rbac

package
Published: Dec 14, 2015 License: LGPL-3.0 Imports: 2 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

var ErrAlreadyGranted error = fmt.Errorf("Already granted")
var ErrNotFound error = fmt.Errorf("Not found")

Functions

This section is empty.

Types

type Access

type Access struct {
	Store Store
	Roles RoleMap
}

Access provides query capabilities over the role-based access control system.

func NewAccess

func NewAccess(store Store, roles RoleMap) *Access

func (*Access) Can

func (s *Access) Can(pr Principal, pm Permission, r Resource) (bool, error)

Can tests if the principal's granted roles provide a permission on a given resource or its container.

func (*Access) HasGrant

func (s *Access) HasGrant(pr Principal, ro Role, r Resource) (bool, error)

HasGrant tests if the principal has been granted a role on a given resource or its container.

type Admin

type Admin struct {
	*Access
}

Admin provides administrative capabilities over the role-based access control system.

func NewAdmin

func NewAdmin(store Store, roles RoleMap) *Admin

func (*Admin) Grant

func (s *Admin) Grant(pr Principal, ro Role, rs Resource) error

Grant allows a principal permissions to act upon a given resource.

func (*Admin) Revoke

func (s *Admin) Revoke(pr Principal, ro Role, rs Resource) error

Revoke removes a prior grant of permissions to a principal on a resource.

type Grant

type Grant interface {
	// Principal is the subject granted permissions.
	Principal() Principal
	// Role is the predicated bundle of permissions.
	Role() Role
	// Resource is the object of said permissions.
	Resource() Resource
}

Grant represents a statement of fact that a principal (user, group, identity) can act in a given role (that is, perform that role's actions) with regard to some resource object.

type Permission

type Permission interface {
	Perm() string
}

Permission represents a granular capability that can be performed on a resource.

func NewPermission

func NewPermission(name string) Permission

NewPermission defines a new permission identified by a well-known, unique name.

type PermissionMap

type PermissionMap map[string]Permission

func NewPermissionMap

func NewPermissionMap(permissions ...Permission) PermissionMap

type Resource

type Resource interface {
	// Capabilities returns all the possible permissions that are defined for this type of resource.
	Capabilities() PermissionMap
	// URI returns the uniform identifier for this resource.
	URI() string
	// ParentOf returns the resource which contains this one, or nil.
	ParentOf() Resource
}

Resource represents the object of access controls.

func NewResource

func NewResource(uri string, capabilities ...Permission) Resource

type Role

type Role interface {
	// Capabilities returns the permissions that have been delegated to this role.
	Capabilities() PermissionMap
	// Role returns the locally distinguished name for this role.
	Role() string
	// Can tests if the role allows the given permission.
	Can(p Permission) bool
}

Role represents a set of permissions (capabilities, actions) to operate on a resource.

func NewRole

func NewRole(name string, permissions ...Permission) Role

NewRole defines a new role identified by a well-known, unique name with access to the specified permissions.

type RoleMap

type RoleMap map[string]Role

func NewRoleMap

func NewRoleMap(roles ...Role) RoleMap

type Store

type Store interface {
	// HasGrant tests if the principal is assigned to a role for operating on the resource.
	HasGrant(principal, role, resource string, transitive bool) (bool, error)
	// AddGroup adds a group.
	AddGroup(group string) error
	// RemoveGroup removes a group and all its members.
	RemoveGroup(group string) error
	// AddMember adds a group-member relationship between principal identifiers.
	AddMember(group, member string) error
	// RemoveMember removes a group-member relationship between principal identifiers.
	RemoveMember(group, member string) error
	// GroupsOf returns the groups to which the given principal belongs.
	// Note that a principal can be a member of multiple groups. Either immediate
	// or complete, transitive group memberships can be obtained.
	GroupsOf(principal string, transitive bool) ([]string, error)
	// InsertGrant adds a principal-role-resource statement of fact that represents
	// a role assignment.
	InsertGrant(principal, role, resource string) error
	// RemoveGrant removes the principal-role-resource representation of a role assignment.
	RemoveGrant(principal, role, resource string) error
	// ResourceGrants returns index-matched slices containing all the principal-role grants
	// on the given resource.
	ResourceGrants(resource string) (principals, roles []string, err error)
	// PrincipalGrants returns index-matched slices containing the immediate
	// or complete, transitive role-resource pairs that apply to the principal.
	PrincipalGrants(principal string, transitive bool) (roles, resources []string, err error)
	// RoleGrants returns a slice of the roles granted to a principal on a resource.
	RoleGrants(principal, resource string, transitive bool) ([]string, error)
}

Store defines the backend storage API for the affinity role-based access control system. The interface is designed to be low-level enough for NoSQL databases such as document or key-value stores.
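The following is an added example, not code from this package, showing how the pieces documented above fit together: a role bundles permissions, a grant binds a principal to a role on a resource, group membership lets a grant on a group apply to its members, and a permission check walks from a resource up through its containers (the behaviour the page describes for Access.Can). The in-memory `memStore`, the simplified `Role`, `Resource` and `Access` types and the `demo` scenario are all constructed here for illustration; they implement only the subset of the Store interface that the check needs, and the identifiers (`alice`, `ops`, `/org`, `/org/db`) are made up.

```go
package main

import (
	"errors"
	"fmt"
)

// Sentinel error mirroring the one documented for the package.
var ErrAlreadyGranted = errors.New("Already granted")

// Role is a named bundle of permissions (simplified from the page's Role interface).
type Role struct {
	Name  string
	Perms map[string]bool
}

func NewRole(name string, perms ...string) Role {
	r := Role{Name: name, Perms: map[string]bool{}}
	for _, p := range perms {
		r.Perms[p] = true
	}
	return r
}

// Resource is the object of access control; Parent models containment (ParentOf on the page).
type Resource struct {
	URI    string
	Parent *Resource
}

// memStore is a constructed in-memory backend: grants[principal][resource] is a set of
// role names; groups[member] is the set of groups the member belongs to directly.
type memStore struct {
	grants map[string]map[string]map[string]bool
	groups map[string]map[string]bool
}

func newMemStore() *memStore {
	return &memStore{grants: map[string]map[string]map[string]bool{}, groups: map[string]map[string]bool{}}
}

// AddMember records that member belongs to group.
func (s *memStore) AddMember(group, member string) error {
	if s.groups[member] == nil {
		s.groups[member] = map[string]bool{}
	}
	s.groups[member][group] = true
	return nil
}

// GroupsOf returns immediate or, when transitive is true, nested group memberships.
func (s *memStore) GroupsOf(principal string, transitive bool) ([]string, error) {
	seen, queue, out := map[string]bool{}, []string{principal}, []string{}
	for len(queue) > 0 {
		p := queue[0]
		queue = queue[1:]
		for g := range s.groups[p] {
			if !seen[g] {
				seen[g] = true
				out = append(out, g)
				if transitive {
					queue = append(queue, g)
				}
			}
		}
	}
	return out, nil
}

// InsertGrant stores a principal-role-resource statement; a duplicate is an error.
func (s *memStore) InsertGrant(principal, role, resource string) error {
	if s.grants[principal] == nil {
		s.grants[principal] = map[string]map[string]bool{}
	}
	if s.grants[principal][resource] == nil {
		s.grants[principal][resource] = map[string]bool{}
	}
	if s.grants[principal][resource][role] {
		return ErrAlreadyGranted
	}
	s.grants[principal][resource][role] = true
	return nil
}

// RoleGrants returns roles granted on exactly this resource, directly or (transitive) via groups.
func (s *memStore) RoleGrants(principal, resource string, transitive bool) ([]string, error) {
	subjects := []string{principal}
	if transitive {
		groups, _ := s.GroupsOf(principal, true)
		subjects = append(subjects, groups...)
	}
	var roles []string
	for _, sub := range subjects {
		for r := range s.grants[sub][resource] {
			roles = append(roles, r)
		}
	}
	return roles, nil
}

// Access answers Can: does any role granted on the resource or one of its containers allow perm?
type Access struct {
	Store *memStore
	Roles map[string]Role
}

func (a *Access) Can(principal, perm string, r *Resource) (bool, error) {
	for res := r; res != nil; res = res.Parent { // walk up the containment chain
		roles, err := a.Store.RoleGrants(principal, res.URI, true)
		if err != nil {
			return false, err
		}
		for _, name := range roles {
			if a.Roles[name].Perms[perm] {
				return true, nil
			}
		}
	}
	return false, nil
}

// Result holds the outcomes of the constructed scenario so they can be checked.
type Result struct{ ReadDB, WriteDB, ReadOther bool; Dup error }

// demo: alice is in group ops; ops holds role reader on container /org; /org/db sits inside /org.
func demo() (Result, error) {
	store := newMemStore()
	roles := map[string]Role{"reader": NewRole("reader", "read"), "writer": NewRole("writer", "read", "write")}
	store.AddMember("ops", "alice")
	if err := store.InsertGrant("ops", "reader", "/org"); err != nil {
		return Result{}, err
	}
	dup := store.InsertGrant("ops", "reader", "/org") // second identical grant is rejected
	org := &Resource{URI: "/org"}
	db := &Resource{URI: "/org/db", Parent: org}
	other := &Resource{URI: "/other"}
	access := &Access{Store: store, Roles: roles}
	readDB, _ := access.Can("alice", "read", db)       // inherited from /org via group ops
	writeDB, _ := access.Can("alice", "write", db)     // reader role lacks write
	readOther, _ := access.Can("alice", "read", other) // no grant anywhere in /other's chain
	return Result{readDB, writeDB, readOther, dup}, nil
}

func main() {
	r, err := demo()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

The check is deliberately deny-by-default: a permission is allowed only when some role found on the resource or a container explicitly contains it, and an unknown role name contributes nothing because its nil permission set never matches.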
