[翻译]PhpGACL手册（二）

不知不觉已经开始写了&＃xff0c;看来只要下定决心&＃xff0c;速度还是不赖的嘛。这样看来本人的行动力还行&＃xff0c;就是翻译的水平差了点&＃xff0c;大家也就将就将就吧&＃xff0c;反正大致意思是 不会错的&＃xff01;呵呵&＃xff01;&＃xff01;E文好的牛人们呢&＃xff0c;有心的你就直接看原文&＃xff0c;有心的你就帮忙改改&＃xff08;有点象走江湖的口吻&＃xff0c;有钱的捧个钱场&＃xff0c;无钱的捧个人场&＃xff0c;^-^&＃xff09;如果您 老实在看不下来&＃xff0c;那就自己再译一个&＃xff0c;我这也算是间接为文档中文化做出了点贡献&＃xff0c;呵呵&＃xff01;

Defining access control with phpGACL
用phpGACL设置权限控制

It seems that for large or complex situations, this &＃39;access matrix&＃39; approach is clearly unsuitable. We need a better system that maintains the advantages (fine-grain control and a clear idea of who has access to what) but removes the disadvantages (difficult to summarize, and difficult to manage large groups of people at once). One solution is phpGACL.
看来对于大型或复杂的情况来说&＃xff0c;采用"权限表"方法明显不适用。我们需要一个更好的系统来继承权限表的优点&＃xff08;精细权限控制及谁能访问什么的清晰思路&＃xff09;同时摒弃它的不足&＃xff08;总结和大规模权限管理的困难&＃xff09;。phpGACL就是这样的系统之一。

phpGACL doesn&＃39;t describe access from the &＃39;bottom-up&＃39; like the Access Matrix above. Instead, it describes it &＃39;top-down&＃39;, like the textual description of Han&＃39;s access policy. This is a very flexible system that allows you to manage access in large groups, it neatly summarizes the access policy, and it&＃39;s easy to see who has access to what.
phpGACL并不象上面"权限表"那样采用"自底向上"的方式来描述权限&＃xff0c;相反&＃xff0c;它采取"由顶向下"来描述权限&＃xff0c;象Han所说那段话所表现的权限策略那样。这是一个十分灵活的系统允许你去管理大量的权限&＃xff0c;它能简明扼要地总结权限策略而且更容易看清是谁有权访问什么。

An ARO tree defines a hierarchy of Groups and AROs (things that request access). This is very similar to a tree view of folders and files. The &＃39;folders&＃39; are the Groups and the &＃39;files&＃39; are AROs.
ARO树定义ARO对象&＃xff08;要求访问权限的事物&＃xff09;和组的等级关系&＃xff0c;它同文件目录树非常相似&＃xff0c;其中的组就相当于文件夹而ARO对象则相当于文件。

Let&＃39;s make an ACL tree for the people on Han&＃39;s ship. First we define some categories for the people. It&＃39;s clear that Han and Chewie run the ship, and the rest of them are just passengers:
让我们为Han的船上的人建立一个ACL树。首先我们先把人分成几类&＃xff0c;可以很清楚地知道Han和Chewi是开船的&＃xff0c;其他人则是乘客&＃xff1a;

phpGACL

Millennium Falcon Passengers&＃xff08;千年隼号乘客&＃xff09;  Group&＃xff08;组&＃xff09;
├─Crew&＃xff08;船 员&＃xff09; Group&＃xff08;组&＃xff09;
│ ├─Han ARO
│ └─Chewie ARO
└─Passengers &＃xff08;乘客&＃xff09; Group&＃xff08;组&＃xff09;
├─Obi-wan ARO
├─Luke ARO
├─R2D2 ARO
└─C3PO ARO

Millennium Falcon Passengers&＃xff08;千年隼号乘客&＃xff09;
├─Crew &＃xff08;船员&＃xff09; [ALLOW: ALL&＃xff08;允许&＃xff1a;全部&＃xff09;]
│ ├─Han
│ └─Chewie
└─Passengers &＃xff08;乘客&＃xff09; [ALLOW: Lounge&＃xff08;允许&＃xff1a;休息室&＃xff09;]
├─Obi-wan
├─Luke
├─R2D2
└─C3PO

Firstly, the default policy is always to deny access. Permissions have been overridden for the "Crew", so they have access to everywhere ("ALL" is a synonym for all rooms: "Cockpit, Lounge, Guns, Engines"). The "Passengers" have access only to the Lounge.
首先&＃xff0c;缺省的策略总是拒绝任何访问权限的。许可对于船员来说是无效的&＃xff0c;因此他们拥有去任何房间的权限&＃xff08;"ALL"权限对所有房间都一样&＃xff0c;如驾驶室&＃xff0c;休息室&＃xff0c;武器室和发动机室&＃xff09;。而乘客则只有到休息室的权限。

• Access Control Objects (ACOs) are the things we want to control access to (e.g. web pages, databases, rooms, etc).
  权限控制对象&＃xff08;ACO对象&＃xff09;是我们想要控制的事物&＃xff08;如网页&＃xff0c;数据库&＃xff0c;房间等&＃xff09;
• Access Request Objects (AROs) are the things that request access (e.g. people, remote computers, etc)
  权限需求对象&＃xff08;ARO对象&＃xff09;是要求权限的事物&＃xff08;如人们&＃xff0c;远程计算机等&＃xff09;
• ARO trees define a hierarchy of Groups and AROs. Groups can contain other Groups and AROs.
  ARO树则定义了ARO对象及组的级别&＃xff0c;组可以包含其他组和ARO对象。
• The default &＃39;catch-all&＃39; policy for the ARO tree is always "DENY ALL".
  ARO树缺省的"catch-all"&＃xff08;全部阻止了&＃xff09;策略总是拒绝所有权限的。

• To assign access policy, work your way down the tree, explicitly assigning permissions to Groups and AROs for each ACO as the need arises.
  为分配权限策略&＃xff0c;在ARO树上按照你的想法自顶向下明确地为每一个ACO对象分配所需的权限给组和ARO对象

Fine-grain access control 
高精度权限控制

Oops! What about Chewie? By grouping him in "Crew", Han has indirectly given him access to the Engines! He doesn&＃39;t want that after what Chewie recently did to the hyperdrive, so he adds a rule to disallow this:
哎呀&＃xff01;Chewie怎么办呢&＃xff1f;他被分入了"船员"组&＃xff0c;Han已经间接地给了他到发动机室的权限了&＃xff01;但这并不是他所想的&＃xff0c;因此他增加了一条规则来禁止这个权限&＃xff1a;

Multi-level Groups
多层次组

Groups can be extended to any level in the ARO tree. For example, you could add a Group "Jedi" to "Passengers". Most passengers would be categorized under "Passengers", but Luke and Obi-wan would be under "Jedi" and therefore might be extended extra privileges (like access to the Cockpit):
组可以扩展到ARO树中的任何一个层次。例如&＃xff0c;你可以增加"绝地战士"组到"乘客"组中&＃xff0c;大多数乘客将被分到"乘客"组下&＃xff0c;但Luke和Obi-wan将被分到"绝地战士"组下&＃xff0c;因此他们也就扩展了其他额外的权利&＃xff08;如可以到驾驶室&＃xff09;

How does phpGACL determine permissions?
phpGACL怎样确定权限呢&＃xff1f;

When the ship&＃39;s computer (running phpGACL of course) checks access, the only question it can ask itself is "Does person X have access to room Y?" In phpGACL terms, this is rephrased as "Does ARO &＃39;X&＃39; have access to ACO &＃39;Y&＃39;?"
当飞船上的计算机&＃xff08;当然运行是的phpGACL了&＃xff09;检查权限时&＃xff0c;它只需要问自己这样一个问题&＃xff1a;"X人有权进入Y房间吗&＃xff1f;"用phpGACL的说法就是"ARO对象X有权访问ACO对象Y吗&＃xff1f;"

phpGACL determines whether a specific person has access to a specific room by working from the top of the ARO tree towards the specified person, noting explicit access controls for that place along the way. When it reaches that person, it uses the last explicit access control it encountered as the result to return. In this way, you can define access controls for groups of people, but over-ride them further down the tree if you need to.
phpGACL通过从ARO树的顶部向下遍历的方式&＃xff0c;直到找到那个人&＃xff0c;明确其访问控制权限来确定该人是否有权访问指定房间。当它找到那个人时&＃xff0c;它将它最终遇到的访问控制权限作为结果返回。通过这种方式&＃xff0c;你能够为人们所属的组定义访问控制权限&＃xff0c;但也可以在你需要时在树的下一层次覆写它们。

• Set the default result, "DENY".
  设置缺省结果&＃xff0c;"拒绝"

• Work out a path to Luke:
  遍历ARO树以找到Luke

Millennium Falcon Passengers → Passengers → Jedi → Luke
千年隼号乘客→ 乘客→ 绝地战士→ Luke

• Start at the top of the tree and move towards Luke: The "Millennium Falcon Passengers" node doesn&＃39;t say anything about any room, so do nothing here.
  从ARO树顶开始遍历到Luke&＃xff1a;"千年隼号乘客"节点没有定义任何权限&＃xff0c;所以这儿不做任何事情。

