Authorize with Access Control Lists

Distributed Services with Go — by Travis Jeffery (42 / 84)

The Pragmatic Programmers

Authentication is usually half of what you need from your auth process. You authenticate to know who’s behind the client so you can then complete the auth process by authorizing whoever is behind the client for whatever action they’ve attempted. As I mentioned earlier, authorization is the process of verifying what someone has access to.

The simplest way to implement authorization is with an access control list (ACL).[26] An ACL is a table of rules where each row says something like “Subject A is permitted to do action B on object C.” For example: Alice is permitted to read Distributed Services with Go. In this example, Alice is the subject, to read is the action, and Distributed Services with Go is the object.

One of the beautiful things about an ACL is that it’s easy to build. Since it’s just a table, something as simple as a map or a CSV file could back the data — in more complex implementations, a key-value store or relational database would store the data. So building an ACL library from scratch isn’t difficult, but there’s a nice library called Casbin[27] that supports enforcing authorization based on various control models[28] — including ACLs. Plus Casbin is well adopted, tested, and extendable. Casbin is a useful tool to have in your toolkit, so let’s learn how to use it and take…
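As an added example (not code from the book or from Casbin), here is the "table of rules" from this section backed by a CSV-formatted policy and a map, exactly as the paragraph suggests a simple ACL can be: each row is `subject,action,object`, a lookup that finds no row is denied, and a row with the wrong number of fields fails the whole load rather than being silently skipped. The policy rows and the column order are constructed for the example.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// rule is one row of the ACL table: subject may perform action on object.
type rule struct{ subject, action, object string }

// ACL is a deny-by-default table of permit rules.
type ACL struct{ permits map[rule]struct{} }

// NewACLFromCSV builds an ACL from rows of "subject,action,object". A row with
// the wrong field count fails the whole load, so a damaged file cannot silently change grants.
func NewACLFromCSV(policy string) (*ACL, error) {
	r := csv.NewReader(strings.NewReader(policy))
	r.FieldsPerRecord = 3 // encoding/csv rejects any row that is not exactly 3 fields
	rows, err := r.ReadAll()
	if err != nil {
		return nil, err
	}
	acl := &ACL{permits: make(map[rule]struct{})}
	for _, row := range rows {
		acl.permits[rule{row[0], row[1], row[2]}] = struct{}{}
	}
	return acl, nil
}

// Enforce reports whether subject may do action on object; anything unlisted is denied.
func (a *ACL) Enforce(subject, action, object string) bool {
	_, ok := a.permits[rule{subject, action, object}]
	return ok
}

// policy is a constructed sample table, not the book's policy file.
const policy = `alice,read,Distributed Services with Go
bob,read,Distributed Services with Go
bob,write,Distributed Services with Go
`

func main() {
	acl, err := NewACLFromCSV(policy)
	if err != nil {
		panic(err)
	}
	fmt.Println(acl.Enforce("alice", "read", "Distributed Services with Go"))  // true
	fmt.Println(acl.Enforce("alice", "write", "Distributed Services with Go")) // false
}
```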
