Access control for Go. Supports RBAC, ABAC and ACL; drop-in replacement for Casbin.
FastAC is a drop-in replacement for Casbin. In some cases, FastAC can improve performance significantly.
API documentation: https://pkg.go.dev/github.com/abichinger/fastac
Please refer to the Casbin Docs for explanation of terms.
Installation
go get github.com/abichinger/fastac
First you need to prepare an access control model. The syntax of FastAC models is identical to Casbin models.
An ACL (Access Control List) model looks like this:
#File: model.conf
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act
Next, you need to load some policy rules. To get started you can load your rules from a text file. For production you should use a storage adapter.
#File: policy.csv
p, alice, data1, read
p, alice, data2, read
p, bob, data1, write
p, bob, data2, write
Go code to resolve access requests
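// imports needed: "log" and "github.com/abichinger/fastac"
// create an enforcer from the model and policy files
e, err := fastac.NewEnforcer("model.conf", "policy.csv")
if err != nil {
	// without a loaded model and policy, no request can be authorized
	log.Fatalf("create enforcer: %v", err)
}
// check if alice is allowed to read data1; an evaluation error counts as deny
if allow, err := e.Enforce("alice", "data1", "read"); err == nil && allow {
	// permit alice to read data1
} else {
	// deny the request
}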
Matchers will be divided into multiple stages. As a result FastAC will index all policy rules, which reduces the search space for access requests. This feature brings the most performance gain.
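The search-space reduction described above, sketched as an added example in plain Go. It is not FastAC's code or its actual index structure: the names `Rule`, `Index`, `BuildIndex` and `EnforceScan` are hypothetical, and the sample rules are the ones from policy.csv above.

```go
package main

import "fmt"

// Rule is one ACL policy line "p, sub, obj, act" (hypothetical type).
type Rule struct{ Sub, Obj, Act string }

// SamplePolicy mirrors the policy.csv rules shown above.
var SamplePolicy = []Rule{
	{"alice", "data1", "read"}, {"alice", "data2", "read"},
	{"bob", "data1", "write"}, {"bob", "data2", "write"},
}

// EnforceScan evaluates the whole matcher against every rule (no index).
// It returns the decision and how many rules were examined.
func EnforceScan(rules []Rule, sub, obj, act string) (bool, int) {
	for i, p := range rules {
		if sub == p.Sub && obj == p.Obj && act == p.Act {
			return true, i + 1
		}
	}
	return false, len(rules)
}

// Index is stage 1 of the split matcher: rules bucketed by the r.sub == p.sub term.
type Index map[string][]Rule

// BuildIndex groups the rules by subject once, when the policy is loaded.
func BuildIndex(rules []Rule) Index {
	idx := Index{}
	for _, p := range rules {
		idx[p.Sub] = append(idx[p.Sub], p)
	}
	return idx
}

// Enforce runs stage 2 (the obj and act terms) only on the subject's bucket.
// An unknown subject has an empty bucket, so the request is denied.
func (idx Index) Enforce(sub, obj, act string) (bool, int) {
	return EnforceScan(idx[sub], sub, obj, act)
}

func main() {
	idx := BuildIndex(SamplePolicy)
	for _, r := range []Rule{{"bob", "data2", "write"}, {"alice", "data1", "write"}, {"carol", "data1", "read"}} {
		a1, n1 := EnforceScan(SamplePolicy, r.Sub, r.Obj, r.Act)
		a2, n2 := idx.Enforce(r.Sub, r.Obj, r.Act)
		fmt.Printf("%v: scan=%v (%d rules) indexed=%v (%d rules)\n", r, a1, n1, a2, n2)
	}
}
```

Both paths return the same decision for every request; only the number of rules examined differs.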
FastAC can filter the policy rules with matchers. The Filter function also supports filtering grouping rules.
The fields of a grouping rule can be accessed by g.user, g.role, g.domain
// Examples
// get all policy rules belonging to domain1
e.Filter(SetMatcher("p.dom == \"domain1\""))
// get all policy rules that grant alice read access
e.Filter(SetMatcher("g(\"alice\", p.sub) && p.act == \"read\""))
// get all grouping rules for alice
e.Filter(SetMatcher("g.user == \"alice\""))
- ACL - Access Control List
- ACL-su - Access Control List with super user
- ABAC - Attribute Based Access Control
- RBAC - Role Based Access Control
- RBAC-domain - Role Based Access Control with domains/tenants
- File Adapter (built-in) - not recommended for production
- Gorm Adapter
- Enforcement
- RBAC
- ABAC
- Adapter
- Default Role Manager
- Third Party Role Managers
- Filtered Adapter
- Watcher
- Dispatcher
FastAC uses the following libraries or parts of them.
- Casbin - concept, examples and builtin_operators are used
- govaluate - used to evaluate matcher expressions (modified version)
- go-ini - used to read the model config
- testify