本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 使用 AWS SDK 在 Rust 中實作 Amazon Verified Permissions
本主題提供使用 AWS SDK 在 Rust 中實作 Amazon Verified Permissions 的實際範例。此範例示範如何開發授權模型,以測試使用者是否可以檢視相片。範例程式碼使用來自 的 [aws-sdk-verifiedpermissions](https://docs.rs/aws-sdk-verifiedpermissions/latest/aws_sdk_verifiedpermissions/) 木箱[適用於 Rust 的 AWS SDK](https://github.com/awslabs/aws-sdk-rust),提供一組強大的工具與 互動 AWS 服務。
## 先決條件
開始之前,請確定您已在系統上設定 [AWS CLI](https://aws.amazon.com/cli/),而且您已熟悉 Rust。
+ 如需安裝 的指示 AWS CLI,請參閱 [AWS CLI 安裝指南](https://docs.aws.amazon.com//cli/latest/userguide/getting-started-install.html)。
+ 如需設定 的指示 AWS CLI,請參閱 中的[設定 AWS CLI](https://docs.aws.amazon.com//cli/latest/userguide/cli-configure-quickstart.html)和組態和登入資料檔案設定。 [AWS CLI](https://docs.aws.amazon.com//cli/latest/userguide/cli-configure-profiles.html)
+ 如需 Rust 的詳細資訊,請參閱 [rust-lang.org](https://www.rust-lang.org/):// 和[AWS 適用於 Rust 的 SDK 開發人員指南](https://docs.aws.amazon.com//sdk-for-rust/latest/dg/welcome.html)。
準備好您的環境後,讓我們來探索如何在 Rust 中實作已驗證許可。
## 測試範例程式碼
範例程式碼會執行下列動作:
+ 設定要與 通訊的 SDK 用戶端 AWS
+ 建立[政策存放區](policy-stores.md)
+ 透過新增[結構描述](schema.md)來定義政策存放區的結構
+ 新增[政策](policies.md)以檢查授權請求
+ 傳送測試[授權請求](authorization.md),以確認一切設定正確
**測試範本程式碼**
1. 建立 Rust 專案。
1. `main.rs` 使用下列程式碼取代 中的任何現有程式碼:
```
use std::time::Duration;
use std::thread::sleep;
use aws_config::BehaviorVersion;
use aws_sdk_verifiedpermissions::Client;
use aws_sdk_verifiedpermissions::{
operation::{
create_policy::CreatePolicyOutput,
create_policy_store::CreatePolicyStoreOutput,
is_authorized::IsAuthorizedOutput,
put_schema::PutSchemaOutput,
},
types::{
ActionIdentifier, EntityIdentifier, PolicyDefinition, SchemaDefinition, StaticPolicyDefinition, ValidationSettings
},
};
//Function that creates a policy store in the client that's passed
async fn create_policy_store(client: &Client, valid_settings: &ValidationSettings)-> CreatePolicyStoreOutput {
let policy_store = client.create_policy_store().validation_settings(valid_settings.clone()).send().await;
return policy_store.unwrap();
}
//Function that adds a schema to the policy store in the client
async fn put_schema(client: &Client, ps_id: &str, schema: &str) -> PutSchemaOutput {
let schema = client.put_schema().definition(SchemaDefinition::CedarJson(schema.to_string())).policy_store_id(ps_id.to_string()).send().await;
return schema.unwrap();
}
//Function that creates a policy in the policy store in the client
async fn create_policy(client: &Client, ps_id: &str, policy_definition:&PolicyDefinition) -> CreatePolicyOutput {
let create_policy = client.create_policy().definition(policy_definition.clone()).policy_store_id(ps_id).send().await;
return create_policy.unwrap();
}
//Function that tests the authorization request to the policy store in the client
async fn authorize(client: &Client, ps_id: &str, principal: &EntityIdentifier, action: &ActionIdentifier, resource: &EntityIdentifier) -> IsAuthorizedOutput {
let is_auth = client.is_authorized().principal(principal.to_owned()).action(action.to_owned()).resource(resource.to_owned()).policy_store_id(ps_id).send().await;
return is_auth.unwrap();
}
#[::tokio::main]
async fn main() -> Result<(), aws_sdk_verifiedpermissions::Error> {
//Set up SDK client
let config = aws_config::load_defaults(BehaviorVersion::latest()).await;
let client = aws_sdk_verifiedpermissions::Client::new(&config);
//Create a policy store
let valid_settings = ValidationSettings::builder()
.mode({aws_sdk_verifiedpermissions::types::ValidationMode::Strict
})
.build()
.unwrap();
let policy_store = create_policy_store(&client, &valid_settings).await;
println!(
"Created Policy store with ID: {:?}",
policy_store.policy_store_id
);
//Add schema to policy store
let schema= r#"{
"PhotoFlash": {
"actions": {
"ViewPhoto": {
"appliesTo": {
"context": {
"type": "Record",
"attributes": {}
},
"principalTypes": [
"User"
],
"resourceTypes": [
"Photo"
]
},
"memberOf": []
}
},
"entityTypes": {
"Photo": {
"memberOfTypes": [],
"shape": {
"type": "Record",
"attributes": {
"IsPrivate": {
"type": "Boolean"
}
}
}
},
"User": {
"memberOfTypes": [],
"shape": {
"attributes": {},
"type": "Record"
}
}
}
}
}"#;
let put_schema = put_schema(&client, &policy_store.policy_store_id, schema).await;
println!(
"Created Schema with Namespace: {:?}",
put_schema.namespaces
);
//Create policy
let policy_text = r#"
permit (
principal in PhotoFlash::User::"alice",
action == PhotoFlash::Action::"ViewPhoto",
resource == PhotoFlash::Photo::"VacationPhoto94.jpg"
);
"#;
let policy_definition = PolicyDefinition::Static(StaticPolicyDefinition::builder().statement(policy_text).build().unwrap());
let policy = create_policy(&client, &policy_store.policy_store_id, &policy_definition).await;
println!(
"Created Policy with ID: {:?}",
policy.policy_id
);
//Break to make sure the resources are created before testing authorization
sleep(Duration::new(2, 0));
//Test authorization
let principal= EntityIdentifier::builder().entity_id("alice").entity_type("PhotoFlash::User").build().unwrap();
let action = ActionIdentifier::builder().action_type("PhotoFlash::Action").action_id("ViewPhoto").build().unwrap();
let resource = EntityIdentifier::builder().entity_id("VacationPhoto94.jpg").entity_type("PhotoFlash::Photo").build().unwrap();
let auth = authorize(&client, &policy_store.policy_store_id, &principal, &action, &resource).await;
println!(
"Decision: {:?}",
auth.decision
);
println!(
"Policy ID: {:?}",
auth.determining_policies
);
Ok(())
}
```
1. 在終端機`cargo run`中輸入 來執行程式碼。
如果程式碼正確執行,終端機會顯示 ,`Decision: Allow`後面接著決定政策的政策 ID。這表示您已成功建立政策存放區,並使用適用於 Rust 的 AWS SDK 進行測試。
## 清除資源
完成探索政策存放區後,請將其刪除。
**刪除政策存放區**
您可以使用 `delete-policy-store`操作來刪除政策存放區,`PSEXAMPLEabcdefg111111`以您要刪除的政策存放區 ID 取代 。
```
$ aws verifiedpermissions delete-policy-store \
--policy-store-id PSEXAMPLEabcdefg111111
```
如果成功,此命令就不會產生輸出。