Wolf is a versatile Role-Based Access Control (RBAC) authority system, suitable for all HTTP applications, offering unified authorization and access control functionalities.
It addresses the common issue within companies where various backend services and their corresponding management interfaces have disparate account systems and authority modules. This redundancy leads to resource wastage and management disarray, particularly when different teams develop these systems. Wolf enables a consolidated account and authorization management across diverse platforms and systems without necessitating any modifications to existing systems.
The Wolf system has the following main features:
- Language Independent: Applicable to any HTTP application, including pure static web pages, JSP, PHP, ASP, Python, Node.js, and other web systems
- Low Coupling & Non-intrusive: New applications can be integrated without modifications, managing resource permissions at the proxy layer
- Supports both Restful interfaces and purely HTML applications rendered on the backend
- Authentication Sources:
- Password Authentication: Using internally stored usernames and passwords
- LDAP Authentication: User authentication through external LDAP servers
- Authentication Protocols:
- JWT (JSON Web Token): For generating and verifying access tokens
- HTTP Basic Auth: Supports basic authentication with username and password
- Authorization Protocol:
- OAuth 2.0: Supports login and authorization using Wolf accounts for other applications
- Built-in management console (console module): Manages applications, users, roles, permissions, and resources
- Supports access log recording and querying, facilitating auditing and issue tracing
- Supports viewing RBAC object relationship charts for applications
- Supports advanced radixtree routing for high-performance, complex URL matching
- Compatible with PostgreSQL and MySQL databases
- Supports integration with APISIX gateway
- Three main modules:
- Wolf-Server: Service implementation and backend management functionality
- Wolf-Console: Frontend code for the management console
- Wolf-Agent: RBAC Access Check proxy
-
Applications: Supports multiple applications, each with distinct permissions, roles, and resources. Allows viewing of RBAC object relationship charts for each application.
-
Users: Shared across the entire system. User-specific authorizations include:
- Administrator Permissions: Users set as administrators can log into the
Consolebackend for application management. - Application List: Users can be assigned zero to multiple applications. The meaning varies based on user type:
- For admin users, it indicates which applications they can manage.
- For non-admin users, it indicates which applications they can log into and use.
- Roles: Users can be assigned multiple roles, accumulating permissions from all roles.
- Permissions: Direct permission assignments are possible, deviating from typical RBAC models.
- Administrator Permissions: Users set as administrators can log into the
-
Roles: Can include a set of permissions.
-
Permission Categories: A way to categorize (group) permissions for easier management, typically aligned with major functional modules. In the system's permission selection box, permissions are displayed grouped by category.
-
Permissions: Have a one-to-many relationship with resources. A resource can be assigned one permission, or multiple resources can share the same permission.
-
Resources: Primarily refers to HTTP requests. A resource is uniquely identified by
Match Type+Name+Action. Key attributes include:- Match Type:
- Without
radixtreerouting: URL matching methods includeExact Match,Suffix Match, andPrefix Match. - With
radixtreerouting: Supportsradixtreemode, implementingExact Match,Suffix Match, andPrefix Matchthrough name syntax.
- Without
- Name: Refers to the HTTP URL.
- Without
radixtreerouting: ForExact MatchandPrefix Match, usually starts with/. ForSuffix Match, typically a common resource suffix like.jpg,.js. Wildcards or regex not supported. - With
radixtreerouting: Default is exact match. Use*for prefix match:/foo*matches/foobarbut not/foo/bar. Use**for any match:/foo**matches/foo/barand/foo/car/far. Use**for suffix match:**.jpgmatches/images/photo.jpgand/uploads/profile.jpg.
- Without
- Action: Refers to the HTTP method.
ALLmatches all methods. - Permission: Indicates the permission required to access the resource. Two built-in permissions:
Allow Allmeans all users can access,Deny Allmeans no user can access.
- Match Type:
-
Audit Log: Records all access through the system (including
Wolf-Consoleand applications managed by the system). Main information recorded:- User ID, username, user nickname;
- Access date, time, and IP of the accessor;
- HTTP method and URL;
- Matched resource;
- Access response status code;
- Request parameters or request body (only supported for
Wolf-Consolerecords).
- Extensive test cases with over 90% code coverage
- Resource matching supports different priority rules:
- Priority of
Match Typefrom high to low: Exact Match, Suffix Match, Prefix Match. - Action (HTTP method) priority: ALL has lower priority, other methods (like GET, POST, PUT) have equal priority but higher than ALL.
- Name (HTTP URL) priority relates to URL length; longer URLs have higher priority.
- Priority of
Note: URLs in this system refer only to the path part of the standard URL, excluding domain name, port, and parameter parts
- Server: Utilizes NodeJS, KOA, Sequelize, JWT
- Console: Employs VueJS, Element, Babel, NodeJS
- Agent: Powered by OpenResty(ngx_lua)
- Database: Supports PostgreSQL.
- Cache: Incorporates Redis.
 |
|---|
| Application List |
 |
|---|
| Application, User, Role, Permission Relations |
 |
|---|
| User Management |
 |
|---|
| Role Management |
 |
|---|
| Details of the Role's Permissions/Permissions Grouping Display |
 |
|---|
| Permission Management |
 |
|---|
| Audit Log |
 |
|---|
| Client Login |
 |
|---|
| Main Page (Note: Added information bar at top.) |
 |
|---|
| No Permission Page |