An authorization library that supports access control models like ACL, RBAC, ABAC in Golang

Overview

Casbin

Go Report Card Build Status Coverage Status Godoc Release Gitter Sourcegraph

News: still worry about how to write the correct Casbin policy? Casbin online editor is coming to help! Try it at: https://casbin.org/editor/

casbin Logo

Casbin is a powerful and efficient open-source access control library for Golang projects. It provides support for enforcing authorization based on various access control models.

All the languages supported by Casbin:

golang java nodejs php
Casbin jCasbin node-Casbin PHP-Casbin
production-ready production-ready production-ready production-ready
python dotnet c++ rust
PyCasbin Casbin.NET Casbin-CPP Casbin-RS
production-ready production-ready beta-test production-ready

Table of contents

Supported models

  1. ACL (Access Control List)
  2. ACL with superuser
  3. ACL without users: especially useful for systems that don't have authentication or user log-ins.
  4. ACL without resources: some scenarios may target for a type of resources instead of an individual resource by using permissions like write-article, read-log. It doesn't control the access to a specific article or log.
  5. RBAC (Role-Based Access Control)
  6. RBAC with resource roles: both users and resources can have roles (or groups) at the same time.
  7. RBAC with domains/tenants: users can have different role sets for different domains/tenants.
  8. ABAC (Attribute-Based Access Control): syntax sugar like resource.Owner can be used to get the attribute for a resource.
  9. RESTful: supports paths like /res/*, /res/:id and HTTP methods like GET, POST, PUT, DELETE.
  10. Deny-override: both allow and deny authorizations are supported, deny overrides the allow.
  11. Priority: the policy rules can be prioritized like firewall rules.

How it works?

In Casbin, an access control model is abstracted into a CONF file based on the PERM metamodel (Policy, Effect, Request, Matchers). So switching or upgrading the authorization mechanism for a project is just as simple as modifying a configuration. You can customize your own access control model by combining the available models. For example, you can get RBAC roles and ABAC attributes together inside one model and share one set of policy rules.

The most basic and simplest model in Casbin is ACL. ACL's model CONF is:

# Request definition
[request_definition]
r = sub, obj, act

# Policy definition
[policy_definition]
p = sub, obj, act

# Policy effect
[policy_effect]
e = some(where (p.eft == allow))

# Matchers
[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act

An example policy for ACL model is like:

p, alice, data1, read
p, bob, data2, write

It means:

  • alice can read data1
  • bob can write data2

We also support multi-line mode by appending '\' in the end:

# Matchers
[matchers]
m = r.sub == p.sub && r.obj == p.obj \
  && r.act == p.act

Further more, if you are using ABAC, you can try operator in like following in Casbin golang edition (jCasbin and Node-Casbin are not supported yet):

# Matchers
[matchers]
m = r.obj == p.obj && r.act == p.act || r.obj in ('data2', 'data3')

But you SHOULD make sure that the length of the array is MORE than 1, otherwise there will cause it to panic.

For more operators, you may take a look at govaluate

Features

What Casbin does:

  1. enforce the policy in the classic {subject, object, action} form or a customized form as you defined, both allow and deny authorizations are supported.
  2. handle the storage of the access control model and its policy.
  3. manage the role-user mappings and role-role mappings (aka role hierarchy in RBAC).
  4. support built-in superuser like root or administrator. A superuser can do anything without explict permissions.
  5. multiple built-in operators to support the rule matching. For example, keyMatch can map a resource key /foo/bar to the pattern /foo*.

What Casbin does NOT do:

  1. authentication (aka verify username and password when a user logs in)
  2. manage the list of users or roles. I believe it's more convenient for the project itself to manage these entities. Users usually have their passwords, and Casbin is not designed as a password container. However, Casbin stores the user-role mapping for the RBAC scenario.

Installation

go get github.com/casbin/casbin/v2

Documentation

https://casbin.org/docs/en/overview

Online editor

You can also use the online editor (https://casbin.org/editor/) to write your Casbin model and policy in your web browser. It provides functionality such as syntax highlighting and code completion, just like an IDE for a programming language.

Tutorials

https://casbin.org/docs/en/tutorials

Get started

  1. New a Casbin enforcer with a model file and a policy file:

    e, _ := casbin.NewEnforcer("path/to/model.conf", "path/to/policy.csv")

Note: you can also initialize an enforcer with policy in DB instead of file, see Policy-persistence section for details.

