JHM9191/rbac-opa-server
Intro

An API server that answers RBAC authorization queries with OPA, where the rule data (roles and permissions) are stored in a database.




Tech stacks used

  • language
    • go, rego
  • db
    • mariadb
  • framework
    • gin-gonic framework
    • go wire
  • orm
    • gorm
  • rule engine
    • opa (Open Policy Agent, via its Go library)

Check List

[ o ] implement OPA logic using the OPA library
[ o ] serve the web API using gin
[ o ] use a DI framework - go wire is used
[ o ] API for evaluating RBAC
[ x ] SQL select that builds the data JSON used by the OPA engine from the DB
[ x ] API for CRUD of permission, role, user, project
[ x ] API for CRUD of permission-to-role and role-to-user assignments


Rego

package rbac

default allow = false

allow {
    # Look up the projects the user has access to, keyed by project id.
    project_roles := data.roles[input.user_id]

    # For each of the roles held by the user for the named project.
    project_role := project_roles[input.project]
    pr := project_role[_]

    # Look up the permissions for the role.
    permissions := data.permissions[pr]

    # For each role permission, check whether it matches "action:resource".
    p := permissions[_]
    p == concat("", [input.action, ":", input.resource])
}


Data.json

{
  "roles": {
    "id:customer_1:project:project_1:user:user_1": {
      "id:customer_1:project:project_1": [
        "administrator"
      ]
    },
    "id:customer_1:project:project_2:user:user_2": {
      "id:customer_1:project:project_2": [
        "administrator"
      ]
    },
    "id:customer_1:project:project_1:user:user_3": {
      "id:customer_1:project:project_1": [
        "viewer"
      ]
    },
    "id:customer_1:project:project_2:user:user_4": {
      "id:customer_1:project:project_2": [
        "manager"
      ]
    }
  },
  "permissions": {
    "administrator": [
      "view:resource",
      "update:resource",
      "create:resource",
      "delete:resource"
    ],
    "viewer": [
      "view:resource"
    ],
    "manager": [
      "view:resource",
      "update:resource"
    ]
  }
}


Test

1. user_1, who is in project_1, wants to create a resource

Request

curl -X POST --location "http://localhost:9999/api/v1/eval" \
    -H "Content-Type: application/json" \
    -d "{
          \"user_id\": \"id:customer_1:project:project_1:user:user_1\",
          \"project\": \"id:customer_1:project:project_1\",
          \"action\": \"create\",
          \"resource\": \"resource\"
        }"

Response

{
  "code": 1,
  "message": "Success",
  "data": true
}

RESULT: Allowed!



2. user_4, who is in project_2, wants to delete a resource

Request

curl -X POST --location "http://localhost:9999/api/v1/eval" \
    -H "Content-Type: application/json" \
    -d "{
          \"user_id\": \"id:customer_1:project:project_2:user:user_4\",
          \"project\": \"id:customer_1:project:project_2\",
          \"action\": \"delete\",
          \"resource\": \"resource\"
        }"

Response

{
  "code": 1,
  "message": "Success",
  "data": false
}

RESULT: Denied! No permission to delete resource!
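To make the decision path of the rbac.allow rule concrete, the following is an added example, not code from this repository: a plain-Go transcription of the Rego rule, run against the data.json shown above (embedded as a string so it works without the MariaDB loader) and against the two requests from the Test section. The Input and Data structs and the Allow/LoadData functions are names chosen for this example. Beyond the two documented cases it also shows the denials that the rule gives for free: a user whose role in project_1 asks about project_2, and a user id that is absent from data.roles entirely, both fall through to `default allow = false`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Input mirrors the JSON body that the curl examples send to POST /api/v1/eval.
type Input struct {
	UserID   string `json:"user_id"`
	Project  string `json:"project"`
	Action   string `json:"action"`
	Resource string `json:"resource"`
}

// Data mirrors data.json: roles[user_id][project] lists role names and
// permissions[role] lists "action:resource" strings.
type Data struct {
	Roles       map[string]map[string][]string `json:"roles"`
	Permissions map[string][]string            `json:"permissions"`
}

// SampleData is the data.json document from the README, embedded so the
// example runs offline without the database-backed loader.
const SampleData = `{
  "roles": {
    "id:customer_1:project:project_1:user:user_1": {"id:customer_1:project:project_1": ["administrator"]},
    "id:customer_1:project:project_2:user:user_2": {"id:customer_1:project:project_2": ["administrator"]},
    "id:customer_1:project:project_1:user:user_3": {"id:customer_1:project:project_1": ["viewer"]},
    "id:customer_1:project:project_2:user:user_4": {"id:customer_1:project:project_2": ["manager"]}
  },
  "permissions": {
    "administrator": ["view:resource", "update:resource", "create:resource", "delete:resource"],
    "viewer": ["view:resource"],
    "manager": ["view:resource", "update:resource"]
  }
}`

// LoadData parses a data.json document into Data.
func LoadData(raw string) (Data, error) {
	var d Data
	err := json.Unmarshal([]byte(raw), &d)
	return d, err
}

// Allow is a line-by-line transcription of the rbac.allow rule into Go.
// In Rego a failed lookup makes the rule body undefined, so
// `default allow = false` applies; here every such case returns false.
func Allow(d Data, in Input) bool {
	// project_roles := data.roles[input.user_id]
	projectRoles, ok := d.Roles[in.UserID]
	if !ok {
		return false // unknown user: no roles anywhere
	}
	// project_role := project_roles[input.project]
	roles, ok := projectRoles[in.Project]
	if !ok {
		return false // no role in the named project; cross-project requests end here
	}
	// p == concat("", [input.action, ":", input.resource])
	want := in.Action + ":" + in.Resource
	// pr := project_role[_]; p := permissions[_]
	for _, role := range roles {
		for _, p := range d.Permissions[role] { // unknown role: nil slice, nothing to iterate
			if p == want {
				return true
			}
		}
	}
	return false
}

func main() {
	d, err := LoadData(SampleData)
	if err != nil {
		panic(err)
	}
	cases := []Input{
		// Test case 1 from the README: administrator of project_1 creates a resource.
		{UserID: "id:customer_1:project:project_1:user:user_1", Project: "id:customer_1:project:project_1", Action: "create", Resource: "resource"},
		// Test case 2 from the README: manager of project_2 tries to delete.
		{UserID: "id:customer_1:project:project_2:user:user_4", Project: "id:customer_1:project:project_2", Action: "delete", Resource: "resource"},
		// Constructed: user_1's administrator role does not carry over to project_2.
		{UserID: "id:customer_1:project:project_1:user:user_1", Project: "id:customer_1:project:project_2", Action: "view", Resource: "resource"},
	}
	for _, in := range cases {
		fmt.Printf("%s %s %s in %s -> allow=%v\n", in.UserID, in.Action, in.Resource, in.Project, Allow(d, in))
	}
}
```

The structure of data.roles is what scopes a role to a single project: the user key only leads to a project key, and only that project's role list is consulted, so there is no need for a separate tenancy check in the rule. Whatever replaces the embedded SampleData (the planned SQL select in the checklist) must preserve that two-level shape, or the policy silently stops distinguishing projects.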