• Move on to "Passengers", which explicitly says that "Passengers" have Lounge access, so change the internal result to "ALLOW".
  移动到"乘客"节点&＃xff0c;这儿清楚地表示"乘客"有进入休息室的权限&＃xff0c;所以改变内部结果为"允许"。

• Move to the "Jedi" node, which doesn&＃39;t mention the Lounge at all.
  移动到"绝地战士"节点&＃xff0c;这儿根本没有提到任何关于休息室的话。

• Finally move to Luke&＃39;s node, and again there&＃39;s nothing there about the Lounge.
  最后移动到Luke&＃xff0c;这儿也没提至休息室

• There&＃39;s nowhere left to go, so the result returned is the current value of the internal result: "ALLOW"
  现在已经到达终点了&＃xff0c;所以返回结果就是当前的内部结果值&＃xff1a;"允许"

• Set the default result, "DENY".
  设置缺省结果&＃xff0c;"拒绝"

• Work out a path to Chewie:
  遍历ARO树以找出Chewie&＃xff1a;

Millennium Falcon Passengers → Crew → Chewie
千年隼号乘客→ 船员→ Chewie

• Start at the top of the tree and move towards Chewie. The "Millennium Falcon Passengers" node doesn&＃39;t say anything about anywhere, so do nothing here.
  从ARO树顶开始遍历到Chewie&＃xff0c;"千年隼号乘客"节点没有定义任何权限&＃xff0c;所以这儿不做任何事情。

• Move on to "Crew", which explicitly says that "Crew" have Engine access, so change the internal result to "ALLOW".
  移至"船员"节点&＃xff0c;该节点明确表明"船员"组拥有访问发动机室的权限&＃xff0c;因此改变内部结果为"允许"。

• Move to Chewie&＃39;s node, and there&＃39;s an explicit rule saying that he doesn&＃39;t have access to the Engines, so change the internal result to "DENY".
  移至Chewie节点&＃xff0c;该节点规则表明没有访问发动机室的权限&＃xff0c;因此改变内部结果为"拒绝"。

• There&＃39;s nowhere left to go, so the result returned is the current value of the internal result: "DENY"
  现在已经到达终点了&＃xff0c;所以返回结果就是当前的内部结果值&＃xff1a;"拒绝"

As you can see from the examples, if a Group doesn&＃39;t explicitly specify a permission for a room, then that Group inherits the access restrictions of its parent for that room. If the root node ("Millennium Falcon Passengers") doesn&＃39;t specify a permission, it inherits it from the default setting ("DENY ALL" in the above examples).
就象你从例子上看到的那样&＃xff0c;如果一个组没被明确指定访问某个房间的权限的话&＃xff0c;那么该组就会继承其父节点对该房间的权限。如果根节点&＃xff08;"千年隼号乘客"&＃xff09;也没有被指定权限的知&＃xff0c;则它继承它的缺省设置&＃xff08;在上面的例子里是"全部拒绝"&＃xff09;

This implies a couple of interesting points about the ARO tree:
从上面的例子我们不难看出ARO树中有意思的几点&＃xff1a;

• The ARO tree always shows the full list of the AROs. It would not make sense to ask "Does Jabba have access to the Cockpit?" because Jabba has not been defined in this system. However, phpGACL does not check to see if AROs or ACOs exist before performing the check, so if this question was actually asked then the result would be the default "DENY".
  ARO树总是列出完整的ARO对象列表。如果问题是"Jabba是否有权进入驾驶室&＃xff1f;"那就显得很不合理了&＃xff0c;因为Jabba并未在这个系统中提及。然而&＃xff0c;phpGACL在进行权限检查之前并不检查ARO对象或ACO对象是否存在&＃xff0c;因此如果真被问及上述问题&＃xff0c;则返回的结果将是缺省值"拒绝"。

• The ARO tree may not display some defined ACOs, and relies on the default setting to define access policy. For example, say Han defined a "Bathroom" ACO. Any question like "Does Luke have access to the Bathroom?" would have the answer "DENY", because the default is "DENY" and nowhere in the ARO tree does it ever explicitly mention the Bathroom. Keep in mind when examining the ARO tree that some ACOs may not be visible.
  在ARO树中也许并不显示某些已被定义的ACO对象&＃xff0c;而是凭借缺省值来进行权限策略的设定。比如说Han定义了一个"浴室"ACO对象&＃xff0c;那么任何诸如"Luke有权进浴室吗&＃xff1f;"这样的问题将会得到"拒绝"这样的回答&＃xff0c;因为在ARO树中没有任何地方明确地说明了浴室的权限而缺省的值又是"拒绝"。请记住检查ARO树时有些ACO对象也许是看不见的。