  1. Add an enforcement hook into your code right before the access happens:

    sub := "alice" // the user that wants to access a resource.
    obj := "data1" // the resource that is going to be accessed.
    act := "read" // the operation that the user performs on the resource.
    
    if res := e.Enforce(sub, obj, act); res {
        // permit alice to read data1
    } else {
        // deny the request, show an error
    }
  2. Besides the static policy file, Casbin also provides API for permission management at run-time. For example, You can get all the roles assigned to a user as below:

    roles, _ := e.GetImplicitRolesForUser(sub)

See Policy management APIs for more usage.

Policy management

Casbin provides two sets of APIs to manage permissions:

  • Management API: the primitive API that provides full support for Casbin policy management.
  • RBAC API: a more friendly API for RBAC. This API is a subset of Management API. The RBAC users could use this API to simplify the code.

We also provide a web-based UI for model management and policy management:

model editor

policy editor

Policy persistence

https://casbin.org/docs/en/adapters

Policy consistence between multiple nodes

https://casbin.org/docs/en/watchers

Role manager

https://casbin.org/docs/en/role-managers

Benchmarks

https://casbin.org/docs/en/benchmark

Examples

Model Model file Policy file
ACL basic_model.conf basic_policy.csv
ACL with superuser basic_model_with_root.conf basic_policy.csv
ACL without users basic_model_without_users.conf basic_policy_without_users.csv
ACL without resources basic_model_without_resources.conf basic_policy_without_resources.csv
RBAC rbac_model.conf rbac_policy.csv
RBAC with resource roles rbac_model_with_resource_roles.conf rbac_policy_with_resource_roles.csv
RBAC with domains/tenants rbac_model_with_domains.conf rbac_policy_with_domains.csv
ABAC abac_model.conf N/A
RESTful keymatch_model.conf keymatch_policy.csv
Deny-override rbac_model_with_deny.conf rbac_policy_with_deny.csv
Priority priority_model.conf priority_policy.csv

Middlewares

Authz middlewares for web frameworks: https://casbin.org/docs/en/middlewares

Our adopters

https://casbin.org/docs/en/adopters

How to Contribute

Please read the contributing guide.

Contributors

This project exists thanks to all the people who contribute.

Backers

Thank you to all our backers! 🙏 [Become a backer]

Sponsors

Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]

License

This project is licensed under the Apache 2.0 license.

Contact

If you have any issues or feature requests, please contact us. PR is welcomed.

Issues
  • When should i call BuildRoleLinks function

    When should i call BuildRoleLinks function

    My App has about 1 millions policies, 800k P policy and 200K G policy. Whenever I add new P policy and assign it to one role, should I call BuildRoleLinks function?

    enhancement help wanted 
    opened by UnderTreeTech 44
  • Added multiple add and remove policies API functions.

    Added multiple add and remove policies API functions.

    Usage of the following functions is as follows :

    rule1 := []interface{} {"jack", "data4", "read"}
    rule2 := []interface{} {"katy", "data4", "write"}
    rule3 := []interface{} {"leyo", "data4", "read"}
    rule4 := []interface{} {"ham", "data4", "write"}
    
    e.AddPolicies(rule1, rule2, rule3, rule4)
    
    e.RemovePolicies(rule1, rule2, rule3, rule4)
    
    

    Have also added tests for these functions, all the tests pass. Please let me know if any changes required, this is open to changes if required any.

    opened by divy9881 31
  • [QUESTION] what's the difference of `Enforcer` and `SyncedEnforcer` if by default we have locks in every struct with map?

    [QUESTION] what's the difference of `Enforcer` and `SyncedEnforcer` if by default we have locks in every struct with map?

    I'm confused while seeing Lock in every struct with `map. I'm wondering if it's correct and ncessary?

    It's not necessary for Enforcer because normal Enforcer is not thread-safe.

    For syncedEnforcer we can have multiple goroutines reading/writing, we already have a top-level mutex, why do we still need other mutex/lock?

    Any idea?

    bug 
    opened by GopherJ 29
  • suggestion: add YAML support for model

    suggestion: add YAML support for model

    YAML is a human friendly data serialization standard for all programming languages.

    It can help users to write and verify the model .

    How to help users to write and verify the model?

    We need to write the YAML schema then IDE can provides hints based upon YAML schema provided to helps user write schema efficiently.

