# DataAbility Permission Control


A DataAbility provides data services, but not every ability is permitted to read or write it. DataAbility has a permission control mechanism to keep the data secure, divided into static permission control and dynamic permission control.


## Static Permission Control

As the server, a DataAbility is checked against the permissions configured in config.json when it is started. There are three configuration items, "readPermission", "writePermission" and "Permission"; each may be omitted or left empty. For example:

```json
"abilities": [
  ...
  {
    "name": ".DataAbility",
    "srcLanguage": "ets",
    "srcPath": "DataAbility",
    "icon": "$media:icon",
    "description": "$string:DataAbility_desc",
    "type": "data",
    "visible": true,
    "uri": "dataability://com.samples.famodelabilitydevelop.DataAbility",
    "readPermission": "ohos.permission.READ_CONTACTS",
    "writePermission": "ohos.permission.WRITE_CONTACTS"
  },
  ...
]
```

When a client starts a DataAbility, it must be verified whether the client has permission to start that DataAbility. The client's permissions are configured in the "reqPermissions" object of the "module" object in the config.json file. For example:

```json
{
  ...
  "module": {
    ...
    "reqPermissions": [
      {
        "name": "ohos.permission.READ_CONTACTS"
      },
      {
        "name": "ohos.permission.WRITE_CONTACTS"
      },
      ...
    ],
    ...
  }
}
```


## Dynamic Permission Control

Static permission verification can only control whether a DataAbility can be started by another ability or application. It cannot verify permissions precisely for each read/write interface, because at the time the DataAbility is started it is not yet known whether the application needs to read or write its data.

Dynamic permission control verifies whether each data operation interface has the corresponding permission. The permissions a client needs to call the data operation interfaces are listed in the table below.

**Table 1** Read and write permission configuration for interfaces

| Interfaces that require the read permission | Interfaces that require the write permission | Interfaces that require read/write permission according to the actual operation |
| -------- | -------- | -------- |
| query, normalizeUri, denormalizeUri, openfile (mode contains 'r') | insert, batchInsert, delete, update, openfile (mode contains 'w') | executeBatch |

For interfaces that require the read permission, the server must configure readPermission, and the client must request the corresponding read permission before it can call those interfaces.

For interfaces that require the write permission, the server must configure writePermission, and the client must request the corresponding write permission before it can call those interfaces.
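
The rules in Table 1, as an added example that is not OpenHarmony framework code: a TypeScript model that reports which permissions a client's `reqPermissions` still lacks for the calls it plans to make. The `Call` shape, the function names and the treatment of an unset or empty server permission as "no requirement" are assumptions of this example.

```typescript
// Added example: a model of Table 1 for configuration review, not framework code.
interface DataAbilityConfig {
  name: string;
  readPermission?: string;
  writePermission?: string;
}
// Hypothetical description of one planned client call.
interface Call { api: string; mode?: string; ops?: Call[]; }

const READ_APIS: string[] = ["query", "normalizeUri", "denormalizeUri"];
const WRITE_APIS: string[] = ["insert", "batchInsert", "delete", "update"];

// Which permission kinds ("r", "w", "rw" or "") Table 1 requires for one call.
function neededKinds(call: Call): string {
  if (READ_APIS.indexOf(call.api) >= 0) return "r";
  if (WRITE_APIS.indexOf(call.api) >= 0) return "w";
  let kinds = "";
  if (call.api === "openfile") {
    kinds = call.mode || ""; // a mode containing 'r' and/or 'w'
  } else if (call.api === "executeBatch") {
    for (const op of call.ops || []) kinds += neededKinds(op); // per actual operation
  } else {
    throw new Error("interface not in Table 1: " + call.api);
  }
  return (kinds.indexOf("r") >= 0 ? "r" : "") + (kinds.indexOf("w") >= 0 ? "w" : "");
}

// Permissions the client still has to add to reqPermissions for its planned calls.
// Assumption: an unset or empty server permission imposes no requirement.
function missingPermissions(server: DataAbilityConfig, reqPermissions: string[], calls: Call[]): string[] {
  const missing: string[] = [];
  for (const call of calls) {
    const kinds = neededKinds(call);
    const wanted = [kinds.indexOf("r") >= 0 ? server.readPermission : "",
                    kinds.indexOf("w") >= 0 ? server.writePermission : ""];
    for (const p of wanted) {
      if (p && reqPermissions.indexOf(p) < 0 && missing.indexOf(p) < 0) missing.push(p);
    }
  }
  return missing;
}

// Constructed sample: the server entry from the page, a client that requested read only.
const SERVER: DataAbilityConfig = {
  name: ".DataAbility",
  readPermission: "ohos.permission.READ_CONTACTS",
  writePermission: "ohos.permission.WRITE_CONTACTS",
};
const PLANNED: Call[] = [{ api: "query" }, { api: "openfile", mode: "rw" }];
console.log(missingPermissions(SERVER, ["ohos.permission.READ_CONTACTS"], PLANNED));
```

Because the static check only gates starting the DataAbility, a client like the constructed one can pass it for `query` and still be refused on the `openfile` call with mode `rw`; running this over the planned calls surfaces the gap before release.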