Creating fast, dynamic ACLs in Zend Framework

1. Creating fast, dynamic ACLs in Zend Framework Wim Godden Cu.be Solutions

2. Who am I ? Wim Godden (@wimgtr)

3. Owner of Cu.be Solutions (http://cu.be)

4. PHP developer since 1997

5. Developer of OpenX

6. Zend Certified Engineer

7. Zend Framework Certified Engineer

8. MySQL Certified Developer

9. Talking about... Authentication -> Zend_Auth Auditing -> Zend_Log Authorization -> Zend_Acl

10. Authorization Wikipedia : "the function of specifying access rights to resources"

11. What's a resource ? Object (Article, Invoice, Document, …)

12. Webpage

13. Database / table / row

14. ...

15. Standard ACL Access to resources is defined in privileges

16. Privileges are grouped together in roles

17. 2 types of roles : Anonymous / Unknown

18. Registered / Known

19. Zend_Acl : the good Flexible

20. Uses standard role / resource principles Recognizable -> easy to get started No link to specific backend

21. Allow + deny

22. Proven, tested

23. Zend_Acl : the bad & ugly Complexity of rules rises quickly

24. Performance issues

25. All rules are in-code

26. -> maintainability becomes an issue

27. Evolution of a portal $acl = new Zend_Acl(); $acl->addRole( new Zend_Acl_Role( 'guest' )); $acl->addRole( new Zend_Acl_Role( 'member' ), 'guest' ); $acl->addRole( new Zend_Acl_Role( 'admin' ), 'member' ); $acl->addResource( new Zend_Acl_Resource( 'cms' )); $acl->addResource( new Zend_Acl_Resource( 'report' )); $acl->allow( 'guest' , 'cms' , 'view' ); $acl->allow( 'admin' , 'cms' , 'edit' ); $acl->deny( 'guest' , 'report' ); $acl->allow( 'member' , 'report' );

28. Evolution of a portal $acl = new Zend_Acl(); $acl->addRole( new Zend_Acl_Role( 'guest' )); $acl->addRole( new Zend_Acl_Role( 'departmentA' ), 'guest' ); $acl->addRole( new Zend_Acl_Role( 'departmentB' ), 'guest' ); $acl->addRole( new Zend_Acl_Role( 'admin' ), 'member' ); $acl->addResource( new Zend_Acl_Resource( 'cms' )); $acl->addResource( new Zend_Acl_Resource( 'report' )); $acl->allow( 'guest' , 'cms' , 'view' ); $acl->allow( 'admin' , 'cms' , 'edit' ); $acl->deny( 'guest' , 'report' ); $acl->allow( 'departmentA' , 'report' );

29. Evolution of a portal $acl = new Zend_Acl(); $acl->addRole( new Zend_Acl_Role( 'guest' )); $acl->addRole( new Zend_Acl_Role( 'departmentA' ), 'guest' ); $acl->addRole( new Zend_Acl_Role( 'departmentB' ), 'guest' ); $acl->addRole( new Zend_Acl_Role( 'departmentC_senior_staff' ), 'guest' ); $acl->addRole( new Zend_Acl_Role( 'departmentC_marketing' ), 'guest' ); $acl->addRole( new Zend_Acl_Role( 'admin' ), 'member' ); $acl->addResource( new Zend_Acl_Resource( 'cms' )); $acl->addResource( new Zend_Acl_Resource( 'report' )); $acl->addResource( new Zend_Acl_Resource( 'newsletter' )); $acl->addResource( new Zend_Acl_Resource( 'photo' )); $acl->addResource( new Zend_Acl_Resource( 'faq' )); $acl->allow( 'guest' , 'cms' , 'view' ); $acl->allow( 'admin' , 'cms' , 'edit' ); $acl->deny( 'guest' , 'report' ); $acl->allow( 'departmentA' , 'report' ); $acl->deny('departmentC_senior_staff', 'newsletter'); $acl->allow('departmentC_marketing', 'newsletter'); $acl->allow('member', 'photo', 'view'); $acl->allow('departmentC_marketing', 'photo', 'upload'); $acl->allow('admin', 'photo', 'delete'); $acl->allow('guest', 'faq', 'view'); $acl->allow('member', 'faq', 'comment'); $acl->allow('departmentA', 'faq', 'edit'); $acl->allow('departmentC_senior_staff', 'faq', 'edit'); $acl->allow('admin', 'faq', 'edit');