    Please refer to https://dzone.com/articles/two-ways-configuration-documentation-with-springnb to write YAML schema then publish to https://github.com/SchemaStore/schemastore.

    enhancement 
    opened by nodece 27
  • Scaling ABAC Rules

    Scaling ABAC Rules

    I am looking to support ABAC for a CMS-type system, where there could be thousands to potentially even more ABAC rules. Writing one long matcher isn't feasible in this case, nor is having multiple enforcers. Is there any other workaround this?

    An ABAC policy for us is something like If user age is between 24 and 64, then they can "view" some "resource". Any thoughts?

    Also, if this isn't supported, yet, what's the roadmap for something like this?

    enhancement 
    opened by harsimranb 26
  • fix: prevent concurrent map writes in LoadPolicyLine function

    fix: prevent concurrent map writes in LoadPolicyLine function

    I managed to create an environment in which the LoadPolicyLine function regularly causes concurrent map writes panics. Added a global sync.Mutex object that is used exclusively within the LoadPolicyLine function. Have not encountered any locks or concurrent map writes since this addition.

    fatal error: concurrent map writes
    
    goroutine 2247 [running]:
    runtime.throw(0xdd5620, 0x15)
            /usr/local/go/src/runtime/panic.go:1116 +0x72 fp=0xc000175278 sp=0xc000175248 pc=0x43d8d2
    runtime.mapassign_faststr(0xcfd340, 0xc0001db200, 0xc0004d7fa0, 0x19, 0xc0002d1818)
            /usr/local/go/src/runtime/map_faststr.go:291 +0x3d8 fp=0xc0001752e0 sp=0xc000175278 pc=0x41be78
    github.com/casbin/casbin/v2/persist.LoadPolicyLine(0xc0004d7f20, 0x1e, 0xc0002a9ce0)
            /home/example/go/pkg/mod/github.com/casbin/casbin/[email protected]/persist/adapter.go:43 +0x547 fp=0xc000175470 sp=0xc0001752e0 pc=0x9fbcc7
    
    opened by jamesjmurtagh 24
  • I want to combine RBAC and ABAC. I read a lot of documentation and I have a few questions.

    I want to combine RBAC and ABAC. I read a lot of documentation and I have a few questions.

    Hello everyone. I wanna choose casbin for manage authorization. I read a lot of documentation and I have a few questions.

    I want to combine RBAC and ABAC. With RBAC I want to control the general access to the API. With ABAC, I want to control access to certain entities (records in database). For example, I have the entity of orders and the entity of the company. Should I create three enforcers? The first one will be with the RBAC model. The second with the ABAC model to control the entity of orders. The third with the ABAC model to control the entity of companies. Right? (each entity has its own set of fields).

    The procedure will be as follows (request to API):

    Run the RBAC enforcer to determine if the user has access to the entity. Run the ABAC enforcer for a specific entity (orders or companies). In the case of ABAC, should I first select an entity from the database and pass it to the enforcer? What if the user requests a list of orders (pagination = 1000)? How to handle this? For example, I can’t pass 1000 entities to an enforcer (my idea is that there should be a common API point, which, depending on the rule, gives only those records that satisfy the condition of the model matcher)? P.S. Sorry for my english. Thanks.

    question 
    opened by MatthewPattell 24
  • How to synchronize multiple Casbin enforcer instances running with a single pg Gorm adapter?

    How to synchronize multiple Casbin enforcer instances running with a single pg Gorm adapter?

    I'm using Casbin library with pg Gorm adapter in one of my services. I wonder how I can keep Casbin enforcers synched if I'm running multiple instances of that services? Since Casbin policies are loaded once at startup and stored in memory, if one of the instances updates policies later, other enforcers wouldn't be notified. I looked at Casbin server but not sure if that would be helpful in this case, if so how I can achieve the synchronization by using Casbin server? or what are the other options?

    enhancement 
    opened by rrasulzade 24
  • feat: Support pattern function in 3rd args of g

    feat: Support pattern function in 3rd args of g

    This commit not only supports pattern function in 3rd args of g, but also can be used in policy, such as

    p, data1_admin, *, data1, read
    p, data1_admin, *, data1, write
    
    g, alice, data1_admin, domain1
    
    released 
    opened by dovics 22
  • Fix:  adding policy to adapter before trying to add into model

