Skip to content
This repository was archived by the owner on Apr 4, 2023. It is now read-only.

Authorization

Jump to bottom
Farshid Tavakolizadeh edited this page Dec 1, 2020 · 10 revisions

The go-sec authorization package provides simple rule-based authorization to HTTP-based web services. This extends the authentication flows.

Configuration

The rules are defined in JSON as follows:

{
    "enabled": true,
    "rules": [
        {
            "paths": ["string"],
            "methods": ["string"],
            "users": ["string"],
            "groups": ["string"],
            "roles": ["string"],
            "clients": ["string"],
            "denyPathSubstrings": ["string"],
        }
    ]
}

where:

  • enabled toggles the authorization
  • rules is an allow-list array of rules, each defined by the following parameters:
    • paths is an array of HTTP path prefixes (API endpoints) to which the rule apply
    • methods is an array of HTTP methods to which the rule applies
    • users is an array of users to which the rule apply
    • groups is an array of user groups to which the rule applies
    • roles is an array of user roles to which the rule applies
    • clients is an array of clients to which the rule applies
    • denyPathSubstrings is an array of path substring exceptions for which access is excluded within this rule's scope

A request will be authorized if it matches the resource, method, and either of user or group given in a single rule. The authorization is given if any of the rules match (rules do not override each other).

Example

{
    "enabled": true,
    "rules": [
        {
            "paths": ["/res"],
            "methods": ["GET"],
            "users": ["linksmart"],
            "groups": ["admin"]
        },
        {
            "paths": ["/res"],
            "methods": ["PUT", "DELETE"],
            "groups": ["admin"]
        },
        {
            "paths": ["/public"],
            "methods": ["GET"],
            "groups": ["anonymous"] // this is a special group assigned to unauthenticated users
        }
    ]
}

Given the set of rules in the example above:

  • user linksmart can perform GET requests on resources with a path starting with /res
  • a user from group admin can perform GET as well as PUT and DELETE requests on resources with a path starting with /res
  • an unauthenticated user can perform GET requests on resources with a path starting with /public

Clone this wiki locally