Skip to content
This repository has been archived by the owner on Apr 4, 2023. It is now read-only.

Authorization

Jump to bottom
Shreekantha Devasya edited this page Sep 3, 2020 · 10 revisions

The go-sec authorization package provides simple rule-based authorization to HTTP-based web services. This extends the authentication flows.

Configuration

The rules are defined in JSON as follows:

{
    "enabled": true,
    "rules": [
        {
            "resources": ["string"],
            "methods": ["string"],
            "users": ["string"],
            "groups": ["string"]
        }
    ]
}

where:

  • enabled toggles the authorization
  • rules is an allow-list array of rules, each defined by the following parameters:
    • resources is an array of resources (API endpoints) to which the rule apply
    • methods is an array of HTTP methods to which the rule applies
    • users is an array of users to which the rule apply
    • groups is an array of users to which the rule applies

A request will be authorized if it matches the resource, method, and either of user or group given in a single rule. The authorization is given if any of the rules match (rules do not override each other).

Example

{
    "enabled": true,
    "rules": [
        {
            "resources": ["/res"],
            "methods": ["GET"],
            "users": ["linksmart"],
            "groups": ["admin"]
        },
        {
            "resources": ["/res"],
            "methods": ["PUT", "DELETE"],
            "users": [],
            "groups": ["admin"]
        }
    ]
}

Given the set of rules in the example above:

  • user linksmart can perform GET requests on resources with a path starting with /res
  • a user from group admin can perform GET as well as PUT and DELETE requests on resources with a path starting with /res

Public Access

An API can open public access to certain endpoints or methods by creating a rule for group anonymous.

Example

{
    "enabled": true,
    "rules": [
        {
            "resources": ["/res"],
            "methods": ["GET"],
            "groups": ["anonymous"]
        },
        {
            "resources": ["/res"],
            "methods": ["GET", "PUT", "DELETE"],
            "groups": ["admin"]
        }
    ]
}

Given the set of rules in the example above:

  • an unauthenticated user can perform GET requests on resources with a path starting with /res
  • a user from group admin can perform GETPUT and DELETE requests on resources with a path starting with /res
Clone this wiki locally