Skip to content
This repository has been archived by the owner on Apr 4, 2023. It is now read-only.

Authorization

Jump to bottom
Farshid Tavakolizadeh edited this page Jun 4, 2020 · 10 revisions

The go-sec authorization package provides simple rule-based authorization to HTTP-based web services. This extends the authentication flows.

Configuration

The rules are defined in JSON as follows:

{
    "enabled": true,
    "rules": [
        {
            "resources": ["string"],
            "methods": ["string"],
            "users": ["string"],
            "groups": ["string"]
        }
    ]
}

where:

  • enabled toggles the authorization
  • rules is an array of rules, each defined by following parameters:
    • resources is an array of resources (api endpoints) to which the rule apply
    • methods is an array of HTTP methods to which the rule apply
    • users is an array of users to which the rule apply
    • groups is an array of users to which the rule apply

A request will be authorized if it matches the resource, method, and either of user or group given in a single rule. The authorization is given if any of the rules match (rules do notoverride each other).

Example

{
    "enabled": true,
    "rules": [
        {
            "resources": ["/rc"],
            "methods": ["GET"],
            "users": ["fit"],
            "groups": ["admin"]
        },
        {
            "resources": ["/rc"],
            "methods": ["POST", "PUT", "DELETE"],
            "users": [],
            "groups": ["admin"]
        }
    ]
}

Given the set of rules in the example above:

  • user fit can perform GET requests on resources with path starting with /rc
  • a user from group admin can perform GET, POST, PUT and DELETE requests on resources with path starting with /rc

Public Access

An API can open public access to certain endpoints or methods by creating a rule for group "anonymous".

Example

{
    "enabled": true,
    "rules": [
        {
            "resources": ["/rc"],
            "methods": ["GET"],
            "groups": ["anonymous"]
        },
        {
            "resources": ["/rc"],
            "methods": ["GET", "POST", "PUT", "DELETE"],
            "groups": ["admin"]
        }
    ]
}

Given the set of rules in the example above:

  • an unauthenticated user can perform GET requests on resources with path starting with /rc
  • a user from group admin can perform GET, POST, PUT and DELETE requests on resources with path starting with /rc
Clone this wiki locally