7d6134424a
|
||
|---|---|---|
| .. | ||
| client | ||
| server | ||
| token | ||
| README.md | ||
README.md
RBAC authorization
This example uses the StaticInterceptor from the google.golang.org/grpc/authz
package. It uses a header based RBAC policy to match each gRPC method to a
required role. For simplicity, the context is injected with mock metadata which
includes the required roles, but this should be fetched from an appropriate
service based on the authenticated context.
Try it
Server requires the following roles on an authenticated user to authorize usage of these methods:
UnaryEchorequires the roleUNARY_ECHO:WBidirectionalStreamingEchorequires the roleSTREAM_ECHO:RW
Upon receiving a request, the server first checks that a token was supplied,
decodes it and checks that a secret is correctly set (hardcoded to super-secret
for simplicity, this should use a proper ID provider in production).
If the above is successful, it uses the username in the token to set appropriate
roles (hardcoded to the 2 required roles above if the username matches super-user
for simplicity, these roles should be supplied externally as well).
Start the server with:
go run server/main.go
The client implementation shows how using a valid token (setting username and
secret) with each of the endpoints will return successfully. It also exemplifies
how using a bad token will result in codes.PermissionDenied being returned
from the service.
Start the client with:
go run client/main.go