Bỏ qua đến nội dung chính

RBAC API

The RBAC API is a convenience layer for role-based operations (roles for user, users for role, permissions, etc.). It is a subset of the Management API aimed at RBAC use cases.

Tài liệu tham khảo

The global variable e represents an Enforcer instance.

e, err := NewEnforcer("examples/rbac_model.conf", "examples/rbac_policy.csv")

GetRolesForUser()

Retrieves all roles assigned to a user.

Ví dụ:

res := e.GetRolesForUser("alice")

GetUsersForRole()

Retrieves all users assigned to a role.

Ví dụ:

res := e.GetUsersForRole("data1_admin")

HasRoleForUser()

Checks whether a user has a specific role.

Ví dụ:

res := e.HasRoleForUser("alice", "data1_admin")

AddRoleForUser()

Assigns a role to a user. Trả về false nếu người dùng đã có vai trò đó (tức là không bị ảnh hưởng).

Ví dụ:

e.AddRoleForUser("alice", "data2_admin")

AddRolesForUser()

Assigns multiple roles to a user. Trả về false nếu người dùng đã có một trong các vai trò này (tức là không bị ảnh hưởng).

Ví dụ:

var roles = []string{"data2_admin", "data1_admin"}
e.AddRolesForUser("alice", roles)

DeleteRoleForUser()

Removes a role from a user. Returns false if the user does not have the role (aka not affected).

For example:

e.DeleteRoleForUser("alice", "data1_admin")

DeleteRolesForUser()

Removes all roles from a user. Returns false if the user does not have any roles (aka not affected).

For example:

e.DeleteRolesForUser("alice")

DeleteUser()

Removes a user from the system. Returns false if the user does not exist (aka not affected).

For example:

e.DeleteUser("alice")

DeleteRole()

Removes a role from the system.

For example:

e.DeleteRole("data2_admin")

DeletePermission()

Removes a permission from the system. Returns false if the permission does not exist (aka not affected).

For example:

e.DeletePermission("read")

AddPermissionForUser()

Grants a permission to a user or role. Returns false if the user or role already has the permission (aka not affected).

For example:

e.AddPermissionForUser("bob", "read")

AddPermissionsForUser()

Grants multiple permissions to a user or role. Returns false if the user or role already has one of the permissions (aka not affected).

For example:

var permissions = [][]string{{"data1", "read"},{"data2","write"}}
for i := 0; i < len(permissions); i++ {
    e.AddPermissionsForUser("alice", permissions[i])
}

DeletePermissionForUser()

Revokes a permission from a user or role. Returns false if the user or role does not have the permission (aka not affected).

For example:

e.DeletePermissionForUser("bob", "read")

DeletePermissionsForUser()

Revokes all permissions from a user or role. Returns false if the user or role does not have any permissions (aka not affected).

For example:

e.DeletePermissionsForUser("bob")

GetPermissionsForUser()

Retrieves all permissions for a user or role.

For example:

e.GetPermissionsForUser("bob")

GetNamedPermissionsForUser()

GetNamedPermissionsForUser gets permissions for a user or role by named policy.

For example:

p, alice, data1, read
p, bob, data2, write
p2, admin, create
g, alice, admin

GetNamedPermissionsForUser("p", "alice") will return [["alice", "data1", "read"]]. GetNamedPermissionsForUser("p2", "alice") will return [["admin", "create"]].

permissions, err := e.GetNamedPermissionsForUser("p", "alice")

HasPermissionForUser()

HasPermissionForUser determines whether a user has a permission.

For example:

e.HasPermissionForUser("alice", []string{"read"})

GetImplicitRolesForUser()

GetImplicitRolesForUser gets implicit roles that a user has. Compared to GetRolesForUser(), this function retrieves indirect roles besides direct roles.

For example:

g, alice, role:admin  
g, role:admin, role:user

GetRolesForUser("alice") can only get: ["role:admin"].
But GetImplicitRolesForUser("alice") will get: ["role:admin", "role:user"].

For example:

e.GetImplicitRolesForUser("alice")

GetNamedImplicitRolesForUser()

GetNamedImplicitRolesForUser gets implicit roles that a user has by named policy.

For example:

g, alice, admin
g, admin, super_admin
g2, alice, user
g2, user, guest

GetNamedImplicitRolesForUser("g", "alice") will return ["admin", "super_admin"]. GetNamedImplicitRolesForUser("g2", "alice") will return ["user", "guest"].

roles, err := e.GetNamedImplicitRolesForUser("g", "alice")

GetImplicitUsersForRole()

GetImplicitUsersForRole gets all users inheriting the role. Compared to GetUsersForRole(), this function retrieves indirect users.

For example:

g, alice, role:admin  
g, role:admin, role:user

GetUsersForRole("role:user") can only get: ["role:admin"].
But GetImplicitUesrsForRole("role:user") will get: ["role:admin", "alice"].

For example:

users := e.GetImplicitUsersForRole("role:user")

GetImplicitPermissionsForUser()

GetImplicitPermissionsForUser gets implicit permissions for a user or role.
Compared to GetPermissionsForUser(), this function retrieves permissions for inherited roles.

