Supported Models
- ACL (Access Control List)
- ACL with superuser
- ACL without users: especially useful for systems that don't have authentication or user log-ins.
- ACL without resources: some scenarios may target a type of resource instead of an individual resource by using permissions like `write-article`, `read-log`. It doesn't control the access to a specific article or log.
- RBAC (Role-Based Access Control)
- RBAC with resource roles: both users and resources can have roles (or groups) at the same time.
- RBAC with domains/tenants: users can have different role sets for different domains/tenants.
- ABAC (Attribute-Based Access Control): syntax sugar like `resource.Owner` can be used to get the attribute for a resource.
- RESTful: supports paths like `/res/*`, `/res/:id` and HTTP methods like `GET`, `POST`, `PUT`, `DELETE`.
- Deny-override: both allow and deny authorizations are supported, deny overrides the allow.
- Priority: the policy rules can be prioritized like firewall rules.
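The deny-override, allow-and-deny and priority items differ only in how the effects of the matched rules are combined. The added example below (a self-contained sketch, not the project's code or API) evaluates one constructed policy under all three combinations. It assumes the effect expressions `!some(where (p.eft == deny))`, `some(where (p.eft == allow)) && !some(where (p.eft == deny))` and `priority(p.eft) || deny`, which are not shown on this page; `Rule`, `Policy`, `matches` and `Decide` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one policy line; Eft is "allow" or "deny".
type Rule struct{ Sub, Obj, Act, Eft string }

// Policy is constructed sample data, not one of the policy files listed on the page.
var Policy = []Rule{
	{"alice", "/res/*", "GET", "allow"},
	{"alice", "/res/secret", "GET", "deny"},
}

// matches: exact subject and action; a trailing "*" in the rule object is a prefix wildcard.
func matches(r Rule, sub, obj, act string) bool {
	objOK := r.Obj == obj || (strings.HasSuffix(r.Obj, "*") &&
		strings.HasPrefix(obj, strings.TrimSuffix(r.Obj, "*")))
	return objOK && r.Sub == sub && r.Act == act
}

// Decide evaluates one request under three ways of combining matched rules
// (assumed effect expressions, see the lead-in): deny-override allows unless a
// deny matches, allow-and-deny also requires a matching allow, and priority
// takes the effect of the first matching rule and denies when nothing matches.
func Decide(rules []Rule, sub, obj, act string) (denyOverride, allowAndDeny, priority bool) {
	anyAllow, anyDeny, first := false, false, ""
	for _, r := range rules {
		if !matches(r, sub, obj, act) {
			continue
		}
		if first == "" {
			first = r.Eft
		}
		anyAllow = anyAllow || r.Eft == "allow"
		anyDeny = anyDeny || r.Eft == "deny"
	}
	return !anyDeny, anyAllow && !anyDeny, first == "allow"
}

func main() {
	for _, q := range [][3]string{{"alice", "/res/secret", "GET"}, {"bob", "/res/a", "GET"}} {
		d, a, p := Decide(Policy, q[0], q[1], q[2])
		fmt.Println(q, "deny-override:", d, "allow-and-deny:", a, "priority:", p)
	}
}
```

Two results are worth checking in a policy review: under the priority combination the broad allow listed first decides the `/res/secret` request, and under deny-override alone a request that matches no rule is allowed.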
Examples
| Model | Model file | Policy file |
|---|---|---|
| ACL | basic_model.conf | basic_policy.csv |
| ACL with superuser | basic_with_root_model.conf | basic_policy.csv |
| ACL without users | basic_without_users_model.conf | basic_without_users_policy.csv |
| ACL without resources | basic_without_resources_model.conf | basic_without_resources_policy.csv |
| RBAC | rbac_model.conf | rbac_policy.csv |
| RBAC with resource roles | rbac_with_resource_roles_model.conf | rbac_with_resource_roles_policy.csv |
| RBAC with domains/tenants | rbac_with_domains_model.conf | rbac_with_domains_policy.csv |
| ABAC | abac_model.conf | N/A |
| RESTful | keymatch_model.conf | keymatch_policy.csv |
| Deny-override | rbac_with_not_deny_model.conf | rbac_with_deny_policy.csv |
| Allow-and-deny | rbac_with_deny_model.conf | rbac_with_deny_policy.csv |
| Priority | priority_model.conf | priority_policy.csv |
| Explicit Priority | priority_model_explicit | priority_policy_explicit.csv |
| Subject-Priority | subject_priority_model.conf | subject_priority_policyl.csv |