[Bug] - Domain manager rebuild() infinite loop? #1027

@kizjig

Describe the bug
When adding a domain matching function to the default RoleManager, it triggers a rebuild call of the internal DomainManager; this function never seems to finish executing on a large dataset. Internally it seems to be trying to "AddLinks" forever.

**Model - HRBAC with ABAC**

```
[request_definition]
r = sub, tenant, perm, act, eft

[policy_definition]
p = sub, tenant, perm, act, eft

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = (g(r.sub, p.sub, r.tenant) && keyMatch4(r.tenant, p.tenant) && r.perm == p.perm && regexMatch(r.act, p.act))
```

**Policy data**
Here's a small sample of some of the policy data showing permissions with actions grouped under roles, and wildcarding on the role_superuser1 grouping so it can work across X tenants. Typically the policy dataset is ~45000 database rows.

For example, user id 7073 is a super user and can do anything across any tenant, whereas user 65716 is just a creator for tenant 753.

```
p,role_superuser1,tenant/{id},tenant,(^view$)|(^manage$),allow,
p,role_superuser1,tenant/{id},dashboard,login,allow,
p,role_superuser1,tenant/{id},model_upload_max_size,large,allow,
p,role_superuser1,tenant/{id},presentation,(^local$)|(^remote$),allow,
p,role_superuser1,tenant/{id},invite,(^create$)|(^delete$)|(^edit$)|(^view$),allow,
p,role_superuser1,tenant/{id},library,(^create$)|(^edit$)|(^view$)|(^delete$),allow,
p,role_superuser1,tenant/{id},desktop,login,allow,
p,role_presenter1,tenant/{id},dashboard,login,deny,
p,role_presenter1,tenant/{id},tenant,view,allow,
p,role_creator1,tenant/{id},dashboard,login,allow,
p,role_creator1,tenant/{id},invite,(^create$)|(^edit$)|(^view$),allow,
p,role_creator1,tenant/{id},tenant,view,allow,
p,role_creator1,tenant/{id},model_upload_max_size,medium,allow,
p,role_creator1,tenant/{id},presentation,(^local$)|(^remote$),allow,
p,role_creator1,tenant/{id},library,(^create$)|(^edit$)|(^view$)|(^delete$),allow,
p,role_creator1,tenant/{id},desktop,login,allow,
g,7073,role_superuser1,tenant/*,,,
g,7073,role_presenter1,tenant/34,,,
p,7073,tenant/1,tenant,manage,allow,
g,65716,role_creator1,tenant/753,,,
p,65716,tenant/753,tenant,manage,allow,
```

I can email/private message a copy of the full policy dataset for bug replication.

To Reproduce
Steps to reproduce the behavior:

  1. Go to load the data into an enforcer
  2. Set up the default role manager with a domain matching function: `roleManager.AddDomainMatchingFunc("KeyMatch", util.KeyMatch)`
  3. Notice that the function never exits.

Expected behavior
No infinite loop/long running behaviour

Desktop (please complete the following information):

  • OS: MacOS 12.1
  • Golang v1.18
  • Version Casbin v2.47.1

Additional context
If I load this dataset with an older version of Casbin, v2.31.4, I don't have this infinite loop problem, but my Enforce calls against the model and policy data set are extremely slow, ~10-12 seconds. Similar to what's reported in this issue: #1004
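
The model and sample rows above, evaluated by a stand-alone Go program. This is an added example, not part of the original issue and not Casbin's code: `domainMatch` and `tenantMatch` are simplified stand-ins for `util.KeyMatch` and `keyMatch4`, and `enforce` is a hypothetical helper that handles direct groupings only and ignores the unused `r.eft` field.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var policies = [][5]string{ // constructed subset of the issue's p rows: sub, tenant, perm, act, eft
	{"role_superuser1", "tenant/{id}", "dashboard", "login", "allow"},
	{"role_presenter1", "tenant/{id}", "dashboard", "login", "deny"},
	{"role_creator1", "tenant/{id}", "library", "(^create$)|(^edit$)|(^view$)|(^delete$)", "allow"},
}
var groupings = [][3]string{ // constructed subset of the g rows: user, role, domain pattern
	{"7073", "role_superuser1", "tenant/*"},
	{"7073", "role_presenter1", "tenant/34"},
	{"65716", "role_creator1", "tenant/753"},
}

// domainMatch stands in for util.KeyMatch: the text before '*' in pat must prefix dom.
func domainMatch(dom, pat string) bool {
	prefix, _, wild := strings.Cut(pat, "*")
	return dom == pat || (wild && strings.HasPrefix(dom, prefix))
}

// tenantMatch is a simplified keyMatch4 (assumption): each {name} matches one path segment.
func tenantMatch(tenant, pat string) bool {
	re := regexp.MustCompile(`\\\{\w+\\\}`).ReplaceAllString(regexp.QuoteMeta(pat), `[^/]+`)
	return regexp.MustCompile("^" + re + "$").MatchString(tenant)
}

// enforce applies the issue's matcher to every row, then the effect "some allow and no deny".
func enforce(sub, tenant, perm, act string) bool {
	allow, deny := false, false
	for _, p := range policies {
		linked := sub == p[0] // g() also holds for the subject itself
		for _, g := range groupings {
			linked = linked || (g[0] == sub && g[1] == p[0] && domainMatch(tenant, g[2]))
		}
		actOK, _ := regexp.MatchString(p[3], act) // regexMatch(r.act, p.act)
		if linked && tenantMatch(tenant, p[1]) && perm == p[2] && actOK {
			allow, deny = allow || p[4] == "allow", deny || p[4] == "deny"
		}
	}
	return allow && !deny
}

func main() { // prints: true false true
	fmt.Println(enforce("7073", "tenant/9", "dashboard", "login"), enforce("7073", "tenant/34", "dashboard", "login"), enforce("65716", "tenant/753", "library", "edit"))
}
```

With these rows, user 7073 gets dashboard login in tenant/9 through the `tenant/*` grouping but not in tenant/34, where the `role_presenter1` deny row also matches and the effect requires that no deny matches.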