For example:

p, admin, data1, read  
p, alice, data2, read  
g, alice, admin

GetPermissionsForUser("alice") can only get: [["alice", "data2", "read"]].
But GetImplicitPermissionsForUser("alice") will get: [["admin", "data1", "read"], ["alice", "data2", "read"]].

For example:

e.GetImplicitPermissionsForUser("alice")

GetNamedImplicitPermissionsForUser()

GetNamedImplicitPermissionsForUser gets implicit permissions for a user or role by named policy Compared to GetImplicitPermissionsForUser(), this function allow you to specify the policy name.

For example:

p, admin, data1, read
p2, admin, create
g, alice, admin

GetImplicitPermissionsForUser("alice") only get: [["admin", "data1", "read"]], whose policy is default "p"

But you can specify the policy as "p2" to get: [["admin", "create"]] by GetNamedImplicitPermissionsForUser("p2","alice")

Ví dụ:

e.GetNamedImplicitPermissionsForUser("p2","alice")

GetDomainsForUser()

GetDomainsForUser gets all domains which a user has.

For example:

p, admin, domain1, data1, read
p, admin, domain2, data2, read
p, admin, domain2, data2, write
g, alice, admin, domain1
g, alice, admin, domain2

GetDomainsForUser("alice") could get ["domain1", "domain2"]

For example:

result, err := e.GetDomainsForUser("alice")

GetImplicitResourcesForUser()

Returns all policies that apply to a user, including those inherited through roles.

For example:

p, alice, data1, read
p, bob, data2, write
p, data2_admin, data2, read
p, data2_admin, data2, write

g, alice, data2_admin

GetImplicitResourcesForUser("alice") will return [[alice data1 read] [alice data2 read] [alice data2 write]]

resources, err := e.GetImplicitResourcesForUser("alice")

GetImplicitUsersForPermission()

Retrieves all users with a specific permission, including those with implicit permissions through roles.

For example:

p, admin, data1, read
p, bob, data1, read
g, alice, admin

GetImplicitUsersForPermission("data1", "read") will return: ["alice", "bob"].

Note: only users will be returned, roles (2nd arg in "g") will be excluded.

users, err := e.GetImplicitUsersForPermission("data1", "read")

GetImplicitObjectPatternsForUser()

Returns all object patterns (including wildcards) that a user can access for a given domain and action.

For example:

p, admin, chronicle/123, location/*, read
p, user, chronicle/456, location/789, read
g, alice, admin
g, bob, user

GetImplicitObjectPatternsForUser("alice", "chronicle/123", "read") will return ["location/*"]. GetImplicitObjectPatternsForUser("bob", "chronicle/456", "read") will return ["location/789"].

patterns, err := e.GetImplicitObjectPatternsForUser("alice", "chronicle/123", "read")

GetAllowedObjectConditions()

Returns object conditions that a user can access.

For example:

p, alice, r.obj.price < 25, read
p, admin, r.obj.category_id = 2, read
p, bob, r.obj.author = bob, write

g, alice, admin

e.GetAllowedObjectConditions("alice", "read", "r.obj.") will return ["price < 25", "category_id = 2"], nil

Note:

  1. prefix: You can customize the prefix of the object conditions, and "r.obj." is commonly used as a prefix. After removing the prefix, the remaining part is the condition of the object. If there is an obj policy that does not meet the prefix requirement, an errors.ERR_OBJ_CONDITION will be returned.

  2. If the 'objectConditions' array is empty, return errors.ERR_EMPTY_CONDITION This error is returned because some data adapters' ORM return full table data by default when they receive an empty condition, which tends to behave contrary to expectations.(e.g. GORM) If you are using an adapter that does not behave like this, you can choose to ignore this error.

conditions, err := e.GetAllowedObjectConditions("alice", "read", "r.obj.")

GetImplicitUsersForResource()

Returns all users with access to a resource, including those with implicit permissions through roles.

For example:

p, alice, data1, read
p, bob, data2, write
p, data2_admin, data2, read
p, data2_admin, data2, write
g, alice, data2_admin

GetImplicitUsersForResource("data2") will return [["bob", "data2", "write"], ["alice", "data2", "read"] ["alice", "data2", "write"]], nil.

GetImplicitUsersForResource("data1") will return [["alice", "data1", "read"]], nil.

ImplicitUsers, err := e.GetImplicitUsersForResource("data2")
ghi chú

Only users will be returned, roles (2nd arg in "g") will be excluded.

GetNamedImplicitUsersForResource()

Returns all users with access to a resource through a named policy, including those with implicit permissions through roles. This function handles resource role relationships through named policies (e.g., g2, g3, etc.).

For example:

p, admin_group, admin_data, *
g, admin, admin_group
g2, app, admin_data

GetNamedImplicitUsersForResource("g2", "app") will return users who have access to admin_data through g2 relationship.

ImplicitUsers, err := e.GetNamedImplicitUsersForResource("g2", "app")