goRBAC provides a lightweight role-based access control implementation in Golang.
For the purposes of this package:
* an identity has one or more roles.
* a role requests access to a permission.
* a permission is given to a role.
Thus, RBAC has the following model:
* many to many relationship between identities and roles.
* many to many relationship between roles and permissions.
* roles can have a parent role (inheriting permissions).
Currently, goRBAC has two versions:
* Version 1 is the original design, which will only be maintained to fix bugs.
* Version 2 is the new design, which will be continually maintained with a stable API.
The master branch will be under development with a new API and can be changed without notice.
Install the package:
$ go get github.com/mikespook/gorbac
Although you can adjust the RBAC instance at any time and doing so is absolutely safe, the library is designed to be used in two phases:
* Preparing
* Checking
Import the library:
import "github.com/mikespook/gorbac"
Get a new instance of RBAC:
rbac := gorbac.New()
Get some new roles:
rA := gorbac.NewStdRole("role-a")
rB := gorbac.NewStdRole("role-b")
rC := gorbac.NewStdRole("role-c")
rD := gorbac.NewStdRole("role-d")
rE := gorbac.NewStdRole("role-e")
Get some new permissions:
pA := gorbac.NewStdPermission("permission-a")
pB := gorbac.NewStdPermission("permission-b")
pC := gorbac.NewStdPermission("permission-c")
pD := gorbac.NewStdPermission("permission-d")
pE := gorbac.NewStdPermission("permission-e")
Add the permissions to roles:
rA.Assign(pA)
rB.Assign(pB)
rC.Assign(pC)
rD.Assign(pD)
rE.Assign(pE)
Also, you can implement gorbac.Role and gorbac.Permission for your own data structure.
After initialization, add the roles to the RBAC instance:
rbac.Add(rA)
rbac.Add(rB)
rbac.Add(rC)
rbac.Add(rD)
rbac.Add(rE)
And set the inheritance:
rbac.SetParent("role-a", "role-b")
rbac.SetParents("role-b", []string{"role-c", "role-d"})
rbac.SetParent("role-e", "role-d")
Checking the permission is easy:
if rbac.IsGranted("role-a", pA, nil) &&
	rbac.IsGranted("role-a", pB, nil) &&
	rbac.IsGranted("role-a", pC, nil) &&
	rbac.IsGranted("role-a", pD, nil) {
	fmt.Println("The role-a has been granted permis-a, b, c and d.")
}
There are also some built-in utility functions: InherCircle, AnyGranted and AllGranted. Please open an issue if you need another built-in function.
E.g.:
rbac.SetParent("role-c", "role-a")
if err := gorbac.InherCircle(rbac); err != nil {
	fmt.Println("A circular inheritance occurred.")
}
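The inheritance model and the circular-inheritance check above, as an added stand-alone sketch that uses only the standard library and shows which permissions each role effectively holds. It is not goRBAC's own code: Graph, Resolve, HasCycle and ReadmeGraph are hypothetical names introduced here, and the sample graph is constructed from the roles and parent links in this README.

```go
package main

import "fmt"

// Graph maps each role to its direct permissions and to the roles it inherits from.
type Graph struct{ Perms, Parents map[string][]string }

// Resolve returns role's direct and inherited permissions and whether its parents loop back to it.
func (g Graph) Resolve(role string) (map[string]bool, bool) {
	perms, seen, cyclic := map[string]bool{}, map[string]bool{}, false
	for q := []string{role}; len(q) > 0; q = q[1:] {
		if seen[q[0]] { // already expanded: stops loops and repeated diamonds
			cyclic = cyclic || q[0] == role
			continue
		}
		seen[q[0]] = true
		for _, p := range g.Perms[q[0]] {
			perms[p] = true
		}
		q = append(q, g.Parents[q[0]]...)
	}
	return perms, cyclic
}

// HasCycle reports whether any role ends up inheriting from itself.
func (g Graph) HasCycle() bool {
	for r := range g.Parents {
		if _, cyclic := g.Resolve(r); cyclic {
			return true
		}
	}
	return false
}

// ReadmeGraph rebuilds the README's five roles and parent links (constructed sample).
func ReadmeGraph() Graph {
	g := Graph{map[string][]string{}, map[string][]string{
		"role-a": {"role-b"}, "role-b": {"role-c", "role-d"}, "role-e": {"role-d"}}}
	for _, s := range []string{"a", "b", "c", "d", "e"} {
		g.Perms["role-"+s] = []string{"permission-" + s}
	}
	return g
}

func main() {
	g := ReadmeGraph()
	fmt.Println(g.Resolve("role-a"))
	g.Parents["role-c"] = []string{"role-a"} // the README's circular example
	fmt.Println(g.Resolve("role-a"))
}
```

Running Resolve over every role before the checking phase gives a reviewable list of effective permissions, which makes unintended grants through a parent link visible.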
The most asked question is how to persist the goRBAC instance. Please check the post HOW TO PERSIST GORBAC INSTANCE for the details.
2016-03-03
gofmt -w -r 'AssignPermission -> Assign' .
gofmt -w -r 'RevokePermission -> Revoke' .
- Xing Xing mikespook@gmail.com Blog @Twitter
See LICENSE.