2017-25 © Pedro Peláez
 

library god

An authority proving system that supports ACL, RBAC, ABAC


lanlin/god


  • Thursday, June 28, 2018
  • by lanlin
  • Repository
  • 1 Watchers
  • 0 Stars
  • 3 Installations
  • PHP
  • 0 Dependents
  • 0 Suggesters
  • 0 Forks
  • 0 Open issues
  • 5 Versions
  • 0 % Grown

The README.md

God Permission System

"God said, Let there be light, and there was light."

"God will decide if you have permission."

"God bless you!"

Install

composer require lanlin/god

The Origin

God was written with reference to the Casbin (Golang) project; thanks to its authors for their hard work.

For more detail, please refer to the documentation of Casbin.

Supported models

  1. ACL (Access Control List)
  2. ACL with superuser
  3. ACL without users: especially useful for systems that don't have authentication or user log-ins.
  4. ACL without resources: some scenarios target a type of resource instead of an individual resource by using permissions like write-article, read-log. It doesn't control the access to a specific article or log.
  5. RBAC (Role-Based Access Control)
  6. RBAC with resource roles: both users and resources can have roles (or groups) at the same time.
  7. RBAC with domains/tenants: users can have different role sets for different domains/tenants.
  8. ABAC (Attribute-Based Access Control): syntax sugar like resource.Owner can be used to get the attribute for a resource.
  9. RESTful: supports paths like /res/*, /res/:id and HTTP methods like GET, POST, PUT, DELETE.
  10. Deny-override: both allow and deny authorizations are supported, deny overrides the allow.
  11. Priority: the policy rules can be prioritized like firewall rules.

Supported Adapters

  1. file adapter
  2. MongoDB adapter
  3. PHP PDO adapters (currently supported: MySQL, PostgreSQL, SQLite, SQL Server)

How does it work?

Every check answers one question: when "Who" (as a "Role" or "Group") from "Where" does "Operator" to "What", what is the "How"?

Identifier  Description
r           Request (r = sub, obj, act)
p           Policy (p = sub, obj, act, eft)
g           Group or Role (g = _, _)
e           Policy Effect (e = some(where (p.eft == allow)))
m           Matchers (m = r.obj == p.obj)
sub         Subject (Who)
dom         Domain (Where)
obj         Object (What)
act         Action (Operator)
eft         Effect (How) (allow, deny, indeterminate)

An access control model is abstracted into a CONF file based on the PERM metamodel (Policy, Effect, Request, Matchers).

So switching or upgrading the authorization mechanism for a project is just as simple as modifying a configuration.

You can customize your own access control model by combining the available models.

For example, you can get RBAC roles and ABAC attributes together inside one model and share one set of policy rules.

The most basic and simplest model in God is ACL. ACL's model CONF is:

# Request definition
[request_definition]
r = sub, obj, act

# Policy definition
[policy_definition]
p = sub, obj, act

# Policy effect
[policy_effect]
e = some(where (p.eft == allow))

# Matchers
[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act

An example policy for the ACL model looks like this:

p, alice, data1, read
p, bob, data2, write

It means:

  • alice can read data1
  • bob can write data2
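
How the ACL model above resolves a request, written out as a stand-alone PHP example (added here; it is not code from God or Casbin): it parses policy lines in the format shown, applies the ACL matcher, then applies the policy effect. The function names and the extra data2 rules are constructed for illustration, and the deny-override effect expression (supported model 10) is the form Casbin documents.

```php
<?php
// Added illustration, not God's implementation; function names are hypothetical.
// Constructed policy: the two rules from the text plus an allow/deny pair on
// data2 (5th column = eft) to exercise the deny-override effect.
const POLICY_CSV = <<<'CSV'
p, alice, data1, read
p, bob, data2, write
p, alice, data2, read, allow
p, alice, data2, read, deny
CSV;

/** Parse "p, sub, obj, act[, eft]" lines; a missing eft means "allow". */
function parsePolicy(string $csv): array
{
    $rules = [];
    foreach (preg_split('/\R/', trim($csv)) as $line) {
        $f = array_map('trim', explode(',', $line));
        if (count($f) < 4 || $f[0] !== 'p') {
            continue; // skip blank, malformed and non-policy rows
        }
        $rules[] = ['sub' => $f[1], 'obj' => $f[2], 'act' => $f[3], 'eft' => $f[4] ?? 'allow'];
    }
    return $rules;
}

/** Matcher: m = r.sub == p.sub && r.obj == p.obj && r.act == p.act */
function matches(array $r, array $p): bool
{
    return $r[0] === $p['sub'] && $r[1] === $p['obj'] && $r[2] === $p['act'];
}

/** Collect the eft of every matched rule, then apply the policy effect. */
function enforce(array $rules, array $r, bool $denyOverride = false): bool
{
    $efts = [];
    foreach ($rules as $p) {
        if (matches($r, $p)) {
            $efts[] = $p['eft'];
        }
    }
    $someAllow = in_array('allow', $efts, true);
    // e = some(where (p.eft == allow)) [&& !some(where (p.eft == deny))]
    return $denyOverride ? ($someAllow && !in_array('deny', $efts, true)) : $someAllow;
}

$rules = parsePolicy(POLICY_CSV);
var_dump(enforce($rules, ['alice', 'data1', 'read']));       // rule from the text
var_dump(enforce($rules, ['alice', 'data1', 'write']));      // no matching rule
var_dump(enforce($rules, ['alice', 'data2', 'read']));       // allow-only effect
var_dump(enforce($rules, ['alice', 'data2', 'read'], true)); // deny-override effect
```

With the allow-only effect a matching allow rule wins even when a deny rule also matches, so a policy that contains deny rows is only honoured when the model's [policy_effect] uses the deny-override form.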

Demo

use God\God;

$God = new God('path/to/model.conf', 'path/to/policy.csv');

$God->allows('you', 'evil book', 'read');  // Does God allow you to do this?

// Supported constructor signatures:
//   new God();
//   new God(string $modelPath);
//   new God(string $modelPath, string $policyFile);
//   new God(string $modelPath, Adapter $adapter);
//   new God(Model $model);
//   new God(Model $model, Adapter $adapter);


// demo for mysql
// (root is used here for the demo only; a dedicated low-privilege
//  database account is the better choice for the policy store)
$dbHost   = "127.0.0.1";
$dbPort   = 3306;
$dbName   = "your_database_name";
$username = "root";
$password = "your_password";

// php mysql pdo demo
$pdo = new \PDO("mysql:host={$dbHost};port={$dbPort};dbname={$dbName}", $username, $password);

// init god model with csv
$g = new God('tests/Examples/rbac_model.conf', 'tests/Examples/rbac_policy.csv');
$m = $g->getModel();

// save policy to database
// (Adapter is the PDO adapter class shipped with God; import it with a `use` statement)
$a = new Adapter($pdo);
$a->savePolicy($m);

For more usage demos, please view the unit tests or:

  • Casbin documentation (Chinese)
  • Casbin documentation

License

This project is licensed under the MIT license.

The Versions

28/06 2018

dev-master

9999999-dev https://github.com/lanlin/god

An authority proving system that supports ACL, RBAC, ABAC

  Sources   Download

MIT

The Requires

 

The Development Requires

by Avatar lanlin

authorization acl php rbac restful permission abac

28/06 2018

1.0.3

1.0.3.0 https://github.com/lanlin/god


28/06 2018

1.0.2

1.0.2.0 https://github.com/lanlin/god


25/06 2018

1.0.1

1.0.1.0 https://github.com/lanlin/god


25/06 2018

1.0.0

1.0.0.0 https://github.com/lanlin/god
