RBAC API
Posted by: admin | Posted: 445 days ago | Views: 579 | Comments: 0

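A friendlier API for RBAC. This API is a subset of the Management API. RBAC users can use this API to simplify their code.

Reference

The global variable e is the Enforcer instance.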

Go

e, err := NewEnforcer("examples/rbac_model.conf", "examples/rbac_policy.csv")

GetRolesForUser()

GetRolesForUser gets the roles that a user has.

For example:

Go

res, err := e.GetRolesForUser("alice")

GetUsersForRole()

GetUsersForRole gets the users that have a role.

For example:

Go

res, err := e.GetUsersForRole("data1_admin")

HasRoleForUser()

HasRoleForUser determines whether a user has a role.

For example:

Go

res, err := e.HasRoleForUser("alice", "data1_admin")

AddRoleForUser()

AddRoleForUser adds a role for a user. Returns false if the user already has the role (aka not affected).

For example:

Go

e.AddRoleForUser("alice", "data2_admin")

AddRolesForUser()

AddRolesForUser adds multiple roles for a user. Returns false if the user already has one of these roles (aka not affected).

For example:

Rust

let roles = vec!["data1_admin".to_owned(), "data2_admin".to_owned()];
let all_added = e.add_roles_for_user("alice", roles, None).await?; // No domain

DeleteRoleForUser()

DeleteRoleForUser deletes a role for a user. Returns false if the user does not have the role (aka not affected).

For example:

Go

e.DeleteRoleForUser("alice", "data1_admin")

DeleteRolesForUser()

DeleteRolesForUser deletes all roles for a user. Returns false if the user does not have any roles (aka not affected).

For example:

Go

e.DeleteRolesForUser("alice")

DeleteUser()

DeleteUser deletes a user. Returns false if the user does not exist (aka not affected).

For example:

Go

e.DeleteUser("alice")

DeleteRole()

DeleteRole deletes a role.

For example:

Go

e.DeleteRole("data2_admin")

DeletePermission()

DeletePermission deletes a permission. Returns false if the permission does not exist (aka not affected).

For example:

Go

e.DeletePermission("read")

AddPermissionForUser()

AddPermissionForUser adds a permission for a user or role. Returns false if the user or role already has the permission (aka not affected).

For example:

Go

e.AddPermissionForUser("bob", "read")

AddPermissionsForUser()

AddPermissionsForUser adds multiple permissions for a user or role. Returns false if the user or role already has one of the permissions (aka not affected).

For example:

Rust

let permissions = vec![
    vec!["data1".to_owned(), "read".to_owned()],
    vec!["data2".to_owned(), "write".to_owned()],
];

let all_added = e.add_permissions_for_user("bob", permissions).await?;

DeletePermissionForUser()

DeletePermissionForUser deletes a permission for a user or role. Returns false if the user or role does not have the permission (aka not affected).

For example:

Go

e.DeletePermissionForUser("bob", "read")

DeletePermissionsForUser()

DeletePermissionsForUser deletes permissions for a user or role. Returns false if the user or role does not have any permissions (aka not affected).

For example:

Go

e.DeletePermissionsForUser("bob")

GetPermissionsForUser()

GetPermissionsForUser gets permissions for a user or role.

For example:

Go

e.GetPermissionsForUser("bob")

HasPermissionForUser()

HasPermissionForUser determines whether a user has a permission.

For example:

Go

e.HasPermissionForUser("alice", "read")

GetImplicitRolesForUser()

GetImplicitRolesForUser gets implicit roles that a user has. Compared to GetRolesForUser(), this function retrieves indirect roles besides direct roles.

For example:

g, alice, role:admin

g, role:admin, role:user

GetRolesForUser("alice") can only get: ["role:admin"].

But GetImplicitRolesForUser("alice") will get: ["role:admin", "role:user"].

For example:

Go

e.GetImplicitRolesForUser("alice")

GetImplicitUsersForRole()

GetImplicitUsersForRole gets all users inheriting the role. Compared to GetUsersForRole(), this function retrieves indirect users.

For example:

g, alice, role:admin

g, role:admin, role:user

GetUsersForRole("role:user") can only get: ["role:admin"].

But GetImplicitUsersForRole("role:user") will get: ["role:admin", "alice"].

For example:

Go

users, err := e.GetImplicitUsersForRole("role:user")

GetImplicitPermissionsForUser()

GetImplicitPermissionsForUser gets implicit permissions for a user or role.

Compared to GetPermissionsForUser(), this function retrieves permissions for inherited roles.

For example:

p, admin, data1, read

p, alice, data2, read

g, alice, admin

GetPermissionsForUser("alice") can only get: [["alice", "data2", "read"]].

But GetImplicitPermissionsForUser("alice") will get: [["admin", "data1", "read"], ["alice", "data2", "read"]].

For example:

Go

e.GetImplicitPermissionsForUser("alice")
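The implicit lookups in the GetImplicitRolesForUser and GetImplicitPermissionsForUser sections are what an access review should query, since the direct lookups omit inherited grants. The following is an added example, not Casbin's code and not part of the original page: a self-contained Go model of that resolution. The names parse, Resolve and samplePolicy, and the sample policy itself (including its deliberate role cycle), are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample policy using the page's names; the last g line is a deliberate cycle.
const samplePolicy = `p, role:user, data1, read
p, alice, data2, read
g, alice, role:admin
g, role:admin, role:user
g, role:user, role:admin`

// parse splits policy text into p rules ([sub obj act]) and g edges (member -> direct roles).
func parse(csv string) (rules [][]string, edges map[string][]string) {
	edges = map[string][]string{}
	for _, line := range strings.Split(csv, "\n") {
		f := strings.Fields(strings.ReplaceAll(line, ",", " "))
		if len(f) == 4 && f[0] == "p" {
			rules = append(rules, f[1:])
		} else if len(f) == 3 && f[0] == "g" {
			edges[f[1]] = append(edges[f[1]], f[2])
		}
	}
	return rules, edges
}

// Resolve returns user's implicit roles and every p rule held directly or through them.
func Resolve(csv, user string) (roles []string, perms [][]string) {
	rules, edges := parse(csv)
	seen := map[string]bool{user: true} // visited set: stops inheritance cycles
	for queue := []string{user}; len(queue) > 0; queue = queue[1:] {
		for _, r := range edges[queue[0]] {
			if !seen[r] {
				seen[r], roles, queue = true, append(roles, r), append(queue, r)
			}
		}
	}
	for _, rule := range rules {
		if seen[rule[0]] { // subject is the user or one of the inherited roles
			perms = append(perms, rule)
		}
	}
	return roles, perms
}

func main() {
	fmt.Println(Resolve(samplePolicy, "alice"))
}
```

Rules are returned in policy-file order, and the subject column shows which role each inherited grant comes from.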

GetDomainsForUser()

GetDomainsForUser gets all domains which a user has.

For example:

p, admin, domain1, data1, read
p, admin, domain2, data2, read
p, admin, domain2, data2, write

g, alice, admin, domain1
g, alice, admin, domain2

GetDomainsForUser("alice") could get ["domain1", "domain2"]

For example:

Go

result, err := e.GetDomainsForUser("alice")

GetImplicitResourcesForUser()

GetImplicitResourcesForUser returns all policies that should be true for user.

For example:

p, alice, data1, read
p, bob, data2, write
p, data2_admin, data2, read
p, data2_admin, data2, write

g, alice, data2_admin

GetImplicitResourcesForUser("alice") will return [[alice data1 read] [alice data2 read] [alice data2 write]]

Go

resources, err := e.GetImplicitResourcesForUser("alice")