OrmAuth - Introduction
Ormauth is a set of authentication and authorisation drivers that provide similar functionality to Simpleauth, but store their data in the database instead of in a configuration file. The data is accessed through ORM models.
Besides this, it also comes with additional functionality. Unlike Simpleauth, Ormauth supports roles assigned directly to users, and permissions assigned to both users and groups, allowing for a much more fine-grained permission system. It stores the user's metadata not in a serialized array, but in a separate metadata table, using the ORM's EAV functionality, allowing you to access metadata like any other property of the user. It also keeps track of the previous login time, which can be displayed to the user at login time as an additional security measure.
Setting up Auth
Configuration starts with telling the Auth package that you are going to use the Ormauth driver. This is done through the auth.php configuration file. A default file is provided in the Auth package. You should copy this file to your app/config folder before making any changes. The default file is configured for the Simpleauth drivers, so you need to change that. You will find an explanation of this config file here.
After that, specify whether the package should be autoloaded in the always_load section of app/config/config.php.
As OrmAuth uses the ORM to access the database, make sure you have added the 'orm' package to the always_load section too!
ACLs
OrmAuth has a much more fine-grained ACL system than SimpleAuth. It has the following structure:
- Every user is a member of one, and exactly one, group
- Every user has zero or more roles assigned to it
- Every group has zero or more roles assigned to it
- Every user can have zero or more permissions assigned to it
- Every group can have zero or more permissions assigned to it
- Every role can have zero or more permissions assigned to it
- Every permission belongs to a permission area
- Every permission can have zero or more associated actions
All the permissions are aggregated per user. A role can have special permission flags that may alter the aggregated permissions. These are:
- "All access". Users with this role have all access. This is typically used for a 'super-admin' role. It overrules all permissions set.
- "No access". Users with this role have no access. This is typically used for a 'banned' role. It overrules all permissions set.
- "Revoke permissions". Permissions set on this role will be removed from the aggregated permissions set.
Note that "revoked" permissions are checked before all others. This allows you to create permission constructs like "all access for this super-admin, except to the top-secret area of the application".
When checking for access, you specify the required access as area.permission when you want to check a single right, as area.[permission,permission,...] when you want to check multiple permissions at once, or as area.permission[action,action,...] when you also want to check associated actions. This is an AND check, so when you specify multiple rights, the user must have ALL of them assigned to be granted access. This allows you to construct checks like blog.comments[read,create,write,write-own,delete,delete-own].
Actions are stored as an indexed array of strings, serialized and unserialized automatically by the ORM. You can define as many actions as you want, and choose any strings you like. If needed, this allows you to set a permission on each and every action on a form, more fine-grained than you would probably ever need!
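The following is an added example, not OrmAuth's own code: a stand-alone PHP model of the aggregation and condition semantics described above, so you can see what the AND check, the role flags and the "revoke is checked first" rule actually mean for a concrete user. The data layout (permissions keyed 'area.permission' mapping to a list of action strings, roles carrying an optional flag 'all', 'none' or 'revoke'), the helper names and the sample data are assumptions made for illustration; OrmAuth stores these in the database tables and evaluates them through Auth::has_access().

```php
<?php
// Added example, not OrmAuth's own code: a stand-alone model of the
// aggregation and condition semantics described above. The data layout
// (arrays keyed 'area.permission' => list of action strings, roles carrying
// an optional flag 'all', 'none' or 'revoke') is an assumption for illustration.

// Parse 'area.permission', 'area.[p1,p2,...]' or 'area.permission[a1,a2,...]'
// into a list of required (area, permission, actions) tuples.
function parse_condition($condition)
{
    if ( ! preg_match('/^([^.\[\]]+)\.(?:\[([^\]]+)\]|([^.\[\]]+)(?:\[([^\]]*)\])?)$/', $condition, $m))
    {
        throw new InvalidArgumentException('Malformed access condition: '.$condition);
    }
    $split = function ($list) {
        return array_values(array_filter(array_map('trim', explode(',', $list)), 'strlen'));
    };
    $required = array();
    if (isset($m[2]) and $m[2] !== '')
    {
        // area.[permission,...]: several permissions, no actions
        foreach ($split($m[2]) as $permission)
        {
            $required[] = array('area' => $m[1], 'permission' => $permission, 'actions' => array());
        }
    }
    else
    {
        // area.permission or area.permission[action,...]
        $actions = isset($m[4]) ? $split($m[4]) : array();
        $required[] = array('area' => $m[1], 'permission' => $m[3], 'actions' => $actions);
    }
    return $required;
}

// Build the effective permission set of one user from the user's own permissions,
// the group's permissions and the roles assigned to the user or the group.
function aggregate_permissions(array $user_permissions, array $group_permissions, array $roles)
{
    $merge = function (array $into, array $perms) {
        foreach ($perms as $key => $actions)
        {
            $have = isset($into[$key]) ? $into[$key] : array();
            $into[$key] = array_values(array_unique(array_merge($have, $actions)));
        }
        return $into;
    };
    $effective = array('all' => false, 'none' => false, 'granted' => array(), 'revoked' => array());
    $effective['granted'] = $merge($effective['granted'], $user_permissions);
    $effective['granted'] = $merge($effective['granted'], $group_permissions);
    foreach ($roles as $role)
    {
        switch (isset($role['flag']) ? $role['flag'] : null)
        {
            case 'all':    $effective['all']  = true; break;
            case 'none':   $effective['none'] = true; break;
            case 'revoke': $effective['revoked'] = $merge($effective['revoked'], $role['permissions']); break;
            default:       $effective['granted'] = $merge($effective['granted'], $role['permissions']);
        }
    }
    return $effective;
}

// AND check: every required permission, and every required action on it, must be present.
function has_access(array $effective, $condition)
{
    foreach (parse_condition($condition) as $req)
    {
        $key = $req['area'].'.'.$req['permission'];
        // Revoked permissions are checked before anything else, so a revoke
        // on a role wins even over an "all access" role.
        if (isset($effective['revoked'][$key])) return false;
        // Assumption: a user carrying both flags gets "no access" (deny wins).
        if ($effective['none']) return false;
        if ($effective['all']) continue;
        if ( ! isset($effective['granted'][$key])) return false;
        if (array_diff($req['actions'], $effective['granted'][$key])) return false;
    }
    return true;
}

// Constructed sample data: a user in a group, plus a super-admin role that has
// the 'topsecret' area revoked. The second run drops the super-admin role.
$user_permissions  = array('blog.comments' => array('read', 'create'));
$group_permissions = array('blog.posts' => array('read'));
$roles = array(
    array('flag' => 'all',    'permissions' => array()),
    array('flag' => 'revoke', 'permissions' => array('topsecret.files' => array())),
);
foreach (array('blog.comments[read,create]', 'topsecret.files', 'blog.[comments,posts]', 'blog.comments[read,delete]') as $condition)
{
    $with_all = has_access(aggregate_permissions($user_permissions, $group_permissions, $roles), $condition);
    $without  = has_access(aggregate_permissions($user_permissions, $group_permissions, array_slice($roles, 1)), $condition);
    printf("%-30s super-admin: %-7s editor: %s\n", $condition, $with_all ? 'granted' : 'denied', $without ? 'granted' : 'denied');
}
```

Running it prints one line per condition for both users. Note in particular that 'topsecret.files' is denied for the super-admin despite the all-access flag, because revokes are evaluated first, and that 'blog.comments[read,delete]' is denied for the editor because an action missing from the aggregated set fails the AND check.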
Caching
To reduce database I/O, the OrmAuth drivers make heavy use of caching, to avoid having to retrieve the entire permission set for the logged-in user on every page request. Make sure your cache configuration is set up before you start using OrmAuth.
All cache entries are created with the prefix defined in the OrmAuth configuration file. They are created without an expiration timestamp, so when you design your admin backend, make sure to delete the required cache entries after an update, so the cache can be refreshed.
The following cache keys are used by OrmAuth:
- <prefix>.groups - complete list of all defined groups
- <prefix>.roles - complete list of all defined roles
- <prefix>.permissions.user_<id> - effective permissions for user <id>
After an update to the permissions system, make sure to flush the cached permissions, and, if you have changed either role or group definitions, flush them too.
// flush all the cached permissions
\Cache::delete(\Config::get('ormauth.cache_prefix', 'auth').'.permissions');
// flush all the cached groups
\Cache::delete(\Config::get('ormauth.cache_prefix', 'auth').'.groups');
// flush all the cached roles
\Cache::delete(\Config::get('ormauth.cache_prefix', 'auth').'.roles');
// flush the permissions of a single user (with id 12211)
\Cache::delete(\Config::get('ormauth.cache_prefix', 'auth').'.permissions.user_12211');
Configuration
The Ormauth authentication system is configured through a configuration file, not surprisingly called 'ormauth.php'. A default file is provided in the Auth package. You should copy this file to your app/config folder before making any changes.
The following configuration values are defined:
Param | Type | Default | Description |
---|---|---|---|
db_connection | string | | Name of the database connection to use. This must match a connection defined in the db.php config file. Use null for the default DB instance. |
table_name | string | | Name of the table that holds the user information. |
table_columns | array | | List of columns to select from the user table. '*' selects all columns. The list must at least contain 'username', 'password', 'email', 'last_login', 'login_hash', 'group' and 'profile_fields'. |
cache_prefix | string | | Prefix used for cache keys when caching ORM data. |
guest_login | boolean | | If true, a dummy 'guest' user is created when nobody is logged in, so the group and ACL drivers can be used even when nobody is logged in. |
remember_me | array | | Configuration for the Ormauth 'remember_me' functionality. |
multiple_logins | boolean | | If true, multiple concurrent logins of the same user are allowed. If false, when a user logs in, any previous login is cancelled. Note that enabling this disables some login session hijacking measures! |
login_hash_salt | string | | To make the passwords used by the OrmAuth drivers extra secure, a salt value is used when hashing the passwords stored in the database. Make sure you change this default to a very random string! To hash passwords, OrmAuth uses PBKDF2, a very secure hashing mechanism. |
username_post_key | string | | Name of the input field on the login form that contains the username. |
password_post_key | string | | Name of the input field on the login form that contains the password. |
If you want to use the 'remember-me' functionality, make sure you have a valid Crypt configuration, as it uses an encrypted cookie to store the user information to be remembered.
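As an added example (not the package's shipped default file), here is an app/config/ormauth.php using the keys listed above, with the two security-relevant settings, login_hash_salt and multiple_logins, shown in their weak form next to the hardened form. The values are illustrative assumptions; the table name, the placeholder salt and the remember_me sub-keys should be taken from the default file in the Auth package.

```php
<?php
// app/config/ormauth.php -- added example, not the Auth package's default file.
// Every value below is illustrative; start from the package default and override
// only what you need. Key names are the ones listed in the table above.
return array(
    // null means: use the default DB instance from db.php
    'db_connection' => null,

    // table holding the user records (assumed name; the migration decides the real one)
    'table_name'    => 'users',

    // '*' selects all columns; the list must at least include username, password,
    // email, last_login, login_hash, group and profile_fields
    'table_columns' => array('*'),

    'cache_prefix'  => 'auth',

    // create a dummy guest user so group/ACL checks work when nobody is logged in
    'guest_login'   => true,

    // sub-keys are not listed on this page; copy them from the package default.
    // Requires a valid Crypt configuration, as the cookie is encrypted.
    'remember_me'   => array(),

    // WEAK: a fixed, guessable salt shared by every installation.
    // 'login_hash_salt' => 'put_your_salt_here',
    //
    // HARDENED: a long random value generated once per installation, e.g. with
    //   php -r 'echo bin2hex(openssl_random_pseudo_bytes(32)), PHP_EOL;'
    // and never committed to a shared repository.
    'login_hash_salt' => '<per-installation random string>',

    // WEAK: true allows concurrent logins but disables some of the
    // session-hijacking countermeasures mentioned above.
    // 'multiple_logins' => true,
    //
    // HARDENED: a new login cancels any previous login of the same user.
    'multiple_logins'   => false,

    'username_post_key' => 'username',
    'password_post_key' => 'password',
);
```

Keep the real salt out of version control (load it from an environment-specific config or an untracked file) so that a leaked repository does not hand an attacker the value needed to precompute hashes.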
Database tables
OrmAuth relies on quite a number of tables to store all its information. The Auth package contains the migration files needed to create these tables. Run
oil refine migrate --packages=auth
and the tables will be created for you.
Example
Here is a sample login action:
public function action_login()
{
    $data = array();

    // If the submit button was pressed, run through the steps below.
    if (Input::post())
    {
        // Check the credentials. This assumes the tables described above have been
        // created and that you use the table definition and configuration shown above.
        if (Auth::login())
        {
            // Credentials are OK, go straight to the page below.
            Response::redirect('success_page');
        }
        else
        {
            // Oops! No access for you. Try logging in again. Reset the username field
            // and set some values so the view can show some error text.
            $data['username']    = Input::post('username');
            $data['login_error'] = 'Wrong username/password combo. Try again';
        }
    }

    // Show the login form.
    echo View::forge('auth/login', $data);
}
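The login action above only authenticates. The following is an added example (not from the original page) of the other half: enforcing the login state and an OrmAuth permission check centrally in a base controller's before() method, so that no protected action can be reached without the aggregated right it requires. The class names, the 'login' route, the view path and the permission strings are assumptions; Auth::check(), Auth::has_access(), Auth::logout(), Response::redirect() and HttpNotFoundException are the FuelPHP calls the example relies on.

```php
<?php
// Added example (not from the original page): enforcing OrmAuth checks
// centrally in a base controller instead of in every action. The class
// names, the 'login' route and the permission strings are assumptions.
class Controller_Admin extends Controller
{
    // Each subclass sets the right it needs; the AND semantics described above apply.
    protected $required_access = 'admin.dashboard';

    public function before()
    {
        parent::before();

        // Nobody logged in: send the visitor to the login form.
        if ( ! Auth::check())
        {
            Response::redirect('login');
        }

        // Logged in, but the aggregated permission set lacks the required right.
        // Answering 404 rather than 403 avoids confirming that the area exists.
        if ( ! Auth::has_access($this->required_access))
        {
            throw new HttpNotFoundException();
        }
    }

    public function action_logout()
    {
        // Ends the session; with multiple_logins disabled a new login elsewhere
        // would have cancelled this one anyway.
        Auth::logout();
        Response::redirect('login');
    }
}

// Every action of this controller now requires both the 'read' and the
// 'delete' action on blog.comments (an AND check, as described above).
class Controller_Admin_Comments extends Controller_Admin
{
    protected $required_access = 'blog.comments[read,delete]';

    public function action_index()
    {
        // assumed view path
        return View::forge('admin/comments');
    }
}
```

Because the check runs in before(), adding a new action to Controller_Admin_Comments cannot accidentally bypass the permission check; to relax or tighten the requirement for one controller you change only its $required_access string.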