
RBAC with Pattern

Quick Start

  • Use pattern matching in g(_, _):

    e, _ := NewEnforcer("./example.conf", "./example.csv")
    e.AddNamedMatchingFunc("g", "KeyMatch2", util.KeyMatch2)
  • Use pattern matching with domains:

    e.AddNamedDomainMatchingFunc("g", "KeyMatch2", util.KeyMatch2)
  • Use both patterns together:

    Simply combine both API calls.

After creating the enforcer instance, activate pattern matching using the AddNamedMatchingFunc and AddNamedDomainMatchingFunc APIs. These determine how the pattern matching is performed.

note

If using the online editor, add a pattern matching function by clicking the "Add Role Matching" button in the lower left corner.

Use pattern matching in RBAC

Sometimes you want subjects, objects, or domains with a specific pattern to automatically inherit a role. Pattern matching functions in RBAC enable this behavior. These functions share the same parameters and return values as the matcher functions.

Pattern matching functions work with each parameter of g.

Normally, RBAC is expressed as g(r.sub, p.sub) in a matcher. You can then use policies like:

p, alice, book_group, read
g, /book/1, book_group
g, /book/2, book_group

In this case, alice can read all books, including book 1 and book 2. However, with thousands of books, adding each one individually to the book role or group with a separate g policy becomes tedious.

With pattern matching functions, you can write the policy in a single line:

g, /book/:id, book_group

Casbin automatically matches /book/1 and /book/2 to the pattern /book/:id. You just need to register the function with the enforcer:

e.AddNamedMatchingFunc("g", "KeyMatch2", util.KeyMatch2)
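To see which objects a pattern line such as `g, /book/:id, book_group` pulls into a role, the following added example (not Casbin's own code) resolves the policy above with only the Go standard library. The `keyMatch2Like` function is a simplified stand-in for `util.KeyMatch2`, and the matcher `r.sub == p.sub && g(r.obj, p.obj) && r.act == p.act`, the type names and the sample paths are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var paramRe = regexp.MustCompile(`:[^/]+`) // ":id"-style path parameters

// keyMatch2Like is a simplified stand-in for util.KeyMatch2 (assumed
// semantics): ":id" matches exactly one path segment, "/*" matches the rest
// of the path, and the whole key has to match.
func keyMatch2Like(key, pattern string) bool {
	expr := regexp.QuoteMeta(pattern)
	expr = strings.ReplaceAll(expr, `/\*`, "/.*")
	expr = paramRe.ReplaceAllString(expr, "[^/]+")
	ok, err := regexp.MatchString("^"+expr+"$", key)
	return err == nil && ok
}

type grouping struct{ pattern, role string } // one "g" line
type policy struct{ sub, obj, act string }   // one "p" line

// enforce assumes the matcher
// r.sub == p.sub && g(r.obj, p.obj) && r.act == p.act (hypothetical model).
func enforce(gs []grouping, ps []policy, sub, obj, act string) bool {
	for _, p := range ps {
		if p.sub != sub || p.act != act {
			continue
		}
		for _, g := range gs {
			if g.role == p.obj && keyMatch2Like(obj, g.pattern) {
				return true
			}
		}
	}
	return false
}

// Constructed policy mirroring the page: one pattern line replaces per-book lines.
var gs = []grouping{{"/book/:id", "book_group"}}
var ps = []policy{{"alice", "book_group", "read"}}

func main() {
	for _, obj := range []string{"/book/1", "/book/2", "/book/1/notes", "/books/1", "/book/"} {
		fmt.Printf("%-14s read=%v\n", obj, enforce(gs, ps, "alice", obj, "read"))
	}
}
```

Every string that matches the pattern inherits the role, so a table of expected allow and deny results like this one is worth keeping as a regression test against the real enforcer.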

When using pattern matching with domains, register the function with both the enforcer and the model:

e.AddNamedDomainMatchingFunc("g", "KeyMatch2", util.KeyMatch2)

If you're unclear about the meaning of g(r.sub, p.sub, r.dom), refer to rbac-with-domains. In brief, g(r.sub, p.sub, r.dom) checks whether user r.sub has role p.sub in domain r.dom. For a complete example, see here.

note

Pattern matching with domains supports custom domain token names. Instead of dom, you can use any identifier like tenant or workspace. Casbin automatically detects the domain token name from your model definition when using pattern matching functions like keyMatch.

You can also use pure domain patterns in addition to the pattern matching syntax shown above.

For example, to grant sub access across different domains like domain1 and domain2, use pure domain patterns:

p, admin, domain1, data1, read
p, admin, domain1, data1, write
p, admin, domain2, data2, read
p, admin, domain2, data2, write

g, alice, admin, *
g, bob, admin, domain2

Here, alice can read and write data in both domain1 and domain2. The wildcard * in g grants alice access across both domains.

Pattern matching is particularly useful in complex scenarios with many domains or objects, where it lets you write the policy definition more concisely and effectively.