RBAC
Role-based permission control helper
rbac provides an auth.PermissionChecker implementation. It does not handle login. It resolves roles and permissions from the subject in the current auth info.
Install
go get github.com/duxweb/runa/rbac
It is usually used with auth:
go get github.com/duxweb/runa/auth github.com/duxweb/runa/rbac
Memory Store
store := rbac.NewMemoryStore()
store.AssignRole("1", "admin")
store.Grant("admin", "system.user.*")
store.GrantSubject("1", "profile.view")
Permission checks
checker := rbac.Checker(store)
info := &auth.Info{Data: runa.Map{"id": "1"}}
err := checker.Check(context.Background(), info, "system.user.edit")
_ = err
Permissions support exact matching and .* prefix matching. For example, system.user.* can match system.user.edit.
Connect to HTTP
route.Default().Get("/admin/users", handler).
	Name("system.user.list").
	Use(authmw.Use("web"), authmw.Permission(rbac.Checker(store)))
The default subject resolver reads id, user_id, subject, and sub from auth.Info.Data in order.
Custom subject
checker := rbac.Checker(store, rbac.Subject(func(ctx any, info *auth.Info) string {
	return core.Cast[string](info.Data["tenant_id"]) + ":" + core.Cast[string](info.Data["id"])
}))
Custom Store
type Store struct{}
// Roles returns the roles held by a subject (this stub gives everyone "admin").
func (Store) Roles(ctx context.Context, subject string) ([]string, error) { return []string{"admin"}, nil }
// RolePermissions returns the permissions granted to the given roles (this stub returns "*").
func (Store) RolePermissions(ctx context.Context, roles []string) ([]string, error) { return []string{"*"}, nil }
// SubjectPermissions returns permissions granted directly to a subject (none in this stub).
func (Store) SubjectPermissions(ctx context.Context, subject string) ([]string, error) { return nil, nil }
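The matching rule (exact or .* prefix), the default subject resolution order, the custom subject resolver and the custom Store interface can be exercised together in one self-contained program. This is an added example written for this page, not the rbac package's own code: it reimplements the described behaviour on a stand-in Store interface with the three methods shown in the custom Store example, an Info type standing in for auth.Info, and a constructed in-memory store. Treating a bare "*" as matching every permission is an assumption taken from the custom Store example returning "*"; the tenant-scoped subject mirrors the custom subject example; the Checker, Matches, DefaultSubject and Demo names are this example's own. It has no dependency on the library.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

// Store mirrors the three methods the page's custom Store example shows.
type Store interface {
	Roles(ctx context.Context, subject string) ([]string, error)
	RolePermissions(ctx context.Context, roles []string) ([]string, error)
	SubjectPermissions(ctx context.Context, subject string) ([]string, error)
}

// memoryStore is a constructed stand-in for rbac.NewMemoryStore: subject -> roles, role -> perms, subject -> direct perms.
type memoryStore struct{ roles, rolePerm, subjPerm map[string][]string }

func (m *memoryStore) Roles(_ context.Context, s string) ([]string, error) { return m.roles[s], nil }
func (m *memoryStore) SubjectPermissions(_ context.Context, s string) ([]string, error) { return m.subjPerm[s], nil }
func (m *memoryStore) RolePermissions(_ context.Context, roles []string) ([]string, error) {
	var out []string
	for _, r := range roles {
		out = append(out, m.rolePerm[r]...)
	}
	return out, nil
}

type Info struct{ Data map[string]any } // stands in for auth.Info

// Matches applies the page's rule: exact match, or "prefix.*" matching anything under "prefix."
// (system.user.* matches system.user.edit, not system.users.edit); bare "*" as match-all is an assumption.
func Matches(granted, required string) bool {
	if granted == "*" || granted == required {
		return true
	}
	return strings.HasSuffix(granted, ".*") &&
		strings.HasPrefix(required, strings.TrimSuffix(granted, "*"))
}

// DefaultSubject reads id, user_id, subject and sub in that order, as the page describes.
func DefaultSubject(_ context.Context, info *Info) string {
	for _, key := range []string{"id", "user_id", "subject", "sub"} {
		if v := info.Data[key]; v != nil && v != "" {
			return fmt.Sprint(v)
		}
	}
	return ""
}

// Checker pairs a Store with a subject resolver, like rbac.Checker(store, rbac.Subject(fn)).
type Checker struct {
	Store   Store
	Subject func(ctx context.Context, info *Info) string
}

// Check fails closed: an unresolvable subject is denied and Store errors are returned, not ignored.
func (c *Checker) Check(ctx context.Context, info *Info, required string) error {
	subject := c.Subject(ctx, info)
	if subject == "" {
		return fmt.Errorf("permission denied: no subject in auth info")
	}
	roles, err := c.Store.Roles(ctx, subject)
	if err != nil {
		return err
	}
	rolePerms, err := c.Store.RolePermissions(ctx, roles)
	if err != nil {
		return err
	}
	subjPerms, err := c.Store.SubjectPermissions(ctx, subject)
	if err != nil {
		return err
	}
	for _, p := range append(append([]string{}, rolePerms...), subjPerms...) {
		if Matches(p, required) {
			return nil
		}
	}
	return fmt.Errorf("permission denied: %s lacks %s", subject, required)
}

// Demo scopes subjects by tenant, as in the page's custom subject example, and returns four check results.
func Demo() (adminEdit, userProfile, userEdit, otherTenant error) {
	store := &memoryStore{
		roles:    map[string][]string{"t1:1": {"admin"}},
		rolePerm: map[string][]string{"admin": {"system.user.*"}},
		subjPerm: map[string][]string{"t1:2": {"profile.view"}},
	}
	checker := &Checker{store, func(_ context.Context, info *Info) string {
		return fmt.Sprint(info.Data["tenant_id"]) + ":" + fmt.Sprint(info.Data["id"])
	}}
	check := func(tenant, id, perm string) error {
		return checker.Check(context.Background(), &Info{Data: map[string]any{"tenant_id": tenant, "id": id}}, perm)
	}
	return check("t1", "1", "system.user.edit"), check("t1", "2", "profile.view"),
		check("t1", "2", "system.user.edit"), check("t2", "1", "system.user.edit")
}
```

Demo returns, in order: the admin of tenant t1 editing a user (allowed through the system.user.* grant), user 2 viewing a profile (allowed through a direct subject grant), user 2 editing a user (denied), and the admin's id presented under tenant t2 (denied, because "t2:1" is a different subject with no roles). That last case is the reason a composite subject matters: the Store is only ever asked about the resolved subject string, so whatever the resolver leaves out cannot take part in the decision. A failing Store lookup is also a denial, since Check returns the error rather than treating it as "no permissions".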
Common mistakes
Treating RBAC as a login system
RBAC checks permissions. It does not authenticate users. Use it together with auth.
Unstable permission names
Permission strings become part of business policy. Keep names stable and organized by domain.
Using memory Store for production permissions
Memory Store is useful for examples and tests. Production permissions usually need database-backed storage or your own Store implementation.
API quick reference
rbac.Checker(store, options...) creates a permission checker.
rbac.NewMemoryStore() creates an in-memory Store.
store.AssignRole(subject, roles...) assigns roles to a subject.
store.Grant(role, permissions...) grants permissions to a role.
store.GrantSubject(subject, permissions...) grants permissions directly to a subject.
rbac.Subject(fn) customizes subject resolution.