30. Evolution of a portal $acl = new Zend_Acl(); $acl->addRole( new Zend_Acl_Role( 'guest' )); $acl->addRole( new Zend_Acl_Role( 'departmentA' ), 'guest' ); $acl->addRole( new Zend_Acl_Role( 'departmentB' ), 'guest' ); $acl->addRole( new Zend_Acl_Role( 'departmentC_senior_staff' ), 'guest' ); $acl->addRole( new Zend_Acl_Role( 'departmentC_marketing' ), 'guest' ); $acl->addRole( new Zend_Acl_Role( 'cook' ), 'guest' ); $acl->addRole( new Zend_Acl_Role( 'admin' ), 'member' ); $acl->addResource( new Zend_Acl_Resource( 'cms' )); $acl->addResource( new Zend_Acl_Resource( 'report' )); $acl->addResource( new Zend_Acl_Resource( 'newsletter' )); $acl->addResource( new Zend_Acl_Resource( 'photo' )); $acl->addResource( new Zend_Acl_Resource( 'faq' )); $acl->addResource( new Zend_Acl_Resource( 'invoicing' )); $acl->addResource( new Zend_Acl_Resource( 'stats' )); $acl->addResource( new Zend_Acl_Resource( 'lunchmenu' )); $acl->allow( 'guest' , 'cms' , 'view' ); $acl->allow( 'admin' , 'cms' , 'edit' ); $acl->deny( 'guest' , 'report' ); $acl->allow( 'departmentA' , 'report' ); $acl->deny('departmentC_senior_staff', 'newsletter'); $acl->allow('departmentC_marketing', 'newsletter'); $acl->allow('member', 'photo', 'view'); $acl->allow('departmentC_marketing', 'photo', 'upload'); $acl->allow('admin', 'photo', 'delete'); $acl->allow('guest', 'faq', 'view'); $acl->allow('member', 'faq', 'comment'); $acl->allow('departmentA', 'faq', 'edit'); $acl->allow('departmentC_senior_staff', 'faq', 'edit'); $acl->allow('admin', 'faq', 'edit'); $acl->allow('admin', 'photo', 'delete'); $acl->allow('guest', 'faq', 'view'); $acl->allow('member', 'faq', 'comment'); $acl->allow('departmentA', 'faq', 'edit'); $acl->allow('departmentC_senior_staff', 'faq', 'edit'); $acl->allow('admin', 'faq', 'edit'); $acl->allow('cook', 'lunchmenu', 'edit'); $acl->allow('member', 'lunchmenu', 'view'); $acl->allow('accounting', 'invoicing', 'edit'); $acl->allow('admin', 'invoicing', 'edit'); $acl->allow('departmentC_senior_staff', 'invoicing', 'report');

31. Evolution of a portal $acl = new Zend_Acl(); $acl->addRole( new Zend_Acl_Role( 'guest' )); $acl->addRole( new Zend_Acl_Role( 'departmentA' ), 'guest' ); $acl->addRole( new Zend_Acl_Role( 'departmentB' ), 'guest' ); $acl->addRole( new Zend_Acl_Role( 'departmentC_senior_staff' ), 'guest' ); $acl->addRole( new Zend_Acl_Role( 'departmentC_marketing' ), 'guest' ); $acl->addRole( new Zend_Acl_Role( 'cook' ), 'guest' ); $acl->addRole( new Zend_Acl_Role( 'admin' ), 'member' ); $acl->addResource( new Zend_Acl_Resource( 'cms' )); $acl->addResource( new Zend_Acl_Resource( 'report' )); $acl->addResource( new Zend_Acl_Resource( 'newsletter' )); $acl->addResource( new Zend_Acl_Resource( 'photo' )); $acl->addResource( new Zend_Acl_Resource( 'faq' )); $acl->addResource( new Zend_Acl_Resource( 'invoicing' )); $acl->addResource( new Zend_Acl_Resource( 'stats' )); $acl->addResource( new Zend_Acl_Resource( 'lunchmenu' )); $acl->allow( 'guest' , 'cms' , 'view' ); $acl->allow( 'admin' , 'cms' , 'edit' ); $acl->deny( 'guest' , 'report' ); $acl->allow( 'departmentA' , 'report' ); $acl->deny('departmentC_senior_staff', 'newsletter'); $acl->allow('departmentC_marketing', 'newsletter'); $acl->allow('member', 'photo', 'view'); $acl->allow('departmentC_marketing', 'photo', 'upload'); $acl->allow('admin', 'photo', 'delete'); $acl->allow('guest', 'faq', 'view'); $acl->allow('member', 'faq', 'comment'); $acl->allow('departmentA', 'faq', 'edit'); $acl->allow('departmentC_senior_staff', 'faq', 'edit'); $acl->allow('admin', 'faq', 'edit'); $acl->allow('admin', 'photo', 'delete'); $acl->allow('guest', 'faq', 'view'); $acl->allow('member', 'faq', 'comment'); $acl->allow('departmentA', 'faq', 'edit'); $acl->allow('departmentC_senior_staff', 'faq', 'edit'); $acl->allow('admin', 'faq', 'edit'); $acl->allow('cook', 'lunchmenu', 'edit'); $acl->allow('member', 'lunchmenu', 'view'); $acl->allow('accounting', 'invoicing', 'edit'); $acl->allow('admin', 'invoicing', 'edit'); $acl->allow('departmentC_senior_staff', 'invoicing', 'report');

