goRBAC provides a lightweight role-based access control (RBAC) implementation in Golang.

Overview

goRBAC

Build Status GoDoc Coverage Status

goRBAC provides a lightweight role-based access control implementation in Golang.

For the purposes of this package:

* an identity has one or more roles.
* a role requests access to a permission.
* a permission is given to a role.

Thus, RBAC has the following model:

* many to many relationship between identities and roles.
* many to many relationship between roles and permissions.
* roles can have a parent role (inheriting permissions).

Version

Currently, goRBAC has two versions:

Version 1 is the original design which will only be mantained to fix bugs.

Version 2 is the new design which will be continually mantained with a stable API.

The master branch will be under development with a new API and can be changed without notice.

Install

Install the package:

$ go get github.com/mikespook/gorbac

Usage

Although you can adjust the RBAC instance anytime and it's absolutely safe, the library is designed for use with two phases:

  1. Preparing

  2. Checking

Preparing

Import the library:

import "github.com/mikespook/gorbac"

Get a new instance of RBAC:

rbac := gorbac.New()

Get some new roles:

rA := gorbac.NewStdRole("role-a")
rB := gorbac.NewStdRole("role-b")
rC := gorbac.NewStdRole("role-c")
rD := gorbac.NewStdRole("role-d")
rE := gorbac.NewStdRole("role-e")

Get some new permissions:

pA := gorbac.NewStdPermission("permission-a")
pB := gorbac.NewStdPermission("permission-b")
pC := gorbac.NewStdPermission("permission-c")
pD := gorbac.NewStdPermission("permission-d")
pE := gorbac.NewStdPermission("permission-e")

Add the permissions to roles:

rA.Assign(pA)
rB.Assign(pB)
rC.Assign(pC)
rD.Assign(pD)
rE.Assign(pE)

Also, you can implement gorbac.Role and gorbac.Permission for your own data structure.

After initialization, add the roles to the RBAC instance:

rbac.Add(rA)
rbac.Add(rB)
rbac.Add(rC)
rbac.Add(rD)
rbac.Add(rE)

And set the inheritance:

rbac.SetParent("role-a", "role-b")
rbac.SetParents("role-b", []string{"role-c", "role-d"})
rbac.SetParent("role-e", "role-d")

Checking

Checking the permission is easy:

if rbac.IsGranted("role-a", pA, nil) &&
	rbac.IsGranted("role-a", pB, nil) &&
	rbac.IsGranted("role-a", pC, nil) &&
	rbac.IsGranted("role-a", pD, nil) {
	fmt.Println("The role-a has been granted permis-a, b, c and d.")
}

And there are some built-in util-functions: InherCircle, AnyGranted, AllGranted. Please open an issue for the new built-in requirement.

E.g.:

rbac.SetParent("role-c", "role-a")
if err := gorbac.InherCircle(rbac); err != nil {
	fmt.Println("A circle inheratance occurred.")
}

Persistence

The most asked question is how to persist the goRBAC instance. Please check the post HOW TO PERSIST GORBAC INSTANCE for the details.

Patches

2016-03-03

gofmt -w -r 'AssignPermission -> Assign' .
gofmt -w -r 'RevokePermission -> Revoke' .

Authors

Open Source - MIT Software License

See LICENSE.

Issues
  • Support parameterized RBAC

    Support parameterized RBAC

    It would be nice to support parameterized RBAC. This would allow the ability to define fine-grained roles and permissions to support things like object level permissions and roles.

    Here's a django implementation: https://github.com/dimagi/django-prbac

    opened by F21 6
  • Question: multiple roles?

    Question: multiple roles?

    Just wanted to ask if you have any plans of supporting multiple roles in the permission check? For example by sending in a slice of roles. How will that work with the parenting system?

    According to the Wikipedia article on RBAC that seems like a common use case: http://en.wikipedia.org/wiki/Role-based_access_control

    opened by maxekman 6
  • Use casbin as a storage backend

    Use casbin as a storage backend

    Hi mikespook, I'm Yang Luo, the author of casbin. It is an authorization library that supports models like MAC, RBAC, ABAC.

    I'm lucky to find the gorbac project when searching authorization in Go:) Compared to gorbac, casbin is more low-level and doesn't provide a friendly RBAC interface as gorbac. But it provides permission storage via file, DB. And I found that currently gorbac's persistence is still not perfect. So what do you think of using casbin as a storage backend for gorbac? Of course it's better if you want to use it as the enforcement engine too. Looking forward to your reply.

    opened by hsluoyz 2
  • Support returning error to AddPermission

    Support returning error to AddPermission

    I have a particular use case where errors may be introduced when performing an AddPermission. I would like to propose a list change to the interface from AddPermission(string) to AddPermission(string) error. Any thoughts?

    opened by euforia 2
  • Add

    Add "rank" and "description" fields for roles

    Hi!, For my project, i need two fields: rank and description. Rank is used for sort the roles in map without alter the name field of role (for example, show all roles sorted by rank to other administrators of a website). And "description" is used for info about of role (for example, for other administrators of a website know that makes each role.)

