Overview ¶
pkg/rbac/manager.go
pkg/rbac/roles.go
pkg/rbac/user.go
Index ¶
- Constants
- Variables
- func GetCompositeRolesByRole(role types.Role) []types.Role
- func HasRole(roles []types.Role, role types.Role) bool
- func IsConsensusSupported(role types.Role) bool
- func IsConsensusSupportedByRoles(role ...types.Role) bool
- func IsPermissionGranted(role types.Role, permission types.Permission) bool
- type Manager
- func (m *Manager) AssignRole(role types.Role, permissions ...types.Permission) error
- func (m *Manager) GetPermissionsForRole(role types.Role) ([]types.Permission, error)
- func (m *Manager) GetRoles() map[types.Role][]types.Permission
- func (m *Manager) HasPermission(userRoles []types.Role, permission types.Permission) bool
- func (m *Manager) RemoveRole(role types.Role, permissions ...types.Permission) error
- type Option
- type User
Constants ¶
// Roles understood by the RBAC package. The default permission set for each
// role is the matching entry in RolePermissions; RoleAdmin is the only role
// that holds every permission declared in this package.
const (
	RoleAdmin     types.Role = "admin"
	RoleValidator types.Role = "validator"
	RoleSequencer types.Role = "sequencer"
	RoleNode      types.Role = "node"
	RoleObserver  types.Role = "observer"
	RoleUser      types.Role = "user" // generic end-user role
	// RoleSequencerValidator is a combined sequencer/validator role; it is also
	// the first entry in EligibleConsensusRoles.
	RoleSequencerValidator types.Role = "sequencer_validator"
)
// Permissions that can be granted to a role. Which roles hold which permission
// by default is defined in RolePermissions; the per-permission notes below
// describe that default table only and do not constrain what a Manager may be
// configured with at runtime.
const (
	// Key handling. In the default table PermissionManageKeys is held by
	// RoleAdmin only; PermissionViewKeys is far more widely granted.
	PermissionManageKeys types.Permission = "manage_keys"
	PermissionViewKeys   types.Permission = "view_keys"

	// Block lifecycle.
	PermissionProposeBlocks  types.Permission = "propose_blocks"
	PermissionApproveBlocks  types.Permission = "approve_blocks"
	PermissionFinalizeBlocks types.Permission = "finalize_blocks"

	// Storage and sharding.
	PermissionStoreData    types.Permission = "store_data"    // Example additional permission
	PermissionRetrieveData types.Permission = "retrieve_data" // Example additional permission
	PermissionAssignShard  types.Permission = "assign_shard"  // Example additional permission
	PermissionRemoveShard  types.Permission = "remove_shard"  // Example additional permission

	// Network and validator administration.
	PermissionMonitorNetwork  types.Permission = "monitor_network"  // Example additional permission
	PermissionUpdateValidator types.Permission = "update_validator" // Example additional permission
	PermissionSequenceBlocks  types.Permission = "sequence_blocks"  // Specific to Sequencers
	PermissionManageNodes     types.Permission = "manage_nodes"     // Specific to Nodes (held by RoleAdmin and RoleNode by default)

	// Signing. In the default table PermissionCollectSignatures is held by
	// RoleAdmin only; Sign/Verify are held by RoleAdmin and RoleUser.
	PermissionSignTransactions  types.Permission = "sign_transactions"
	PermissionVerifySignatures  types.Permission = "verify_signatures"
	PermissionCollectSignatures types.Permission = "collect_signatures"

	// Topology-Specific Permissions. AddPeer/RemovePeer mutate the peer set and
	// are granted by default to every role except RoleObserver and RoleUser.
	PermissionAddPeer            types.Permission = "add_peer"
	PermissionRemovePeer         types.Permission = "remove_peer"
	PermissionViewTopology       types.Permission = "view_topology"
	PermissionProcessActorPacket types.Permission = "process_actor_packet"
	PermissionSendActorPacket    types.Permission = "send_actor_packet"
)
Variables ¶
// EligibleConsensusRoles defines the roles eligible for consensus leadership.
// RoleAdmin is not listed: holding every permission does not by itself make a
// role a consensus participant.
//
// NOTE(review): this is an exported, mutable package-level slice, so a caller
// that appends to or reassigns it changes consensus eligibility process-wide;
// treat it as read-only. Presumably what IsConsensusSupported and
// IsConsensusSupportedByRoles consult — confirm in roles.go.
var EligibleConsensusRoles = []types.Role{
	RoleSequencerValidator,
	RoleValidator,
	RoleSequencer,
}
EligibleConsensusRoles defines the roles eligible for consensus leadership.
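// RolePermissions maps roles to their permissions. This is the default policy
// table; RoleAdmin holds every permission declared in this package, while
// RoleObserver and RoleUser are the only roles that cannot add or remove
// peers. Each slice is kept free of duplicates so that the length of a role's
// permission list is meaningful to callers that enumerate it (the
// RoleSequencerValidator entry previously listed PermissionProposeBlocks twice).
//
// NOTE(review): this is an exported, mutable package-level map. Any code that
// appends to a slice here, or assigns a new key, changes the default policy for
// the whole process; treat it as read-only after init. Presumably what
// WithDefaultRoles installs into a Manager — confirm in manager.go.
var RolePermissions = map[types.Role][]types.Permission{
	RoleAdmin: {
		PermissionManageKeys,
		PermissionViewKeys,
		PermissionProposeBlocks,
		PermissionApproveBlocks,
		PermissionFinalizeBlocks,
		PermissionStoreData,
		PermissionRetrieveData,
		PermissionAssignShard,
		PermissionRemoveShard,
		PermissionMonitorNetwork,
		PermissionUpdateValidator,
		PermissionSequenceBlocks,
		PermissionManageNodes,
		PermissionSignTransactions,
		PermissionVerifySignatures,
		PermissionCollectSignatures,
		PermissionAddPeer,
		PermissionRemovePeer,
		PermissionViewTopology,
		PermissionProcessActorPacket,
		PermissionSendActorPacket,
	},
	// Union of the RoleValidator and RoleSequencer sets below.
	RoleSequencerValidator: {
		PermissionViewKeys,
		PermissionProposeBlocks,
		PermissionApproveBlocks,
		PermissionFinalizeBlocks,
		PermissionRetrieveData,
		PermissionStoreData,
		PermissionMonitorNetwork,
		PermissionUpdateValidator,
		PermissionSequenceBlocks,
		PermissionAssignShard,
		PermissionRemoveShard,
		PermissionAddPeer,
		PermissionRemovePeer,
		PermissionViewTopology,
		PermissionProcessActorPacket,
		PermissionSendActorPacket,
	},
	RoleValidator: {
		PermissionViewKeys,
		PermissionProposeBlocks,
		PermissionApproveBlocks,
		PermissionFinalizeBlocks,
		PermissionRetrieveData,
		PermissionStoreData,
		PermissionMonitorNetwork,
		PermissionUpdateValidator,
		PermissionAddPeer,
		PermissionRemovePeer,
		PermissionViewTopology,
		PermissionProcessActorPacket,
		PermissionSendActorPacket,
	},
	RoleSequencer: {
		PermissionProposeBlocks,
		PermissionSequenceBlocks,
		PermissionAssignShard,
		PermissionRemoveShard,
		PermissionAddPeer,
		PermissionRemovePeer,
		PermissionViewTopology,
		PermissionProcessActorPacket,
		PermissionSendActorPacket,
	},
	// The only non-admin role holding PermissionManageNodes.
	RoleNode: {
		PermissionStoreData,
		PermissionRetrieveData,
		PermissionMonitorNetwork,
		PermissionManageNodes,
		PermissionAddPeer,
		PermissionRemovePeer,
		PermissionViewTopology,
		PermissionProcessActorPacket,
		PermissionSendActorPacket,
	},
	// Read-only role: no block, storage, signing or peer-mutation permissions.
	RoleObserver: {
		PermissionViewKeys,
		PermissionRetrieveData,
		PermissionMonitorNetwork,
		PermissionViewTopology,
	},
	// End-user role: can sign and verify transactions but has no node,
	// block or topology-mutation permissions.
	RoleUser: {
		PermissionViewKeys,
		PermissionRetrieveData,
		PermissionSignTransactions,
		PermissionVerifySignatures,
	},
}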
RolePermissions maps each role to the permissions it holds by default.
Functions ¶
func IsConsensusSupported ¶
IsConsensusSupported is a helper that reports whether the given role has consensus capabilities, i.e. whether it should take part in consensus...
func IsConsensusSupportedByRoles ¶
IsConsensusSupportedByRoles is a helper that reports whether the given roles have consensus capabilities, i.e. whether they should take part in consensus...
func IsPermissionGranted ¶
func IsPermissionGranted(role types.Role, permission types.Permission) bool
IsPermissionGranted reports whether the given role is granted the specified permission.
Types ¶
type Manager ¶
type Manager struct {
// contains filtered or unexported fields
}
Manager manages roles and permissions.
func NewManager ¶
NewManager initializes a new RBAC Manager. If withDefaults is true, it initializes with predefined roles and permissions. Additional roles and permissions can be provided via variadic options.
func (*Manager) AssignRole ¶
AssignRole assigns one or more permissions to a role. If the role does not exist, it is created.
func (*Manager) GetPermissionsForRole ¶
GetPermissionsForRole returns all permissions assigned to a specific role. Returns an error if the role does not exist.
func (*Manager) GetRoles ¶
func (m *Manager) GetRoles() map[types.Role][]types.Permission
GetRoles returns all roles and their associated permissions.
func (*Manager) HasPermission ¶
HasPermission checks if any of the user's roles grant the specified permission.
func (*Manager) RemoveRole ¶
RemoveRole removes one or more permissions from a role. If the role does not exist, an error is returned.
type Option ¶
Option defines a functional option for configuring the Manager.
func WithDefaultRoles ¶
func WithDefaultRoles() Option
WithDefaultRoles sets up the default roles with their respective permissions.
type User ¶
User represents a system user with roles and permissions.
func (*User) Authorize ¶
func (u *User) Authorize(permission types.Permission) error
Authorize ensures the user has the required permission. Returns nil if authorized, otherwise an error.
func (*User) HasPermission ¶
func (u *User) HasPermission(permission types.Permission) bool
HasPermission checks if the user has the specified permission using RBACManager.
func (*User) RemoveRole ¶
RemoveRole removes a role from the user if it exists.