32. Hard to ... maintain all rules

33. keep track of the rules

34. debug the rules

35. Possible solution : database Extend Zend_Acl to database driven design

36. Good : no code changes required

37. Bad : more load on DB

38. A different approach Not THE solution, merely A solution

39. Uses database, but...

40. Additional caching layer

41. ZF Conventional Modular Directory Structure

42. Backend interface for easy management with a twist !

43. Different resources Zend_ACL : $acl->addResource( new Zend_Acl_Resource( 'cms' )); $acl->allow( 'guest' , 'cms' , 'view' ); $acl->allow( 'admin' , 'cms' , 'edit' ); Access to : Controller : cms

44. Action : view / edit Why not integrate with the request itself ?

45. Controller plugins

46. Zend_Acl as a controller plugin <?php class My_Plugin_Acl extends Zend_Controller_Plugin_Abstract { private $_acl = null; public function __construct(Zend_Acl $acl ) { $this ->_acl = $acl ; } public function preDispatch(Zend_Controller_Request_Abstract $request ) { $role = (Zend_Auth::getInstance()->hasIdentity()) ? 'user' : 'guest' ; //For this example, we will use the controller as the resource: $resource = $request ->getControllerName(); if (! $this ->_acl->isAllowed( $role , $resource , 'view' )) { //If the user has no access we send him elsewhere by changing the request and resetting the dispatch $request ->setModuleName( 'auth' ) ->setControllerName( 'auth' ) ->setActionName( 'login' ) ->setDispatched(false); return false; } } }

47. Initializing the ACL Let's have a look

48. Zend_Acl manual rules <?php class My_Acl extends Zend_Acl { public function __construct() { //Add a new role called "guest" $this ->addRole( new Zend_Acl_Role( 'guest' )); //Add a role called user, which inherits from guest $this ->addRole( new Zend_Acl_Role( 'user' ), 'guest' ); //Add a resource called page $this ->add( new Zend_Acl_Resource( 'page' )); //Add a resource called news, which inherits page $this ->add( new Zend_Acl_Resource( 'news' ), 'page' ); //Finally, we want to allow guests to view pages $this ->allow( 'guest' , 'page' , 'view' ); //and users can comment news $this ->allow( 'user' , 'news' , 'comment' ); } }

49. Our ACL id role_id module controller action 1 2 newsletter send index 2 1 cms article edit 3 3 % % % id name email pw 1 Chris [email_address] ******* 2 Jake [email_address] ******* 3 Jeniffer [email_address] ******* id name 1 webmaster 2 marketeer 3 admin user_id role_id 1 2 2 3 3 1

