Skip to content

fix: abac not using policy#918

Merged
hsluoyz merged 1 commit intoapache:masterfrom
Abingcbc:fix_abac
Nov 24, 2021
Merged

fix: abac not using policy#918
hsluoyz merged 1 commit intoapache:masterfrom
Abingcbc:fix_abac

Conversation

@Abingcbc
Copy link
Copy Markdown
Contributor

@Abingcbc Abingcbc commented Nov 16, 2021

Signed-off-by: abingcbc abingcbc626@gmail.com

Fix: #917

How it works

Ignore all policies when matcher doesn't contain any match related to policy.

@casbin-bot
Copy link
Copy Markdown

casbin-bot commented Nov 16, 2021

@tangyang9464 @closetool @sagilio please review

@Abingcbc Abingcbc marked this pull request as draft November 16, 2021 03:31
@Abingcbc Abingcbc marked this pull request as ready for review November 16, 2021 05:53
@hsluoyz
Copy link
Copy Markdown
Member

hsluoyz commented Nov 16, 2021

@nodece plz review

@hsluoyz
Copy link
Copy Markdown
Member

hsluoyz commented Nov 16, 2021

@silverspace plz review

nodece
nodece approved these changes Nov 16, 2021
View reviewed changes
Copy link
Copy Markdown
Member

@nodece nodece left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

silverspace
silverspace reviewed Nov 16, 2021
View reviewed changes
silverspace
silverspace reviewed Nov 16, 2021
View reviewed changes
sagilio
sagilio requested changes Nov 18, 2021
View reviewed changes
Copy link
Copy Markdown
Member

@sagilio sagilio left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you provide a more reasonable test case? I try to remove the matcher check and run the test, it returns another error:
image
image

Then I try to add eft to the abac_model.conf, the new test is passed:
image

I think your changes have nothing to do with the error in the issue.

@Abingcbc
Copy link
Copy Markdown
Contributor Author

Abingcbc commented Nov 18, 2021

@sagilio Yep. I realized this error when I wrote the test. But if the matcher doesn't use policy, no policy should be matched for the request. So no matter what policy definitions look like, policy should have no effect on the request?

@sagilio
Copy link
Copy Markdown
Member

sagilio commented Nov 18, 2021
edited
Loading

@sagilio Yep. I realized this error when I wrote the test. But if the matcher doesn't use policy, no policy should be matched for the request. So no matter what policy definitions look like, policy should have no effect on the request?

Yeah, you changes are right,we need not to scan all policies when matcher is not included rtype. But this just is a enhancment about performance. I do not know why the wrong result be returned in #917.

@Abingcbc
Copy link
Copy Markdown
Contributor Author

Abingcbc commented Nov 18, 2021

@sagilio Yep. I realized this error when I wrote the test. But if the matcher doesn't use policy, no policy should be matched for the request. So no matter what policy definitions look like, policy should have no effect on the request?

Yeah, you changes is right,we need not scan.all policies when matcher is not include rtype. But this just a enhance about performance. I do not know why the wrong result returned in #917.

I think the root cause is that policy is for other model like rbac and the request's model is abac.

When the matcher doesn't use any policy and the request meets the judgment of the matcher, the request will match all policies because the matcher always returns true.
Therefore, if there is deny policy, the result of merged effects will be deny.

Take #917 as an example, request:

{ User: 'alice', Superuser: true }, { Owner: 'bob'}, read

will match policy

p, foobar, /blah, read, deny

and the merged effect is deny, although it is allowed in respect to abac.

@sagilio
Copy link
Copy Markdown
Member

sagilio commented Nov 20, 2021

@Abingcbc I see, you are right. We may need a more effective test case to descript the situation.

@Abingcbc
fix: abac not using policy
4d1762a 
Signed-off-by: abingcbc <abingcbc626@gmail.com>
@Abingcbc
Copy link
Copy Markdown
Contributor Author

Abingcbc commented Nov 21, 2021

@Abingcbc I see, you are right. We may need a more effective test case to descript the situation.

@sagilio I have updated the test case. PTAL ❤️

@hsluoyz
Copy link
Copy Markdown
Member

hsluoyz commented Nov 22, 2021

@sagilio plz review

sagilio
sagilio approved these changes Nov 23, 2021
View reviewed changes
Copy link
Copy Markdown
Member

@sagilio sagilio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@hsluoyz hsluoyz merged commit 1f22100 into apache:master Nov 24, 2021
@github-actions
Copy link
Copy Markdown

github-actions bot commented Nov 24, 2021

🎉 This PR is included in version 2.39.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@Abingcbc Abingcbc deleted the fix_abac branch December 8, 2021 15:27
@harshalmittal4
Copy link
Copy Markdown

harshalmittal4 commented Feb 17, 2023
edited
Loading

Hi @Abingcbc , @hsluoyz , @sagilio
I was seeking to understand the abac policy and read the discussion above and at #917, and thought the request must not depend on policy file for a model like below, i.e. it must be allowed everytime the condition r.sub == r.obj.Owner holds. Is this correct?

model -

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act, eft

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = r.sub == r.obj.Owner

I used request as alice, { Owner: 'alice'}, write with the above model and the below policy in online editor -

p, alice, /data1, read, deny
p, alice, /data1, write, allow
p, bob, /data2, write, allow
p, bob, /data2, read, allow

and got the result as false.

On replacing p, alice, /data1, read, deny in policy file with p, alice, /data1, read, allow (so that all eft in policy become allow), the result changes to true.

Is this the expected behaviour for the above case that the request depends on policy file instead of just relying on matcher m = r.sub == r.obj.Owner?
Thanks

@hsluoyz hsluoyz mentioned this pull request Feb 18, 2023
Closed
@hsluoyz
Copy link
Copy Markdown
Member

hsluoyz commented Feb 18, 2023

@harshalmittal4 the online editor is pure frontend (https://github.com/casbin/casbin-editor), which uses Node-Casbin: https://github.com/casbin/node-casbin for Casbin enforcement. Usually we have latest features in Golang version Casbin and Node-Casbin maybe still doesn't have the feature of this PR: #918 yet.

Issue proposed here: apache/casbin-node-casbin#433

@harshalmittal4
Copy link
Copy Markdown

harshalmittal4 commented Feb 18, 2023

Thanks @hsluoyz , got it. I'm currently getting more familiar with Casbin and would like to try contributing to some issues once I get comfortable

This was referenced Dec 8, 2025
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hsluoyz hsluoyz hsluoyz left review comments

@nodece nodece nodece approved these changes

@sagilio sagilio sagilio approved these changes

@kilosonc kilosonc Awaiting requested review from kilosonc

@tangyang9464 tangyang9464 Awaiting requested review from tangyang9464

+1 more reviewer

@silverspace silverspace silverspace left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug] Casbin ABAC rules fail if policy includes any "deny" rows

7 participants

@Abingcbc @casbin-bot @hsluoyz @sagilio @harshalmittal4 @silverspace @nodece