Skip to main content

Management API

The primitive API that provides full support for Casbin policy management.

Filtered API

Almost all filtered api has the same parameters (fieldIndex int, fieldValues ...string). fieldIndex is the index where matching start, fieldValues denotes the values result should have. Note that empty string in fieldValues could be any word.

Example:

p, alice, book, read
p, bob, book, read
p, bob, book, write
p, alice, pen, get
p, bob, pen ,get
e.GetFilteredPolicy(1, "book") // will return: [[alice book read] [bob book read] [bob book write]]

e.GetFilteredPolicy(1, "book", "read") // will return: [[alice book read] [bob book read]]

e.GetFilteredPolicy(0, "alice", "", "read") // will return: [[alice book read]]

e.GetFilteredPolicy(0, "alice") // will return: [[alice book read] [alice pen get]]

Reference

global variable e is Enforcer instance.

e, err := NewEnforcer("examples/rbac_model.conf", "examples/rbac_policy.csv")

Enforce()

Enforce decides whether a "subject" can access a "object" with the operation "action", input parameters are usually: (sub, obj, act).

For example:

ok, err := e.Enforce(request)

EnforceWithMatcher()

EnforceWithMatcher use a custom matcher to decides whether a "subject" can access a "object" with the operation "action", input parameters are usually: (matcher, sub, obj, act), use model matcher by default when matcher is "".

For example:

ok, err := e.EnforceWithMatcher(matcher, request)

EnforceEx()

EnforceEx explain enforcement by informing matched rules.

For example:

ok, reason, err := e.EnforceEx(request)

EnforceExWithMatcher()

EnforceExWithMatcher use a custom matcher and explain enforcement by informing matched rules.

For example:

ok, reason, err := e.EnforceExWithMatcher(matcher, request)

BatchEnforce()

BatchEnforce enforces each request and returns result in a bool array

For example:

boolArray, err := e.BatchEnforce(requests)

GetAllSubjects()

GetAllSubjects gets the list of subjects that show up in the current policy.

For example:

allSubjects := e.GetAllSubjects()

GetAllNamedSubjects()

GetAllNamedSubjects gets the list of subjects that show up in the current named policy.

For example:

allNamedSubjects := e.GetAllNamedSubjects("p")

GetAllObjects()

GetAllObjects gets the list of objects that show up in the current policy.

For example:

allObjects := e.GetAllObjects()

GetAllNamedObjects()

GetAllNamedObjects gets the list of objects that show up in the current named policy.

For example:

allNamedObjects := e.GetAllNamedObjects("p")

GetAllActions()

GetAllActions gets the list of actions that show up in the current policy.

For example:

allActions := e.GetAllActions()

GetAllNamedActions()

GetAllNamedActions gets the list of actions that show up in the current named policy.

For example:

allNamedActions := e.GetAllNamedActions("p")

GetAllRoles()

GetAllRoles gets the list of roles that show up in the current policy.

For example:

allRoles = e.GetAllRoles()

GetAllNamedRoles()

GetAllNamedRoles gets the list of roles that show up in the current named policy.

For example:

allNamedRoles := e.GetAllNamedRoles("g")

GetPolicy()

GetPolicy gets all the authorization rules in the policy.

For example:

policy = e.GetPolicy()

GetFilteredPolicy()

GetFilteredPolicy gets all the authorization rules in the policy, field filters can be specified.

For example:

filteredPolicy := e.GetFilteredPolicy(0, "alice")

GetNamedPolicy()

GetNamedPolicy gets all the authorization rules in the named policy.

For example:

namedPolicy := e.GetNamedPolicy("p")

GetFilteredNamedPolicy()

GetFilteredNamedPolicy gets all the authorization rules in the named policy, field filters can be specified.

For example:

filteredNamedPolicy = e.GetFilteredNamedPolicy("p", 0, "bob")

GetGroupingPolicy()

GetGroupingPolicy gets all the role inheritance rules in the policy.

For example:

groupingPolicy := e.GetGroupingPolicy()

GetFilteredGroupingPolicy()

GetFilteredGroupingPolicy gets all the role inheritance rules in the policy, field filters can be specified.

For example:

filteredGroupingPolicy := e.GetFilteredGroupingPolicy(0, "alice")

GetNamedGroupingPolicy()

GetNamedGroupingPolicy gets all the role inheritance rules in the policy.

