RBAC API

一个更友好的RBAC API。 此API是管理API的一个子集。 RBAC用户可以使用此API简化代码。

参考

全局变量e是Enforcer实例。

Go

e, err := NewEnforcer("examples/rbac_model.conf", "examples/rbac_policy.csv")

Node.js

const e = await newEnforcer('examples/rbac_model.conf', 'examples/rbac_policy.csv')

PHP

$e = new Enforcer('examples/rbac_model.conf', 'examples/rbac_policy.csv');

Python

e = casbin.Enforcer("examples/rbac_model.conf", "examples/rbac_policy.csv")

.NET

var e = new Enforcer("path/to/model.conf", "path/to/policy.csv");

Rust

let mut e = Enforcer::new("examples/rbac_model.conf", "examples/rbac_policy.csv").await?;

Java

Enforcer e = new Enforcer("examples/rbac_model.conf", "examples/rbac_policy.csv");

GetRolesForUser()

GetRolesForUser获取用户拥有的角色。

例如：

Go

res := e.GetRolesForUser("alice")

Node.js

const res = await e.getRolesForUser('alice')

PHP

$res = $e->getRolesForUser("alice");

Python

roles = e.get_roles_for_user("alice")

.NET

var res = e.GetRolesForUser("alice");

Rust

let roles = e.get_roles_for_user("alice", None); // No domain

Java

List<String> res = e.getRolesForUser("alice");

GetUsersForRole()

GetUsersForRole获取拥有某个角色的用户。

例如：

Go

res := e.GetUsersForRole("data1_admin")

Node.js

const res = await e.getUsersForRole('data1_admin')

PHP

$res = $e->getUsersForRole("data1_admin");

Python

users = e.get_users_for_role("data1_admin")

.NET

var res = e.GetUsersForRole("data1_admin");

Rust

let users = e.get_users_for_role("data1_admin", None); // No domain

Java

List<String> res = e.getUsersForRole("data1_admin");

HasRoleForUser()

HasRoleForUser确定用户是否拥有某个角色。

例如：

Go

res := e.HasRoleForUser("alice", "data1_admin")

Node.js

const res = await e.hasRoleForUser('alice', 'data1_admin')

PHP

$res = $e->hasRoleForUser("alice", "data1_admin");

Python

has = e.has_role_for_user("alice", "data1_admin")

.NET

var res = e.HasRoleForUser("alice", "data1_admin");

Rust

let has = e.has_role_for_user("alice", "data1_admin", None); // No domain

Java

boolean res = e.hasRoleForUser("alice", "data1_admin");

AddRoleForUser()

AddRoleForUser为用户添加一个角色。 如果用户已经拥有该角色（即没有影响），则返回false。

例如：

Go

e.AddRoleForUser("alice", "data2_admin")

Node.js

await e.addRoleForUser('alice', 'data2_admin')

PHP

$e->addRoleForUser("alice", "data2_admin");

Python

e.add_role_for_user("alice", "data2_admin")

.NET

var added = e.AddRoleForUser("alice", "data2_admin");
or
var added = await e.AddRoleForUserAsync("alice", "data2_admin");

Rust

let added = e.add_role_for_user("alice", "data2_admin", None).await?; // No domain

Java

boolean added = e.addRoleForUser("alice", "data2_admin");

AddRolesForUser()

AddRolesForUser为用户添加多个角色。 如果用户已经拥有这些角色中的一个（即没有影响），则返回false。

例如：

Go

var roles = []string{"data2_admin", "data1_admin"}
e.AddRolesForUser("alice", roles)

Node.js

const roles = ["data1_admin", "data2_admin"];
roles.map((role) => e.addRoleForUser("alice", role));

.NET

var roles = new List<string> { "data1_admin", "data2_admin" };
var allAdded = e.AddRolesForUser("alice", roles);
// or async
var allAdded = await e.AddRolesForUserAsync("alice", roles);

Rust

let roles = vec!["data1_admin".to_owned(), "data2_admin".to_owned()];
let all_added = e.add_roles_for_user("alice", roles, None).await?; // No domain

DeleteRoleForUser()

DeleteRoleForUser deletes a role for a user. Returns false if the user does not have the role (aka not affected).

