ALFA comparison
# Policy for the example service, first of the two variants on this page:
# one flat `allow` rule per permitted (action, path) combination.
package example
# Deny by default: `allow` is false unless one of the `allow` rules below is satisfied.
default allow = false
# GET /index.html: open to any subject holding at least one of the listed roles.
allow {
    input.action == "GET"
    input.path == "/index.html"
    # Set membership: the lookup succeeds when some subject role is in the set.
    permitted := {"guest", "user", "admin"}
    permitted[input.subject.roles[_]]
}
# GET /motd: readable by authenticated users and admins; guests are excluded.
allow {
    input.path == "/motd"
    input.action == "GET"
    readers := ["user", "admin"]
    # Any subject role equal to any entry of `readers` satisfies the rule.
    readers[_] == input.subject.roles[_]
}
# POST /motd: only admins may change the message of the day.
allow {
    input.path == "/motd"
    input.action == "POST"
    # `i` ranges over the subject's roles; the rule fires if any equals "admin".
    input.subject.roles[i] == "admin"
}
# GET /admin: restricted to subjects holding the "admin" role.
allow {
    input.path == "/admin"
    input.action == "GET"
    # `i` ranges over the subject's roles; the rule fires if any equals "admin".
    input.subject.roles[i] == "admin"
}
# Attribute-based exception: GET /stats is permitted from the loopback address
# regardless of the subject's roles.
# NOTE(review): this trusts input.subject.ip as supplied; confirm the
# enforcement point derives it from the connection rather than from a
# client-controlled header.
allow {
    input.path == "/stats"
    input.action == "GET"
    input.subject.ip == "127.0.0.1"
}
# Policy for the example service, second of the two variants on this page:
# the same permissions expressed as a role table (`roles`) plus one
# interpreting rule and one attribute-based rule.
package example
# Deny by default: `allow` is false unless one of the `allow` rules below is satisfied.
default allow = false
# RBAC permission table: roles[path][action] lists the roles permitted to
# perform `action` on `path`. Hardcoded into the policy for readability; the
# same structure could be loaded as JSON data and held in memory by OPA.
# Paths or actions absent from the table are never permitted by the RBAC rule.
roles = {
    "/index.html": {"GET": ["guest", "user", "admin"]},
    "/motd":       {"GET": ["user", "admin"], "POST": ["admin"]},
    "/admin":      {"GET": ["admin"]}
}
# Interpret the RBAC table: allow when any subject role appears in the list
# stored under roles[input.path][input.action]. A path or action missing from
# the table leaves the reference undefined, so the rule simply does not fire.
allow {
    permitted := roles[input.path][input.action]
    permitted[_] == input.subject.roles[_]
}
# Attribute-based exception: GET /stats is permitted from the loopback address
# regardless of the subject's roles.
# NOTE(review): this trusts input.subject.ip as supplied; confirm the
# enforcement point derives it from the connection rather than from a
# client-controlled header.
allow {
    input.path == "/stats"
    input.action == "GET"
    input.subject.ip == "127.0.0.1"
}