
Exposed Casbin APIs

Introduction

Suppose your application's frontend has obtained the access_token of a logged-in user, and you now want to authorize that user for some access. You cannot simply put the access_token in the HTTP request header to call these APIs, because Casdoor checks access permission through the Authorization field. As with the other APIs Casdoor provides, the Authorization field carries the application's client id and client secret using the Basic HTTP authentication scheme: Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>. For this reason the Casbin APIs must be called by the application's backend server, never from the frontend, which would expose the client secret.

For example, with the app-vue-python-example application on the demo site, the authorization header would be: Authorization: Basic 294b09fbc17f95daf2fe dd8982f7046ccba1bbd7851d5c1ece4e52bf039d.

The steps are as follows:

  1. The frontend passes the access_token to the backend server in an HTTP request header.
  2. The backend server retrieves the user id from the access_token.
  3. The backend server calls the Casbin API with the application's client id and secret, using that user id as the request's sub.

Note in advance that, for now, these interfaces are also designed for the (sub, obj, act) model. The request body follows the request format defined by the permission's Casbin model, which generally represents sub, obj and act respectively.

In addition to the API interfaces that request enforcement of permission control, Casdoor provides other interfaces that help external applications obtain permission policy information; these are also listed here.

Enforce

The Enforce API supports multiple query parameters to specify which permission(s) to enforce against. Only one parameter should be provided at a time:

  • permissionId: The identity of a specific permission policy (format: organization name/permission name)
  • modelId: The identity of a permission model (format: organization name/model name) - enforces against all permissions using this model
  • resourceId: The identity of a resource - enforces against all permissions for this resource
  • enforcerId: The identity of a specific enforcer
  • owner: The organization name - enforces against all permissions in this organization

Request using permissionId:

curl --location --request POST 'http://localhost:8000/api/enforce?permissionId=example-org/example-permission' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '["example-org/example-user", "example-resource", "example-action"]'

Request using modelId:

curl --location --request POST 'http://localhost:8000/api/enforce?modelId=example-org/example-model' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '["example-org/example-user", "example-resource", "example-action"]'

Request using resourceId:

curl --location --request POST 'http://localhost:8000/api/enforce?resourceId=example-org/example-resource' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '["example-org/example-user", "example-resource", "example-action"]'

Response:

{
  "status": "ok",
  "msg": "",
  "sub": "",
  "name": "",
  "data": [
    true
  ],
  "data2": [
    "example-org/example-model/example-adapter"
  ]
}

Note: When using modelId, resourceId, enforcerId, or owner parameters, the response data array may contain multiple boolean values (one for each permission that was checked), and data2 contains the corresponding model and adapter identifiers.

BatchEnforce

The BatchEnforce API supports multiple query parameters to specify which permission(s) to enforce against. Only one parameter should be provided at a time:

  • permissionId: The identity of a specific permission policy (format: organization name/permission name)
  • modelId: The identity of a permission model (format: organization name/model name) - enforces against all permissions using this model
  • enforcerId: The identity of a specific enforcer
  • owner: The organization name - enforces against all permissions in this organization

Request using permissionId:

curl --location --request POST 'http://localhost:8000/api/batch-enforce?permissionId=example-org/example-permission' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '[["example-org/example-user", "example-resource", "example-action"], ["example-org/example-user2", "example-resource", "example-action"], ["example-org/example-user3", "example-resource", "example-action"]]'

Request using modelId:

curl --location --request POST 'http://localhost:8000/api/batch-enforce?modelId=example-org/example-model' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '[["example-org/example-user", "example-resource", "example-action"], ["example-org/example-user2", "example-resource", "example-action"]]'

Response:

{
  "status": "ok",
  "msg": "",
  "sub": "",
  "name": "",
  "data": [
    [
      true,
      true,
      false
    ]
  ],
  "data2": [
    "example-org/example-model/example-adapter"
  ]
}

Note: When using modelId, enforcerId, or owner parameters, the response data array may contain multiple arrays of boolean values (one array for each permission that was checked), and data2 contains the corresponding model and adapter identifiers.
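As an added example (not Casdoor's or the demo application's own code), here is a minimal backend-side client in Python that covers the three steps from the introduction together with the Enforce and BatchEnforce calls above. It assumes the endpoints, the permissionId query parameter and the response shapes shown on this page; the class name CasdoorEnforcer, the injectable transport and the fake_casdoor stand-in with its fixed allow-list are hypothetical, constructed for this example so it runs offline. Two things the curl examples do not show: the client secret never leaves the backend, and the response parsing fails closed, treating a missing or malformed data array or a misaligned batch answer as a deny.

```python
"""Backend client for Casdoor's Enforce / BatchEnforce APIs.

Added example, not Casdoor's own code: assumes the endpoints, the permissionId
query parameter and the JSON shapes documented on this page. The transport is
injectable so the module runs offline against the constructed fake_casdoor.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Sequence

Transport = Callable[[str, bytes, Dict[str, str]], bytes]  # (url, body, headers) -> raw reply


def basic_auth_header(client_id: str, client_secret: str) -> str:
    # Casdoor's documented form: the two values separated by a space, not the
    # RFC 7617 base64("id:secret") form. The secret must stay on the backend.
    return f"Basic {client_id} {client_secret}"


def _urllib_transport(url: str, body: bytes, headers: Dict[str, str]) -> bytes:
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:  # real network call
        return resp.read()


class CasdoorError(RuntimeError):
    """Casdoor answered with status != 'ok' (bad credentials, unknown permission, ...)."""


class CasdoorEnforcer:  # hypothetical name, this example's own
    def __init__(self, endpoint: str, client_id: str, client_secret: str,
                 permission_id: str, transport: Transport = _urllib_transport):
        self.endpoint = endpoint.rstrip("/")
        self.permission_id = permission_id  # "<organization>/<permission>"
        self.headers = {"Content-Type": "application/json",
                        "Authorization": basic_auth_header(client_id, client_secret)}
        self.transport = transport

    def _post(self, path: str, payload) -> dict:
        query = urllib.parse.urlencode({"permissionId": self.permission_id})
        raw = self.transport(f"{self.endpoint}{path}?{query}",
                             json.dumps(payload).encode(), self.headers)
        resp = json.loads(raw)
        if resp.get("status") != "ok":
            raise CasdoorError(resp.get("msg") or "unknown error")
        return resp

    def enforce(self, sub: str, obj: str, act: str) -> bool:
        """One (sub, obj, act) check; anything unexpected is a deny."""
        data = self._post("/api/enforce", [sub, obj, act]).get("data")
        # With permissionId there is exactly one boolean; with modelId/owner
        # Casdoor returns one per permission checked. Demanding an explicit
        # True from every entry is this example's conservative choice.
        if not isinstance(data, list) or not data:
            return False
        return all(d is True for d in data)

    def batch_enforce(self, requests: Sequence[Sequence[str]]) -> List[bool]:
        """Many checks in one round trip; result[i] answers requests[i]."""
        data = self._post("/api/batch-enforce", [list(r) for r in requests]).get("data")
        results = data[0] if isinstance(data, list) and data else None
        if not isinstance(results, list) or len(results) != len(requests):
            return [False] * len(requests)  # misaligned rows would grant the wrong user
        return [r is True for r in results]


# ---- constructed offline stand-in for a Casdoor server (demo only) ----
_FAKE_POLICY = {  # constructed allow-list of (sub, obj, act)
    ("example-org/example-user", "example-resource", "example-action"),
    ("example-org/example-user2", "example-resource", "example-action"),
}


def fake_casdoor(url: str, body: bytes, headers: Dict[str, str]) -> bytes:
    """Replies in the documented JSON shape using _FAKE_POLICY."""
    if not headers.get("Authorization", "").startswith("Basic "):
        return json.dumps({"status": "error", "msg": "missing credentials"}).encode()
    path, payload = urllib.parse.urlparse(url).path, json.loads(body)
    if path == "/api/enforce":
        data = [tuple(payload) in _FAKE_POLICY]
    elif path == "/api/batch-enforce":
        data = [[tuple(req) in _FAKE_POLICY for req in payload]]
    else:
        return json.dumps({"status": "error", "msg": "unknown path"}).encode()
    return json.dumps({"status": "ok", "msg": "", "data": data,
                       "data2": ["example-org/example-model/example-adapter"]}).encode()


if __name__ == "__main__":
    e = CasdoorEnforcer("http://localhost:8000", "<ClientId>", "<ClientSecret>",
                        "example-org/example-permission", transport=fake_casdoor)
    print(e.enforce("example-org/example-user", "example-resource", "example-action"))
    print(e.batch_enforce([["example-org/example-user", "example-resource", "example-action"],
                           ["example-org/example-user2", "example-resource", "example-action"],
                           ["example-org/example-user3", "example-resource", "example-action"]]))
```

Run as a script it exercises the fake; leaving transport at its default sends the same requests to a real Casdoor. The value passed as sub is the "<organization>/<user>" id the backend obtained from the access_token in step 2; verifying that token is outside this example.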

GetAllObjects

This API retrieves all objects (resources) that a user has access to. It accepts an optional userId parameter. If not provided, it uses the logged-in user's session.

Request with userId parameter:

curl --location --request GET 'http://localhost:8000/api/get-all-objects?userId=example-org/example-user' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'

Request using session (userId determined from session):

curl --location --request GET 'http://localhost:8000/api/get-all-objects' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'

Response:

{
  "status": "ok",
  "msg": "",
  "data": [
    "app-built-in",
    "example-resource"
  ]
}

GetAllActions

This API retrieves all actions that a user can perform. It accepts an optional userId parameter. If not provided, it uses the logged-in user's session.

Request with userId parameter:

curl --location --request GET 'http://localhost:8000/api/get-all-actions?userId=example-org/example-user' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'

Request using session (userId determined from session):

curl --location --request GET 'http://localhost:8000/api/get-all-actions' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'

Response:

{
  "status": "ok",
  "msg": "",
  "data": [
    "read",
    "write",
    "admin"
  ]
}

GetAllRoles

This API retrieves all roles assigned to a user. It accepts an optional userId parameter. If not provided, it uses the logged-in user's session.

Request with userId parameter:

curl --location --request GET 'http://localhost:8000/api/get-all-roles?userId=example-org/example-user' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'

Request using session (userId determined from session):

curl --location --request GET 'http://localhost:8000/api/get-all-roles' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'

Response:

{
  "status": "ok",
  "msg": "",
  "data": [
    "role_kcx66l"
  ]
}
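As an added example (not Casdoor's own code), the following Python helper fetches the three lists above for one user in a single call, for instance to render a per-user access review. It assumes the GET endpoints and the response shape documented here; user_permission_summary, the transport hook and the fake_casdoor_get stand-in with its constructed data are this example's own. Because the backend authenticates with the application's client id and secret rather than with the end-user's login session, it always passes userId explicitly instead of relying on the session fallback, and it rejects ids that are not in the "<organization>/<user>" form before making any request.

```python
"""Read a user's effective objects, actions and roles from Casdoor.

Added example, not Casdoor's own code: assumes the three GET endpoints and the
response shape documented on this page. The backend authenticates with the
application's client id and secret, which is not the end-user's login session,
so userId is always passed explicitly rather than relying on the session
fallback. The transport is injectable so it runs offline against the
constructed fake_casdoor_get.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

Transport = Callable[[str, Dict[str, str]], bytes]  # (url, headers) -> raw reply

_PATHS = {"objects": "/api/get-all-objects",
          "actions": "/api/get-all-actions",
          "roles": "/api/get-all-roles"}


def _urllib_get(url: str, headers: Dict[str, str]) -> bytes:
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=5) as resp:  # real network call
        return resp.read()


def user_permission_summary(endpoint: str, client_id: str, client_secret: str,
                            user_id: str, transport: Transport = _urllib_get) -> Dict[str, List[str]]:
    """Return {'objects': [...], 'actions': [...], 'roles': [...]} for user_id ('<org>/<user>')."""
    if user_id.count("/") != 1 or user_id.startswith("/") or user_id.endswith("/"):
        raise ValueError("userId must be '<organization>/<user>'")
    headers = {"Authorization": f"Basic {client_id} {client_secret}"}  # documented form
    summary: Dict[str, List[str]] = {}
    for key, path in _PATHS.items():
        query = urllib.parse.urlencode({"userId": user_id})  # explicit user, never the session
        resp = json.loads(transport(f"{endpoint.rstrip('/')}{path}?{query}", headers))
        if resp.get("status") != "ok" or not isinstance(resp.get("data"), list):
            raise RuntimeError(f"{path}: {resp.get('msg') or 'unexpected response'}")
        summary[key] = sorted(str(item) for item in resp["data"])
    return summary


# ---- constructed offline stand-in for a Casdoor server (demo only) ----
_FAKE_USERS = {  # constructed data, shaped like the responses above
    "example-org/example-user": {
        "/api/get-all-objects": ["app-built-in", "example-resource"],
        "/api/get-all-actions": ["read", "write", "admin"],
        "/api/get-all-roles": ["role_kcx66l"],
    },
}


def fake_casdoor_get(url: str, headers: Dict[str, str]) -> bytes:
    if not headers.get("Authorization", "").startswith("Basic "):
        return json.dumps({"status": "error", "msg": "missing credentials"}).encode()
    parts = urllib.parse.urlparse(url)
    if parts.path not in _PATHS.values():
        return json.dumps({"status": "error", "msg": "unknown path"}).encode()
    user_id = urllib.parse.parse_qs(parts.query).get("userId", [""])[0]
    data = _FAKE_USERS.get(user_id, {}).get(parts.path, [])  # unknown user: empty list (fake's choice)
    return json.dumps({"status": "ok", "msg": "", "data": data}).encode()


if __name__ == "__main__":
    print(user_permission_summary("http://localhost:8000", "<ClientId>", "<ClientSecret>",
                                  "example-org/example-user", transport=fake_casdoor_get))
```

The three lists are sorted so that two runs for the same user diff cleanly; a status other than "ok" or a non-list data field aborts the whole summary rather than yielding a partial picture.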

RunCasbinCommand

This API executes Casbin CLI commands and returns their output. It's designed for running language-specific Casbin command-line tools through Casdoor's backend, supporting languages like Java, Go, Node.js, Python, and others.

The API includes an in-memory cache that stores command results for 5 minutes. When the same command is executed with identical parameters, the cached result is returned immediately without re-executing the command, improving response times and reducing server load.

Request:

curl --location --request GET 'http://localhost:8000/api/run-casbin-command?language=go&args=%5B%22-v%22%5D' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'

Parameters:

  • language: The programming language for the Casbin CLI (e.g., go, java, node, python)
  • args: A JSON-encoded array of command-line arguments (e.g., ["-v"] for version, ["new"] for creating new files). Note: URL-encode the JSON array when using it as a query parameter

Response:

{
  "status": "ok",
  "msg": "",
  "data": "casbin version 2.x.x"
}

The cache key is generated from the language and arguments, so different commands are cached independently. Expired entries are automatically cleaned up to prevent memory growth.