casbin
Recommended learning: Casbin development documentation
Go one casbin per day
Casbin video
Casbin is used to implement role-based HTTP permission control in Go language
What is a casbin
Casbin is a powerful and efficient open source access control framework. Its permission management mechanism supports multiple access control models.
Speaking of access control, JWT is a simple authentication method used before, but in complex scenarios, this method is not suitable.
When it comes to authentication, ask three questions:
- How do you identify a person?
- How to allow one’s behavior?
- How does identity relate to behavior?
The ACL model
The ACL model contains at least the following four parts:
[request_definition] : request definition
[request_definition]
r = sub, obj, act
Copy the codeSub, obj, act represent classical triples: access entities (Subject), access resources (Object), and access methods (Action).
In layman’s terms: sub means who is going to visit, obj means what are you going to visit, and ACT means how are you going to visit
Here’s the rule: you need to follow this definition to initiate a visit.
[policy_definition] : indicates the policy definition
[policy_definition]
p= sub, obj, act, (eft)Copy the codeThis is also the classic triad sub, obj, act. Of course, you can define other names as well.
Eft is an influence, and you can specify an influence, but only allow and deny.
Here are the sections through which restrictions can be imposed
[matchers] : rules
[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act
Copy the codeTwo parts (request_definition, policy_definition) are used to specify access rules.
You can use arithmetic (such as +, -, *, /) and logical operators (such as &&, | |,!) .
[policy_effect] : indicates the effect of a policy
The policy influence here can only have the following five, and no others are allowed.
| Policy effect | meaning | The sample |
|---|---|---|
| some(where (p.eft == allow)) | At least one Allow | ACL, RBAC, etc. |
| ! some(where (p.eft == deny)) | A deny is not allowed | Deny-override |
| some(where (p.eft == allow)) && ! some(where (p.eft == deny)) | At least one allow but no deny | Allow-and-deny |
| priority(p.eft) || deny | priorities | Priority |
| subjectPriority(p.eft) | Priority based on the role | Topic priority |
That’s part of a model.
We need to specify an access control rule based on this model.
You can open the Casbin compiler and use it to simulate.
Briefly describe the process:
- In order to
alice, data1, readTo initiate a request, then it will be benchmarked in the modelsub=alice.obj=data1.act=read - The strategy side is going to be marked according to what you write
sub=alice.obj=data1.act=read - Match the rules using the values obtained in the request and policy, and there will be one
eft, which is the result (allow or deny). eft, will enterpolicy_effect, verify again.- And then we get the result
Pay attention to the point
① If you want to control the EFT of a policy, you need to be in policy_definition, otherwise by default, you do not have this value. Even if you add it to your strategy, it won’t work.
Because his EFT is generated by a match, not by assigning efT to a match.
② If you want to use! Some (where (p.ft == deny)), then you need to add the efT field to policy_definition, otherwise there is no rule at all.
When you make a request, all policies will be matched. If the match fails, efT will not be assigned a default allow or a definition deny. The result is that the request efT does not have a deny (possibly a null value). This corresponds to his requirement that there be no deny after the match is complete. So the return value is true.
You can use Casbin to test all your assumptions.
This model is like a one-to-one comparison. For some complicated scenes, for example, as long as students can eat, I can’t write all the students’ names one by one, it seems a little difficult to play. Let’s look at the next model.
RBAC
How is this model more advanced than acLs?
[role_definition] : indicates the identity definition
[role_definition]
g = _, _
Copy the codeThe first underscore represents the name (specific request entity) and the second underscore represents the identity (role set)
Let’s go back to the question: as long as students are allowed to eat.
Can I just add roLE_definition?
Break it down according to this question: Character set: student, resource: meal, action: eat.
As long as the current requesting entity is a student, the desired resource is rice, and the behavior is eat, you can pass this request.
In this model, you can control permissions by identity, but you can also control permissions by precise matching.
What did he do? For identity matching, if the match is up, then the subsequent strategy matches, I will take the identity to match, if not, then I can only carry out accurate matching.
In certain situations, it doesn’t seem to work either. For example, I hope the students from Morning Star studio can take the study materials. There are two identities, and these two identities are a subset of the students in Morning Star Studios.
Extended RBAC
It has one more field than RBAC. It seems to me that once again there is a domain under identity. Just like some students have the identity of Morning Star studio.
[request_definition]
r = sub, dom, obj, act
[policy_definition]
p = sub, dom, obj, act
[role_definition]
g = _, _, _
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act
Copy the codePreviously, permission control was based on a global concept, but now it can be divided into multiple domains in the global context, and permission control is based on this domain.
Pay attention to the point
G (r.subu, P.subu, r.dom) feels as if it is just doing one authentication and needs other restrictions to better control the domain.
Did not look at the source! It’s just my guess. After looking at the source code to do further explanation.
ABAC
The RBAC model is useful for implementing regular, relatively static permission management. But for specific, dynamic requirements, RBAC is a little out of its depth. For example, we implement different permission controls on data at different times. All users can read and write data during normal working hours from 9:00 to 18:00, and only the data owner can read and write data during other working hours. This requirement can be easily accomplished by using the Attribute Base Access List (ABAC) model
Other control models
There are many more control models than just points.
| Access control model | The Model file | The Policy document |
|---|---|---|
| ACL | basic_model.conf | basic_policy.csv |
| ACL with superuser | basic_with_root_model.conf | basic_policy.csv |
| No ACL exists for the user | basic_without_users_model.conf | basic_without_users_policy.csv |
| No ACL for resources | basic_without_resources_model.conf | basic_without_resources_policy.csv |
| RBAC | rbac_model.conf | rbac_policy.csv |
| Support RBAC for resource roles | rbac_with_resource_roles_model.conf | rbac_with_resource_roles_policy.csv |
| RBAC for domain/tenant is supported | rbac_with_domains_model.conf | rbac_with_domains_policy.csv |
| ABAC | abac_model.conf | There is no |
| RESTful | keymatch_model.conf | keymatch_policy.csv |
| Refused to priority | rbac_with_not_deny_model.conf | rbac_with_deny_policy.csv |
| Agreement and Rejection | rbac_with_deny_model.conf | rbac_with_deny_policy.csv |
| priority | priority_model.conf | priority_policy.csv |
| 3. Prioritize | priority_model_explicit | priority_policy_explicit.csv |
| Principal priority | subject_priority_model.conf | subject_priority_policyl.csv |
This piece of learning is not very good!! A little bit confused!