casbin / casbin


An authorization library that supports access control models like ACL, RBAC, ABAC in Golang: https://discord.gg/S5UjpzGZjN

Home Page: https://casbin.org

License: Apache License 2.0

Go 99.95% Makefile 0.05%
casbin go access-control authorization rbac abac acl auth authz permission authentication authn casdoor iam sso cas identity oauth oidc saml


casbin's Issues

In-memory (read-only?) policy adapter

Is there an in-memory implementation of the policy adapter which I can fill manually? I would prefer not to use files to store the 4 or 5 roles I'm just about to create.

Performance

I'm still trying to get my head around the model of casbin, but I already have some concerns about its performance when used with a lot of users.

Given I have an increasing number of users (1000+) and an increasing number of entities (1000+) and I want to grant access to these entities based on certain rules (casbin), how can I ensure that my Go application won't behave as a Java application at some point eating up all the available RAM in the whole data center?

As far as I can see, casbin always loads the whole set of rules into memory; there is no dynamic lookup.

Another concern regarding the number of entities/users: the more data I have, the more changes I receive, meaning I have to reload policies frequently.

How does casbin perform in such scenarios? Can this mean that casbin might not be a perfect fit for my use case?

Thanks in advance!

Question: Why does the config file contain assignments?

This might not be the appropriate channel for questions, but I couldn't find one.

I'm trying to understand the config file at a deeper level, but I'm having trouble understanding why the config files contain assignments. For example:

# Request definition
[request_definition]
r = sub, obj, act

# Policy definition
[policy_definition]
p = sub, obj, act

# Policy effect
[policy_effect]
e = some(where (p.eft == allow))

# Matchers
[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act

Why is r, p, e, m necessary?
Do they have special meaning?
Is there an example where you could have multiple policy effects or multiple matchers?
Can you have multiple request definitions?
When you have multiple policy definitions, e.g. p1 and p2, does p inside the policy effect map to both p1 and p2?

It would be nice to either document those things or simplify the syntax so that it communicates better the usage, flexibility and limits of the system.

New release?

Sorry for creating this issue, but just a reminder to bump the version once the migration to the casbin organisation is done. The problem is that current Go dependency managers won't work correctly with github.com/casbin/casbin, as they will use the latest version by default, 0.5.0, which still refers to the old repository location.

Thanks for great library :)

role inheritance doesn't work for more than 1 level

Hello,

Please help me check why the following code does not run correctly:

Code:

ce := casbin.NewEnforcer(...)

ce.AddRoleForUser("admin", "administrator")
ce.AddRoleForUser("administrator", "feedback")
ce.AddPolicy([]string{"feedback", "/api/v1/feedback", "*"})

ce.Enforce("admin", "/api/v1/feedback", "*")
ce.Enforce("administrator", "/api/v1/feedback", "*")

Model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && (r.act == p.act || p.act == "*")

Log:

2017/06/14 16:37:45 Model:
2017/06/14 16:37:45 r.r: sub, obj, act
2017/06/14 16:37:45 p.p: sub, obj, act
2017/06/14 16:37:45 e.e: some(where (p_eft == allow))
2017/06/14 16:37:45 m.m: g(r_sub, p_sub) && keyMatch(r_obj, p_obj) && (r_act == p_act || p_act == "*")
2017/06/14 16:37:45 g.g: _, _
2017/06/14 16:37:46 Policy:
2017/06/14 16:37:46 p: sub, obj, act: [[feedback /api/v1/feedback *]]
2017/06/14 16:37:46 g: _, _: [[admin administrator] [administrator feedback]]
2017/06/14 16:37:46 Role links for: g
2017/06/14 16:37:46 administrator < feedback
2017/06/14 16:37:46 feedback < 
2017/06/14 16:37:46 admin < administrator
2017/06/14 16:37:46 Role links for: g
2017/06/14 16:37:46 admin < administrator
2017/06/14 16:37:46 administrator < 
2017/06/14 16:37:46 Role links for: g
2017/06/14 16:37:46 admin < administrator
2017/06/14 16:37:46 administrator < feedback
2017/06/14 16:37:46 feedback < 
2017/06/14 16:37:46 Request [admin /api/v1/feedback *]: false
2017/06/14 16:37:46 Request [administrator /api/v1/feedback *]: true

The expected result is that user "admin", who is in group "administrator", can use the "feedback" API.

Regards,

Anh

Dynamic route permissions

Using pressly/chi, if I have routes like the following:

r.Route("/test", func(r chi.Router) {
	r.Get("/:id", func(w http.ResponseWriter, r *http.Request){
		id := chi.URLParam(r, "id")
		log.Print(id)
		w.Write([]byte(id))
	})
	r.Get("/all", func(w http.ResponseWriter, r *http.Request){
		log.Print("all")
		w.Write([]byte("all."))
	})
})

How would I go about allowing users to access /:id/ but not /all and vice versa?
Currently I am trying to do

e := &casbin.Enforcer{}
// Uses the example RESTful model posted in examples
e.InitWithFile("/home//authz_model.conf", "")
e.AddPermissionForUser("dataset1_admin1","/test/*/","GET")

But this gives permissions to both routes.
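Why "/test/*/" covers both routes, as an added example that is not part of this issue or of casbin's own code. It re-implements the documented prefix semantics of casbin's keyMatch and the ":param" idea of keyMatch2 in plain Go (the function bodies, the rule type and the grantedBy helper are mine, written for illustration):

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// keyMatch re-implements the semantics of casbin's built-in keyMatch: the first '*'
// in the pattern swallows everything after it, so the pattern is really a prefix
// match. "/test/*/" therefore matches "/test/all" just as well as "/test/42".
func keyMatch(key1, key2 string) bool {
	i := strings.Index(key2, "*")
	if i == -1 {
		return key1 == key2
	}
	if len(key1) > i {
		return key1[:i] == key2[:i]
	}
	return key1 == key2[:i]
}

// paramSegment finds ":id"-style segments in a keyMatch2 pattern.
var paramSegment = regexp.MustCompile(`:[^/]+`)

// keyMatch2 follows the keyMatch2 idea: "/*" becomes "/.*" and a ":param" segment
// becomes "[^/]+", then the whole pattern is anchored and applied as a regular
// expression. Note that ":id" still accepts the literal segment "all".
func keyMatch2(key1, key2 string) bool {
	key2 = strings.ReplaceAll(key2, "/*", "/.*")
	key2 = paramSegment.ReplaceAllString(key2, "[^/]+")
	return regexp.MustCompile("^" + key2 + "$").MatchString(key1)
}

// rule pairs a policy object pattern with the matching function the model uses for it.
type rule struct {
	pattern string
	match   func(key1, key2 string) bool
}

// grantedBy returns every pattern that would let a request for path through.
func grantedBy(path string, rules []rule) []string {
	var hits []string
	for _, r := range rules {
		if r.match(path, r.pattern) {
			hits = append(hits, r.pattern)
		}
	}
	return hits
}

func main() {
	rules := []rule{
		{"/test/*/", keyMatch},   // the pattern tried in the question
		{"/test/:id", keyMatch2}, // a chi-style parameter pattern
		{"/test/all", keyMatch},  // an exact rule: the only one that singles out /all
	}
	for _, p := range []string{"/test/42", "/test/all"} {
		fmt.Printf("%-10s granted by %v\n", p, grantedBy(p, rules))
	}
}
```

Everything after the first * is ignored, so the trailing slash in "/test/*/" changes nothing, and "all" is itself a valid :id value, so no positive pattern can separate the two chi routes on its own. Give the collection route a rule of its own ("/test/all"), let the policy effect decide (for example a deny rule for users who may only use /:id together with an effect that honours deny), or move the collection route under a distinct prefix.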

Is there any storage backend support? e.g. mongo. redis.

Is there any storage backend support? e.g. mongo. redis.

Hi @guijun, Casbin is a new authorization library which supports flexible access control models like ACL, RBAC, ABAC.

Casbin supports persisting the policy in database, including RDBMS (like MySQL) and No-SQL (like Cassandra). Let me know if you have any questions:)

Graph-based datastore

Do you have any intention of supporting graph-based databases, e.g. dgraph or cayley?

Turn off Log.Print

I noticed there are a couple of log.Print calls in loading the model and policy config. There should be an environment variable to control this log so that developers can switch it on/off between dev and prod versions.

Field-level control

Hello, thank you very much for providing this extension; it has saved me a great deal of time.
While using it I ran into the following problem. The scenario is:
We use a RESTful style. Say there is a users resource with the fields id, name, pass and wechat. We want to forbid users from doing GET->pass while allowing PUT->wechat.
Is there a way to implement this?

combine ABAC and RBAC

Hi
I want to combine these two models: some roles may have owner permission and should only access their very own data, while some other roles can access data regardless of whether they are the owner or not.
How can I achieve that?

Provide a way to silence panics

Hi,

While writing a module using casbin I figured it is required to recover from panics when using casbin, to provide a user with a meaningful error message instead of a stack trace, e.g.:

// Requires importing "fmt" alongside the casbin and unversioned packages.
func (c *CasbinResource) IsAuthorized(*unversioned.UserSpec, *unversioned.ResourceSpec) (allowed bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			// recover() yields interface{}; a library may panic with a string, so a bare
			// r.(error) assertion would itself panic. Convert whatever was thrown.
			if e, ok := r.(error); ok {
				err = e
			} else {
				err = fmt.Errorf("casbin: %v", r)
			}
			allowed = false
		}
	}()
	allowed = c.casbin.Enforce(`something`)
	return
}

I was wondering if it is possible to provide an option for casbin not to panic when inputs required for Casbin are in wrong format?

Hardcoded policy effect of model

Hey!

I had some issues with understanding the policy effect.
First, it was not clear that this effect is only important when there are multiple matching policies. I finally understood that when viewing the code.
But that left me with another question: why did you implement the policy effects in such a complicated way when you just have four different cases?
Do you plan to expand the policy effect cases in the future and use govaluate as well?

Anyway, it would be cool if this were more obvious when reading the docs! Because I tried to play around with deny/allow and some/any, but nothing went as expected. :)

thanks

Support parameterized RBAC

It would be nice to support parameterized RBAC. This would allow the ability to define fine-grained roles and permissions to support things like object level permissions and roles.

Here's a django implementation: https://github.com/dimagi/django-prbac

Hi @F21, Casbin is a new authorization library which supports flexible access control models like ACL, RBAC, ABAC.

In my view, PRBAC is just like ABAC, Attribute-Based Access Control, because we can view the parameters of roles and privileges as attributes of subjects and objects. Either way, Casbin is able to support ABAC and RBAC. This is the built-in support, so you don't need to write any code for it. Of course, you can specify your own function to determine the access. Let me know if you have any questions:)

RoleManager interface to provide custom implementations

I'm looking to determine if it would be agreeable to switch from RoleManager the struct to RoleManager the interface.

type RoleManager interface {
    AddLink(name1 string, name2 string, domain ...string)
    DeleteLink(name1 string, name2 string, domain ...string)
    HasLink(name1 string, name2 string, domain ...string) bool
    GetRoles(name string, domain ...string) []string
    GetUsers(name string) []string
    PrintRoles()
}

And the current implementation of RoleManager could become the default implementation.

The only directly impacted part of the code would be
https://github.com/casbin/casbin/blob/master/model/assertion.go

The attribute RM would be the interface rbac.RoleManager instead of a pointer to an instance of RoleManager. And the implementation of buildRoleLinks()

ast.RM = rbac.NewRoleManager(10)
would need a different method for getting a RoleManager to allow a different implementation.

I can start by submitting a PR with the change, and get additional feedback if the above is agreeable.
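The interface above, implemented as a self-contained illustration (added here; it is not casbin's own role manager nor code from this issue): a role graph walked breadth-first with a hop limit, in the spirit of the rbac.NewRoleManager(10) call quoted above. It also replays the admin -> administrator -> feedback chain from the "role inheritance doesn't work for more than 1 level" issue, to show how a hop limit rather than the links themselves can make a two-level chain resolve to false. The graphRoleManager, NewGraphRoleManager, key and feedbackChain names are my own.

```go
package main

import "fmt"

// RoleManager is the interface proposed in the issue above, reproduced as-is.
type RoleManager interface {
	AddLink(name1 string, name2 string, domain ...string)
	DeleteLink(name1 string, name2 string, domain ...string)
	HasLink(name1 string, name2 string, domain ...string) bool
	GetRoles(name string, domain ...string) []string
	GetUsers(name string) []string
	PrintRoles()
}

// graphRoleManager is an illustrative implementation, not casbin's own: a graph of
// "node holds role" edges walked breadth-first for at most maxHierarchyLevel hops.
// An optional domain is folded into the node key as "domain::name".
type graphRoleManager struct {
	maxHierarchyLevel int
	roles             map[string]map[string]bool // node -> roles it holds directly
}

func NewGraphRoleManager(maxHierarchyLevel int) RoleManager {
	return &graphRoleManager{maxHierarchyLevel, map[string]map[string]bool{}}
}

func key(name string, domain []string) string {
	if len(domain) == 0 {
		return name
	}
	return domain[0] + "::" + name
}

func (rm *graphRoleManager) AddLink(name1, name2 string, domain ...string) {
	k := key(name1, domain)
	if rm.roles[k] == nil {
		rm.roles[k] = map[string]bool{}
	}
	rm.roles[k][key(name2, domain)] = true
}

func (rm *graphRoleManager) DeleteLink(name1, name2 string, domain ...string) {
	delete(rm.roles[key(name1, domain)], key(name2, domain))
}

// HasLink: does name1 hold name2, directly or through other roles? The visited set makes
// it cycle-safe; the hop limit bounds the walk, and a limit that is too small silently
// turns a valid multi-level chain into false, which is the first thing to check.
func (rm *graphRoleManager) HasLink(name1, name2 string, domain ...string) bool {
	start, target := key(name1, domain), key(name2, domain)
	if start == target {
		return true
	}
	visited := map[string]bool{start: true}
	frontier := []string{start}
	for hop := 0; hop < rm.maxHierarchyLevel && len(frontier) > 0; hop++ {
		var next []string
		for _, n := range frontier {
			for role := range rm.roles[n] {
				if role == target {
					return true
				}
				if !visited[role] {
					visited[role] = true
					next = append(next, role)
				}
			}
		}
		frontier = next
	}
	return false
}

// GetRoles lists the roles held directly (one hop), in map order.
func (rm *graphRoleManager) GetRoles(name string, domain ...string) []string {
	var out []string
	for r := range rm.roles[key(name, domain)] {
		out = append(out, r)
	}
	return out
}

// GetUsers lists every node that directly holds the given role.
func (rm *graphRoleManager) GetUsers(name string) []string {
	var out []string
	for holder, held := range rm.roles {
		if held[name] {
			out = append(out, holder)
		}
	}
	return out
}

func (rm *graphRoleManager) PrintRoles() { fmt.Println(rm.roles) }

// feedbackChain rebuilds admin -> administrator -> feedback from the role-inheritance
// issue and reports whether admin reaches feedback under the given hop limit.
func feedbackChain(maxHierarchyLevel int) bool {
	rm := NewGraphRoleManager(maxHierarchyLevel)
	rm.AddLink("admin", "administrator")
	rm.AddLink("administrator", "feedback")
	return rm.HasLink("admin", "feedback")
}

func main() { fmt.Println("limit 10:", feedbackChain(10), "limit 1:", feedbackChain(1)) }
```

With a limit of 10 the chain resolves, with a limit of 1 it does not, and neither outcome is visible in the printed role links, which is why a silent depth cap is worth ruling out before suspecting the links. A visited set is needed as soon as roles can be added at runtime, since nothing stops a caller from creating a cycle.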

SQL backed RBAC

Maybe this is possible and I am just not clear on how I would implement it. Is it possible for me to save/load my role and permission data out of a mysql database (or another type of DB)?

Hi @swill, Casbin is a new authorization library which supports flexible access control models like ACL, RBAC, ABAC.

Casbin supports persisting the policy in database, including RDBMS (like MySQL) and No-SQL (like Cassandra). Let me know if you have any questions:)

No Go files in redis adapter

Hi, I'd like to develop with your library using Redis, but in the repo for that there's nothing to use, just a README and nothing else.
If it is not ready yet, I think it is a good idea to remove that item from the main README.
Thanks and greetings ✋

What do matchers mean? What happens if both p and p2 are matched at the same time?

As the title says, the documentation on matchers is not clear.
1:

[policy_definition]
p = sub, obj, act
p2 = sub, act

[matchers]
m = r.sub == p.sub && r.sub == p2.sub 

Which one does this actually match?

2:

m1 = r.sub == p.sub
m2 = r.sub == p2.sub 

What do two matchers like this mean? Which policy gets matched?

3:
And once something is matched, is that an allow?

[policy_effect]
e = some(where (p.eft == allow))

Where does the eft in p.eft come from? What is eft equal to?

I've been reading for an hour and still don't get it. Could you write out the flow? What is match for, which rule gets matched, is a match an allow or a deny, and what happens when several rules match?

Question how to use regex matching in role definition

Let's say I have a role definition:

[request_definition]
r = user, group,  path, verb

[role_definition]
g = _, _, _

[matchers]
m = g(r.user, r.group, "admin")

and in my policy:

g, ideahitme, *, admin

so the idea is, if I get a request with user ideahitme and any group, this user should be treated as admin. How would I go about implementing this? I saw regexMatch but I'm not sure how it can be invoked in this scenario. I guess I could do it differently by changing the g semantics to only consider the user and entirely drop the group, but is this the only workaround?

Another question would be whether I can only use g, g1, g2, ... as names for my role definitions. Is this a common convention?

Thanks in advance :)

more documentation on the conf file syntax for casbin

Hi @smousa,

Sorry for the delay on Gitter, I didn't set up a notification for new Gitter messages, but I have one now:) I will answer your question here.

Do you have more documentation on the conf file syntax for casbin? For example, what sections and functions (see https://github.com/casbin/casbin/blob/master/examples/keymatch_model.conf#L11) are available?

The conf file syntax is described here: https://github.com/casbin/casbin#syntax-for-models

Also, it would be good to know whether custom functions can be configured and how to do that.

Built-in functions are here: https://github.com/casbin/casbin/blob/master/model.md#functions-in-matchers

And customized functions are also supported by casbin, see here: https://github.com/casbin/casbin/blob/master/model.md#how-to-add-a-customized-function

And can you describe this syntax here: https://github.com/casbin/casbin/blob/master/examples/keymatch_model.conf#L8

Policy effect is described here: https://github.com/casbin/casbin/blob/master/model.md#policy-effect

Multilevel permissions

I am working on an API that involves interacting with models in a database. Users have either guest, owner or admin roles on the data and have create, read, update and delete permissions on the data. Each of those is different for each model, and each model only allows access to specific fields.

Example:
The user model has full CRUD, but only certain fields can be directly manipulated by owners, and there are only read permissions on some minimal values for guests. How would I go about using gorbac for my use case?

Hi @abrykajlo Casbin is a new authorization library which supports flexible access control models like ACL, RBAC, ABAC.

Based on the requirement, I think Casbin fits in your scenario. Let me know if you have any questions:)

XACML v3.0 Support and Future Adherence to ABAC Standards

I am seriously considering using casbin as a starting point for a new distributed ABAC authorization system that I want to put into place for enterprise applications.

Casbin stands out to me because it appears to be relatively well adopted by some big projects leveraging ABAC in the current market, and it appears to be reasonably mature. However, I still have some reservations, and I was hoping that you may be able to answer them for me.

  1. Casbin defines its own model and policy syntax and is not developed according to modern OASIS XACML (v3.0) standards. Was there a reason for this decision? Also, are there any plans in the very near future to adopt XACML standards as the means to define the models and policies?

  2. I noticed the code frequency metrics have been on a pretty steady decline since May 2017. Obviously the holiday season has its impact on developer productivity in the November and December months, but a steady decline over that period of time suggests that project support is dying or slowly being discontinued. Is there a reason for this? Where do you see this project in a year or two?

support user role authority resource model

If you know the Java web framework Spring, then you must know Spring has a module named Spring Security. Spring Security has four concepts, as below:

  1. user -> the people who visit the web site.

  2. role -> roles are associated with users and authorities. User and role have a many-to-many relation.

  3. authority -> authorities are associated with roles and resources. Role and authority also have a many-to-many relation.

  4. resource -> a resource could be a URL in a web project; one URL always means one web request. Authority and resource have a many-to-many relation.

In Spring Security, if a user wants to access a URL, then the user must have been associated with a role, the role must have been associated with an authority, and the authority must have been associated with the resource (the request URL).

The relation is as below:

user>role>authority>resource

In simple terms, a user visits a web page, then the (web) system checks whether the user can access it by the authority. If the user has the authority, the user must have the right role.

I don't know whether casbin could implement the functions below, which are what I want:

  1. A user visits a web page, then the system can control whether the user can access it by the user's authority.
  2. A user visits a web page; the page contains some URLs that are associated with authorities. If the user doesn't have the authority, then the URL should not be visible.

If casbin can implement these functions, could somebody give a complete example with a web project? Thank you!

Question: How to use casbin in this special condition?

I have a situation in RBAC, but I'm not sure casbin can solve it.

Example:
Alice has a role called Role1, and Role1 can read data1.
But Alice is a special woman who can't read data1.
In model.conf, I define Alice as role1, but I don't know how to solve this problem in casbin.
How should model.conf be defined to solve this problem?
Could casbin solve my problem?
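The evaluation flow asked about in this question, in "What do matchers mean?" and in "Hardcoded policy effect of model" above, as an added Go illustration that is not casbin's code: the request is tried against every policy rule through the matcher, the eft of each matching rule is collected (eft is an implicit policy column that defaults to allow, which is where p.eft comes from), and one of the four built-in effect expressions folds those values into the decision. The Request, Policy, Matcher, Effect, Effects, Enforce, roles, g and AliceDecisions names are mine; the roles table stands in for g = _, _ with a single level of inheritance.

```go
package main

import "fmt"

// Request and Policy mirror "r = sub, obj, act" and "p = sub, obj, act". Eft is the
// implicit policy column the effect expressions refer to; it defaults to "allow".
type Request struct{ Sub, Obj, Act string }
type Policy struct{ Sub, Obj, Act, Eft string }

// Matcher plays the part of the [matchers] expression: does this rule apply to this request?
type Matcher func(r Request, p Policy) bool

// Effect folds the eft values of every rule the matcher selected into one decision.
type Effect func(efts []string) bool

func some(efts []string, want string) bool {
	for _, e := range efts {
		if e == want {
			return true
		}
	}
	return false
}

// Effects are the four built-in casbin effect expressions, re-implemented here as
// plain Go so the combination step is visible.
var Effects = map[string]Effect{
	"some(where (p.eft == allow))": func(e []string) bool { return some(e, "allow") },
	"!some(where (p.eft == deny))":  func(e []string) bool { return !some(e, "deny") },
	"some(where (p.eft == allow)) && !some(where (p.eft == deny))": func(e []string) bool {
		return some(e, "allow") && !some(e, "deny")
	},
	// priority: the first matching rule in policy order decides; no match means deny.
	"priority(p.eft) || deny": func(e []string) bool { return len(e) > 0 && e[0] == "allow" },
}

// Enforce is the whole flow: try the matcher against every rule, collect the eft of
// each rule that matched, then let the effect decide.
func Enforce(r Request, policies []Policy, m Matcher, effect Effect) bool {
	var matched []string
	for _, p := range policies {
		if m(r, p) {
			eft := p.Eft
			if eft == "" {
				eft = "allow"
			}
			matched = append(matched, eft)
		}
	}
	return effect(matched)
}

// roles is a flat user -> roles table standing in for the "g = _, _" assertion;
// g(sub, role) is true when they are equal or sub holds role (one level only here).
var roles = map[string][]string{"alice": {"role1"}}

func g(sub, role string) bool {
	if sub == role {
		return true
	}
	for _, r := range roles[sub] {
		if r == role {
			return true
		}
	}
	return false
}

// rbacMatcher is "m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act".
func rbacMatcher(r Request, p Policy) bool {
	return g(r.Sub, p.Sub) && r.Obj == p.Obj && r.Act == p.Act
}

// AliceDecisions evaluates "alice is role1, role1 may read data1, but alice herself
// may not" under each of the four effects and returns the decision per effect.
func AliceDecisions() map[string]bool {
	policies := []Policy{
		{"role1", "data1", "read", "allow"},
		{"alice", "data1", "read", "deny"},
	}
	req := Request{"alice", "data1", "read"}
	out := map[string]bool{}
	for name, effect := range Effects {
		out[name] = Enforce(req, policies, rbacMatcher, effect)
	}
	return out
}

func main() {
	for name, decision := range AliceDecisions() {
		fmt.Printf("%-62s -> %v\n", name, decision)
	}
}
```

For the Alice case both rules match, so the collected efts are [allow, deny]: the allow-only effect grants, the two effects that look at deny rules refuse, and priority grants because the allow rule comes first in the policy (swap the two rules and priority refuses, so ordering is part of the policy under that effect). A caveat worth knowing before choosing "!some(where (p.eft == deny))": when no rule matches at all it evaluates to true, i.e. it is default-allow, so pair it with an explicit allow requirement unless default-allow is really what you want.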

Call Safe functions from panicking ones

Currently the Safe functions call the panicking functions and recover from the panics. I think that's a waste of resources. Why not call the Safe functions from the panicking ones and panic if an error is returned?

Related to #50: it's common practice in Go to have both versions, but the error-returning functions are usually the regular ones and the panicking functions are prefixed with Must. Even if you think panicking is better, following accepted practice can sometimes be better for effectively communicating your code to developers. But this is a breaking change, so it would require a major version bump.

Thread safety

In my use case I will have dynamically changing user/role assignments, for which I was planning to use Enforcer.AddRoleForUser. I've seen a lot of maps and no use of the sync package; I didn't audit the package, but is this style of use thread safe?

Common DB interface?

Hi, first of all, awesome project. This kind of thing is always needed for UI-like apps.

Would you consider writing a common interface so that a different database can be used, for example Cassandra (via gocql)?

Question: multiple roles?

Just wanted to ask if you have any plans of supporting multiple roles in the permission check? For example by sending in a slice of roles. How will that work with the parenting system?

According to the Wikipedia article on RBAC that seems like a common use case: http://en.wikipedia.org/wiki/Role-based_access_control

Hi @maxekman, Casbin is a new authorization library which supports flexible access control models like ACL, RBAC, ABAC.

RBAC in Casbin supports multiple roles on one user. I don't see any point here not to support it. And the roles in casbin can inherit each other, forming an inheritance tree.

map

map reduces readability

why not return an error when setting parents if there is a cycle

Several suggestions:

SetParent: if you set 1 to a, then a == 1, but SetParent is more like AddParent.
If there are potential cycle errors, they should be thrown immediately rather than at runtime.

Hi @nullne,

please try to use Casbin. It has a better RBAC API. For example, you can use AddRoleForUser() to add a role for a user or a role. And you can remove it by DeleteRoleForUser() as well.

Casbin is an authorization library that supports models like ACL, RBAC, ABAC.

Related to RBAC, Casbin has several advantages:

  1. roles can be cascaded, aka roles can have roles.
  2. support resource roles, so users have their roles and resources have their roles too. role = group here.
  3. the permission assignments (or policy in Casbin's language) can be persisted in files or database (MySQL and Cassandra).

And you can even customize your own access control model, for example, mix RBAC and ABAC together by using roles and attributes at the same time. It's very flexible.

Add MongoDB support

Hi @DenisNeustroev, Casbin is a new authorization library which supports flexible access control models like ACL, RBAC, ABAC.

Casbin supports persisting the policy in database, including RDBMS (like MySQL) and No-SQL (like Cassandra). Cassandra is similar to MongoDB as a NoSQL DB. Let me know if you have any questions:)

Problem with ABAC?

I'm trying to use ABAC and I'm getting a panic.

I'm using the example ABAC model

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.sub == r.obj.Owner

I have a simple test

package main

import (
	"fmt"
	"testing"

	"github.com/casbin/casbin"
	"github.com/Knetic/govaluate" // full import path as in the lock file below; used by TestGovaluate
)

type Blah struct {
	Owner string
}

func TestCasbin(t *testing.T) {
	enforcer := casbin.NewEnforcer("./abac_model.conf")
	res := enforcer.Enforce("one", Blah{Owner: "one"}, "two")
	fmt.Println(res)
}

I get the following...

Running tool: /usr/local/bin/go test -timeout 30s github.com/danedmunds/myrepo -run ^TestCasbin$

2017/12/07 13:56:36 [Model:]
2017/12/07 13:56:36 r.r: sub, obj, act
2017/12/07 13:56:36 p.p: sub, obj, act
2017/12/07 13:56:36 e.e: some(where (p_eft == allow))
2017/12/07 13:56:36 m.m: r_sub == r_obj.Owner
--- FAIL: TestCasbin (0.00s)
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
	panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x12bee1c]

goroutine 6 [running]:
testing.tRunner.func1(0xc420104270)
	/usr/local/Cellar/go/1.8/libexec/src/testing/testing.go:622 +0x29d
panic(0x132a500, 0x1517850)
	/usr/local/Cellar/go/1.8/libexec/src/runtime/panic.go:489 +0x2cf
github.com/danedmunds/myrepo/vendor/github.com/casbin/casbin.(*Enforcer).Enforce(0xc420018960, 0xc420055f68, 0x3, 0x3, 0x0)
	/Users/ddm/go/src/github.com/danedmunds/myrepo/vendor/github.com/casbin/casbin/enforcer.go:361 +0x165c
github.com/danedmunds/myrepo.TestCasbin(0xc420104270)
	/Users/ddm/go/src/github.com/danedmunds/myrepo/access_test.go:28 +0x202
testing.tRunner(0xc420104270, 0x13931e0)
	/usr/local/Cellar/go/1.8/libexec/src/testing/testing.go:657 +0x96
created by testing.(*T).Run
	/usr/local/Cellar/go/1.8/libexec/src/testing/testing.go:697 +0x2ca
FAIL	github.com/danedmunds/myrepo	0.012s
Error: Tests failed.

I've traced it down to govaluate returning the error "Unable to parse numeric value '.' to float64" when the expression is parsed.

What's strange is that the following test passes without any issue

func TestGovaluate(t *testing.T) {
	exp, err := govaluate.NewEvaluableExpressionWithFunctions("r_sub == r_obj.Owner", nil)
	fmt.Println(err)
	res, err := exp.Evaluate(map[string]interface{}{
		"r_sub": "one",
		"r_obj": Blah{Owner: "one"}, // the Blah type defined above
	})
	fmt.Println(err)
	fmt.Println(res)
}

Have I made a mistake in my configuration of casbin? Am I hitting a conflict between casbin/govaluate?

I'm using glide to vendor both of these dependencies...

- package: github.com/casbin/casbin
  version: ^1.2.0
- package: github.com/Knetic/govaluate
  version: ^3.0.0

lock file...

- name: github.com/casbin/casbin
  version: 3b25a82bd1e3ce20dd037ba7ecb06140bd9acc5c
  subpackages:
  - config
  - file-adapter
  - model
  - persist
  - rbac
  - util
- name: github.com/Knetic/govaluate
  version: d216395917cc49052c7c7094cf57f09657ca08a8

Any help would be greatly appreciated! Thanks!

Multiple/secondary request subjects?

For our use case, it would be highly beneficial to be able to send multiple subjects as part of the same request, e.g. "subjects": ["user:peter", "group:admin"] to avoid having to query the API multiple times.

I'm more than happy to provide a PR for this, just wanted to check first if there are any reservations or concerns.

Cheers,
dim

Hi @dim, Casbin is a new authorization library which supports flexible access control models like ACL, RBAC, ABAC.

Casbin supports defining the request format, the most commonly used format is:

[request_definition]
r = sub, obj, act

which means subject, object, action.

But you can customize it as:

[request_definition]
r = sub, sub2, sub3, obj, act

The only requirement is that you design the proper matchers in casbin model. For example, the original model is:

[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act

Now you may need:

[matchers]
m = (r.sub == p.sub || r.sub2 == p.sub || r.sub3 == p.sub) && r.obj == p.obj && r.act == p.act

It means that if any of sub, sub2, sub3 in a request matches the subject in the policy rules, it will return an allow.

Let me know if you have any questions:)

Stack trace in errors

Quoting from the wiki:

The author believes that Golang error is very unfriendly for developers to debug, because it's only a string and has no faulty call stack information.

This is actually not true. Errors can be anything that implements the error interface.

See https://github.com/pkg/errors for an easy way to include stack trace in errors. Common error handlers can also handle traces like that: airbrake/gobrake#39

Reloading policies

Nowadays it's quite common that multiple instances of an application run scaled in clouds.

What is the proper way of reloading policies in case they change in one of the instances?

I guess it's quite common, so some sort of built-in or suggested solution would be nice.

For example:

  • automatic reload of policies every X minutes (opt-in)
  • some distributed messaging solution (listening to a channel maybe, where a custom messaging solution could push messages)
  • add support to adapters to implement a way to check for updates (eg. changed timestamp in a database)

(Update: BTW the library is great, thanks)
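A snapshot-and-version pattern that covers three of the questions on this page: the hand-filled adapter asked for in "In-memory (read-only?) policy adapter", the concurrent-map worry in "Thread safety", and the "check for updates" item in the list above. This is an added illustration in plain Go, not casbin's adapter or enforcer API; Rule, Adapter, MemoryAdapter, snapshot, Enforcer, NewEnforcer, Reload and Enforce are my own names, and the enforcement itself is a deliberately minimal exact-match ACL.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// Rule is one policy line of the basic "p = sub, obj, act" model.
type Rule struct{ Sub, Obj, Act string }

// Adapter is the minimal backend contract used here: a version that moves whenever
// the stored policy changes (the "changed timestamp" idea above) plus a loader.
type Adapter interface {
	Version() uint64
	LoadPolicy() []Rule
}

// MemoryAdapter is an in-memory adapter you can fill by hand; safe for concurrent use.
type MemoryAdapter struct {
	version uint64 // first field: 64-bit aligned for sync/atomic on 32-bit targets
	mu      sync.Mutex
	rules   []Rule
}

func (a *MemoryAdapter) AddPolicy(r Rule) {
	a.mu.Lock()
	a.rules = append(a.rules, r)
	a.mu.Unlock()
	atomic.AddUint64(&a.version, 1) // bump only after the rule is visible to LoadPolicy
}

func (a *MemoryAdapter) Version() uint64 { return atomic.LoadUint64(&a.version) }

// LoadPolicy hands out a copy, so a snapshot built from it can never be mutated later.
func (a *MemoryAdapter) LoadPolicy() []Rule {
	a.mu.Lock()
	defer a.mu.Unlock()
	return append([]Rule(nil), a.rules...)
}

// snapshot is an immutable, indexed view of the policy at one adapter version.
type snapshot struct {
	version uint64
	allow   map[Rule]bool
}

// Enforcer answers every check from an atomically swapped snapshot: Enforce takes
// no lock and can never observe a half-reloaded policy set.
type Enforcer struct {
	adapter Adapter
	current atomic.Value // holds *snapshot
}

func NewEnforcer(a Adapter) *Enforcer {
	e := &Enforcer{adapter: a}
	e.current.Store(&snapshot{allow: map[Rule]bool{}})
	e.Reload()
	return e
}

// Reload rebuilds the snapshot only when the adapter's version moved and reports whether
// it did. Reading the version before the rules is safe: at worst the snapshot carries a
// version that is already stale, and the next poll simply reloads once more.
func (e *Enforcer) Reload() bool {
	v := e.adapter.Version()
	if v == e.current.Load().(*snapshot).version {
		return false
	}
	next := &snapshot{version: v, allow: map[Rule]bool{}}
	for _, r := range e.adapter.LoadPolicy() {
		next.allow[r] = true
	}
	e.current.Store(next)
	return true
}

// Enforce is an exact-match ACL decision against the current snapshot.
func (e *Enforcer) Enforce(sub, obj, act string) bool {
	return e.current.Load().(*snapshot).allow[Rule{sub, obj, act}]
}

func main() {
	adapter := &MemoryAdapter{}
	e := NewEnforcer(adapter)
	adapter.AddPolicy(Rule{"bob", "data1", "read"}) // as if another instance wrote to the shared store
	fmt.Println("before reload:", e.Enforce("bob", "data1", "read"))
	fmt.Println("reloaded:", e.Reload(), "after reload:", e.Enforce("bob", "data1", "read"))
}
```

Wire Reload to whichever trigger fits the deployment: a time.Ticker for the opt-in periodic variant, or a subscriber on a message channel that calls Reload when another instance publishes a change. Because the version check is one cheap read, polling every few seconds costs an adapter round-trip and no policy rebuild when nothing changed, and readers never block on a writer, which is the property the thread-safety question is really after.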

RBAC sessions

Hey there,

I want to realize an RBAC session concept that supports the following features:

  • (A user can have assigned any number of roles.)
  • (A role can have assigned any number of permissions.)
  • A user needs to activate one or more of his roles to actually be able to use them.
  • This should be done with sessions.
  • A session consists of one user and one or more roles. It should have a creation date and an expiration date.
  • The policy matcher should then only grant access if and only if the requesting user has a running session activating the needed role.
  • So: It is not sufficient to only have the user-role-assignment. You will always need to activate your needed roles with a session. This supports the principle of Least Privilege.

This concept is derived from Ravi Sandhu's paper on "role-based access control".

My ideas are the following:
Change the request definition to be

r = sub, obj, act, time

Create a session definition:

s = sub, role, start_time, end_time

How am I then able to match an access request? Like this?

m = s(r.sub, p.sub, _, _) && r.obj == p.obj && r.act == p.act && r.time > s.start_time && r.time < s.end_time

BTW: all time data will be Unix time in nanoseconds, so I hope they'll be comparable.

ABAC with different object types

Unfortunately I still don't quite understand casbin's model, but I'm doing my best.

Due to the questions in #45 (and partly because of my model) I decided to go with ABAC-based access control, which checks my object's attributes and tries to decide whether the subject can do the action or not. Unfortunately ABAC does not seem to be the primary use case for casbin. It's a bit under-documented IMO.

So here is a case which I don't know how to solve: I have multiple entities and multiple actions, and I would like to decide which users can do what. These entities have several attributes that I want to use.

Let's take a simple example: there are entities which have Owner and Collaborator attributes. Obviously Owners can delete, collaborators can edit. These entities belong to Groups where we have the same actors: Owners and Collaborators. The rule is the same except now we have a create action as well, which only owners can do.

How would I model this in casbin with ABAC? Do I have to create multiple casbin instances? (There are only two entities here, but at large scale there could be many more, in which case separate casbin instances could be a huge bottleneck.)

Maybe it can also be interesting that Owners are available as an attribute, Collaborators can be fetched using a method.

I'm not asking you to solve my problem, this is actually only a dummy example, but I can't seem to understand how casbin works.

Thanks a lot!
