Перейти к основному контенту

RBAC с доменами

Role Definition with Domain Tenants

Роли RBAC в Касбине могут быть глобальными или специфичными для домена. Domain-specific roles mean that the roles for a user can be different when the user is in different domains/tenants. This is very useful for large systems like a cloud, as users are usually in different tenants.

The role definition with domains/tenants should look like this:

g = _, _, _

The third _ represents the name of the domain/tenant, and this part should not be changed. Тогда политика может быть:

p, admin, tenant1, data1, read
p, admin, tenant2, data2, read

g, alice, admin, tenant1
g, alice, user, tenant2

This means that the admin role in tenant1 can read data1. And alice has the admin role in tenant1 and the user role in tenant2. Therefore, she can read data1. Однако, поскольку alice не является администратором в tenant2, она не может прочитать данные2.

Then, in a matcher, you should check the role as follows:

m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act

Please refer to the rbac_with_domains_model.conf for examples.

Token Name Convention

Note: Conventionally, the domain token name in policy definition is dom and is placed as the second token (sub, dom, obj, act). Now, Golang Casbin supports customized token names and placement. If the domain token name is dom, the domain token can be placed at an arbitrary position without any additional action. If the domain token name is not dom, e.SetFieldIndex() for constant.DomainIndex should be called after the enforcer is initialized, regardless of its position.

# `domain` here for `dom`
p = sub, obj, act, domain
e.SetFieldIndex("p", constant.DomainIndex, 3) // index starts from 0
users := e.GetAllUsersByDomain("domain1") // without SetFieldIndex, it will raise an error