For example:

namedGroupingPolicy := e.GetNamedGroupingPolicy("g")

GetFilteredNamedGroupingPolicy()

GetFilteredNamedGroupingPolicy gets all the role inheritance rules in the policy.

For example:

namedGroupingPolicy := e.GetFilteredNamedGroupingPolicy("g", 0, "alice")

HasPolicy()

HasPolicy determines whether an authorization rule exists.

For example:

hasPolicy := e.HasPolicy("data2_admin", "data2", "read")

HasNamedPolicy()

HasNamedPolicy determines whether a named authorization rule exists.

For example:

hasNamedPolicy := e.HasNamedPolicy("p", "data2_admin", "data2", "read")

AddPolicy()

AddPolicy adds an authorization rule to the current policy. If the rule already exists, the function returns false and the rule will not be added. Otherwise the function returns true by adding the new rule.

For example:

added := e.AddPolicy('eve', 'data3', 'read')

AddPolicies()

AddPolicies adds authorization rules to the current policy. The operation is atomic in nature. Hence, if authorization rules consists of rules which are not consistent with the current policy, the function returns false and no policy rule is added to the current policy. If all the authorization rules are consistent with the policy rules, the function returns true and each policy rule is added to the current policy.

For example:

rules := [][] string {
[]string {"jack", "data4", "read"},
[]string {"katy", "data4", "write"},
[]string {"leyo", "data4", "read"},
[]string {"ham", "data4", "write"},
}

areRulesAdded := e.AddPolicies(rules)

AddPoliciesEx()

AddPoliciesEx adds authorization rules to the current policy. If the rule already exists, the rule will not be added. But unlike AddPolicies, other non-existent rules are added instead of returning false directly

For example:

ok, err := e.AddPoliciesEx([][]string{{"user1", "data1", "read"}, {"user2", "data2", "read"}})

AddNamedPolicy()

AddNamedPolicy adds an authorization rule to the current named policy. If the rule already exists, the function returns false and the rule will not be added. Otherwise the function returns true by adding the new rule.

For example:

added := e.AddNamedPolicy("p", "eve", "data3", "read")

AddNamedPolicies()

AddNamedPolicies adds authorization rules to the current named policy. The operation is atomic in nature. Hence, if authorization rules consists of rules which are not consistent with the current policy, the function returns false and no policy rule is added to the current policy. If all the authorization rules are consistent with the policy rules, the function returns true and each policy rule is added to the current policy.

For example:

rules := [][] string {
[]string {"jack", "data4", "read"},
[]string {"katy", "data4", "write"},
[]string {"leyo", "data4", "read"},
[]string {"ham", "data4", "write"},
}

areRulesAdded := e.AddNamedPolicies("p", rules)

AddNamedPoliciesEx()

AddNamedPoliciesEx adds authorization rules to the current named policy. If the rule already exists, the rule will not be added. But unlike AddNamedPolicies, other non-existent rules are added instead of returning false directly

For example:

ok, err := e.AddNamedPoliciesEx("p", [][]string{{"user1", "data1", "read"}, {"user2", "data2", "read"}})

SelfAddPoliciesEx()

SelfAddPoliciesEx adds authorization rules to the current named policy with autoNotifyWatcher disabled. If the rule already exists, the rule will not be added. But unlike SelfAddPolicies, other non-existent rules are added instead of returning false directly

For example:

ok, err := e.SelfAddPoliciesEx("p", "p", [][]string{{"user1", "data1", "read"}, {"user2", "data2", "read"}})

RemovePolicy()

RemovePolicy removes an authorization rule from the current policy.

For example:

removed := e.RemovePolicy("alice", "data1", "read")

RemovePolicies()

RemovePolicies removes authorization rules from the current policy. The operation is atomic in nature. Hence, if authorization rules consists of rules which are not consistent with the current policy, the function returns false and no policy rule is removed from the current policy. If all the authorization rules are consistent with the policy rules, the function returns true and each policy rule is removed from the current policy.