For example:

Go

e.DeleteRoleForUser("alice", "data1_admin")

Node.js

await e.deleteRoleForUser('alice', 'data1_admin')

PHP

$e->deleteRoleForUser("alice", "data1_admin");

Python

e.delete_role_for_user("alice", "data1_admin")

.NET

var deleted = e.DeleteRoleForUser("alice", "data1_admin");
or
var deleted = await e.DeleteRoleForUser("alice", "data1_admin");

Rust

let deleted = e.delete_role_for_user("alice", "data1_admin", None).await?; // No domain

Java

boolean deleted = e.deleteRoleForUser("alice", "data1_admin");

DeleteRolesForUser()

DeleteRolesForUser deletes all roles for a user. Returns false if the user does not have any roles (aka not affected).

For example:

Go

e.DeleteRolesForUser("alice")

Node.js

await e.deleteRolesForUser('alice')

PHP

$e->deleteRolesForUser("alice");

Python

e.delete_roles_for_user("alice")

.NET

var deletedAtLeastOne = e.DeleteRolesForUser("alice");
or
var deletedAtLeastOne = await e.DeleteRolesForUserAsync("alice");

Rust

let deleted_at_least_one = e.delete_roles_for_user("alice", None).await?; // No domain

Java

boolean deletedAtLeastOne = e.deleteRolesForUser("alice");

DeleteUser()

DeleteUser deletes a user. Returns false if the user does not exist (aka not affected).

For example:

Go

e.DeleteUser("alice")

Node.js

await e.deleteUser('alice')

PHP

$e->deleteUser("alice");

Python

e.delete_user("alice")

.NET

var deleted = e.DeleteUser("alice");
or
var deleted = await e.DeleteUserAsync("alice");

Rust

let deleted = e.delete_user("alice").await?;

Java

boolean deleted = e.deleteUser("alice");

DeleteRole()

DeleteRole deletes a role.

For example:

Go

e.DeleteRole("data2_admin")

Node.js

await e.deleteRole("data2_admin")

PHP

$e->deleteRole("data2_admin");

Python

e.delete_role("data2_admin")

.NET

var deleted = e.DeleteRole("data2_admin");
or
var deleted = await e.DeleteRoleAsync("data2_admin");

Rust

let deleted = e.delete_role("data2_admin").await?;

Java

e.deleteRole("data2_admin");

DeletePermission()

DeletePermission deletes a permission. Returns false if the permission does not exist (aka not affected).

For example:

Go

e.DeletePermission("read")

Node.js

await e.deletePermission('read')

PHP

$e->deletePermission("read");

Python

e.delete_permission("read")

.NET

var deleted = e.DeletePermission("read");
or
var deleted = await e.DeletePermissionAsync("read");

Rust

let deleted = e.delete_permission(vec!["read".to_owned()]).await?;

Java

boolean deleted = e.deletePermission("read");

AddPermissionForUser()

AddPermissionForUser adds a permission for a user or role. Returns false if the user or role already has the permission (aka not affected).

For example:

Go

e.AddPermissionForUser("bob", "read")

Node.js

await e.addPermissionForUser('bob', 'read')

PHP

$e->addPermissionForUser("bob", "read");

Python

e.add_permission_for_user("bob", "read")

.NET

var added = e.AddPermissionForUser("bob", "read");
or
var added = await e.AddPermissionForUserAsync("bob", "read");

Rust

let added = e.add_permission_for_user("bob", vec!["read".to_owned()]).await?;

Java

boolean added = e.addPermissionForUser("bob", "read");

AddPermissionsForUser()

AddPermissionsForUser adds multiple permissions for a user or role. Returns false if the user or role already has one of the permissions (aka not affected).