    Fix: adding policy to adapter before trying to add into model

    Recently I'm having issue with the following code in internal_api.go

    func (e *Enforcer) addPolicy(sec string, ptype string, rule []string) (bool, error) {
    	ruleAdded := e.model.AddPolicy(sec, ptype, rule)
    	if !ruleAdded {
    		return ruleAdded, nil
    	}
    
    	if e.adapter != nil && e.autoSave {
    		if err := e.adapter.AddPolicy(sec, ptype, rule); err != nil {
    			if err.Error() != notImplemented {
    				return ruleAdded, err
    			}
    		}
    	}
    
    	if e.watcher !=nil && e.autoNotifyWatcher {
    		err := e.watcher.Update()
    		if err != nil {
    			return ruleAdded, err
    		}
    	}
    
    	return ruleAdded, nil
    }
    

    It seems logic, but it may cause bugs while having network or io issues. For example it fails to add policy into adapter for some reason but it succeeds to add policy into model. Then it return an error to say that we don't succeed to add policy but actually we already added policies into model and it will influence the enforce result.

    To solve this, shall we add policy into adapter first? I mean when auto save has been enabled.

    help wanted question released 
    opened by GopherJ 22
  • [Question] What's the best way to limit/filter roles by resource? ABAC?

    [Question] What's the best way to limit/filter roles by resource? ABAC?

    What's your scenario? What do you want to achieve? I've read through all the docs and I'm having a hard time conceptualizing how to set up roles that are filtered based on a resource ID -- for example, a user creates a room and becomes a "host" of the room -- but only the room that user has created. The concept of "host" is only really a role in the context that it's a relationship between a User and a Room -- it doesn't apply to all Rooms. I'm muddled between using keymatch, ABAC, and how everything interacts with the Enforcer() and my database.

    Say I have these API endpoints:

    POST /rooms
    GET /rooms/:id
    POST /rooms/:id/open
    POST /rooms/:id/close
    

    and say i have two "roles" that are specific to a room

    host      # user-room relationship
    attendee  # user-room relationship
    

    For the purposes of the example, I want to express these access rules:

    • A user can POST to /rooms to create a new room and become the host of that room
    • A host can POST to /rooms/:id/open and /rooms/:id/closed, but only for the specific rooms they are the host for
    • An attendee can GET /rooms/:id, but only for the specific rooms they are attendees for

    Assume for this example that user alice is a host of rooms 1 and 2, and bob is an attendee of room 2.

    From what I've read, I don't think I should create a separate policy for each resource, e.g.

    p, alice, /rooms/1, POST
    p, alice, /rooms/1/open, POST
    p, alice, /rooms/1/close, POST   
    p, alice, /rooms/2, POST
    p, alice, /rooms/2/open, POST
    p, alice, /rooms/2/close, POST
    p, bob, /rooms/2, GET
    

    So, would I express the fact that alice is a host for rooms 1 & 2 using a db-stored policy somehow?

    p, host, /rooms/:id/open, POST
    p, host, /rooms/:id/close, POST
    p, attendee, /rooms/:id, GET
    
    g, alice, host, /rooms/1  # <-- somehow express that alice is the host of room with id 1, not all rooms
    g, alice, host, /rooms/2
    g, bob, attendee, /rooms/2
    

    Or would I try and match up the ID in the policy (I think i'm not understanding this)?

    p, r.sub.id == r.obj.id, /rooms/:id/open, POST 
    p, r.sub.id == r.obj.id, /rooms/:id/close, POST
    

    Or would I use a custom function in my policy somehow and express the host relationship as a lookup on a join table between User and Room?

    p, isHost(userID, roomID), /rooms/:id/open, POST
    p, isHost(userID, roomID), /rooms/:id/close, POST
    
    question 
    opened by awmcclain 3
  • [Feature] Union the effect of different roles

    [Feature] Union the effect of different roles

    Want to prioritize this issue? Try:

    issuehunt-to-marktext


    Is your feature request related to a problem? Please describe. I cannot find the available built-in policy effects when a user has more then one roles with "deny override" policy

    Your model:

    [request_definition]
    r = sub, obj, act
    
    [policy_definition]
    p = sub, obj, act, eft
    
    [role_definition]
    g = _, _
    
    [policy_effect]
    e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
    
    [matchers]
    m = g(r.sub, p.sub) && r.obj == p.obj && keyMatch(r.act, p.act)
    

    Your policy:

    p, writer, data1, write, allow
    p, reader, data1, *, allow
    p, reader, data1, write, deny
    
    g, alice, writer
    g, alice, reader
    g, bob, reader
    

    Your request(s):

    alice, data1, write ---> false (expected: true)
    bob, data1, write ---> false (expected: false)
    

    As the example above, user alice has both of writer and reader role. The usually expected result is: alice is allowed to write data1

    Describe alternatives you've considered Add two arguments to the function MergeEffects in Effector interface, one is the rmMap and the other one contains the matches information like this:

    {
        effector.Allow: {
           subSet: { "writer", "reader" }
        },
        effector.Deny: {
           subSet: { "reader" }
        },
        effector.Indeterminate: {
           subSet: { }
        }
    }
    

    Then, I will be able to implement the MergeEffects by myself.

    enhancement question 
    opened by GYWang1983 7
  • feat: add cross domain support

    feat: add cross domain support

    opened by tangyang9464 0
  • [Question] Hierarchical domains with (hierarchical) roles

    [Question] Hierarchical domains with (hierarchical) roles

    What's your scenario? What do you want to achieve?

    Pretty much a follow-up from https://github.com/casbin/casbin/issues/718#issuecomment-889785940

    So, do you think this problem is solvable by Casbin? I think this is pretty typical use case of hierarchical RBAC where you do not want to define global role hierarchy into each domain.

    General idea would be pretty similar to the original question:

    • global domain
      • subdomain1
        • lowersubdomain1
      • subdomain2
    1. So if alice is an admin in global domain, she should be an admin in all domains below it (subdomain1, lowersubdomain1, subdomain2).
      1. This should happen without any additional policy lines. g, alice, admin, global domain should be sufficient
      2. Defining what permissions admin has in each domain is still required.
    2. If bob is an admin in subdomain1, he should have admin access to lowersubdomain1
      1. But no access to any other domain

    Your model:

    [request_definition]
    r = sub, dom, obj, act
    
    [policy_definition]
    p = sub, dom, obj, act
    
    [role_definition]
    g = _, _, _
    g2 = _, _
    
    [policy_effect]
    e = some(where (p.eft == allow))
    
    [matchers]
    m = g(r.sub, p.sub, r.dom) && g2(r.dom, p.dom) && regexMatch(r.obj, p.obj) && regexMatch(r.act, p.act)
    

    Your policy:

    p, admin, global_domain, data1, (read|write)
    p, admin, sub_domain, data2, (read|write)
    
    g, alice, admin, global_domain
    g, bob, admin, sub_domain
    g2, sub_domain, global_domain
    

    Your request(s):

    alice, global_domain, data1, read --> true, correct
    alice, sub_domain, data2, read --> false, incorrect
    bob, sub_domain, data2, read --> true, correct
    
    question 
    opened by Sefriol 3
  • Is there a way to use RBAC with multiple domains?

    Is there a way to use RBAC with multiple domains?

    What's your scenario? What do you want to achieve?

    Is there a way to define not one but multiple domains for the RBAC with domains model? I managed to use either a wildcard or a single domain, but I did not manage to get a multi-domain model set up properly.

    [request_definition]
    r = sub, dom, obj, act
    
    [policy_definition]
    p = sub, obj, act
    
    [role_definition]
    g = _, _, _
    
    [policy_effect]
    e = some(where (p.eft == allow))
    
    [matchers]
    m = (g(r.sub, p.sub, "*") && r.obj == p.obj && r.act == p.act) \
      || (g(r.sub, p.sub, r.dom) && r.obj == p.obj && r.act == p.act)
    
    p, alice, data1, read
    p, bob, data2, write
    p, data2_admin, data2, read
    p, data2_admin, data2, write
    
    g, alice, data2_admin
    
    p, super, entity, create
    p, super, entity, read
    p, super, entity, update
    p, super, entity, delete
    
    g, user_wildcard, data, *
    g, user_tenant_1, data, 6ec54488-05ac-11ec-8671-9cb6d0dc265f
    g, user_tenant_2, data, 7b5aa454-05ac-11ec-8671-9cb6d0dc265f
    g, user_both_tenants, data, 6ec54488-05ac-11ec-8671-9cb6d0dc265f
    g, user_both_tenants, data, 7b5aa454-05ac-11ec-8671-9cb6d0dc265f
    
    

    user_wildcard is allowed to access all domains. user_tenant_1 and user_tenant_2 can access their corresponding tenant. But user_both_tenants is not allowed for both tenants.

    I assume I have to change my model, instead of my policy?

