Documentation
¶
Index ¶
- Constants
- Variables
- func Can(userID int, systemRole int, permission Permission) bool
- func ClearUserAuthorization(userID int) error
- func ClearUserAuthorizationInTx(tx *gorm.DB, userID int) error
- func ClearUserPermissions(userID int) error
- func ClearUserPermissionsInTx(tx *gorm.DB, userID int) error
- func Init(db *gorm.DB) error
- func RegisterResource(resource ResourceDefinition)
- func ReloadPolicy() error
- func RoleSubject(roleKey string) string
- func SetUserPermissions(userID int, permissions PermissionsMap) error
- func SetUserPermissionsInTx(tx *gorm.DB, userID int, permissions PermissionsMap) error
- func StartPolicySync(frequency int)
- func UserSubject(userID int) string
- type ActionDefinition
- type Permission
- type PermissionsMap
- type ResourceDefinition
- type RoleDescriptor
- type RoleSpec
Constants ¶
const ( EffectAllow = "allow" EffectDeny = "deny" )
const ( ResourceChannel = "channel" ActionRead = "read" ActionOperate = "operate" ActionWrite = "write" ActionSensitiveWrite = "sensitive_write" ActionSecretView = "secret_view" )
const ( BuiltInRoleRoot = "root" BuiltInRoleAdmin = "admin" )
Variables ¶
var ( ChannelRead = Permission{Resource: ResourceChannel, Action: ActionRead} ChannelOperate = Permission{Resource: ResourceChannel, Action: ActionOperate} ChannelWrite = Permission{Resource: ResourceChannel, Action: ActionWrite} ChannelSensitiveWrite = Permission{Resource: ResourceChannel, Action: ActionSensitiveWrite} ChannelSecretView = Permission{Resource: ResourceChannel, Action: ActionSecretView} )
Functions ¶
func Can ¶
func Can(userID int, systemRole int, permission Permission) bool
Can reports whether the subject may perform the permission. A superuser role short-circuits to allow. Otherwise a per-user override wins, then the union of the subject's role baselines applies.
func ClearUserAuthorization ¶
func ClearUserPermissions ¶
func RegisterResource ¶
func RegisterResource(resource ResourceDefinition)
RegisterResource adds a resource definition to the permission registry.
func ReloadPolicy ¶
func ReloadPolicy() error
func RoleSubject ¶
RoleSubject is the casbin subject string for a role.
func SetUserPermissions ¶
func SetUserPermissions(userID int, permissions PermissionsMap) error
func SetUserPermissionsInTx ¶
func SetUserPermissionsInTx(tx *gorm.DB, userID int, permissions PermissionsMap) error
func StartPolicySync ¶
func StartPolicySync(frequency int)
StartPolicySync periodically reloads the authorization policy from the database. The enforcer keeps an in-memory snapshot, and permission changes are written straight to the DB (see SetUserPermissionsInTx) with only the local node's snapshot refreshed afterwards. Without this loop other instances in a multi-node deployment would keep serving stale permissions (including not honoring a revoked grant) until restart. Mirrors model.SyncOptions polling.
func UserSubject ¶
UserSubject is the casbin subject string for a single user.
Types ¶
type ActionDefinition ¶
type ActionDefinition struct {
Action string `json:"action"`
LabelKey string `json:"label_key"`
DescriptionKey string `json:"description_key"`
DefaultRoles []string `json:"-"`
}
ActionDefinition describes a single action exposed by a resource. DefaultRoles lists the role keys that receive this action as part of their baseline grants.
type Permission ¶
Permission identifies a single action on a resource.
func AllPermissions ¶
func AllPermissions() []Permission
AllPermissions returns every registered permission.
func PermissionsForRole ¶
func PermissionsForRole(roleKey string) []Permission
PermissionsForRole returns the permissions whose DefaultRoles include roleKey.
type PermissionsMap ¶
PermissionsMap is a resource -> action -> allowed lookup.
func Capabilities ¶
func Capabilities(userID int, systemRole int) PermissionsMap
Capabilities returns the full resource/action matrix the subject is allowed.
func ExplicitUserOverrides ¶
func ExplicitUserOverrides(userID int) PermissionsMap
ExplicitUserOverrides returns only the per-user override entries.
func ExplicitUserPermissions ¶
func ExplicitUserPermissions(userID int) PermissionsMap
ExplicitUserPermissions returns the effective permission matrix for the managed role plus any per-user overrides.
type ResourceDefinition ¶
type ResourceDefinition struct {
Resource string `json:"resource"`
LabelKey string `json:"label_key"`
Actions []ActionDefinition `json:"actions"`
}
ResourceDefinition describes a resource and the actions it exposes.
func Catalog ¶
func Catalog() []ResourceDefinition
Catalog returns a copy of the registered resource definitions.
type RoleDescriptor ¶
type RoleDescriptor struct {
Key string `json:"key"`
Name string `json:"name"`
BuiltIn bool `json:"built_in"`
Superuser bool `json:"superuser"`
Grants PermissionsMap `json:"grants"`
}
RoleDescriptor exposes a role together with its baseline grant matrix.
func Roles ¶
func Roles() []RoleDescriptor
Roles returns the role descriptors with their baseline grants.