Skip to main content

RBAC with Pattern

Quick Start

  • Use pattern in g(_, _).

    e, _ := NewEnforcer("./example.conf", "./example.csv")
    e.AddNamedMatchingFunc("g", "KeyMatch2", util.KeyMatch2)

  • Use pattern with domain.

    e.AddNamedDomainMatchingFunc("g", "KeyMatch2", util.KeyMatch2)

  • Use all patterns.

    Just combine the use of both APIs.

As shown above, after you create the enforcer instance, you need to activate pattern matching via the AddNamedMatchingFunc and AddNamedDomainMatchingFunc APIs, which determine how the pattern matches.

note

If you use the online editor, it specifies the pattern matching function in the lower left corner. editor-tips

Use pattern matching in RBAC

Sometimes, you want certain subjects, objects, or domains/tenants with a specific pattern to be automatically granted a role. Pattern matching functions in RBAC can help you do that. A pattern matching function shares the same parameters and return value as the previous matcher function.

The pattern matching function supports each parameter of g.

We know that normally RBAC is expressed as g(r.sub, p.sub) in a matcher. Then we can use a policy like:

p, alice, book_group, read
g, /book/1, book_group
g, /book/2, book_group

So alice can read all books including book 1 and book 2. But there can be thousands of books, and it's very tedious to add each book to the book role (or group) with one g policy rule.

But with pattern matching functions, you can write the policy with only one line:

g, /book/:id, book_group

Casbin will automatically match /book/1 and /book/2 into the pattern /book/:id for you. You only need to register the function with the enforcer like:

e.AddNamedMatchingFunc("g", "KeyMatch2", util.KeyMatch2)

When using a pattern matching function in domains/tenants, you need to register the function with the enforcer and model.

e.AddNamedDomainMatchingFunc("g", "KeyMatch2", util.KeyMatch2)

If you don't understand what g(r.sub, p.sub, r.dom) means, please read rbac-with-domains. In short, g(r.sub, p.sub, r.dom) will check whether the user r.sub has a role p.sub in the domain r.dom. So this is how the matcher works. You can see the full example here.

Apart from the pattern matching syntax above, we can also use pure domain pattern.

For example, if we want sub to have access in different domains, domain1 and domain2, we can use the pure domain pattern:

p, admin, domain1, data1, read
p, admin, domain1, data1, write
p, admin, domain2, data2, read
p, admin, domain2, data2, write

g, alice, admin, *
g, bob, admin, domain2

In this example, we want alice to read and write data in domain1 and domain2. Pattern matching * in g makes alice have access to two domains.

By using pattern matching, especially in scenarios that are more complicated and have a lot of domains or objects to consider, we can implement the policy_definition in a more elegant and effective way.