Uber的基于属性的访问控制

Uber relies on microservices to support its operations. Microservices necessitate a flexible authorization policy model to satisfy their unique authorization requirements. Attribute-based access control (ABAC) offers a dynamic, context-aware, and risk-intelligent approach to access control. By leveraging ABAC, access control policies can be crafted based on specific attributes obtained from diverse information systems. This enables Uber to establish a sophisticated access policy management system that facilitates access in a manner that promotes least privilege, enhances efficiency and effectiveness, and, most importantly, maintains consistency across dissimilar information systems when managing access.

Uber依靠微服务来支持其运营。微服务需要一个灵活的授权策略模型来满足其独特的授权要求。基于属性的访问控制（ABAC）提供了一种动态、上下文感知和风险智能的访问控制方法。通过利用ABAC，可以基于从各种信息系统获取的特定属性来制定访问控制策略。这使得Uber能够建立一个复杂的访问策略管理系统，以促进最小特权原则、提高效率和效果，并在管理访问时在不同的信息系统之间保持一致性。

Context

上下文

Uber implements policy-based access control using a centralized service known as “Charter” to manage all access control policies. This is similar to AWS’ or Google Cloud’s IAM policies. These policies are then distributed to the various microservices. The microservices evaluate and enforce the distributed authorization policies using a local library called “authfx“.

Uber使用一个名为'Charter'的集中式服务来实现基于策略的访问控制，以管理所有访问控制策略。这类似于AWS或Google Cloud的IAM策略。然后将这些策略分发给各个微服务。微服务使用名为'authfx'的本地库来评估和执行分布式授权策略。

The authorization request can be abstracted as:
An Actor is performing an Action on a Resource in a given Context.

授权请求可以抽象为：
在给定的上下文中，演员正在对资源执行操作。

A generic term for an entity which is the subject of an authorization decision. Authentication verifies the actor’s identity and enforces access. 

一个授权决策的主体实体的通用术语。身份验证验证actor的身份并强制访问。

At Uber, the actor is represented in SPIFFE format. A few examples of actors:

在Uber中，actor以SPIFFE格式表示。以下是一些actor的示例：