
RBAC API

A more friendly API for RBAC. This API is a subset of the Management API. RBAC users can use this API to simplify their code.

Reference

The global variable e is the Enforcer instance.

e, err := NewEnforcer("examples/rbac_model.conf", "examples/rbac_policy.csv")

GetRolesForUser()

GetRolesForUser gets the roles that a user has.

For example:

res := e.GetRolesForUser("alice")

GetUsersForRole()

GetUsersForRole gets the users that have a role.

For example:

res := e.GetUsersForRole("data1_admin")

HasRoleForUser()

HasRoleForUser determines whether a user has a role.

For example:

res := e.HasRoleForUser("alice", "data1_admin")

AddRoleForUser()

AddRoleForUser adds a role for a user. Returns false if the user already has the role (aka not affected).

For example:

e.AddRoleForUser("alice", "data2_admin")

AddRolesForUser()

AddRolesForUser adds multiple roles for a user. Returns false if the user already has one of these roles (aka not affected).

For example:

var roles = []string{"data2_admin", "data1_admin"}
e.AddRolesForUser("alice", roles)

DeleteRoleForUser()

DeleteRoleForUser deletes a role for a user. Returns false if the user does not have the role (aka not affected).

For example:

e.DeleteRoleForUser("alice", "data1_admin")

DeleteRolesForUser()

DeleteRolesForUser deletes all roles for a user. Returns false if the user does not have any roles (aka not affected).

For example:

e.DeleteRolesForUser("alice")

DeleteUser()

DeleteUser deletes a user. Returns false if the user does not exist (aka not affected).

For example:

e.DeleteUser("alice")

DeleteRole()

DeleteRole deletes a role.

For example:

e.DeleteRole("data2_admin")

DeletePermission()

DeletePermission deletes a permission. Returns false if the permission does not exist (aka not affected).

For example:

e.DeletePermission("read")

AddPermissionForUser()

AddPermissionForUser adds a permission for a user or role. Returns false if the user or role already has the permission (aka not affected).

For example:

e.AddPermissionForUser("bob", "read")

AddPermissionsForUser()

AddPermissionsForUser adds multiple permissions for a user or role. Returns false if the user or role already has one of the permissions (aka not affected).

For example:

var permissions = [][]string{{"data1", "read"}, {"data2", "write"}}
for _, permission := range permissions {
    e.AddPermissionsForUser("alice", permission)
}

DeletePermissionForUser()

DeletePermissionForUser deletes a permission for a user or role. Returns false if the user or role does not have the permission (aka not affected).

For example:

e.DeletePermissionForUser("bob", "read")

DeletePermissionsForUser()

DeletePermissionsForUser deletes permissions for a user or role. Returns false if the user or role does not have any permissions (aka not affected).

For example:

e.DeletePermissionsForUser("bob")

GetPermissionsForUser()

GetPermissionsForUser gets permissions for a user or role.

For example:

e.GetPermissionsForUser("bob")

GetNamedPermissionsForUser()

GetNamedPermissionsForUser gets permissions for a user or role by named policy.

For example:

p, alice, data1, read
p, bob, data2, write
p2, admin, create
g, alice, admin

GetNamedPermissionsForUser("p", "alice") will return [["alice", "data1", "read"]]. GetNamedPermissionsForUser("p2", "alice") will return [["admin", "create"]].

permissions, err := e.GetNamedPermissionsForUser("p", "alice")

HasPermissionForUser()

HasPermissionForUser determines whether a user has a permission.

For example:

e.HasPermissionForUser("alice", []string{"read"})

GetImplicitRolesForUser()

GetImplicitRolesForUser gets implicit roles that a user has. Compared to GetRolesForUser(), this function retrieves indirect roles besides direct roles.

For example:

g, alice, role:admin
g, role:admin, role:user

GetRolesForUser("alice") can only get: ["role:admin"]. But GetImplicitRolesForUser("alice") will get: ["role:admin", "role:user"].

For example:

e.GetImplicitRolesForUser("alice")

GetNamedImplicitRolesForUser()

GetNamedImplicitRolesForUser gets implicit roles that a user has by named policy.

For example:

g, alice, admin
g, admin, super_admin
g2, alice, user
g2, user, guest

GetNamedImplicitRolesForUser("g", "alice") will return ["admin", "super_admin"]. GetNamedImplicitRolesForUser("g2", "alice") will return ["user", "guest"].

roles, err := e.GetNamedImplicitRolesForUser("g", "alice")

GetImplicitUsersForRole()

GetImplicitUsersForRole gets all users inheriting the role. Compared to GetUsersForRole(), this function retrieves indirect users.

For example:

g, alice, role:admin
g, role:admin, role:user

GetUsersForRole("role:user") can only get: ["role:admin"]. But GetImplicitUsersForRole("role:user") will get: ["role:admin", "alice"].

For example:

users := e.GetImplicitUsersForRole("role:user")

GetImplicitPermissionsForUser()

GetImplicitPermissionsForUser gets implicit permissions for a user or role. Compared to GetPermissionsForUser(), this function retrieves permissions for inherited roles.

For example:

p, admin, data1, read
p, alice, data2, read
g, alice, admin

GetPermissionsForUser("alice") can only get: [["alice", "data2", "read"]]. But GetImplicitPermissionsForUser("alice") will get: [["admin", "data1", "read"], ["alice", "data2", "read"]].

For example:

e.GetImplicitPermissionsForUser("alice")

GetNamedImplicitPermissionsForUser()

GetNamedImplicitPermissionsForUser gets implicit permissions for a user or role by named policy. Compared to GetImplicitPermissionsForUser(), this function allows you to specify the policy name.

For example:

p, admin, data1, read
p2, admin, create
g, alice, admin

GetImplicitPermissionsForUser("alice") only gets [["admin", "data1", "read"]], because it uses the default policy name "p".

But you can specify the policy name "p2" with GetNamedImplicitPermissionsForUser("p2", "alice") to get [["admin", "create"]].

For example:

e.GetNamedImplicitPermissionsForUser("p2", "alice")

GetDomainsForUser()

GetDomainsForUser gets all domains which a user has.

For example:

p, admin, domain1, data1, read
p, admin, domain2, data2, read
p, admin, domain2, data2, write
g, alice, admin, domain1
g, alice, admin, domain2

GetDomainsForUser("alice") could get ["domain1", "domain2"]

For example:

result, err := e.GetDomainsForUser("alice")

GetImplicitResourcesForUser()

GetImplicitResourcesForUser returns all policies that should be true for the user.

For example:

p, alice, data1, read
p, bob, data2, write
p, data2_admin, data2, read
p, data2_admin, data2, write

g, alice, data2_admin

GetImplicitResourcesForUser("alice") will return [[alice data1 read] [alice data2 read] [alice data2 write]]

resources, err := e.GetImplicitResourcesForUser("alice")

GetImplicitUsersForPermission()

GetImplicitUsersForPermission gets implicit users for a permission.

For example:

p, admin, data1, read
p, bob, data1, read
g, alice, admin

GetImplicitUsersForPermission("data1", "read") will return: ["alice", "bob"].

Note: only users will be returned, roles (2nd arg in "g") will be excluded.

users, err := e.GetImplicitUsersForPermission("data1", "read")
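The difference between the direct and the implicit lookups above (GetRolesForUser vs. GetImplicitRolesForUser, GetNamedImplicitRolesForUser with a second grouping type, GetImplicitPermissionsForUser / GetNamedImplicitPermissionsForUser, and GetImplicitUsersForPermission with its rule that names used as roles are excluded) comes down to one walk over the role-inheritance graph. The following is an added, standard-library-only Go example that is not Casbin's code: it parses policy lines in the CSV form used on this page into a small Policy type and re-implements those lookups so the inheritance step is visible. Names such as Policy, parsePolicy and samplePolicy are this example's own; samplePolicy is constructed from the snippets on this page. It generalises the page's examples to any grouping type ("g", "g2", ...) and any policy type ("p", "p2", ...).

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Policy keeps p-style rules by policy type and g-style links by grouping type.
type Policy struct {
	perms    map[string][][]string          // ptype ("p", "p2") -> rows (sub, obj, act, ...)
	links    map[string]map[string][]string // gtype ("g", "g2") -> member -> direct parents
	subjects map[string]bool                // names used as a p subject or g member
	roles    map[string]bool                // names used as a role (2nd arg of a g rule)
}

// parsePolicy reads CSV-style policy lines like those shown on this page.
func parsePolicy(text string) *Policy {
	pol := &Policy{map[string][][]string{}, map[string]map[string][]string{}, map[string]bool{}, map[string]bool{}}
	for _, line := range strings.Split(text, "\n") {
		f := strings.Split(strings.ReplaceAll(line, " ", ""), ",")
		switch {
		case len(f) >= 3 && strings.HasPrefix(f[0], "p"):
			pol.perms[f[0]] = append(pol.perms[f[0]], f[1:])
			pol.subjects[f[1]] = true
		case len(f) >= 3 && strings.HasPrefix(f[0], "g"):
			if pol.links[f[0]] == nil {
				pol.links[f[0]] = map[string][]string{}
			}
			pol.links[f[0]][f[1]] = append(pol.links[f[0]][f[1]], f[2])
			pol.subjects[f[1]], pol.roles[f[2]] = true, true
		}
	}
	return pol
}

// RolesForUser returns direct roles only, like GetRolesForUser.
func (p *Policy) RolesForUser(gtype, user string) []string {
	return append([]string(nil), p.links[gtype][user]...)
}

// ImplicitRolesForUser walks the graph breadth-first (direct roles first), like Get(Named)ImplicitRolesForUser.
func (p *Policy) ImplicitRolesForUser(gtype, user string) []string {
	var out []string
	seen := map[string]bool{user: true}
	for queue := []string{user}; len(queue) > 0; queue = queue[1:] {
		for _, parent := range p.links[gtype][queue[0]] {
			if !seen[parent] {
				seen[parent] = true
				out = append(out, parent)
				queue = append(queue, parent)
			}
		}
	}
	return out
}

// ImplicitPermissionsForUser returns ptype rules held directly or via "g" roles, like Get(Named)ImplicitPermissionsForUser.
func (p *Policy) ImplicitPermissionsForUser(ptype, user string) [][]string {
	subjects := map[string]bool{user: true}
	for _, r := range p.ImplicitRolesForUser("g", user) {
		subjects[r] = true
	}
	var out [][]string
	for _, rule := range p.perms[ptype] {
		if subjects[rule[0]] {
			out = append(out, rule)
		}
	}
	return out
}

// ImplicitUsersForPermission lists subjects holding obj/act directly or via roles, minus names used as a role (page note).
func (p *Policy) ImplicitUsersForPermission(obj, act string) []string {
	var out []string
	for sub := range p.subjects {
		for _, rule := range p.ImplicitPermissionsForUser("p", sub) {
			if !p.roles[sub] && rule[1] == obj && rule[2] == act {
				out = append(out, sub)
				break
			}
		}
	}
	sort.Strings(out) // map iteration order is random; sort for stable output
	return out
}

const samplePolicy = `p, admin, data1, read
p, alice, data2, read
p, bob, data1, read
g, alice, admin
g, admin, super_admin
g2, alice, user
g2, user, guest` // constructed from the examples on this page

func main() {
	pol := parsePolicy(samplePolicy)
	fmt.Println(pol.ImplicitRolesForUser("g", "alice"), pol.ImplicitUsersForPermission("data1", "read"))
}
```

With samplePolicy, RolesForUser("g", "alice") gives only ["admin"], while ImplicitRolesForUser("g", "alice") also yields "super_admin" and the "g2" walk yields ["user", "guest"]; ImplicitUsersForPermission("data1", "read") returns ["alice", "bob"] and leaves "admin" out because it appears as a role. When auditing who can reach a resource, the implicit forms are the ones to use: the direct lookups understate effective access as soon as roles nest.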

GetImplicitObjectPatternsForUser()

GetImplicitObjectPatternsForUser returns all object patterns (with wildcards) that a user has for a given domain and action.

For example:

p, admin, chronicle/123, location/*, read
p, user, chronicle/456, location/789, read
g, alice, admin
g, bob, user

GetImplicitObjectPatternsForUser("alice", "chronicle/123", "read") will return ["location/*"]. GetImplicitObjectPatternsForUser("bob", "chronicle/456", "read") will return ["location/789"].

patterns, err := e.GetImplicitObjectPatternsForUser("alice", "chronicle/123", "read")

GetAllowedObjectConditions()

GetAllowedObjectConditions returns a string array of object conditions that the user can access.

For example:

p, alice, r.obj.price < 25, read
p, admin, r.obj.category_id = 2, read
p, bob, r.obj.author = bob, write

g, alice, admin

e.GetAllowedObjectConditions("alice", "read", "r.obj.") will return ["price < 25", "category_id = 2"], nil

Note:

  1. prefix: You can customize the prefix of the object conditions; "r.obj." is commonly used as the prefix. After removing the prefix, the remaining part is the condition on the object. If there is an obj policy that does not meet the prefix requirement, errors.ERR_OBJ_CONDITION will be returned.

  2. If the 'objectConditions' array is empty, errors.ERR_EMPTY_CONDITION is returned. This error is returned because some data adapters' ORMs (e.g. GORM) return the full table by default when they receive an empty condition, which tends to behave contrary to expectations. If you are using an adapter that does not behave like this, you can choose to ignore this error.

conditions, err := e.GetAllowedObjectConditions("alice", "read", "r.obj.")
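The two notes above are where this call bites in practice: an unchecked ERR_EMPTY_CONDITION can turn "no rows allowed" into "every row returned" on an adapter like GORM. The following is an added Go example, not Casbin's code, that re-implements the described behaviour on a plain rule table so the two failure paths can be exercised offline: conditions are collected for the user and its direct roles (one level of inheritance, as in the page's example), the prefix is checked and stripped, and the empty result is refused. ErrObjCondition and ErrEmptyCondition stand in for Casbin's errors.ERR_OBJ_CONDITION and errors.ERR_EMPTY_CONDITION; allowedObjectConditions, whereClause, sampleRules and sampleRoles are this example's own names, and the "carol" rule is a constructed addition whose obj lacks the prefix.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Stand-ins for Casbin's errors.ERR_OBJ_CONDITION and errors.ERR_EMPTY_CONDITION.
var (
	ErrObjCondition   = errors.New("obj condition does not start with the expected prefix")
	ErrEmptyCondition = errors.New("no object conditions found")
)

// allowedObjectConditions mirrors the behaviour described on this page: for the
// user and its direct roles (one level, as in the page's example), collect the
// obj field of every rule with a matching action, strip the prefix, and fail if
// an obj does not carry the prefix or if nothing was collected.
func allowedObjectConditions(rules [][]string, roles map[string][]string, user, act, prefix string) ([]string, error) {
	subjects := map[string]bool{user: true}
	for _, r := range roles[user] {
		subjects[r] = true
	}
	var conds []string
	for _, rule := range rules {
		sub, obj, ruleAct := rule[0], rule[1], rule[2]
		if !subjects[sub] || ruleAct != act {
			continue
		}
		if !strings.HasPrefix(obj, prefix) {
			return nil, ErrObjCondition
		}
		conds = append(conds, strings.TrimPrefix(obj, prefix))
	}
	if len(conds) == 0 {
		// Returned deliberately: an empty WHERE list makes some ORMs (GORM is
		// the page's example) return the whole table.
		return nil, ErrEmptyCondition
	}
	return conds, nil
}

// whereClause turns the conditions into an OR'ed filter for a data adapter;
// callers must not build a query when allowedObjectConditions errored.
func whereClause(conds []string) string {
	return "(" + strings.Join(conds, ") OR (") + ")"
}

// Constructed policy from this page's GetAllowedObjectConditions example, plus
// one rule for carol whose obj lacks the "r.obj." prefix.
var (
	sampleRules = [][]string{
		{"alice", "r.obj.price < 25", "read"},
		{"admin", "r.obj.category_id = 2", "read"},
		{"bob", "r.obj.author = bob", "write"},
		{"carol", "obj.owner = carol", "read"},
	}
	sampleRoles = map[string][]string{"alice": {"admin"}}
)

func main() {
	for _, c := range [][2]string{{"alice", "read"}, {"bob", "read"}, {"carol", "read"}} {
		conds, err := allowedObjectConditions(sampleRules, sampleRoles, c[0], c[1], "r.obj.")
		if err != nil {
			fmt.Printf("%s/%s: refusing to query: %v\n", c[0], c[1], err)
			continue
		}
		fmt.Printf("%s/%s: WHERE %s\n", c[0], c[1], whereClause(conds))
	}
}
```

alice/read yields ["price < 25", "category_id = 2"] as on the page; bob/read has no matching rule and is refused with ErrEmptyCondition rather than being turned into an unfiltered query; carol/read trips ErrObjCondition because the obj is not a "r.obj." condition. The point for callers is in main: the query is only built on the success path.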

GetImplicitUsersForResource()

GetImplicitUsersForResource returns implicit users based on a resource.

For example:

p, alice, data1, read
p, bob, data2, write
p, data2_admin, data2, read
p, data2_admin, data2, write
g, alice, data2_admin

GetImplicitUsersForResource("data2") will return [["bob", "data2", "write"], ["alice", "data2", "read"], ["alice", "data2", "write"]], nil.

GetImplicitUsersForResource("data1") will return [["alice", "data1", "read"]], nil.

ImplicitUsers, err := e.GetImplicitUsersForResource("data2")

Note:

Only users will be returned, roles (2nd arg in "g") will be excluded.

GetNamedImplicitUsersForResource()

GetNamedImplicitUsersForResource returns implicit users based on a resource, with named policy support. This function handles resource role relationships through named policies (e.g., g2, g3, etc.).

For example:

p, admin_group, admin_data, *
g, admin, admin_group
g2, app, admin_data

GetNamedImplicitUsersForResource("g2", "app") will return the users who have access to admin_data through the g2 relationship.

ImplicitUsers, err := e.GetNamedImplicitUsersForResource("g2", "app")