For example:

rules := [][] string {
[]string {"jack", "data4", "read"},
[]string {"katy", "data4", "write"},
[]string {"leyo", "data4", "read"},
[]string {"ham", "data4", "write"},
}

areRulesRemoved := e.RemovePolicies(rules)

RemoveFilteredPolicy()

RemoveFilteredPolicy removes an authorization rule from the current policy, field filters can be specified. RemovePolicy removes an authorization rule from the current policy.

For example:

removed := e.RemoveFilteredPolicy(0, "alice", "data1", "read")

RemoveNamedPolicy()

RemoveNamedPolicy removes an authorization rule from the current named policy.

For example:

removed := e.RemoveNamedPolicy("p", "alice", "data1", "read")

RemoveNamedPolicies()

RemoveNamedPolicies removes authorization rules from the current named policy. The operation is atomic in nature. Hence, if authorization rules consists of rules which are not consistent with the current policy, the function returns false and no policy rule is removed from the current policy. If all the authorization rules are consistent with the policy rules, the function returns true and each policy rule is removed from the current policy.

For example:

rules := [][] string {
[]string {"jack", "data4", "read"},
[]string {"katy", "data4", "write"},
[]string {"leyo", "data4", "read"},
[]string {"ham", "data4", "write"},
}

areRulesRemoved := e.RemoveNamedPolicies("p", rules)

RemoveFilteredNamedPolicy()

RemoveFilteredNamedPolicy removes an authorization rule from the current named policy, field filters can be specified.

For example:

removed := e.RemoveFilteredNamedPolicy("p", 0, "alice", "data1", "read")

HasGroupingPolicy()

HasGroupingPolicy determines whether a role inheritance rule exists.

For example:

has := e.HasGroupingPolicy("alice", "data2_admin")

HasNamedGroupingPolicy()

HasNamedGroupingPolicy determines whether a named role inheritance rule exists.

For example:

has := e.HasNamedGroupingPolicy("g", "alice", "data2_admin")

AddGroupingPolicy()

AddGroupingPolicy adds a role inheritance rule to the current policy. If the rule already exists, the function returns false and the rule will not be added. Otherwise the function returns true by adding the new rule.

For example:

added := e.AddGroupingPolicy("group1", "data2_admin")

AddGroupingPolicies()

AddGroupingPolicies adds role inheritance rules to the current policy. The operation is atomic in nature. Hence, if authorization rules consists of rules which are not consistent with the current policy, the function returns false and no policy rule is added to the current policy. If all authorization the rules are consistent with the policy rules, the function returns true and each policy rule is added to the current policy.

For example:

rules := [][] string {
[]string {"ham", "data4_admin"},
[]string {"jack", "data5_admin"},
}

areRulesAdded := e.AddGroupingPolicies(rules)

AddGroupingPoliciesEx()

AddGroupingPoliciesEx adds role inheritance rules to the current policy. If the rule already exists, the rule will not be added. But unlike AddGroupingPolicies, other non-existent rules are added instead of returning false directly

For example:

ok, err := e.AddGroupingPoliciesEx([][]string{{"user1", "member"}, {"user2", "member"}})

AddNamedGroupingPolicy()

AddNamedGroupingPolicy adds a named role inheritance rule to the current policy. If the rule already exists, the function returns false and the rule will not be added. Otherwise the function returns true by adding the new rule.

For example:

added := e.AddNamedGroupingPolicy("g", "group1", "data2_admin")

AddNamedGroupingPolicies()

AddNamedGroupingPolicies adds named role inheritance rules to the current policy. The operation is atomic in nature. Hence, if authorization rules consists of rules which are not consistent with the current policy, the function returns false and no policy rule is added to the current policy. If all the authorization rules are consistent with the policy rules, the function returns true and each policy rule is added to the current policy.

For example:

rules := [][] string {
[]string {"ham", "data4_admin"},
[]string {"jack", "data5_admin"},
}

areRulesAdded := e.AddNamedGroupingPolicies("g", rules)

AddNamedGroupingPoliciesEx()

AddNamedGroupingPoliciesEx adds named role inheritance rules to the current policy. If the rule already exists, the rule will not be added. But unlike AddNamedGroupingPolicies, other non-existent rules are added instead of returning false directly

For example:

ok, err := e.AddNamedGroupingPoliciesEx("g", [][]string{{"user1", "member"}, {"user2", "member"}})

RemoveGroupingPolicy()

RemoveGroupingPolicy removes a role inheritance rule from the current policy.