    Thanks for an answer.

    enhancement question 
    opened by resingm 4
  • [Question] Policy Group

    [Question] Policy Group

    Want to prioritize this issue? Try:

    issuehunt-to-marktext


    What's your scenario? What do you want to achieve? Is there a config or a way to use multi-policy like methods?

    Your model:

    [request_definition]
    r = sub, obj, act
    
    [policy_definition]
    p = sub, obj, act, eft
    
    [role_definition]
    g = _, _
    
    [policy_effect]
    e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
    
    [matchers]
    m = g(r.sub, p.sub) && keyMatch2(r.obj, p.obj) && regexMatch(r.act, p.act)
    

    Your policy:

    p, alice1, /alice_data, (GET)|(POST), allow
    p, alice2, /alice_data/:id, (GET)|(PUT)|(DELETE), allow
    p, bob1, /bob_data, (GET)|(POST), allow
    p, bob2, /bob_data/:id, (GET)|(PUT)|(DELETE), allow
    
    g, alice, (alice1)|(alice2)
    g, other, bob1
    

    Your request(s):

    alice, /alice_data, GET ---> false (expected: true)
    other, /bob_data, POST ---> true (ok)
    
    question 
    opened by itgelo 22
  • [Question] What is the best model for policy Inheritance

    [Question] What is the best model for policy Inheritance

    Want to prioritize this issue? Try:

    issuehunt-to-marktext


    What's your scenario? What do you want to achieve? We are trying to build an authorization system for an SaaS platform. On that platform, there will be hierarchy organizational structure which is looks like this

    image or can be this image

    The Admin of parent org can have the same policy on the children organization data.

    I have tried to follow some examples in this https://github.com/casbin/casbin/issues/99 But it seems having an issue regarding policy inheritance. There are so many unnecessary policy need to be created. So do you guys have any suggestion for such business model? Thank you so much.

    question 
    opened by nguyenpc 2
  • Optimize the performance when listing permissions

    Optimize the performance when listing permissions

    We need to analyze the user scenario and see how to optimize the performance.

    1. https://github.com/devtron-labs/devtron/issues/596
    2. https://github.com/devtron-labs/devtron/pull/598
    enhancement 
    opened by hsluoyz 3
  • Support Casbin as a new policy engine for CoreDNS policy plugin

    Support Casbin as a new policy engine for CoreDNS policy plugin

    We need to add a Casbin policy engine to: https://github.com/coredns/policy#policy-engine-plugins by making a PR to their repo.

    image

    enhancement 
    opened by hsluoyz 5
  • fix: ptype chosing for GetImplicitRolesForUser

    fix: ptype chosing for GetImplicitRolesForUser

    opened by closetool 0
Releases(v2.37.2)
Owner
Casbin
Casbin authorization library and the official middlewares
Casbin
Minimalistic RBAC package for Go applications

RBAC Overview RBAC is a package that makes it easy to implement Role Based Access Control (RBAC) models in Go applications. Download To download this

Zack Patrick 83 Sep 12, 2021
A standalone, specification-compliant, OAuth2 server written in Golang.

Go OAuth2 Server This service implements OAuth 2.0 specification. Excerpts from the specification are included in this README file to describe differe

Richard Knop 1.8k Sep 16, 2021
goRBAC provides a lightweight role-based access control (RBAC) implementation in Golang.

goRBAC goRBAC provides a lightweight role-based access control implementation in Golang. For the purposes of this package: * an identity has one or mo

Xing 1.2k Sep 23, 2021
Generate K8s RBAC policies based on e2e test runs

rbac-audit Have you ever wondered whether your controller actually needs all the permissions it has granted to it? Wonder no more! This repo contains

Jason Hall 28 Aug 2, 2021
OAuth 2.0 middleware service for chi (ported from gin by community member)

oauth middleware OAuth 2.0 Authorization Server & Authorization Middleware for go-chi This library was ported to go-chi from https://github.com/maxzer

go-chi 9 Sep 23, 2021
The easiest JWT library to GO

JWT Go The easiest JWT Library that could be a starting point for your project. Installation go get github.com/supanadit/jwt-go Quick Start package ma

Supan Adit Pratama 16 Apr 21, 2021
RBAC scaffolding based on Gin + Gorm+ Casbin + Wire