50. Application_Acl class Application_Acl { public function isAllowed($user = null , $request = null ) { if (is_null($user) === false && $user !== false && $user instanceof User) { $userId = $user-> id ; } else { $userId = 0; } $db = Zend_Db_Table:: getDefaultAdapter (); $stmt = $db->query( ' select module_name, controller_name, action_name from privilege join role on role.id = privilege.role_id join userRole on userRole.role_id = role.role_id where userRole.user_id = ? and ( module_name = "%" or ( module_name = ? and ( controller_name = "%" or ( controller_name = ? and ( action_name = "%" or action_name = ? ) ) ) ) ) ' , array ( $userId, $request->getModuleName(), $request->getControllerName(), $request->getActionName() ) ); $stmt->execute(); $row = $stmt->fetch(); // Returns a row or false if ($row !== false ) { return true ; } else { return false ; } } }

51. To cache or not to cache - Option 1 (no cache) 1 query per ACL request

52. = 1 query per pageview / ajax request

53. 99.99% will be identical

54. -> "Just rely on MySQL query cache !"

55. FAIL !

56. Even for cached queries, MySQL connections use memory, I/O, CPU, ...

57. Caching - Option 2 (cache the main query) 1 DB query per user for each unique ACL request

58. User with 20 privileges -> 20 possible requests

59. All subsequent pageviews : 1 cache request

60. What's in the cache ? Entry Data acl_user_3_%_%_% 1 acl_user_1_cms_article_edit 1 acl_user_1_admin_destroy_planet 0 Problem : what if we add a privilege to a role ? -> All cached entries for all users should be refreshed (ouch !)

61. Caching - Option 3 - denormalize in cache

62. What's in the cache ? Entry Data acl_user_3 3, 1, 4 acl_user_1 3, 1, 2 acl_role_1 a:3:{i:0;s:45:"a:2:{i:0;s:5:"%_%_%";}";i:1;i:1308106740;i:2;s:6:"604800";} User's roles Privileges listed in a role

63. Caching - Option 3 - denormalize in cache 1 DB query per user at login (retrieve user's roles)

64. User with 20 privileges -> just 1 DB query

65. Per pageview : 1 cache query + 1 cache query per role

66. Good : Less queries on DB

67. Less data in the cache (only roles, not full privileges of each user)

68. Add a privilege to a role -> update the role only Bad : More queries on cache Choice : depends on where your highest load is (but memory is cheap and Memcache is fast !)

69. Caching - let's have a look

70. Managing the roles / privileges Zend_Acl : manual typ(o)ing

71. Goals : automation

72. easy management -> Reflection

73. Reflection ? Used to inspect objects during run-time

74. Available since PHP 5.0

75. Can be applied to : Classes

76. Objects

77. Methods

78. Functions

79. Properties

80. Extensions

81. Reflection - example <?php class Test { static public function testMe ($reason) { echo 'I have a reason : ' . $reason; } } $reflector = new ReflectionClass( 'Test' ); echo 'Class name : ' . $reflector->getName() . "\n" ; echo "Methods : \n" ; var_dump($reflector->getMethods()); Outputs : Class name : Test Methods : array(1) { [0]=> &object(ReflectionMethod)#2 (2) { ["name"]=> string(6) "testMe" ["class"]=> string(4) "Test" } }

82. Backend interface with reflection

83. Version 1 -> 2 ZF2 compatible Maybe : adding a multiGet() for the roles -> fewer cache queries Resources isAllowed() gets a new parameter

84. can be combined with module/controller/action Negative privileges and negative roles (!)

85. Hide controllers and actions from the interface (docblock)

86. New UI Drag-n-drop

87. Apply roles to usergroup

88. Setting it up library/Application/Acl.php -> main ACL class

89. library/Application/Controllers/Plugin/Acl.php -> controller plugin

90. modules/um/controllers/ IndexController.php

91. RoleController.php

92. LoginController.php -> Login screen (usually placed somewhere else) modules/um/views/scripts/ index

93. role Few lines in application.ini

94. Where to get it Site : http://www.opensource.be/zfacl/ (Oct 25)

95. Code : Github (see site)

96. Questions ?

97. Questions ?

98. Contact Web http://techblog.wimgodden.be

99. Slides http://www.slideshare.net/wimg

100. Twitter @wimgtr

101. E-mail [email_address]

102. Please... Rate my talk : http://joind.in/4009

103. Thanks !

Creating fast, dynamic ACLs in Zend Framework

More Related Content

What's hot (20)

Similar to Creating fast, dynamic ACLs in Zend Framework (18)

More from Wim Godden (20)

Recently uploaded (20)

Creating fast, dynamic ACLs in Zend Framework