Langkau ke kandungan utama

RBAC with Conditions

Pengurus Peranan Bersyarat

The ConditionalRoleManager allows you to apply custom condition functions at the policy level.

When you need role policies that are valid only under certain conditions—such as time-based temporary roles—you can configure this as shown below:

model.conf

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _, (_, _)

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act

The syntax g = _, _, (_, _) defines a role relationship with additional parameters. The underscores _ serve as placeholders, while the parentheses (_, _) specify the list of arguments that will be passed to the condition function.

policy.csv

p, alice, data1, read
p, data2_admin, data2, write
p, data3_admin, data3, read
p, data4_admin, data4, write
p, data5_admin, data5, read
p, data6_admin, data6, write
p, data7_admin, data7, read
p, data8_admin, data8, write

g, alice, data2_admin, 0000-01-01 00:00:00, 0000-01-02 00:00:00
g, alice, data3_admin, 0000-01-01 00:00:00, 9999-12-30 00:00:00
g, alice, data4_admin, _, _
g, alice, data5_admin, _, 9999-12-30 00:00:00
g, alice, data6_admin, _, 0000-01-02 00:00:00
g, alice, data7_admin, 0000-01-01 00:00:00, _
g, alice, data8_admin, 9999-12-30 00:00:00, _

Penggunaan Asas

Use AddNamedLinkConditionFunc to attach a condition function to a role policy (of type g). During enforcement, the system automatically retrieves the corresponding parameters and passes them to the condition function. The role policy is considered valid only if the function returns true.

e.AddNamedLinkConditionFunc("g", "alice", "data2_admin", util.TimeMatchFunc)
e.AddNamedLinkConditionFunc("g", "alice", "data3_admin", util.TimeMatchFunc)
e.AddNamedLinkConditionFunc("g", "alice", "data4_admin", util.TimeMatchFunc)
e.AddNamedLinkConditionFunc("g", "alice", "data5_admin", util.TimeMatchFunc)
e.AddNamedLinkConditionFunc("g", "alice", "data6_admin", util.TimeMatchFunc)
e.AddNamedLinkConditionFunc("g", "alice", "data7_admin", util.TimeMatchFunc)
e.AddNamedLinkConditionFunc("g", "alice", "data8_admin", util.TimeMatchFunc)


e.enforce("alice", "data1", "read")     // expect: true
e.enforce("alice", "data2", "write")    // expect: false
e.enforce("alice", "data3", "read")     // expect: true
e.enforce("alice", "data4", "write")    // expect: true
e.enforce("alice", "data5", "read")     // expect: true
e.enforce("alice", "data6", "write")    // expect: false
e.enforce("alice", "data7", "read")     // expect: true
e.enforce("alice", "data8", "write")    // expect: false

Fungsi syarat tersuai

Condition functions must follow this signature:

type LinkConditionFunc = func(args ...string) (bool, error)

Example implementation:

// TimeMatchFunc is the wrapper for TimeMatch.
func TimeMatchFunc(args ...string) (bool, error) {
    if err := validateVariadicStringArgs(2, args...); err != nil {
        return false, fmt.Errorf("%s: %s", "TimeMatch", err)
    }
    return TimeMatch(args[0], args[1])
}

// TimeMatch determines whether the current time is between startTime and endTime.
// You can use "_" to indicate that the parameter is ignored
func TimeMatch(startTime, endTime string) (bool, error) {
    now := time.Now()
    if startTime != "_" {
        if start, err := time.Parse("2006-01-02 15:04:05", startTime); err != nil {
            return false, err
        } else if !now.After(start) {
            return false, nil
        }
    }

    if endTime != "_" {
        if end, err := time.Parse("2006-01-02 15:04:05", endTime); err != nil {
            return false, err
        } else if !now.Before(end) {
            return false, nil
        }
    }

    return true, nil
}

Pengurus Peranan Bersyarat dengan domain

model.conf

[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act

[role_definition]
g = _, _, _, (_, _)

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act

policy.csv

p, alice, domain1, data1, read
p, data2_admin, domain2, data2, write
p, data3_admin, domain3, data3, read
p, data4_admin, domain4, data4, write
p, data5_admin, domain5, data5, read
p, data6_admin, domain6, data6, write
p, data7_admin, domain7, data7, read
p, data8_admin, domain8, data8, write

g, alice, data2_admin, domain2, 0000-01-01 00:00:00, 0000-01-02 00:00:00
g, alice, data3_admin, domain3, 0000-01-01 00:00:00, 9999-12-30 00:00:00
g, alice, data4_admin, domain4, _, _
g, alice, data5_admin, domain5, _, 9999-12-30 00:00:00
g, alice, data6_admin, domain6, _, 0000-01-02 00:00:00
g, alice, data7_admin, domain7, 0000-01-01 00:00:00, _
g, alice, data8_admin, domain8, 9999-12-30 00:00:00, _

Penggunaan Asas

Use AddNamedDomainLinkConditionFunc to attach a condition function to a domain-specific role policy (of type g). During enforcement, the system automatically retrieves the corresponding parameters and passes them to the condition function. The role policy is considered valid only if the function returns true.

e.AddNamedDomainLinkConditionFunc("g", "alice", "data2_admin", "domain2", util.TimeMatchFunc)
e.AddNamedDomainLinkConditionFunc("g", "alice", "data3_admin", "domain3", util.TimeMatchFunc)
e.AddNamedDomainLinkConditionFunc("g", "alice", "data4_admin", "domain4", util.TimeMatchFunc)
e.AddNamedDomainLinkConditionFunc("g", "alice", "data5_admin", "domain5", util.TimeMatchFunc)
e.AddNamedDomainLinkConditionFunc("g", "alice", "data6_admin", "domain6", util.TimeMatchFunc)
e.AddNamedDomainLinkConditionFunc("g", "alice", "data7_admin", "domain7", util.TimeMatchFunc)
e.AddNamedDomainLinkConditionFunc("g", "alice", "data8_admin", "domain8", util.TimeMatchFunc)


e.enforce("alice", "domain1", "data1", "read")              // expect: true
e.enforce("alice", "domain2", "data2", "write")             // expect: false
e.enforce("alice", "domain3", "data3", "read")              // expect: true
e.enforce("alice", "domain4", "data4", "write")             // expect: true
e.enforce("alice", "domain5", "data5", "read")              // expect: true
e.enforce("alice", "domain6", "data6", "write")             // expect: false
e.enforce("alice", "domain7", "data7", "read")              // expect: true
e.enforce("alice", "domain8", "data8", "write")             // expect: false
e.enforce("alice", "domain_not_exist", "data1", "write")    // expect: false
e.enforce("alice", "domain_not_exist", "data2", "read")     // expect: false
e.enforce("alice", "domain_not_exist", "data3", "write")    // expect: false
e.enforce("alice", "domain_not_exist", "data4", "read")     // expect: false
e.enforce("alice", "domain_not_exist", "data5", "write")    // expect: false
e.enforce("alice", "domain_not_exist", "data6", "read")     // expect: false
e.enforce("alice", "domain_not_exist", "data7", "write")    // expect: false
e.enforce("alice", "domain_not_exist", "data8", "read")     // expect: false

Fungsi bersyarat tersuai

Custom condition functions work the same way as in the basic Conditional RoleManager.

Keep in mind that DomainMatchingFunc, MatchingFunc, and LinkConditionFunc operate at different levels and serve distinct purposes.

conditional_rolemanager_with_domains