Documentation
¶
Index ¶
- Constants
- Variables
- type Action
- type Article
- type Authorizer
- type Category
- type Entity
- type Group
- type Grouping
- type GroupingPersister
- type GroupingPolicy
- type GroupingPolicyChange
- type GroupingReader
- type GroupingWriter
- type Member
- type Object
- type Objector
- type Permission
- type PermissionPersister
- type PermissionPolicy
- type PermissionPolicyChange
- type PersistMethod
- type PresetPolicy
- type Role
- type Subject
- type Subjector
- type User
Constants ¶
const ( Exec Action = 1 << iota Write Read None Action = 0 ReadWrite = Read | Write ReadExec = Read | Exec ReadWriteExec = Read | Write | Exec )
preset actions, users can reset these and define others
Variables ¶
var ( ErrNotFound = errors.New("not found") ErrAlreadyExists = errors.New("already exists") ErrInvalidEntity = errors.New("invlid entity, it should be one of user, role, article, and catetory") ErrInvalidGroup = errors.New("invalid group, it should be a role or a catetory") ErrInvalidMember = errors.New("invalid member, it should be a user or an article") ErrInvlaidSubject = errors.New("invalid subject, it should be a User or Role") ErrInvlaidObject = errors.New("invalid object, it should be an Article or Category") ErrNoSubjectGrouping = errors.New("subject grouping is not configured") ErrNoObjectGrouping = errors.New("object grouping is not used") ErrUnsupportedChange = errors.New("persister changes in a way unsupported") ErrUnknownAction = errors.New("unknown action") )
exported errors
var AllActions = ReadWriteExec
AllActions is union of all actions, it will be reset when ResetActions being called
Functions ¶
This section is empty.
Types ¶
type Action ¶
type Action uint32
Action can be done on objects by subjects Actions are power of twos to achieve efficient set operations, like union, intersection, complement. An action is also a union of actions
func ParseAction ¶
ParseAction parses action from string
func ResetActions ¶
ResetActions cleans preset actions, and register custom ones
func (Action) Difference ¶
Difference returns set of actions belong to a but not b: complement of b in a
type Article ¶
type Article string
Article is an Member belongs to some Categories, and an Object in Permissions
type Authorizer ¶
type Authorizer interface {
Subjector
Objector
Permission
}
Authorizer is the top level interface for end use. It decides if anyone can do anthing to some object, with knowledge of user groupings, article groupings, and permission polices
type Entity ¶
type Entity interface {
// String method is used to be serialized when persisting
String() string
}
Entity is anything could be grouped together, or be a group of other entities
func ParseEntity ¶
ParseEntity parses an serialized Entity
type Group ¶
type Group interface {
Entity
// contains filtered or unexported methods
}
Group is an collection of entities, like Role in user-role, or Category in article-cagetory relationships Group is not expecting custom implementations
type Grouping ¶
type Grouping interface {
GroupingWriter
GroupingReader
}
Grouping defines member-group relationships, an member could belong to any number of groups, and a group could contain any members or other groups.