Gin Admin 基于 GIN + GORM + CASBIN + WIRE 实现的RBAC权限管理脚手架,目的是提供一套轻量的中后台开发框架,方便、快速的完成业务需求的开发。 特性 遵循 RESTful API 设计规范 & 基于接口的编程规范 基于 GIN 框架,提供了丰富的中间件支持(JWT

Lyric 1.7k Sep 25, 2021
ACL, RBAC, ABAC authorization middleware for KubeSphere

casbin-kubesphere-auth Casbin-kubesphere-auth is a plugin which apply several security authentication check on kubesphere via casbin. This plugin supp

Casbin 3 Sep 8, 2021
BK-IAM is a centralized permission management service provided by The Tencent BlueKing; based on ABAC

(English Documents Available) Overview 蓝鲸权限中心(BK-IAM)是蓝鲸智云提供的集中权限管理服务,支持基于蓝鲸开发框架的SaaS和企业第三方系统的权限控制接入,以及支持细粒度的权限管理。 架构设计 代码目录 Features 蓝鲸权限中心是基于 ABAC 强

腾讯蓝鲸 16 Sep 17, 2021
Authentication server for Docker Registry 2

The original Docker Registry server (v1) did not provide any support for authentication or authorization. Access control had to be performed externally, typically by deploying Nginx in the reverse proxy mode with Basic or other type of authentication. While performing simple user authentication is pretty straightforward, performing more fine-grained access control was cumbersome.

Cesanta Software 1k Sep 24, 2021
an SSO and OAuth / OIDC login solution for Nginx using the auth_request module

Vouch Proxy An SSO solution for Nginx using the auth_request module. Vouch Proxy can protect all of your websites at once. Vouch Proxy supports many O

Vouch 1.5k Sep 21, 2021
The boss of http auth.

Authboss Authboss is a modular authentication system for the web. It has several modules that represent authentication and authorization features that

Volatile Technologies Inc. 2.8k Sep 14, 2021
基于 Echo + Gorm + Casbin + Uber-FX 实现的 RBAC 权限管理脚手架,致力于提供一套尽可能轻量且优雅的中后台解决方案。

Echo-Admin 基于 Echo + Gorm + Casbin + Uber-FX 实现的 RBAC 权限管理脚手架,致力于提供一套尽可能轻量且优雅的中后台解决方案。 English | 简体中文 特性 遵循 RESTful API 设计规范 基于 Echo API 框架,提供了丰富的中间件支

LiuSha 140 Sep 17, 2021
beego 与 Ant Design Pro Vue 基础权限系统

beego Ant Design Pro Vue RBAC beego 与 Ant Design Pro Vue 基础权限系统 后端: http://beego.me ORM: gorm https://gorm.io/zh_CN/docs/ Ant Design Pro Vue文档: https:

null 38 Jul 2, 2021
Go + Vue开发的管理系统脚手架, 前后端分离, 仅包含项目开发的必需部分, 基于角色的访问控制(RBAC), 分包合理, 精简易于扩展。 后端Go包含了gin、 gorm、 jwt和casbin等的使用, 前端Vue基于vue-element-admin开发

go-web-mini Go + Vue开发的管理系统脚手架, 前后端分离, 仅包含项目开发的必需部分, 基于角色的访问控制(RBAC), 分包合理, 精简易于扩展。 后端Go包含了gin、 gorm、 jwt和casbin等的使用, 前端Vue基于vue-element-admin开发: http

gnimli 17 Sep 9, 2021
Certificate authority and access plane for SSH, Kubernetes, web applications, and databases

Teleport is an identity-aware, multi-protocol access proxy which understands SSH, HTTPS, Kubernetes API, MySQL and PostgreSQL wire protocols.

Teleport 10k Sep 15, 2021
A proxy that authorizes and enforces a given label in a given PromQL query

prom-authzed-proxy prom-authzed-proxy is a proxy for Prometheus that authorizes the request's Bearer Token with Authzed and enforces a label in a Prom

authzed 20 Aug 30, 2021
⛩️ Go library for protecting HTTP handlers with authorization bearer token.

G8, pronounced Gate, is a simple Go library for protecting HTTP handlers with tokens. Tired of constantly re-implementing a security layer for each

Chris C. 28 Aug 6, 2021
Golang Skeleton With Fully Managed Versions For Kick Start GoLang Project Development

Golang Skeleton With Fully Managed Versions For Kick Start GoLang Project Development There is no doubt that Golang’s good documentation and intellige

MindInventory 261 Sep 21, 2021