Skip to content

access control for go, supports RBAC, ABAC and ACL, drop-in replacement for casbin

License

Notifications You must be signed in to change notification settings

abichinger/fastac

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

60 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

FastAC

access control for go, supports RBAC, ABAC and ACL, drop-in replacement for casbin

Test Coverage Go Report Card Godoc

FastAC is a drop in replacement for Casbin. In some cases, FastAC can improve the performance significantly.

API documentation: https://pkg.go.dev/github.com/abichinger/fastac

Please refer to the Casbin Docs for explanation of terms.

Getting Started

Installation

go get github.com/abichinger/fastac

First you need to prepare an access control model. The syntax of FastAC models is identical to Casbin models.

An ACL (Access Control List) model looks like this:

#File: model.conf

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
r.sub == p.sub && r.obj == p.obj && r.act == p.act

Next, you need to load some policy rules. To get started you can load your rules from a text file. For production you should use a storage adapter.

#File: policy.csv
p, alice, data1, read
p, alice, data2, read
p, bob, data1, write
p, bob, data2, write

Go code to resolve access requests

//create an enforcer
e, err := fastac.NewEnforcer("model.conf", "policy.csv")

//check if alice is allowed to read data1
if allow, _ := e.Enforce("alice", "data1", "read"); allow == true {
    // permit alice to read data1
} else {
    // deny the request
}

New Features

Policy Indexing

Matchers will be divided into multiple stages. As a result FastAC will index all policy rules, which reduces the search space for access requests. This feature brings the most performance gain.

Advanced Policy Filtering

FastAC can filter the policy rules with matchers. The Filter function also supports filtering grouping rules. The fields of a grouping rule can be accessed by g.user, g.role, g.domain

//Examples

//get all policy rules belonging to domain1
e.Filter(SetMatcher("p.dom == \"domain1\"")

//get all policy rules, which grant alice read access
e.Filter(SetMatcher("g(\"alice\", p.sub) && p.act == \"read\"")

//get all grouping rules for alice
e.Filter(SetMatcher("g.user == \"alice\"")

Supported Models

  • ACL - Access Control List
  • ACL-su - Access Control List with super user
  • ABAC - Attribute Based Access Control
  • RBAC - Role Based Access Control
  • RBAC-domain - Role Based Access Control with domains/tenants

Adapter List

  • File Adapter (built-in) - not recommended for production
  • Gorm Adapter

Performance Comparison

RBAC Benchmark

ABAC Benchmark

More benchmarks

Feature Overview

  • Enforcement
  • RBAC
  • ABAC
  • Adapter
  • Default Role Manager
  • Third Party Role Managers
  • Filtered Adapter
  • Watcher
  • Dispatcher

Attribution

FastAC uses the following libraries or parts of it.

About

access control for go, supports RBAC, ABAC and ACL, drop-in replacement for casbin

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages