service backend
54
api/pkg/auth/internal/casbin/models/auth.conf
Normal file
@@ -0,0 +1,54 @@
######################################################
# Request Definition
######################################################
[request_definition]
# Explanation:
# - `accountRef`: The account (user) making the request.
# - `organizationRef`: The organization in which the role applies.
# - `permissionRef`: The specific permission being requested.
# - `objectRef`: The object/resource being accessed (specific object or all objects).
# - `action`: The action being requested (CRUD: read, write, update, delete).
r = accountRef, organizationRef, permissionRef, objectRef, action
######################################################
# Policy Definition
######################################################
[policy_definition]
# Explanation:
# - `roleRef`: The role to which the policy is assigned.
# - `organizationRef`: The organization in which the role applies.
# - `permissionRef`: The permission associated with the policy.
# - `objectRef`: The specific object/resource the policy applies to (or all objects).
# - `action`: The CRUD action permitted or denied.
# - `eft`: Effect of the policy (`allow` or `deny`).
p = roleRef, organizationRef, permissionRef, objectRef, action, eft
######################################################
# Role Definition
######################################################
[role_definition]
# Explanation:
# - Maps `accountRef` (user) to `roleRef` (role) within `organizationRef` (scope).
# Casbin requires underscores for placeholders, so we do not literally use accountRef, roleRef, etc. here.
g = _, _, _
######################################################
# Policy Effect
######################################################
[policy_effect]
# Explanation:
# - Grants access if any `allow` policy matches and no `deny` policies match.
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
######################################################
# Matchers
######################################################
[matchers]
# Explanation:
# - Checks if the user (accountRef) belongs to the roleRef within an organizationRef via `g()`.
# - Ensures the organizationRef, permissionRef, objectRef, and action match the policy.
m = g(r.accountRef, p.roleRef, r.organizationRef) && r.organizationRef == p.organizationRef && r.permissionRef == p.permissionRef && (p.objectRef == r.objectRef || p.objectRef == "*") && r.action == p.action
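Review bot: the policy effect `e = some(where (p.eft == allow)) && !some(where (p.eft == deny))` compares `p.eft` against the exact literals `allow` and `deny`, so a policy row whose sixth column holds anything else (empty, mis-cased `Deny`, trailing whitespace) matches neither branch and a rule that was meant to deny is silently ignored. Since `p = roleRef, organizationRef, permissionRef, objectRef, action, eft` makes `eft` a mandatory column, validate it at policy-load time (reject any value outside `allow`/`deny`) instead of relying on the matcher to notice. Two smaller points in the same hunk: the request_definition comment describes `action` as "CRUD: read, write, update, delete", but the matcher does a strict `r.action == p.action` string compare with no wildcard (unlike `p.objectRef == "*"`), so the action vocabulary should be pinned down (create vs write) and enforced wherever policies are written; and because `*` is accepted for `objectRef` on the policy side, a `deny` row with `objectRef = *` overrides every allow for that role/permission/action in the organization, which is the intended precedence here but deserves a sentence in the Policy Effect comment.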