For example:

Go

var permissions = [][]string{{"data1", "read"},{"data2","write"}}
for i := 0; i < len(permissions); i++ {
    e.AddPermissionsForUser("alice", permissions[i])
}

Node.js

const permissions = [
    ["data1", "read"],
    ["data2", "write"],
];

permissions.map((permission) => e.addPermissionForUser("bob", ...permission));

.NET

var permissions = new List<List<string>>
{
    new List<string> { "data1", "read" },
    new List<string> { "data2", "write" }
};

foreach (var permission in permissions)
{
    var added = e.AddPermissionForUser("bob", permission.ToArray());
    // or async
    var added = await e.AddPermissionForUserAsync("bob", permission.ToArray());
}

Rust

let permissions = vec![
    vec!["data1".to_owned(), "read".to_owned()],
    vec!["data2".to_owned(), "write".to_owned()],
];

let all_added = e.add_permissions_for_user("bob", permissions).await?;

DeletePermissionForUser()

DeletePermissionForUser deletes a permission for a user or role. Returns false if the user or role does not have the permission (aka not affected).

For example:

Go

e.DeletePermissionForUser("bob", "read")

Node.js

await e.deletePermissionForUser("bob", "read")

PHP

$e->deletePermissionForUser("bob", "read");

Python

e.delete_permission_for_user("bob", "read")

.NET

var deleted = e.DeletePermissionForUser("bob", "read");
or
var deleted = await e.DeletePermissionForUserAsync("bob", "read");

Rust

let deleted = e.delete_permission_for_user("bob", vec!["read".to_owned()]).await?;

Java

boolean deleted = e.deletePermissionForUser("bob", "read");

DeletePermissionsForUser()

DeletePermissionsForUser deletes permissions for a user or role. Returns false if the user or role does not have any permissions (aka not affected).

For example:

Go

e.DeletePermissionsForUser("bob")

Node.js

await e.deletePermissionsForUser('bob')

PHP

$e->deletePermissionsForUser("bob");

Python

e.delete_permissions_for_user("bob")

.NET

var deletedAtLeastOne = e.DeletePermissionsForUser("bob");
or
var deletedAtLeastOne = await e.DeletePermissionsForUserAsync("bob");

Rust

let deleted_at_least_one = e.delete_permissions_for_user("bob").await?;

Java

boolean deletedAtLeastOne = e.deletePermissionForUser("bob");

GetPermissionsForUser()

GetPermissionsForUser gets permissions for a user or role.

For example:

Go

e.GetPermissionsForUser("bob")

Node.js

await e.getPermissionsForUser('bob')

PHP

$e->getPermissionsForUser("bob");

Python

e.get_permissions_for_user("bob")

.NET

var permissions = e.GetPermissionsForUser("bob");

Java

List<List<String>> permissions = e.getPermissionsForUser("bob");

GetNamedPermissionsForUser()

GetNamedPermissionsForUser gets permissions for a user or role by named policy.

For example:

p, alice, data1, read
p, bob, data2, write
p2, admin, create
g, alice, admin

GetNamedPermissionsForUser("p", "alice") will return [["alice", "data1", "read"]]. GetNamedPermissionsForUser("p2", "alice") will return [["admin", "create"]].

Go

permissions, err := e.GetNamedPermissionsForUser("p", "alice")

.NET

var permissions = e.GetNamedPermissionsForUser("p", "alice");

Python

permissions = e.get_named_permissions_for_user("p", "alice")

HasPermissionForUser()

HasPermissionForUser determines whether a user has a permission.

For example:

Go

e.HasPermissionForUser("alice", []string{"read"})

Node.js

await e.hasPermissionForUser('alice', 'read')

PHP

$e->hasPermissionForUser("alice", []string{"read"});

Python

has = e.has_permission_for_user("alice", "read")

.NET

var has = e.HasPermissionForUser("bob", "read");

Rust

let has = e.has_permission_for_user("alice", vec!["data1".to_owned(), "read".to_owned()]);

Java

boolean has = e.hasPermissionForUser("alice", "read");

GetImplicitRolesForUser()

GetImplicitRolesForUser gets implicit roles that a user has. Compared to GetRolesForUser(), this function retrieves indirect roles besides direct roles.

For example:

g, alice, role:admin  
g, role:admin, role:user  

GetRolesForUser("alice") can only get: ["role:admin"].\ But GetImplicitRolesForUser("alice") will get: ["role:admin", "role:user"].