    opened by emilgpa 2
  • Error handling now done correctly

    Error handling now done correctly

    https://github.com/mikespook/gorbac/blob/a989d0e80a235460ebe9e8f2e7971e9ed948db88/permission.go#L32

    api:runtime error: invalid memory address or nil pointer dereference github.com/mikespook/gorbac/permission.go:33 github.com/mikespook/gorbac/role.go:53 github.com/mikespook/gorbac/rbac.go:199 github.com/mikespook/gorbac/rbac.go:194 github.com/mikespook/gorbac/helper.go:78

    opened by virajindasrao 1
  • Role Interface is way outdated

    Role Interface is way outdated

    type Role interface {
    	ID() string
    	Permit(Permission) bool
    }
    

    This Interface should list all the methods StdRole struct has, otherwise we have to keep on doing typecasting. For example https://godoc.org/github.com/mikespook/gorbac#RBAC.Get method returns object of type Role. If you want to assign a permission to it, you have to first typecast to StdRole, as func Assign(...) is not listed in the above mentioned interface

    I feel this related issue was wrong closed https://github.com/mikespook/gorbac/issues/12

    opened by low-on-mana 1
  • compile error

    compile error

    here are the error info

    go get github.com/mikespook/gorbac
    
    # github.com/mikespook/gorbac
    dev/golang/3rdLibs/src/github.com/mikespook/gorbac/role.go:107: p.Name undefined (type Permission has no field or method Name)
    dev/golang/3rdLibs/src/github.com/mikespook/gorbac/role.go:120: p.Name undefined (type Permission has no field or method Name)
    dev/golang/3rdLibs/src/github.com/mikespook/gorbac/role.go:126: rp.Has undefined (type Permission has no field or method Has)
    dev/golang/3rdLibs/src/github.com/mikespook/gorbac/role.go:144: p.Name undefined (type Permission has no field or method Name)
    
    opened by ziyouchutuwenwu 1
  • Multilevel permissions

    Multilevel permissions

    I am working on a API that involves interacting with models in a database. Users have either guest owner or admin roles on the data and have create, read, update and delete permissions on the data. Each of those is different for each model and each model only allows access to specific fields.

    Example: user model has full CRUD but only certain fields can be directly manipulated by owners and there are only read permissions on some minimal values for guest. How would I go about using gorbac for my use case?

    opened by abrykajlo 1
  • SQL backed RBAC

    SQL backed RBAC

    Maybe this is possible and I am just not clear on how I would implement it. Is it possible for me to save/load my role and permission data out of a mysql database (or another type of DB)?

    opened by swill 1
  • go test fails in windows

    go test fails in windows

    Error - c:\Data\Project\Go_workspace\src\github.com\mikespook\gorbac>go test

    github.com/mikespook/gorbac

    C:\Data\Project\Go_workspace\src\github.com\mikespook\gorbac\rbac_test.go:5: import "github.com/mike spook/gorbac" while compiling that package (import cycle) FAIL github.com/mikespook/gorbac [build failed]

    opened by echaz 1
  • Deadlock when calling IsGranted from within Walk

    Deadlock when calling IsGranted from within Walk

    Hi,

    I wrote a simple function to test my use of the package and discovered that if one calls IsGranted from within the Walk handler function, the code hangs. Looking into the code it looks like a deadlock. Would it be possible to expose a non locking version of IsGranted (basically the existing private isGranted).

    Cheers, Shmul

    opened by shmul 5
  • why not return error when setting parents if there is a circle error

    why not return error when setting parents if there is a circle error

    Several advices:

    • SetParent, if you set 1 to a, then a == 1, but SetParent is more like AddParent
    • If there are some potential circle errors, they should be thrown immediately rather than at runtime
    enhancement 
    opened by nullne 2
Releases(2.2.0)
Owner
Xing
Xing
An authorization library that supports access control models like ACL, RBAC, ABAC in Golang

Casbin News: still worry about how to write the correct Casbin policy? Casbin online editor is coming to help! Try it at: https://casbin.org/editor/ C

Casbin 11.9k May 13, 2022
An authorization library that supports access control models like ACL, RBAC, ABAC in Golang

Casbin News: still worry about how to write the correct Casbin policy? Casbin online editor is coming to help! Try it at: https://casbin.org/editor/ C

Casbin 11.9k May 11, 2022
🔑 Authz0 is an automated authorization test tool. Unauthorized access can be identified based on URL and Role.

