This repository has been archived by the owner on Apr 4, 2023. It is now read-only.
Authorization
Farshid Tavakolizadeh edited this page Aug 29, 2019
The go-sec authorization package provides simple rule-based authorization that can be used to implement access control in services: a request is denied unless some rule explicitly grants it.
The rules are defined in JSON as follows:
```json
{
  "rules": [
    {
      "resources": ["string"],
      "methods": ["string"],
      "users": ["string"],
      "groups": ["string"]
    }
  ]
}
```
where:

- `rules` is an array of rules, each defined by the following parameters:
  - `resources` is an array of resources (API endpoint paths) to which the rule applies; a resource matches every request path that starts with it
  - `methods` is an array of HTTP methods to which the rule applies
  - `users` is an array of users to which the rule applies
  - `groups` is an array of groups to which the rule applies

A request is authorized if a single rule matches its resource, its method, and either its user or one of its groups (a rule with an empty `users` array can only match by group, and vice versa). Authorization is granted as soon as any rule matches; rules are purely additive and do not override each other, so there is no way to express a deny rule. Because resources are matched by path prefix, a rule for `/rc` also covers every path under it, so keep resource prefixes as specific as the endpoints they are meant to protect.
Example
```json
{
  "rules": [
    {
      "resources": ["/rc"],
      "methods": ["GET"],
      "users": ["fit"],
      "groups": ["admin"]
    },
    {
      "resources": ["/rc"],
      "methods": ["POST", "PUT", "DELETE"],
      "users": [],
      "groups": ["admin"]
    }
  ]
}
```
Given the set of rules in the example above:
- user fit can perform GET requests on resources whose path starts with /rc; fit cannot POST, PUT or DELETE there unless also a member of group admin, because the second rule lists no users
- any user in group admin can perform GET, POST, PUT and DELETE requests on resources whose path starts with /rc
Unauthenticated requests are evaluated as members of the group "anonymous". An API can therefore open public access to certain endpoints or methods by creating a rule for that group. Since authorization is additive, such a rule exposes every path under its resource prefix for the listed methods, so keep anonymous rules as narrow as possible.
Example
```json
{
  "rules": [
    {
      "resources": ["/rc"],
      "methods": ["GET"],
      "groups": ["anonymous"]
    },
    {
      "resources": ["/rc"],
      "methods": ["GET", "POST", "PUT", "DELETE"],
      "groups": ["admin"]
    }
  ]
}
```
Given the set of rules in the example above:
- an unauthenticated user can perform GET requests on resources whose path starts with /rc, because unauthenticated requests match rules for group anonymous
- any user in group admin can perform GET, POST, PUT and DELETE requests on resources whose path starts with /rc
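The rule matching described on this page (the prefix match on resources, the any-rule-grants semantics, and the "anonymous" group for unauthenticated callers) can be exercised with the following Go program. It is an added example written for this page, not the go-sec package's own code or API: the names `Rule`, `Policy`, `ParsePolicy` and `Authorized` are this example's, and two behaviours are the example's assumptions rather than documented go-sec behaviour: every caller is treated as a member of "anonymous" so that a public endpoint stays reachable when credentials are presented, and an empty resource prefix or an empty user name never matches. The two policy documents embedded below are copied from the examples above.

```go
package main

import (
	"bytes"
	"encoding/json"
	"strings"
)

// Rule mirrors one entry of the "rules" array described on this page.
type Rule struct {
	Resources []string `json:"resources"`
	Methods   []string `json:"methods"`
	Users     []string `json:"users"`
	Groups    []string `json:"groups"`
}

// Policy is the top-level rules document: {"rules": [...]}.
type Policy struct {
	Rules []Rule `json:"rules"`
}

// AnonymousGroup is the group name the page reserves for unauthenticated callers.
const AnonymousGroup = "anonymous"

// Constructed sample policies, copied from the two examples on this page.
const examplePolicy = `{"rules": [
  {"resources": ["/rc"], "methods": ["GET"], "users": ["fit"], "groups": ["admin"]},
  {"resources": ["/rc"], "methods": ["POST", "PUT", "DELETE"], "users": [], "groups": ["admin"]}
]}`

const publicPolicy = `{"rules": [
  {"resources": ["/rc"], "methods": ["GET"], "groups": ["anonymous"]},
  {"resources": ["/rc"], "methods": ["GET", "POST", "PUT", "DELETE"], "groups": ["admin"]}
]}`

// ParsePolicy decodes a rules document. Unknown keys are rejected so that a
// misspelled key (e.g. "ressources") fails at load time instead of silently
// yielding a rule that never matches.
func ParsePolicy(data []byte) (*Policy, error) {
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	var p Policy
	if err := dec.Decode(&p); err != nil {
		return nil, err
	}
	return &p, nil
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// matches reports whether this single rule covers the request: the path must
// start with one of the rule's resources (prefix match, as in the page's
// examples), the method must be listed, and the caller must be a listed user
// or a member of a listed group. An empty resource or an empty user never
// matches (example's assumption), so "users": [""] cannot open an endpoint.
func (r Rule) matches(path, method, user string, groups []string) bool {
	resourceOK := false
	for _, res := range r.Resources {
		if res != "" && strings.HasPrefix(path, res) {
			resourceOK = true
			break
		}
	}
	if !resourceOK || !contains(r.Methods, method) {
		return false
	}
	if user != "" && contains(r.Users, user) {
		return true
	}
	for _, g := range groups {
		if contains(r.Groups, g) {
			return true
		}
	}
	return false
}

// Authorized implements the "any matching rule grants" semantics: rules are
// additive and never override each other, so the default is deny. Every caller
// is also treated as a member of "anonymous" (example's assumption): an
// unauthenticated caller (empty user) has only that group and cannot claim
// others, while an authenticated caller keeps public endpoints reachable.
func (p *Policy) Authorized(path, method, user string, groups []string) bool {
	if user == "" {
		groups = nil
	}
	groups = append(append([]string(nil), groups...), AnonymousGroup)
	for _, r := range p.Rules {
		if r.matches(path, method, user, groups) {
			return true
		}
	}
	return false
}
```

With `examplePolicy`, `Authorized("/rc/1", "GET", "fit", nil)` is true while `Authorized("/rc/1", "POST", "fit", nil)` is false; with `publicPolicy`, `Authorized("/rc", "GET", "", nil)` is true and `Authorized("/rc", "POST", "", nil)` is false. The `DisallowUnknownFields` call is the check worth keeping in any real loader: a typo in a key name otherwise produces a rule that grants nothing, which is safe but hard to debug, and a typo in a value (for example a method spelled in lower case) still cannot be caught this way, so test the loaded policy against a few known requests at startup.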