For example:

removed := e.RemoveGroupingPolicy("alice", "data2_admin")

RemoveGroupingPolicies()

RemoveGroupingPolicies removes role inheritance rules from the current policy. The operation is atomic in nature. Hence, if authorization rules consists of rules which are not consistent with the current policy, the function returns false and no policy rule is removed from the current policy. If all the authorization rules are consistent with the policy rules, the function returns true and each policy rule is removed from the current policy.

For example:

rules := [][] string {
[]string {"ham", "data4_admin"},
[]string {"jack", "data5_admin"},
}

areRulesRemoved := e.RemoveGroupingPolicies(rules)

RemoveFilteredGroupingPolicy()

RemoveFilteredGroupingPolicy removes a role inheritance rule from the current policy, field filters can be specified.

For example:

removed := e.RemoveFilteredGroupingPolicy(0, "alice")

RemoveNamedGroupingPolicy()

RemoveNamedGroupingPolicy removes a role inheritance rule from the current named policy.

For example:

removed := e.RemoveNamedGroupingPolicy("g", "alice")

RemoveNamedGroupingPolicies()

RemoveNamedGroupingPolicies removes named role inheritance rules from the current policy. The operation is atomic in nature. Hence, if authorization rules consists of rules which are not consistent with the current policy, the function returns false and no policy rule is removed from the current policy. If all the authorization rules are consistent with the policy rules, the function returns true and each policy rule is removed from the current policy.

For example:

rules := [][] string {
[]string {"ham", "data4_admin"},
[]string {"jack", "data5_admin"},
}

areRulesRemoved := e.RemoveNamedGroupingPolicies("g", rules)

RemoveFilteredNamedGroupingPolicy()

RemoveFilteredNamedGroupingPolicy removes a role inheritance rule from the current named policy, field filters can be specified.

For example:

removed := e.RemoveFilteredNamedGroupingPolicy("g", 0, "alice")

UpdatePolicy()

UpdatePolicy update a old policy to new policy.

For example:

updated, err := e.UpdatePolicy([]string{"eve", "data3", "read"}, []string{"eve", "data3", "write"})

UpdatePolicies()

UpdatePolicies updates all old policies to new policies.

For example:

updated, err := e.UpdatePolicies([][]string{{"eve", "data3", "read"}, {"jack", "data3", "read"}}, [][]string{{"eve", "data3", "write"}, {"jack", "data3", "write"}})

AddFunction()

AddFunction adds a customized function.

For example:

func CustomFunction(key1 string, key2 string) bool {
if key1 == "/alice_data2/myid/using/res_id" && key2 == "/alice_data/:resource" {
return true
} else if key1 == "/alice_data2/myid/using/res_id" && key2 == "/alice_data2/:id/using/:resId" {
return true
} else {
return false
}
}

func CustomFunctionWrapper(args ...interface{}) (interface{}, error) {
key1 := args[0].(string)
key2 := args[1].(string)

return bool(CustomFunction(key1, key2)), nil
}

e.AddFunction("keyMatchCustom", CustomFunctionWrapper)

LoadFilteredPolicy()

LoadFilteredPolicy loads filtered policies from file/database.

For example:

err := e.LoadFilteredPolicy()

LoadIncrementalFilteredPolicy()

LoadIncrementalFilteredPolicy append a filtered policy from file/database.

For example:

err := e.LoadIncrementalFilteredPolicy()

UpdateGroupingPolicy()

UpdateGroupingPolicy updates oldRule to newRulein g section

For example:

succeed, err : = e.UpdateGroupingPolicy([]string{"data3_admin", "data4_admin"}, []string{"admin", "data4_admin"})

UpdateNamedGroupingPolicy()

UpdateNamedGroupingPolicy updates oldRule named ptype to newRulein g section

For example:

succeed, err : = e.UpdateGroupingPolicy("g1",[]string{"data3_admin", "data4_admin"}, []string{"admin", "data4_admin"})

SetFieldIndex()

SetFieldIndex suport customization of conventional name and position of sub, obj, domain and priority.

[policy_definition]
p = customized_priority, obj, act, eft, subject

For example:

e.SetFieldIndex("p", constant.PriorityIndex, 0)
e.SetFieldIndex("p", constant.SubjectIndex, 4)