table, user roles table, role permissions table
# six tables: a user table, role table, authority table, user roles relations table, table role permissions, user rights table
3. In the table is between Django Six are many relationships, you can visit the following fields across tables
# User table: Role groups, permissions user_permissions
(user table view associated with the role by groups, view the permissions user_permission)
# role table: User user_set, rights the Permissions
# permissions table: user user_set, role group_set
example: automated test scripts
# django脚本话启动
import os, django
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "dg_proj.settings")
django.setup()
# 开始测试
from api import models
user = models.User.objects.first() # type: models.User
# print(user.username)
# print(user.groups.first().name)
# print(user.user_permissions.first().name)
from django.contrib.auth.models import Group
group = Group.objects.first()
# print(group.name)
# print(group.user_set.first().username)
# print(group.permissions.first().name)
from django.contrib.auth.models import Permission
p_16 = Permission.objects.filter(pk=16).first()
# print(p_16.user_set.first().username)
# p_17 = Permission.objects.filter(pk=17).first()
# print(p_17.group_set.first().name)
Two custom tables and Precautions auth_user
Custom auth_user learning djangode table in front of cookie and session have said the emphasis here
The first step: writing code in the modles.py
# Important: If you customize the User table after yet another project using native User table, complete database migration, may fail
# 1) uninstall Django Replace
# 2) The following django.contrib admin, auth under the database migration recording folder (migration) empty, note (__init__.py not empty)
# import modules
from django.contrib.auth.models import AbstractUser
# custom User table with an example:
class User (AbstractUser):
Mobile = models.CharField ( =. 11 MAX_LENGTH, UNIQUE = True)
class Meta -:
named db_table, = ' api_user '
the verbose_name = ' user table '
verbose_name_plural = the verbose_name
def __str__(self):
return self.username
Step Two: Configure in the settings.py
# Configure a custom user table: AUTH_USER_MODEL = 'custom application name class name.'
AUTH_USER_MODEL = ' api.User '
The third step: perform a database migration command
python3 manage.py makemigrations
python3 manage.py migrate
Three certification authority component assembly source code analysis
"""
1)APIView的dispath(self, request, *args, **kwargs)
2)dispath方法内 self.initial(request, *args, **kwargs) 进入三大认证
# 认证组件:校验用户 - 游客、合法用户、非法用户
# 游客:代表校验通过,直接进入下一步校验(权限校验)
# 合法用户:代表校验通过,将用户存储在request.user中,再进入下一步校验(权限校验)
# 非法用户:代表校验失败,抛出异常,返回403权限异常结果
self.perform_authentication(request)
# 权限组件:校验用户权限 - 必须登录、所有用户、登录读写游客只读、自定义用户角色
# 认证通过:可以进入下一步校验(频率认证)
# 认证失败:抛出异常,返回403权限异常结果
self.check_permissions(request)
# 频率组件:限制视图接口被访问的频率次数 - 限制的条件(IP、id、唯一键)、频率周期时间(s、m、h)、频率的次数(3/s)
# 没有达到限次:正常访问接口
# 达到限次:限制时间内不能访问,限制时间达到后,可以重新访问
self.check_throttles(request)
3) 认证组件
Request类的 方法属性 user 的get方法 => self._authenticate() 完成认证
认证的细则:
# 做认证
def _authenticate(self):
# 遍历拿到一个个认证器,进行认证
# self.authenticators配置的一堆认证类产生的认证类对象组成的 list
for authenticator in self.authenticators:
try:
# 认证器(对象)调用认证方法authenticate(认证类对象self, request请求对象)
# 返回值:登陆的用户与认证的信息组成的 tuple
# 该方法被try包裹,代表该方法会抛异常,抛异常就代表认证失败
user_auth_tuple = authenticator.authenticate(self)
except exceptions.APIException:
self._not_authenticated()
raise
# 返回值的处理
if user_auth_tuple is not None:
self._authenticator = authenticator
# 如何有返回值,就将 登陆用户 与 登陆认证 分别保存到 request.user、request.auth
self.user, self.auth = user_auth_tuple
return
# 如果返回值user_auth_tuple为空,代表认证通过,但是没有 登陆用户 与 登陆认证信息,代表游客
self._not_authenticated()
4) 权限组件
self.check_permissions(request)
认证细则:
def check_permissions(self, request):
# 遍历权限对象列表得到一个个权限对象(权限器),进行权限认证
for permission in self.get_permissions():
# 权限类一定有一个has_permission权限方法,用来做权限认证的
# 参数:权限对象self、请求对象request、视图类对象
# 返回值:有权限返回True,无权限返回False
if not permission.has_permission(request, self):
self.permission_denied(
request, message=getattr(permission, 'message', None)
)
"""
四 认证组件
"""
1) 创建继承BaseAuthentication的认证类
2) 实现authenticate方法
3) 实现体根据认证规则 确定游客、非法用户、合法用户
4) 进行全局或局部配置
认证规则
i.没有认证信息返回None(游客)
ii.有认证信息认证失败抛异常(非法用户)
iii.有认证信息认证成功返回用户与认证信息元组(合法用户)
"""
authentications.py文件(也可以在其他文件夹下建立如utils文件夹);编写代码
# 自定义认证类
# 1)继承BaseAuthentication类
# 2)重新authenticate(self, request)方法,自定义认证规则
# 3)认证规则基于的条件:
# 没有认证信息返回None(游客)
# 有认证信息认证失败抛异常(非法用户)
# 有认证信息认证成功返回用户与认证信息元组(合法用户)
# 4)完全视图类的全局(settings文件中)或局部(确切的视图类)配置
from rest_framework.authentication import BaseAuthentication
from rest_framework.exceptions import AuthenticationFailed
from . import models
class MyAuthentication(BaseAuthentication):
def authenticate(self, request):
# 前台在请求头携带认证信息,
# 且默认规范用 Authorization 字段携带认证信息,
# 后台固定在请求对象的META字段中 HTTP_AUTHORIZATION 获取
auth = request.META.get('HTTP_AUTHORIZATION', None)
# 处理游客
if auth is None:
return None
# 设置一下认证字段小规则(两段式):"auth 认证字符串"
auth_list = auth.split()
# 校验合法还是非法用户
if not (len(auth_list) == 2 and auth_list[0].lower() == 'auth'):
raise AuthenticationFailed('认证信息有误,非法用户')
# 合法的用户还需要从auth_list[1]中解析出来
# 注:假设一种情况,信息为abc.123.xyz,就可以解析出admin用户;实际开发,该逻辑一定是校验用户的正常逻辑
if auth_list[1] != 'abc.123.xyz': # 校验失败
raise AuthenticationFailed('用户校验失败,非法用户')
user = models.User.objects.filter(username='admin').first()
if not user:
raise AuthenticationFailed('用户数据有误,非法用户')
return (user, None)
# 登录:账号密码 => token(账号密码对应的用户)
# 访问需要登录的接口:携带token发送请求 => 校验token,得到用户
第二步:settings.py全局配置
# drf配置
REST_FRAMEWORK = {
# 认证类配置
'DEFAULT_AUTHENTICATION_CLASSES': [
# 'rest_framework.authentication.SessionAuthentication',
# 'rest_framework.authentication.BasicAuthentication',
# 全局使用自定义认证类注意路径拼写:应用名.文件名.自定义类名
'api.authentications.MyAuthentication',
],
}