This is a prototype implementation of RBAC for testing purposes.
Originally, we wanted to use RBAC with user roles and resource roles (sample model / sample policy).
For example:
p, free, exports, GET
p, free_to_paid, exports, GET
p, unlimited, exports, GET
g2, /v1/exports/download/:namespace/:project, exports
g2, /v1/exports/meta/*, exports
However, this turned out to be difficult, as our resources/APIs need object wildcard matching as well as group checking.
For example, a request from user1, belonging to group free, accessing /v1/exports/download/0/enwiki.
Instead, we have implemented RBAC with transitive user roles (sample policy), since our users do not have wildcards. This worked.
p, exports, /v1/exports/download/:namespace/:project, GET
p, exports, /v1/exports/meta/*, GET
g, free, exports
g, free_to_paid, exports
g, unlimited, exports
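As an added illustration (not part of the original note and not Casbin's own code), the following minimal Python evaluator runs the transitive-role policy above. It assumes a matcher of the form g(r.sub, p.sub) && keyMatch2(r.obj, p.obj) && r.act == p.act, exact-string role links as in Casbin's default role manager, and one assumed user link g, user1, free; the RESOURCE_LINKS table at the end shows why the earlier resource-role (g2) approach could not match a concrete request path against a pattern link.

```python
import re
from collections import deque

# Constructed sample policy: the note's transitive-role rules plus one assumed
# user-to-group link (user1 in group free). Not Casbin's own code.
POLICY = """
p, exports, /v1/exports/download/:namespace/:project, GET
p, exports, /v1/exports/meta/*, GET
g, free, exports
g, free_to_paid, exports
g, unlimited, exports
g, user1, free
"""

def key_match2(key1, key2):
    """Equivalent of Casbin keyMatch2: '*' matches anything, ':name' one path segment."""
    parts = re.split(r"(\*|:[A-Za-z0-9_]+)", key2)
    pattern = "".join(".*" if p == "*" else "[^/]+" if p.startswith(":") else re.escape(p)
                      for p in parts)
    return re.fullmatch(pattern, key1) is not None

def parse_policy(text):
    """Split CSV policy lines into p rules and a name -> roles link table (g lines)."""
    rules = [[f.strip() for f in line.split(",")] for line in text.strip().splitlines()]
    links = {}
    for r in rules:
        if r[0] == "g":
            links.setdefault(r[1], set()).add(r[2])
    return [r[1:] for r in rules if r[0] == "p"], links

def has_role(links, name, role, max_hops=10):
    """Transitive role check (Casbin g): BFS over the link table using exact string keys,
    as the default role manager does, so a concrete path never matches a pattern link."""
    seen, queue = {name}, deque([(name, 0)])
    while queue:
        cur, depth = queue.popleft()
        if cur == role:
            return True
        if depth < max_hops:
            queue.extend((n, depth + 1) for n in links.get(cur, ()) if n not in seen)
            seen.update(links.get(cur, ()))
    return False

def enforce(sub, obj, act, policy=POLICY):
    """Matcher: g(r.sub, p.sub) && keyMatch2(r.obj, p.obj) && r.act == p.act."""
    p_rules, links = parse_policy(policy)
    return any(has_role(links, sub, p_sub) and key_match2(obj, p_obj) and act == p_act
               for p_sub, p_obj, p_act in p_rules)

# The abandoned resource-role approach: g2 links a *pattern* to the role "exports",
# so an exact lookup of the concrete request path finds no link at all.
RESOURCE_LINKS = {"/v1/exports/download/:namespace/:project": {"exports"},
                  "/v1/exports/meta/*": {"exports"}}
```

With the real Casbin role manager, the g2 approach would additionally need a matching function registered on the role manager; the transitive user-role policy avoids that because role names are plain strings.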