For example:

Go

e.GetImplicitRolesForUser("alice")

Node.js

await e.getImplicitRolesForUser("alice")

PHP

$e->getImplicitRolesForUser("alice");

Python

e.get_implicit_roles_for_user("alice")

.NET

var implicitRoles = e.GetImplicitRolesForUser("alice");

Rust

e.get_implicit_roles_for_user("alice", None); // No domain

Java

List<String> implicitRoles = e.getImplicitRolesForUser("alice");

GetNamedImplicitRolesForUser()

GetNamedImplicitRolesForUser gets implicit roles that a user has by named policy.

For example:

g, alice, admin
g, admin, super_admin
g2, alice, user
g2, user, guest

GetNamedImplicitRolesForUser("g", "alice") will return ["admin", "super_admin"]. GetNamedImplicitRolesForUser("g2", "alice") will return ["user", "guest"].

Go

roles, err := e.GetNamedImplicitRolesForUser("g", "alice")

.NET

var roles = e.GetNamedImplicitRolesForUser("g", "alice");

Python

roles = e.get_named_implicit_roles_for_user("g", "alice")

GetImplicitUsersForRole()

GetImplicitUsersForRole gets all users inheriting the role. Compared to GetUsersForRole(), this function retrieves indirect users.

For example:

g, alice, role:admin  
g, role:admin, role:user  

GetUsersForRole("role:user") can only get: ["role:admin"].\ But GetImplicitUesrsForRole("role:user") will get: ["role:admin", "alice"].

For example:

Go

users := e.GetImplicitUsersForRole("role:user")

Node.js

const users = e.getImplicitUsersForRole("role:user");

Java

List<String> users = e.getImplicitUsersForRole("role:user");

GetImplicitPermissionsForUser()

GetImplicitPermissionsForUser gets implicit permissions for a user or role.\ Compared to GetPermissionsForUser(), this function retrieves permissions for inherited roles.

For example:

p, admin, data1, read  
p, alice, data2, read  
g, alice, admin 

GetPermissionsForUser("alice") can only get: [["alice", "data2", "read"]].\ But GetImplicitPermissionsForUser("alice") will get: [["admin", "data1", "read"], ["alice", "data2", "read"]].

For example:

Go

e.GetImplicitPermissionsForUser("alice")

Node.js

await e.getImplicitPermissionsForUser("alice")

PHP

$e->getImplicitPermissionsForUser("alice");

Python

e.get_implicit_permissions_for_user("alice")

.NET

var implicitPermissions = e.GetImplicitPermissionsForUser("alice");

Rust

e.get_implicit_permissions_for_user("alice", None); // No domain

Java

List<List<String>> implicitPermissions = e.getImplicitPermissionsForUser("alice");

GetNamedImplicitPermissionsForUser()

GetNamedImplicitPermissionsForUser gets implicit permissions for a user or role by named policy Compared to GetImplicitPermissionsForUser(), this function allow you to specify the policy name.

For example:

p, admin, data1, read
p2, admin, create
g, alice, admin

GetImplicitPermissionsForUser("alice") only get: [["admin", "data1", "read"]], whose policy is default "p"

But you can specify the policy as "p2" to get: [["admin", "create"]] by GetNamedImplicitPermissionsForUser("p2","alice")

例如：

Go

e.GetNamedImplicitPermissionsForUser("p2","alice")

.NET

var permissions = e.GetNamedImplicitPermissionsForUser("p2", "alice");

Python

e.get_named_implicit_permissions_for_user("p2", "alice")

GetDomainsForUser()

GetDomainsForUser gets all domains which a user has.

For example:

p, admin, domain1, data1, read
p, admin, domain2, data2, read
p, admin, domain2, data2, write
g, alice, admin, domain1
g, alice, admin, domain2

GetDomainsForUser("alice") could get ["domain1", "domain2"]

For example:

Go

result, err := e.GetDomainsForUser("alice")

.NET

var result = e.GetDomainsForUser("alice");

GetImplicitResourcesForUser()

GetImplicitResourcesForUser returns all policies that should be true for user.

For example:

p, alice, data1, read
p, bob, data2, write
p, data2_admin, data2, read
p, data2_admin, data2, write

g, alice, data2_admin

GetImplicitResourcesForUser("alice") will return [[alice data1 read] [alice data2 read] [alice data2 write]]

Go

resources, err := e.GetImplicitResourcesForUser("alice")

.NET

var resources = e.GetImplicitResourcesForUser("alice");

GetImplicitUsersForPermission()

GetImplicitUsersForPermission gets implicit users for a permission.

