RBAC with Conditions

条件付きRoleManager

The ConditionalRoleManager allows you to apply custom condition functions at the policy level.

When you need role policies that are valid only under certain conditions—such as time-based temporary roles—you can configure this as shown below:

model.conf

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _, (_, _)

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act

The syntax g = _, _, (_, _) defines a role relationship with additional parameters. The underscores _ serve as placeholders, while the parentheses (_, _) specify the list of arguments that will be passed to the condition function.

policy.csv

p, alice, data1, read
p, data2_admin, data2, write
p, data3_admin, data3, read
p, data4_admin, data4, write
p, data5_admin, data5, read
p, data6_admin, data6, write
p, data7_admin, data7, read
p, data8_admin, data8, write

g, alice, data2_admin, 0000-01-01 00:00:00, 0000-01-02 00:00:00
g, alice, data3_admin, 0000-01-01 00:00:00, 9999-12-30 00:00:00
g, alice, data4_admin, _, _
g, alice, data5_admin, _, 9999-12-30 00:00:00
g, alice, data6_admin, _, 0000-01-02 00:00:00
g, alice, data7_admin, 0000-01-01 00:00:00, _
g, alice, data8_admin, 9999-12-30 00:00:00, _

基本的な使用法

Use AddNamedLinkConditionFunc to attach a condition function to a role policy (of type g). During enforcement, the system automatically retrieves the corresponding parameters and passes them to the condition function. The role policy is considered valid only if the function returns true.

e.AddNamedLinkConditionFunc("g", "alice", "data2_admin", util.TimeMatchFunc)
e.AddNamedLinkConditionFunc("g", "alice", "data3_admin", util.TimeMatchFunc)
e.AddNamedLinkConditionFunc("g", "alice", "data4_admin", util.TimeMatchFunc)
e.AddNamedLinkConditionFunc("g", "alice", "data5_admin", util.TimeMatchFunc)
e.AddNamedLinkConditionFunc("g", "alice", "data6_admin", util.TimeMatchFunc)
e.AddNamedLinkConditionFunc("g", "alice", "data7_admin", util.TimeMatchFunc)
e.AddNamedLinkConditionFunc("g", "alice", "data8_admin", util.TimeMatchFunc)


e.enforce("alice", "data1", "read")     // expect: true
e.enforce("alice", "data2", "write")    // expect: false
e.enforce("alice", "data3", "read")     // expect: true
e.enforce("alice", "data4", "write")    // expect: true
e.enforce("alice", "data5", "read")     // expect: true
e.enforce("alice", "data6", "write")    // expect: false
e.enforce("alice", "data7", "read")     // expect: true
e.enforce("alice", "data8", "write")    // expect: false

カスタム条件関数

Condition functions must follow this signature:

type LinkConditionFunc = func(args ...string) (bool, error)

Example implementation:

// TimeMatchFunc is the wrapper for TimeMatch.
func TimeMatchFunc(args ...string) (bool, error) {
    if err := validateVariadicStringArgs(2, args...); err != nil {
        return false, fmt.Errorf("%s: %s", "TimeMatch", err)
    }
    return TimeMatch(args[0], args[1])
}

// TimeMatch determines whether the current time is between startTime and endTime.
// You can use "_" to indicate that the parameter is ignored
func TimeMatch(startTime, endTime string) (bool, error) {
    now := time.Now()
    if startTime != "_" {
        if start, err := time.Parse("2006-01-02 15:04:05", startTime); err != nil {
            return false, err
        } else if !now.After(start) {
            return false, nil
        }
    }

    if endTime != "_" {
        if end, err := time.Parse("2006-01-02 15:04:05", endTime); err != nil {
            return false, err
        } else if !now.Before(end) {
            return false, nil
        }
    }

    return true, nil
}

ドメイン付きの条件付きRoleManager

model.conf

[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act

[role_definition]
g = _, _, _, (_, _)

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act

policy.csv

p, alice, domain1, data1, read
p, data2_admin, domain2, data2, write
p, data3_admin, domain3, data3, read
p, data4_admin, domain4, data4, write
p, data5_admin, domain5, data5, read
p, data6_admin, domain6, data6, write
p, data7_admin, domain7, data7, read
p, data8_admin, domain8, data8, write

g, alice, data2_admin, domain2, 0000-01-01 00:00:00, 0000-01-02 00:00:00
g, alice, data3_admin, domain3, 0000-01-01 00:00:00, 9999-12-30 00:00:00
g, alice, data4_admin, domain4, _, _
g, alice, data5_admin, domain5, _, 9999-12-30 00:00:00
g, alice, data6_admin, domain6, _, 0000-01-02 00:00:00
g, alice, data7_admin, domain7, 0000-01-01 00:00:00, _
g, alice, data8_admin, domain8, 9999-12-30 00:00:00, _

基本的な使用法

Use AddNamedDomainLinkConditionFunc to attach a condition function to a domain-specific role policy (of type g). During enforcement, the system automatically retrieves the corresponding parameters and passes them to the condition function. The role policy is considered valid only if the function returns true.

e.AddNamedDomainLinkConditionFunc("g", "alice", "data2_admin", "domain2", util.TimeMatchFunc)
e.AddNamedDomainLinkConditionFunc("g", "alice", "data3_admin", "domain3", util.TimeMatchFunc)
e.AddNamedDomainLinkConditionFunc("g", "alice", "data4_admin", "domain4", util.TimeMatchFunc)
e.AddNamedDomainLinkConditionFunc("g", "alice", "data5_admin", "domain5", util.TimeMatchFunc)
e.AddNamedDomainLinkConditionFunc("g", "alice", "data6_admin", "domain6", util.TimeMatchFunc)
e.AddNamedDomainLinkConditionFunc("g", "alice", "data7_admin", "domain7", util.TimeMatchFunc)
e.AddNamedDomainLinkConditionFunc("g", "alice", "data8_admin", "domain8", util.TimeMatchFunc)


e.enforce("alice", "domain1", "data1", "read")              // expect: true
e.enforce("alice", "domain2", "data2", "write")             // expect: false
e.enforce("alice", "domain3", "data3", "read")              // expect: true
e.enforce("alice", "domain4", "data4", "write")             // expect: true
e.enforce("alice", "domain5", "data5", "read")              // expect: true
e.enforce("alice", "domain6", "data6", "write")             // expect: false
e.enforce("alice", "domain7", "data7", "read")              // expect: true
e.enforce("alice", "domain8", "data8", "write")             // expect: false
e.enforce("alice", "domain_not_exist", "data1", "write")    // expect: false
e.enforce("alice", "domain_not_exist", "data2", "read")     // expect: false
e.enforce("alice", "domain_not_exist", "data3", "write")    // expect: false
e.enforce("alice", "domain_not_exist", "data4", "read")     // expect: false
e.enforce("alice", "domain_not_exist", "data5", "write")    // expect: false
e.enforce("alice", "domain_not_exist", "data6", "read")     // expect: false
e.enforce("alice", "domain_not_exist", "data7", "write")    // expect: false
e.enforce("alice", "domain_not_exist", "data8", "read")     // expect: false

カスタム条件関数

Custom condition functions work the same way as in the basic Conditional RoleManager.

Keep in mind that DomainMatchingFunc, MatchingFunc, and LinkConditionFunc operate at different levels and serve distinct purposes.