luowei428/pbac

Policy Based Access Control

This is a Java-based implementation modelled on Ladon.

Policy Based Access Control (PBAC) is similar to Role Based Access Control (RBAC) or Access Control Lists (ACLs). In contrast to ACLs and RBAC, you get fine-grained access control with the ability to answer authorization questions in complex environments such as multi-tenant or distributed applications and large organizations. PBAC and Ladon are inspired by AWS IAM Policies.

Concepts

PBAC is an access control library that answers the question:

Who is able to do what on something given some context

  • Who: An arbitrary unique subject name, for example "ken" or "printer-service.mydomain.com".
  • Able: The effect which can be either "allow" or "deny".
  • What: An arbitrary action name, for example "delete", "create" or "scoped:action:something".
  • Something: An arbitrary unique resource name, for example "something", "resources.articles.1234" or some uniform resource name like "urn:isbn:3827370191".
  • Context: The current context containing information about the environment such as the IP Address, request date, the resource owner name, the department ken is working in or any other information you want to pass along. (optional)

To decide what the answer is, PBAC uses policy documents, which can be represented as JSON:

POST /policies HTTP/1.1
Host: localhost:5000
Content-Type: application/json

{
    "id": "1",
    "description": "One policy to rule them all.",
    "subjects": [
        "users:<peter|ken>",
        "users:maria",
        "groups:admins"
    ],
    "effect": "allow",
    "resources": [
        "resources:articles:<.*>",
        "resources:printer"
    ],
    "actions": [
        "delete",
        "<create|update>"
    ],
    "conditions": {
        "resourceOwner": {
            "type": "EqualsSubjectCondition"
        },
        "isBankUser": {
            "type": "StringEqualCondition",
            "options": {
                "equals": "true"
            }
        }
    }
}

and can answer access requests that look like:

POST /policies/isAllowed HTTP/1.1
Host: localhost:5000
Content-Type: application/json

{
    "subject": "users:ken",
    "resource": "resources:articles:1234",
    "action": "create",
    "context": {
        "isBankUser": "true",
        "resourceOwner": "users:ken"
    }
}
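To make the matching rules concrete, here is an added example (not the project's code) that evaluates the policy document above against the access request above. It assumes Ladon-style semantics: text inside `<...>` is a regular expression and everything else is literal, every condition must hold, the answer is deny by default, and an explicit deny wins over any allow.

```python
import re

# Constructed policy mirroring the policy document shown above (not the project's code).
POLICY = {
    "id": "1", "effect": "allow",
    "subjects": ["users:<peter|ken>", "users:maria", "groups:admins"],
    "resources": ["resources:articles:<.*>", "resources:printer"],
    "actions": ["delete", "<create|update>"],
    "conditions": {
        "resourceOwner": {"type": "EqualsSubjectCondition"},
        "isBankUser": {"type": "StringEqualCondition", "options": {"equals": "true"}},
    },
}

def template_to_regex(template):
    """Ladon-style template: text outside <...> is literal, text inside is a regex."""
    pattern, pos = "", 0
    for m in re.finditer(r"<([^>]*)>", template):
        pattern += re.escape(template[pos:m.start()]) + "(?:" + m.group(1) + ")"
        pos = m.end()
    return re.compile(pattern + re.escape(template[pos:]))

def any_match(templates, value):
    # The whole value must match one template; partial matches never count.
    return any(template_to_regex(t).fullmatch(value) for t in templates)

def condition_holds(name, spec, request):
    """Evaluate one named condition against the request context (assumed semantics)."""
    value = request.get("context", {}).get(name)
    if spec["type"] == "EqualsSubjectCondition":
        return value == request["subject"]
    if spec["type"] == "StringEqualCondition":
        return value == spec["options"]["equals"]
    return False  # unknown condition types never pass: fail closed

def is_allowed(policies, request):
    """Deny by default; an explicit deny overrides any allow (Ladon-style, assumed here)."""
    allowed = False
    for p in policies:
        if not (any_match(p["subjects"], request["subject"])
                and any_match(p["resources"], request["resource"])
                and any_match(p["actions"], request["action"])):
            continue
        if not all(condition_holds(n, s, request) for n, s in p.get("conditions", {}).items()):
            continue
        if p["effect"] == "deny":
            return False
        allowed = True
    return allowed

# The access request from the document above: ken creating article 1234, which he owns.
REQUEST = {"subject": "users:ken", "resource": "resources:articles:1234", "action": "create",
           "context": {"isBankUser": "true", "resourceOwner": "users:ken"}}
```

Changing the subject to `users:maria` while `resourceOwner` stays `users:ken` is denied because `EqualsSubjectCondition` fails, and a missing context key fails closed rather than defaulting to allow.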

The default implementation uses an H2 in-memory database (console at http://localhost:5000/h2-console/) and exposes a REST endpoint at http://localhost:5000/policies
