rbac

package module

v0.4.1 Latest Latest Go to latest Published: Jul 9, 2021 License: Unlicense Imports: 11 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/supremind/rbac

Links

Open Source Insights

README ¶

RBAC Access Control Library in Golang

The rbac package provides RBAC (Robe-Based Access Control) in Golang. It is

fast, even used with persisted data store, all reads are done in memory
concurrent safe;
coordinated in real-time among replicas;
exported as very simple interfaces;
designed to use any persisted storage as backend;
limited to minimal external dependencies

This project is still in developing, and is not considered production ready.

How it works

Groupings and Permission

Exported interfaces

`Grouping`: Role assignment

Join(user, role) assign a role to a subject: the subject can exercise a permission assigned to the role
Join(sub, role) assign a higher-level role to a sub-role: roles can be combined in a hierarchy
it also could be used to group objects together: article-category assignment
subject-role, article-category groupings are both optional
when neither of the two is used, RBAC works as ACL(Access Control List)

`Permission`: Permission assignment and authorization

Permit(subject, object, action) assign a permission: a subject or subjects of a role can perform some action to an article or a category of articles
Shall(subject, object, action) authorization: tell if a subject can perform an action to an article

`Action`: Operations could be done to an object

preset actions: read, write, execute
custom actions could be registered through types.ResetActions()

`Persister`s: Persist and coordinate rules among replica set

store grouping and permission rules to a persisted storage to survive application restarts
coordinate multiple replicas of the application works together: changes made by any replica will be send to others, and they will behave same as one

Persisters

The Persister (adapter) does basically two things:

Write (grouping/permission) changes to the storage: Insert/Update/Remove
Watch the storage for changes made by other replicas

Changes made by current replica (and then be watched) will be ignored, implementations need not to care about them. All replicas will keep same rules in memory.

Persister workflow

Available persister implementations

Available persister implementations are listed as follow. PR for other implementations or references to other projects are welcome.

package name	backend	driver	go doc
`github.com/supremind/rbac/persist/mgo`	MongoDB (3.6)	`github.com/globalsign/mgo`
`github.com/supremind/rbac/persist/fake`	-	-	-

Documentation ¶

Index ¶

func New(ctx context.Context, opts ...AuthorizerOption) (types.Authorizer, error)
func PublicShared(obj types.Object, act types.Action) types.PresetPolicy
func SuperUser(su types.Subject) types.PresetPolicy
type AuthorizerConfig
type AuthorizerOption

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func New ¶

func New(ctx context.Context, opts ...AuthorizerOption) (types.Authorizer, error)

New creates a RBAC Authorizer

func PublicShared ¶

func PublicShared(obj types.Object, act types.Action) types.PresetPolicy

PublicShared specify that everbody could do act on obj

func SuperUser ¶

func SuperUser(su types.Subject) types.PresetPolicy

SuperUser can do any action on anything

Types ¶

type AuthorizerConfig ¶

type AuthorizerConfig struct {
	// contains filtered or unexported fields
}

AuthorizerConfig works together with AuthorizerOption to control the initialization of authorizer

type AuthorizerOption ¶

type AuthorizerOption func(*AuthorizerConfig)

AuthorizerOption controls how to init an authorizer

func WithLogger ¶

func WithLogger(l logr.Logger) AuthorizerOption

WithLogger sets logger for rbac components

func WithObjectPersister ¶

func WithObjectPersister(p types.GroupingPersister) AuthorizerOption

WithObjectPersister sets Persister for object could be omitted if object grouping is not used: no rules on categories

func WithPermissionPersister ¶

func WithPermissionPersister(p types.PermissionPersister) AuthorizerOption

WithPermissionPersister sets Persister for Permission manager all permission polices will be lost after restart if not set

func WithPresetPolices ¶

func WithPresetPolices(presets ...types.PresetPolicy) AuthorizerOption

WithPresetPolices add preset polices to authorizer

func WithSubjectPersister ¶

func WithSubjectPersister(p types.GroupingPersister) AuthorizerOption

WithSubjectPersister sets Persister for subject could be omitted if subject grouping is not used: no roles, only users

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
internal
authorizer
grouping
permission
persist/filter
persist
fake
test
mgo Module
types

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL