# Casbin model for the Gateway permission module.
#
# Multi-tenant RBAC with HTTP path/method matching. The 5th policy column
# (name) is the permission.name (dot notation) so audit logs can attribute
# the matched permission without re-querying the catalog.
#
# Request: (tenant, role, path, method)
# Policy: (tenant, role, path, methods, name)
# Effect: any role/policy that matches → allow
# Matcher: same tenant + same role + path keyMatch2 + method regexMatch
#
# Platform admin bypass is enforced before this matcher (middleware short
# circuit) so it does not appear here. See internal/model/permission/SDD.md
# §3.3 (RBAC Model).
#
# Review notes on the matcher (see [matchers] below):
# - tenant and role are compared by exact, case-sensitive string equality.
#   No [role_definition] (g) is declared, so there is no role inheritance:
#   r.role must already be the effective role of the caller.
# - regexMatch is NOT anchored: p.methods is used as a regular-expression
#   pattern against r.method, so a row with methods = GET also matches any
#   method string that merely contains GET, and an empty methods value
#   matches every method. Write method patterns anchored, e.g.
#   ^(GET|POST)$, and validate this column where policy rows are written,
#   since a .* value grants every method.
# - keyMatch2 is anchored and supports /prefix/* and /items/:id placeholders;
#   a trailing /* also matches further path segments.
# - NOTE(review): assumes the middleware passes a cleaned request path
#   (no query string, .. resolved, // collapsed) — confirm against the caller;
#   the matcher does no normalisation of its own.

# r.tenant and r.role are expected to come from the authenticated session,
# not from request-controlled fields — presumably set by the middleware; verify.
[request_definition]
r = tenant, role, path, method

# No eft column: every policy row is an allow rule. Deny rules cannot be
# expressed in this model; restrictions must be encoded by omitting rows.
[policy_definition]
p = tenant, role, path, methods, name

# Default deny: a request matching no row is rejected. Any single matching
# row is sufficient; row order is irrelevant.
[policy_effect]
e = some(where (p.eft == allow))

# All four conjuncts must hold for the same policy row.
[matchers]
m = r.tenant == p.tenant && r.role == p.role && keyMatch2(r.path, p.path) && regexMatch(r.method, p.methods)