Permission Model

Stability: 1.1 - Active development

The Node.js Permission Model is a mechanism for restricting access to specific resources during execution. The API exists behind the --experimental-permission flag, which, when enabled, restricts access to all available permissions.

The available permissions are documented by the --experimental-permission flag.

When starting Node.js with --experimental-permission, the ability to access the file system through the fs module, spawn processes, use node:worker_threads, use native addons, use WASI, and enable the runtime inspector will be restricted.

$ node --experimental-permission index.js
node:internal/modules/cjs/loader:171
  const result = internalModuleStat(filename);
                 ^

Error: Access to this API has been restricted
    at stat (node:internal/modules/cjs/loader:171:18)
    at Module._findPath (node:internal/modules/cjs/loader:627:16)
    at resolveMainPath (node:internal/modules/run_main:19:25)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:76:24)
    at node:internal/main/run_main_module:23:47 {
  code: 'ERR_ACCESS_DENIED',
  permission: 'FileSystemRead',
  resource: '/home/user/index.js'
} 

Allowing access to spawning a process and creating worker threads can be done using the --allow-child-process and --allow-worker flags, respectively.

To allow native addons when using the permission model, use the --allow-addons flag. For WASI, use the --allow-wasi flag.
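
The following is an added example, not part of the Node.js documentation: a startup self-check that confirms the capabilities a process is supposed to lose are really denied, and that treats any result other than ERR_ACCESS_DENIED as a leak. The names classify, findLeaks, PROBES, SAMPLE and deniedLike are hypothetical; the code, permission and resource fields come from the error output shown above. It assumes that process spawning and worker creation report denial with the same error code as the file system case.

```javascript
// Added example (CommonJS): startup check that expected restrictions are in force.

// Run one operation and classify the outcome. Only ERR_ACCESS_DENIED counts as a
// denial; any other failure is reported as 'error' so that an unrelated fault
// (ENOENT, an OS-level EPERM, ...) is never mistaken for the permission model.
function classify(op) {
  try {
    op();
    return { status: 'allowed' };
  } catch (err) {
    if (err && err.code === 'ERR_ACCESS_DENIED') {
      return { status: 'denied', permission: err.permission, resource: err.resource };
    }
    return { status: 'error', code: err && err.code };
  }
}

// Probes for three of the capabilities listed above. Modules are loaded lazily,
// inside each probe, so only the probes that are actually run touch them.
const PROBES = {
  fsRead: () => require('node:fs').statSync(process.execPath),
  childProcess: () =>
    require('node:child_process').spawnSync(process.execPath, ['--version']),
  worker: () =>
    new (require('node:worker_threads').Worker)('', { eval: true }).terminate(),
};

// Names in mustBeDenied whose probe did not end in ERR_ACCESS_DENIED.
// An unknown probe name is also returned, so the check fails closed.
function findLeaks(mustBeDenied, probes = PROBES) {
  return mustBeDenied.filter((name) => classify(probes[name]).status !== 'denied');
}

// Constructed stand-ins so the demo runs without the flag: the first throws an
// error shaped like the one in the output above, the second simply succeeds.
function deniedLike(permission, resource) {
  const err = new Error('Access to this API has been restricted');
  return () => {
    throw Object.assign(err, { code: 'ERR_ACCESS_DENIED', permission, resource });
  };
}
const SAMPLE = {
  fsRead: deniedLike('FileSystemRead', '/home/user/index.js'),
  childProcess: () => {}, // simulates a capability that was left open
};
console.log(findLeaks(['fsRead', 'childProcess'], SAMPLE));
```

In a real deployment, call findLeaks with the default PROBES early in startup and exit with a non-zero status if the returned array is not empty.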