Authz0 is an automated authorization test tool. Unauthorized access can be identified based on URL and Role. URLs and Roles are managed as YAML-based

HAHWUL 255 May 13, 2022
A practical RBAC implementation

RBAC This project contains a practical RBAC implementation by Golang. It's actually a demo now. With in-memory storage, no database or file storage ye

Max Xu 0 Dec 1, 2021
RBAC scaffolding based on Gin + Gorm+ Casbin + Wire

Gin Admin 基于 GIN + GORM + CASBIN + WIRE 实现的RBAC权限管理脚手架,目的是提供一套轻量的中后台开发框架,方便、快速的完成业务需求的开发。 特性 遵循 RESTful API 设计规范 & 基于接口的编程规范 基于 GIN 框架,提供了丰富的中间件支持(JWT

Lyric 2k May 16, 2022
Generate K8s RBAC policies based on e2e test runs

rbac-audit Have you ever wondered whether your controller actually needs all the permissions it has granted to it? Wonder no more! This repo contains

Jason Hall 28 Aug 2, 2021
Minimalistic RBAC package for Go applications

RBAC Overview RBAC is a package that makes it easy to implement Role Based Access Control (RBAC) models in Go applications. Download To download this

Zack Patrick 95 Apr 22, 2022
Go + Vue开发的管理系统脚手架, 前后端分离, 仅包含项目开发的必需部分, 基于角色的访问控制(RBAC), 分包合理, 精简易于扩展。 后端Go包含了gin、 gorm、 jwt和casbin等的使用, 前端Vue基于vue-element-admin开发

go-web-mini Go + Vue开发的管理系统脚手架, 前后端分离, 仅包含项目开发的必需部分, 基于角色的访问控制(RBAC), 分包合理, 精简易于扩展。 后端Go包含了gin、 gorm、 jwt和casbin等的使用, 前端Vue基于vue-element-admin开发: http

gnimli 41 May 10, 2022
YSHOP-GO基于当前流行技术组合的前后端RBAC管理系统:Go1.15.x+Beego2.x+Jwt+Redis+Mysql8+Vue 的前后端分离系统,权限控制采用 RBAC,支持数据字典与数据权限管理,支持动态路由等

YSHOP-GO 后台管理系统 项目简介 YSHOP-GO基于当前流行技术组合的前后端RBAC管理系统:Go1.15.x+Beego2.x+Jwt+Redis+Mysql8+Vue 的前后端分离系统,权限控制采用 RBAC,支持数据字典与数据权限管理,支持动态路由等 体验地址: https://go

null 94 May 10, 2022
基于 Echo + Gorm + Casbin + Uber-FX 实现的 RBAC 权限管理脚手架,致力于提供一套尽可能轻量且优雅的中后台解决方案。

Echo-Admin 基于 Echo + Gorm + Casbin + Uber-FX 实现的 RBAC 权限管理脚手架,致力于提供一套尽可能轻量且优雅的中后台解决方案。 English | 简体中文 特性 遵循 RESTful API 设计规范 基于 Echo API 框架,提供了丰富的中间件支

LiuSha 68 May 11, 2022
ACL, RBAC, ABAC authorization middleware for KubeSphere

casbin-kubesphere-auth Casbin-kubesphere-auth is a plugin which apply several security authentication check on kubesphere via casbin. This plugin supp

Casbin 3 Nov 5, 2021
Incomplete CRUD/RBAC service meant to be a practice for Go

Incomplete CRUD / RBAC Service in Go The repository name means nothing. But your task is to complete this repository on your own to be a functional CR

Teknologi Umum 5 Nov 9, 2021
Authentication service that keeps you in control without forcing you to be an expert in web security.

Authentication service that keeps you in control without forcing you to be an expert in web security.

Keratin 1.1k Apr 30, 2022
Provides AWS STS credentials based on Google Apps SAML SSO auth with interactive GUI support

What's this This command-line tool allows you to acquire AWS temporary (STS) credentials using Google Apps as a federated (Single Sign-On, or SSO) pro

Quan Hoang 30 Apr 29, 2022
Certificate authority and access plane for SSH, Kubernetes, web applications, and databases

Teleport is an identity-aware, multi-protocol access proxy which understands SSH, HTTPS, Kubernetes API, MySQL and PostgreSQL wire protocols.

Teleport 11.7k May 12, 2022
Key-Checker - Go scripts for checking API key / access token validity

Key-Checker Go scripts for checking API key / access token validity Update V1.0.0 ?? Added 37 checkers! Screenshoot ?? How to Install go get github.co

Muhammad Daffa 184 May 11, 2022
Prevent unauthorised access of public endpoints by for example bots or bad clients.

Anonymus API Auth Provider Inspired by: https://hackernoon.com/improve-the-security-of-api-keys-v5kp3wdu Architecture The basic idea is, to prevent un

Tobias Meinhardt 1 Nov 28, 2021
Prevent unauthorised access of public endpoints by for example bots or bad clients.

Anonymous API Auth Provider Inspired by: https://hackernoon.com/improve-the-security-of-api-keys-v5kp3wdu Architecture The basic idea is, to prevent u

Tobias Meinhardt 1 Nov 28, 2021
Microservice generates pair of access and refresh JSON web tokens signed by user identifier.

go-jwt-issuer Microservice generates pair access and refresh JSON web tokens signed by user identifier. ?? Deployed on Heroku Run tests: export SECRET

Oleksii Velychko 27 Apr 14, 2022