Popularity

4.2

Growing

Activity

0.0

Stable

Stars 111

Watchers 5

Forks 9

Last Commit over 4 years ago

Description

RBAC is role based access control library. At core it uses sync.Map so, it can be used from multiple goroutines concurrently. "Keep it simple" is also in core. It supports role inheritance, persisting and loading. It can be used in middlewares with granular permissions.

Programming language: Go

License: MIT License

Tags: Permissions Security Authentication & OAuth

Latest version: v1.0.9

RBAC alternatives and similar packages

Based on the "Authentication & OAuth" category.
Alternatively, view RBAC alternatives based on common mentions on social networks and blogs.

authelia

9.8 9.9 RBAC VS authelia

The Single Sign-On Multi-Factor portal for web apps
aws-doc-sdk-examples

9.8 9.8 RBAC VS aws-doc-sdk-examples

Welcome to the AWS Code Examples Repository. This repo contains code examples used in the AWS documentation, AWS SDK Developer Guides, and more. For more information, see the Readme.md file below.

WorkOS - The modern identity platform for B2B SaaS

The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.

Promo workos.com

casbin

9.8 7.3 RBAC VS casbin

An authorization library that supports access control models like ACL, RBAC, ABAC in Golang: https://discord.gg/S5UjpzGZjN
jwt-go

9.7 1.0 RBAC VS jwt-go

DISCONTINUED. ARCHIVE - Golang implementation of JSON Web Tokens (JWT). This project is now maintained at:
oauth2

9.2 7.4 RBAC VS oauth2

Go OAuth2
goth

9.1 6.2 RBAC VS goth

Package goth provides a simple, clean, and idiomatic way to write authentication packages for Go web applications.
authboss

8.7 7.0 RBAC VS authboss

The boss of http auth.
go-jose

8.4 0.0 RBAC VS go-jose

DISCONTINUED. An implementation of JOSE standards (JWE, JWS, JWT) in Go
go-oauth2-server

8.3 0.0 RBAC VS go-oauth2-server

A standalone, specification-compliant, OAuth2 server written in Golang.
loginsrv

8.1 0.0 RBAC VS loginsrv

JWT login microservice with plugable backends such as OAuth2, Google, Github, htpasswd, osiam, ..
github.com/lestrrat-go/jwx/v2

8.0 8.8 RBAC VS github.com/lestrrat-go/jwx/v2

Implementation of various JWx (Javascript Object Signing and Encryption/JOSE) technologies
gologin

8.0 8.5 RBAC VS gologin

Go login handlers for authentication providers (OAuth1, OAuth2)
gorbac

8.0 0.0 RBAC VS gorbac

goRBAC provides a lightweight role-based access control (RBAC) implementation in Golang.
auth

7.1 6.7 RBAC VS auth

Authenticator via oauth2, direct, email and telegram
osin

7.0 0.0 RBAC VS osin

DISCONTINUED. Golang OAuth2 server library.
permissions2

6.5 4.7 RBAC VS permissions2

:closed_lock_with_key: Middleware for keeping track of users, login states and permissions
go.auth

6.2 0.0 RBAC VS go.auth

DISCONTINUED. Authentication API for Go web applications.
Go-AWS-Auth

6.0 0.0 RBAC VS Go-AWS-Auth

DISCONTINUED. AWS (Amazon Web Services) request signing library.
jwt-auth

5.6 1.8 RBAC VS jwt-auth

This package provides json web token (jwt) middleware for goLang http servers
httpauth

5.4 0.0 RBAC VS httpauth

HTTP Authentication middlewares
webauthn

4.9 0.0 RBAC VS webauthn

Go package for easy WebAuthn integration
yubigo

4.7 0.0 RBAC VS yubigo

Yubigo is a Yubikey client API library that provides an easy way to integrate the Yubico Yubikey into your existing Go-based user authentication infrastructure.
jwt

4.7 0.0 RBAC VS jwt

This is an implementation of JWT in golang!
sessions

3.8 0.0 RBAC VS sessions

A dead simple, highly performant, highly customizable sessions middleware for go http servers.
Passhash

1.5 3.1 RBAC VS Passhash

Go library providing simple and secure password management
Facecontrol

1.2 0.0 RBAC VS Facecontrol

Simple authentication, single sign-on and (optinal) authorization solution.
go-oauth2

0.8 0.0 RBAC VS go-oauth2

No description, website, or topics provided.

Do you think we are missing an alternative of RBAC or a related project?

Add another 'Authentication & OAuth' Package

Popular Comparisons

README

RBAC - Simple, concurrent Role Based Access Control(GO)

RBAC is role based access control library for GOlang. At core uses sync.Map so, it can be used from multiple goroutines concurrently. "Keep it simple" is also in core.

It supports role inheritance.

It can be used in middleware(example for echo framework is given )

Go 1.9+ is required.

