Role Based Access Control (RBAC) with database persistence

Overview

Authority

Role Based Access Control (RBAC) Go package with database persistence

Install

First get authority

go get github.com/harranali/authority

Next get the database driver for gorm that you will be using

# mysql 
go get gorm.io/driver/mysql 
# or postgres
go get gorm.io/driver/postgres
# or sqlite
go get gorm.io/driver/sqlite
# or sqlserver
go get gorm.io/driver/sqlserver
# or clickhouse
go get gorm.io/driver/clickhouse

Usage

To initiate authority you need to pass two values: the first is the prefix for the database table names, the second is an instance of gorm.

import (
    "log"

    "github.com/harranali/authority"
    "gorm.io/driver/mysql"
    "gorm.io/gorm"
)

// initiate the database (using mysql); dbuser/dbpass are placeholder credentials
dsn := "dbuser:dbpass@tcp(127.0.0.1:3306)/dbname?charset=utf8mb4&parseTime=True&loc=Local"
db, err := gorm.Open(mysql.Open(dsn), &gorm.Config{})
if err != nil {
    log.Fatal(err) // do not continue without a database connection
}

// initiate authority
auth := authority.New(authority.Options{
    TablesPrefix: "authority_",
    DB:           db,
})

// create role
err = auth.CreateRole("role-1")

// create permissions
err = auth.CreatePermission("permission-1")
err = auth.CreatePermission("permission-2")
err = auth.CreatePermission("permission-3")

// assign the permissions to the role
err = auth.AssignPermissions("role-1", []string{
    "permission-1",
    "permission-2",
    "permission-3",
})

// assign a role to user (user id)
err = auth.AssignRole(1, "role-1")

// check if the user has a given role
ok, err := auth.CheckRole(1, "role-1")

// check if a user has a given permission
ok, err = auth.CheckPermission(1, "permission-1")

// check if a role has a given permission
ok, err = auth.CheckRolePermission("role-1", "permission-1")

Docs

func New(opts Options) *Authority

New initiates authority

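// dbuser/dbpass are placeholder credentials
dsn := "dbuser:dbpass@tcp(127.0.0.1:3306)/dbname?charset=utf8mb4&parseTime=True&loc=Local"
db, err := gorm.Open(mysql.Open(dsn), &gorm.Config{})
if err != nil {
    panic(err) // do not initiate authority without a database connection
}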

auth := authority.New(authority.Options{
    TablesPrefix: "authority_",
    DB:           db,
})

func Resolve() *Authority

Resolve returns the initiated instance

auth := authority.Resolve()

func (a *Authority) CreateRole(roleName string) error

CreateRole stores a role in the database. It accepts the role name and returns an error if one occurs.

// create role
err := auth.CreateRole("role-1")

func (a *Authority) CreatePermission(permName string) error

CreatePermission stores a permission in the database. It accepts the permission name and returns an error if one occurs.

// create permissions
err := auth.CreatePermission("permission-1")
err = auth.CreatePermission("permission-2")
err = auth.CreatePermission("permission-3")

func (a *Authority) AssignPermissions(roleName string, permNames []string) error

AssignPermissions assigns a group of permissions to a given role. The first parameter is the role name; an error is returned if there is no matching record for the role name in the database. The second parameter is a slice of strings representing the permissions to be assigned to the role. If any of these permissions doesn't have a matching record in the database, the operation stops, the changes are reverted and an error is returned. On success nothing is returned.

// assign the permissions to the role
err := auth.AssignPermissions("role-1", []string{
    "permission-1",
    "permission-2",
    "permission-3",
})

func (a *Authority) AssignRole(userID uint, roleName string) error

AssignRole assigns a given role to a user. The first parameter is the user id, the second parameter is the role name. If the role name doesn't have a matching record in the database, an error is returned. If the user already has a role assigned, an error is returned.

// assign a role to user (user id) 
err = auth.AssignRole(1, "role-a")

func (a *Authority) CheckRole(userID uint, roleName string) (bool, error)

CheckRole checks if a role is assigned to a user. It accepts the user id as the first parameter and the role as the second parameter. It returns an error if the role is not present in the database.

// check if the user has a given role
ok, err := auth.CheckRole(1, "role-a")

func (a *Authority) CheckPermission(userID uint, permName string) (bool, error)

CheckPermission checks if a permission is assigned to a user. It accepts the user id as the first parameter and the permission as the second parameter. It returns an error if the user doesn't have a role assigned, if the user's role doesn't have the permission assigned, or if the permission is not present in the database.

// check if a user has a given permission
ok, err := auth.CheckPermission(1, "permission-d")
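
Because CheckPermission reports a missing role or permission as an error, callers should treat an error and a false result the same way: deny. The following HTTP middleware is an added example, not code from the authority package; `PermissionChecker`, `stubChecker`, `demo`, `Require`, `StatusFor` and the `authn` hook are hypothetical names, and the in-memory stub stands in for the database-backed `*authority.Authority`.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// PermissionChecker mirrors the CheckPermission signature documented above.
type PermissionChecker interface{ CheckPermission(userID uint, permName string) (bool, error) }

// stubChecker is a constructed in-memory stand-in for the database-backed checker.
type stubChecker map[uint]map[string]bool
var demo = stubChecker{1: {"permission-1": true}} // constructed: only user 1 holds permission-1

func (s stubChecker) CheckPermission(userID uint, permName string) (bool, error) {
	if !s[userID][permName] { // a missing user yields a nil inner map, which reads as false
		return false, errors.New("no role assigned, or role lacks the permission")
	}
	return true, nil
}

// Require runs next only when the user returned by authn (a hypothetical session-lookup hook) holds perm.
func Require(c PermissionChecker, perm string, authn func(*http.Request) (uint, bool), next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		uid, ok := authn(r)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		// Fail closed: an error from the checker is a deny, never a pass-through.
		if allowed, err := c.CheckPermission(uid, perm); err != nil || !allowed {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor sends one constructed request through Require and returns the HTTP status.
func StatusFor(c PermissionChecker, perm string, uid uint, authed bool) int {
	authn := func(*http.Request) (uint, bool) { return uid, authed }
	next := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	Require(c, perm, authn, next).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Code
}

func main() { fmt.Println(StatusFor(demo, "permission-1", 1, true), StatusFor(demo, "permission-2", 1, true)) }
```
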

func (a *Authority) CheckRolePermission(roleName string, permName string) (bool, error)

CheckRolePermission checks if a role has the permission assigned. It accepts the role as the first parameter and the permission as the second parameter. It returns an error if the role is not present in the database, or if the permission is not present in the database.

// check if a role has a given permission
ok, err := auth.CheckRolePermission("role-a", "permission-a")

func (a *Authority) RevokeRole(userID uint, roleName string) error

RevokeRole revokes a user's role. It returns an error if one occurs.

err = auth.RevokeRole(1, "role-a")

func (a *Authority) RevokePermission(userID uint, permName string) error

RevokePermission revokes a permission from the user's assigned role. It returns an error if one occurs.

err = auth.RevokePermission(1, "permission-a")

func (a *Authority) RevokeRolePermission(roleName string, permName string) error

RevokeRolePermission revokes a permission from a given role. It returns an error if one occurs.

err = auth.RevokeRolePermission("role-a", "permission-a")

func (a *Authority) GetRoles() ([]string, error)

GetRoles returns all stored roles

roles, err := auth.GetRoles()

func (a *Authority) GetPermissions() ([]string, error)

GetPermissions returns all stored permissions

permissions, err := auth.GetPermissions()

func (a *Authority) DeleteRole(roleName string) error

DeleteRole deletes a given role. If the role is assigned to a user, it returns an error.

err := auth.DeleteRole("role-b")

func (a *Authority) DeletePermission(permName string) error

DeletePermission deletes a given permission. If the permission is assigned to a role, it returns an error.

err := auth.DeletePermission("permission-c")
Issues
  • multi-role support

    Hello,

    I've started using this project and it's very helpful, thank you.

    How do you feel about support for multiple roles per user? I think this is generally how RBAC works (for example these descriptions: https://auth0.com/docs/authorization/rbac#overlapping-role-assignments, https://searchsecurity.techtarget.com/definition/role-based-access-control-RBAC).

    If a user can only have a single role the permissions for that role will need to be customized for that user which removes some of the benefit of RBAC (vs. just using user based access).

    Are there plans to add support for this or would you be open to a PR that adds it?

    Thanks!

    opened by bhainesva 3
  • Change go.mod package to use new major version

    Currently we can't just run go get github.com/harranali/authority and get the latest version. We should update the package to include the new major version: https://golang.cafe/blog/how-to-upgrade-to-a-major-version-in-go.html

    opened by asafalima 1
Releases(v2.0.1)