For example:

p, admin, data1, read
p, bob, data1, read
g, alice, admin

GetImplicitUsersForPermission("data1", "read") will return: ["alice", "bob"].

Note: only users will be returned, roles (2nd arg in "g") will be excluded.

Go

users, err := e.GetImplicitUsersForPermission("data1", "read")

.NET

var users = e.GetImplicitUsersForPermission("data1", "read");

GetImplicitObjectPatternsForUser()

GetImplicitObjectPatternsForUser returns all object patterns (with wildcards) that a user has for a given domain and action.

For example:

p, admin, chronicle/123, location/*, read
p, user, chronicle/456, location/789, read
g, alice, admin
g, bob, user

GetImplicitObjectPatternsForUser("alice", "chronicle/123", "read") will return ["location/*"]. GetImplicitObjectPatternsForUser("bob", "chronicle/456", "read") will return ["location/789"].

Go

patterns, err := e.GetImplicitObjectPatternsForUser("alice", "chronicle/123", "read")

Node.js

const patterns = await e.getImplicitObjectPatternsForUser("alice", "chronicle/123", "read")

PHP

$patterns = $e->getImplicitObjectPatternsForUser("alice", "chronicle/123", "read");

Python

patterns = e.get_implicit_object_patterns_for_user("alice", "chronicle/123", "read")

.NET

var patterns = e.GetImplicitObjectPatternsForUser("alice", "chronicle/123", "read");

Rust

let patterns = e.get_implicit_object_patterns_for_user("alice", "chronicle/123", "read").await?;

Java

List<String> patterns = e.getImplicitObjectPatternsForUser("alice", "chronicle/123", "read");

GetAllowedObjectConditions()

GetAllowedObjectConditions returns a string array of object conditions that the user can access.

For example:

p, alice, r.obj.price < 25, read
p, admin, r.obj.category_id = 2, read
p, bob, r.obj.author = bob, write

g, alice, admin

e.GetAllowedObjectConditions("alice", "read", "r.obj.") will return ["price < 25", "category_id = 2"], nil

Note:

0. prefix: You can customize the prefix of the object conditions, and "r.obj." is commonly used as a prefix. After removing the prefix, the remaining part is the condition of the object. If there is an obj policy that does not meet the prefix requirement, an errors.ERR_OBJ_CONDITION will be returned.

1. If the 'objectConditions' array is empty, return errors.ERR_EMPTY_CONDITION This error is returned because some data adapters' ORM return full table data by default when they receive an empty condition, which tends to behave contrary to expectations.(e.g. GORM) If you are using an adapter that does not behave like this, you can choose to ignore this error.

Go

conditions, err := e.GetAllowedObjectConditions("alice", "read", "r.obj.")

.NET

var conditions = e.GetAllowedObjectConditions("alice", "read", "r.obj.");

GetImplicitUsersForResource()

GetImplicitUsersForResource return implicit user based on resource.

For example:

p, alice, data1, read
p, bob, data2, write
p, data2_admin, data2, read
p, data2_admin, data2, write
g, alice, data2_admin

GetImplicitUsersForResource("data2") will return [["bob", "data2", "write"], ["alice", "data2", "read"] ["alice", "data2", "write"]], nil.

GetImplicitUsersForResource("data1") will return [["alice", "data1", "read"]], nil.

Go

ImplicitUsers, err := e.GetImplicitUsersForResource("data2")

.NET

var implicitUsers = e.GetImplicitUsersForResource("data2");

备注

Only users will be returned, roles (2nd arg in "g") will be excluded.

GetNamedImplicitUsersForResource()

GetNamedImplicitUsersForResource return implicit user based on resource with named policy support. This function handles resource role relationships through named policies (e.g., g2, g3, etc.).

For example:

p, admin_group, admin_data, *
g, admin, admin_group
g2, app, admin_data

GetNamedImplicitUsersForResource("g2", "app") will return users who have access to admin_data through g2 relationship.

Go

ImplicitUsers, err := e.GetNamedImplicitUsersForResource("g2", "app")

.NET

var implicitUsers = e.GetNamedImplicitUsersForResource("g2", "app");