It is built on;

Type	Description	Example
Action	Defines what can possible for a permission	`Create`,`Read`,`Update`...
Permission	Defines permission related to a resource to be accessed	`users`
Role	Defines group of permissions with defined actions	`admin`

Usage

Library usage has 2 phases:

Development
Runtime

Development Phase

First get an instance for RBAC

import "github.com/euroteltr/rbac"

R := rbac.New(nil)
// you can pass a logger to constructor also:
// R := rbac.New(rbac.ConsoleLogger)

During development you will register your permissions for your each resource with valid actions for that permission:

// You can also use rbac.CRUD for those crud actions
usersPerm, err := R.RegisterPermission("users", "User resource", rbac.Create, rbac.Read, rbac.Update, rbac.Delete)
if err != nil {
    panic(err)
}

userPerm is defined with CRUD actions, which means that any action not in that list will be invalid. You can define your own actions( like ApproveAction := rbac.Action("approve")) and add them also.

Runtime Phase

At run time we define our roles and permit permissions to them.

adminRole, err := R.RegisterRole("admin", "Admin role")
if err != nil {
    fmt.Printf("can not add admin role, err: %v\n", err)
}
if err = R.Permit(adminRole.ID, usersPerm, rbac.CRUD, ApproveAction); err != nil {
    fmt.Errorf("can not permit crud and ApproveAction actions to role %s\n", adminRole.ID)
}

Now we can check if a role is granted some permission:


if !R.IsGranted(adminRole.ID, usersPerm, rbac.Write) {
    fmt.Printf("admin role does not have write grant on users\n")
}else{
    fmt.Printf("admin role does have write grant on users\n")
}

// You can also check by perm.ID also
if !R.IsGrantedStr("admin", "users", rbac.CRUD) {
    fmt.Printf("admin role does not have CRUD grants on users\n")
}else{
    fmt.Printf("admin role does have CRUD grants on users\n")
}

Persisting and Loading

rbac.RBAC is json compatible. You can dump all data in RBAC instance to JSON:

b, err := json.Marshal(R)
if err != nil {
    fmt.Printf("rback marshall failed with %v\n", err)
}else{
    fmt.Printf("RBAC: %s", b)
}

Also you can use builtin SaveJSON function to save to a io.Writer:

filename := "/tmp/rbac.json"
f, err := os.OpenFile(filename, os.O_CREATE|os.O_WRONLY, 0644)
if err != nil {
    fmt.Printf("can not create json file %s, err: %v\n", filename, err)
    return err
}
defer f.Close()
if err = R.SaveJSON(f); err != nil {
    fmt.Printf("unable to save to json file, err:%v\n", err)
}

And load it from file:

filename := "/tmp/rbac.json"
f, err := os.Open(filename)
if err != nil {
    return err
}
defer f.Close()
if err = R.LoadJSON(f); err != nil {
    fmt.Errorf("unable to load from json file, err:%v\n", err)
}

In dumped JSON root permissions part is just for reference. Root roles is the part you can modify in file and reload it to define Roles with Permissions.

{
  "permissions": [
    {
      "id": "users",
      "description": "User resource",
      "actions": [
        "create",
        "read",
        "update",
        "delete"
      ]
    }
  ],
  "roles": [
    {
      "id": "admin",
      "description": "Admin role",
      "grants": {
        "users": [
          "create",
          "read",
          "update",
          "delete"
        ]
      },
      "parents": []
    }
  ]
}

Role inheritance

A Role can have parent Roles. You can add a parent Role like this:

// Add a new role
sysAdmRole, err := R.RegisterRole("sysadm", "System admin role")
if err != nil {
    fmt.Printf("can not add agent role, err: %v\n", err)
}

// Now add adminRole as parent
if err = sysAdmRole.AddParent(adminRole); err != nil {
    fmt.Printf("adding parent role failed with: %v\n", err)
}

// Now all permissions in adminRole will be also valid for sysAdmRole
if R.IsGranted(sysAdmRole.ID, usersPerm, rbac.CRUD) {
    fmt.Printf("sysadmin role has all crud actions granted\n")
}

If circular parent reference is found, you'll get error while running AddParent.

Usage as middleware

You can check example middleware function for [echo](github.com/labstack/echo) framework here

Middleware usage with granular permissions

If you want user role may modify his own user resource, but not others, you can build a wrapper for RBAC.IsGranted function like(example for echo framework:

// idParam is the parameter name where user_id for data will be gotten
func isGrantedResource(perm *rbac.Permission, action rbac.Action, idParam string) echo.MiddlewareFunc {
    return func(next echo.HandlerFunc) echo.HandlerFunc {
        return func(c echo.Context) error {
            rolesI := c.Get("roles")
            if rolesI == nil {
                log.Errorf("No rbac roles key %s", "roles")
            } else if config.RBAC.AnyGranted(rolesI.([]string), perm, actions...) {
                // Get id parameter from route,form... example from: "user/:id"
                userID, err := strconv.ParseInt(c.Param(idParam), 10, 64)
                if err != nil {
                    return http.StatusBadRequest
                }
                // Get current user_id and check if data belongs to current user
                userIDI := c.Get("user_id")
                if userIDI==nil || userIDI.(int64) != userID {
                    return http.StatusForbidden
                }
                return next(c)
            }
            return echo.ErrUnauthorized
        }
    }
}

*Note that all licence references and agreements mentioned in the RBAC README section above are relevant to that project's source code only.