type GroupingPersister ¶
type GroupingPersister interface {
// Insert inserts a policy to the persister
Insert(Entity, Group) error
// Remove a policy from the persister
Remove(Entity, Group) error
// List all policies from the persister
List() ([]GroupingPolicy, error)
// Watch any changes occurred about the policies in the persister
Watch(context.Context) (<-chan GroupingPolicyChange, error)
}
GroupingPersister persists member-group relationship polices to an external storage
type GroupingPolicy ¶
GroupingPolicy is an entity-group releationship policy
type GroupingPolicyChange ¶
type GroupingPolicyChange struct {
GroupingPolicy
Method PersistMethod
}
GroupingPolicyChange denotes an changing event about a GroupingPolicy
type GroupingReader ¶
type GroupingReader interface {
// IsIn returns true if Member is a member of Group or members of Group
IsIn(Member, Group) (bool, error)
// AllGroups returns all Group have ever seen
AllGroups() (map[Group]struct{}, error)
// AllMembers returns all members have ever seen
AllMembers() (map[Member]struct{}, error)
// MembersIn returns all members belongs to Group or sub Groups of Group
MembersIn(Group) (map[Member]struct{}, error)
// GroupsOf returns all groups the member belongs to
GroupsOf(Entity) (map[Group]struct{}, error)
}
GroupingReader defines methods to get grouping assignment polices
type GroupingWriter ¶
type GroupingWriter interface {
// Join an Entity to a Group, the Entity will "immediately" belongs to the Group
Join(Entity, Group) error
// Leave removes an Entity from a Group, the Entity will no longer belongs to the Group
Leave(Entity, Group) error
// RemoveGroup removes a Group, and all relationships about it
RemoveGroup(Group) error
// RemoveMember removes an Member, and all relationships about it
RemoveMember(Member) error
}
GroupingWriter defines methods to create, update, or remove grouping assignment polices
type Member ¶
type Member interface {
Entity
// contains filtered or unexported methods
}
Member is an entity could be grouped together, like User in user-role, or Article in article-cagetory relationships Member is not expecting custom implementations
func ParseMember ¶
ParseMember parses a serialized Member
type Object ¶
type Object interface {
Entity
// contains filtered or unexported methods
}
Object is an Article or a Category to perform actions on Object is not expecting custom implementations
func ParseObject ¶
ParseObject parses a serialized object
type Objector ¶
type Objector interface {
// ObjectJoin joins an article or a sub category to a category
ObjectJoin(obj Object, cat Category) error
// ObjectLeave removes an article or a sub category from a category
ObjectLeave(obj Object, cat Category) error
// RemoveArticle removes an article and all polices about it
RemoveArticle(art Article) error
// RemoveCategory removes a category and all polices about it
RemoveCategory(cat Category) error
// Objects returns the GroupingReader interface for objects
Objects() GroupingReader
}
Objector manages article-category relationship assignment and authorization
type Permission ¶
type Permission interface {
// Permit subject to perform action on object
Permit(Subject, Object, Action) error
// Revoke permission for subject to perform action on object
Revoke(Subject, Object, Action) error
// Shall subject perform action on object
Shall(Subject, Object, Action) (bool, error)
// PermissionsOn object for all subjects
PermissionsOn(Object) (map[Subject]Action, error)
// PermissionsFor subject on all objects
PermissionsFor(Subject) (map[Object]Action, error)
// PermittedActions for subject on object
PermittedActions(Subject, Object) (Action, error)
}
Permission knows permission assignment, and tells if a subject is permitted to perform some action to an object
type PermissionPersister ¶
type PermissionPersister interface {
// Insert a permission policy to the persister
Insert(Subject, Object, Action) error
// Update a permission policy to the persister
Update(Subject, Object, Action) error
// Remove a permission policy from the persister
Remove(Subject, Object) error
// List all polices from the persister
List() ([]PermissionPolicy, error)
// Watch any changes occurred about the polices in the persister
Watch(context.Context) (<-chan PermissionPolicyChange, error)
}
PermissionPersister persists subject-object-action permission polices to an external storage
type PermissionPolicy ¶
PermissionPolicy is a subject-object-action permission policy
type PermissionPolicyChange ¶
type PermissionPolicyChange struct {
PermissionPolicy
Method PersistMethod
}
PermissionPolicyChange denotes an changing event about a PermissionPolicy
type PersistMethod ¶
type PersistMethod string
PersistMethod defines what happened about the policies
const ( PersistInsert PersistMethod = "insert" PersistDelete PersistMethod = "delete" PersistUpdate PersistMethod = "update" )
possible changes could be happened about policies
type Subject ¶
type Subject interface {
Entity
// contains filtered or unexported methods
}
Subject is a User or a Role to perform actions on Objects Subject is not expecting custom implementations
func ParseSubject ¶
ParseSubject parses an serialized Subject
type Subjector ¶
type Subjector interface {
// SubjectJoin joins a user or a sub role to a role
SubjectJoin(sub Subject, role Role) error
// SubjectLeave removes a user or a sub role from a role
SubjectLeave(sub Subject, role Role) error
// RemoveUser removes a user and all policies about it
RemoveUser(user User) error
// RemoveRole removes a role and all policies about it
RemoveRole(role Role) error
// Subjects returns the GroupingReader interface for subjects
Subjects() GroupingReader
}
Subjector manages user-role relationship assignment and authorization
Source Files