UNPKG

@loopback/docs

Version:

Documentation files rendered at [https://loopback.io](https://loopback.io)

github.com/loopbackio/loopback-next/tree/master/docs

loopbackio/loopback-next

51 lines (37 loc) 4 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
--- lang: en title: 'RBAC with Authorization System' keywords: LoopBack 4.0, LoopBack 4, Node.js, TypeScript, OpenAPI, Authorization sidebar: lb4_sidebar permalink: /doc/en/lb4/RBAC-with-authorization.html --- To get familiar with the authorization module and each element's responsibility, this page will use the implementation of a RBAC(role-based-access-control) system as example. ## User scenario This is a RBAC system for users to manage their projects and teams. A user can create a project and an associated team, then it becomes the project owner and other users in the team become team members. When a user wants to perform an action to the protected resource, its role and a collection of access control rules makes decision: allowed or denied. ![User scenario](./imgs/authorization-rbac-user-scenario.png) As you can tell from the table, there are different level's permission rules: - class level permission: admin can view all projects. - instance level permission: a project's owner/team member can check its balance. ## Architecture To build such a system, this is a list of what are needed and how to do it: | WHAT ARE NEEDED | HOW TO DO | | ------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | A way to annotate endpoints with permission rules. | **Decorate** your endpoints with permission metadata using `@authorize()`. | | A decision maker that processes the metadata and calls the role resolver. | Create **authorizers** to make decision. They process context like the metadata and the principal resolved from request, then invoke enforcer which talks to 3rd party libraries to calculate the result. | | A role resolver to determine whether the principal have access to the resource. | Create **enforcers** calling 3rd party (casbin in this case) APIs to calculate the decision. | | A 3rd party system manages the role mapping. | Leverage a **[casbin system](https://casbin.org/en/)** to define and understand the role mapping. It consists of: 1. A **model file** describes the shape of request, policy, role mapping, and the decision rules. 2. **Policy files** contains all the policy rules. | | A module to put all parts above together. | Mount component `@loopback/authorization`. | The architecture diagram is: ![RBAC architecture](./imgs/authorization-rbac-architecture.png) ## Tutorial The example is created in repository [access-control-migration](https://github.com/loopbackio/loopback-next/tree/master/examples/access-control-migration), and a tutorial of building it from scratch can be found in [access control example migration](./migration/auth/migration-auth-access-control-example.md).