casbin is a powerful and efficient open-source access control library for Golang projects. It provides support for enforcing authorization based on various models like ACL, RBAC, ABAC.
In casbin, an access control model is abstracted into a CONF file based on the PERM metamodel (Policy, Effect, Request, Matchers). So switching or upgrading the authorization mechanism for a project is just as simple as modifying a configuration. A model CONF can be as simple as:
```ini
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act
```
A simple policy for this model is a CSV like:

```csv
p, alice, data1, read
p, bob, data2, write
```

What casbin does:
- enforce the policy in the classic `{subject, object, action}` form or a customized form as you defined.
- handle the storage of the access control model and its policy.
- manage the role-user mappings and role-role mappings (aka role hierarchy in RBAC).
- support a built-in superuser like `root` or `administrator`. A superuser can do anything without explicit permissions.
- provide multiple built-in operators to support the rule matching. For example, `keyMatch` can map a resource key `/foo/bar` to the pattern `/foo*`.
What casbin does NOT do:
- authentication (aka verify `username` and `password` when a user logs in)
- manage the list of users or roles. I believe it's more convenient for the project itself to manage these entities. Users usually have their passwords, and casbin is not designed as a password container. However, casbin stores the user-role mapping for the RBAC scenario.
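To make the PERM semantics above concrete, here is an added example written for this page, not casbin's own code: a throwaway Go evaluator that hard-codes one matcher, `g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && r.act == p.act`, applies the effect `some(where (p.eft == allow))`, honours a `root` superuser, and walks a role hierarchy loaded from `g` rows. The sample policy is constructed, and `loadPolicyCSV`, `enforcer`, `hasRole`, `enforce`, `getRoles` and `keyMatch` are hypothetical names chosen for this example; it combines the basic, RESTful, root and RBAC flavours that the page's example models keep in separate CONF files.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample policy in the page's CSV shape: "p" rows are {sub, obj, act}
// rules, "g" rows link a user (or role) to a role.
const samplePolicy = `
p, alice, data1, read
p, bob, data2, write
p, admin, /api/*, read
g, alice, admin
`

// rule is one "p" row plus the effect read by some(where (p.eft == allow)).
type rule struct{ sub, obj, act, eft string }

// enforcer is a hypothetical minimal stand-in for casbin's Enforcer, written for
// this example only; it evaluates one fixed matcher over the parsed policy.
type enforcer struct {
	rules []rule
	roles map[string][]string // subject -> roles assigned directly by "g" rows
}

// keyMatch follows the page's description: a pattern ending in '*' matches any
// key with the prefix before the '*', so "/foo/bar" matches "/foo*".
func keyMatch(key, pattern string) bool {
	if i := strings.Index(pattern, "*"); i >= 0 {
		return strings.HasPrefix(key, pattern[:i])
	}
	return key == pattern
}

// loadPolicyCSV parses the CSV text; rows of any other shape are skipped.
func loadPolicyCSV(csv string) *enforcer {
	e := &enforcer{roles: map[string][]string{}}
	for _, line := range strings.Split(csv, "\n") {
		f := strings.Split(line, ",")
		for i := range f {
			f[i] = strings.TrimSpace(f[i])
		}
		switch {
		case len(f) == 4 && f[0] == "p":
			e.rules = append(e.rules, rule{f[1], f[2], f[3], "allow"})
		case len(f) == 3 && f[0] == "g":
			e.roles[f[1]] = append(e.roles[f[1]], f[2])
		}
	}
	return e
}

// getRoles answers what the page's e.GetRoles("alice") does: roles assigned directly to sub.
func (e *enforcer) getRoles(sub string) []string { return e.roles[sub] }

// hasRole is the g(r.sub, p.sub) test: true when sub is role itself or reaches
// it through the role hierarchy; the visited set stops cyclic "g" rows looping.
func (e *enforcer) hasRole(sub, role string) bool {
	visited := map[string]bool{}
	stack := []string{sub}
	for len(stack) > 0 {
		cur := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if cur == role {
			return true
		}
		if !visited[cur] {
			visited[cur] = true
			stack = append(stack, e.roles[cur]...)
		}
	}
	return false
}

// enforce evaluates g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && r.act == p.act
// under some(where (p.eft == allow)): permit on the first matching allow rule,
// deny otherwise. "root" is the page's built-in superuser and needs no rule.
func (e *enforcer) enforce(sub, obj, act string) bool {
	if sub == "root" {
		return true
	}
	for _, p := range e.rules {
		if p.eft == "allow" && e.hasRole(sub, p.sub) && keyMatch(obj, p.obj) && act == p.act {
			return true
		}
	}
	return false // default deny: nothing matched
}

func main() {
	e := loadPolicyCSV(samplePolicy)
	for _, r := range [][3]string{{"alice", "data1", "read"}, {"alice", "data2", "write"},
		{"alice", "/api/users", "read"}, {"bob", "/api/users", "read"}, {"root", "data2", "delete"}} {
		fmt.Printf("%s %s %s -> %v\n", r[0], r[1], r[2], e.enforce(r[0], r[1], r[2]))
	}
	fmt.Println("roles of alice:", e.getRoles("alice"))
}
```

Two points worth noticing when reading the decisions: the `some(where (p.eft == allow))` effect makes the evaluator default-deny, so a request that matches no rule is refused rather than left undecided, and `alice` can read `/api/users` only because the `g, alice, admin` row lets her inherit the `admin` rule with the `/api/*` pattern. The real library evaluates the matcher expression from the CONF file at runtime instead of hard-coding it as this example does, which is what makes switching models a configuration change.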
- Get the package:

```shell
go get github.com/hsluoyz/casbin
```

- Initialize an enforcer by specifying a model CONF file and the policy file.

```go
e := &Enforcer{}
e.Init("examples/basic_model.conf", "examples/basic_policy.csv")
```

- Add the enforcement hook into your code before the access happens.

```go
sub := "alice"
obj := "data1"
act := "read"
if e.Enforce(sub, obj, act) {
	// permit alice to read data1
} else {
	// deny the request, show an error
}
```

- You can get the roles for a user with our management API.

```go
roles := e.GetRoles("alice")
```

- Please refer to the `_test.go` files for more usage.
By default, both model and policy are stored in files. The model should be in .CONF format, and the policy should be in .CSV (Comma-Separated Values) format. A database backend will be added in the near future.
We think the model represents the access control model that our customer uses and is not often modified at run-time, so we don't implement an interface to save the current model (e.g. one modified through the API) back into the model CONF file. The policy is much more dynamic than the model and can be loaded from a policy file or saved to a policy file at any time.
Here are some commonly used persistence APIs. The paths to the model and policy files are fixed in the enforcer.Init() call and can't be changed when reloading or saving. Note that reloading replaces the in-memory policy with the file contents, so call SavePolicy() first if changes made through the API must survive.
```go
e := &Enforcer{}
e.Init("examples/basic_model.conf", "examples/basic_policy.csv")

// Reload the model file and policy file, usually used when those files have been changed.
e.LoadAll()

// Reload the policy file only.
e.LoadPolicy()

// Save the current policy (usually changed with casbin API) back to the policy file.
e.SavePolicy()
```

The examples directory ships these model and policy files:

| Model | Model file | Policy file |
|---|---|---|
| basic | basic_model.conf | basic_policy.csv |
| basic with root | basic_model_with_root.conf | basic_policy.csv |
| RESTful | keymatch_model.conf | keymatch_policy.csv |
| RBAC | rbac_model.conf | rbac_policy.csv |
| RBAC with resource roles | rbac_model_with_resource_roles.conf | rbac_policy_with_resource_roles.csv |
| ABAC | abac_model.conf | N/A |
This project is licensed under the Apache 2.0 license.
