Implement FilteredAdapter #79

Closed
xcaptain opened this issue Apr 5, 2020 · 9 comments

xcaptain (Contributor) commented Apr 5, 2020

Currently we load all the policies into casbin and then do the matching; this would use a lot of memory when we have many policies (millions or more). A filtered adapter means that when an enforce request happens, we query the adapter for the result.

diesel-adapter and sqlx-adapter should implement this feature.

GopherJ (Member) commented Apr 5, 2020

@xcaptain Is it possible to change GSOC ideas? I would like to put some issues into GSOC ideas. Just to avoid the situation in which two students would like to work on the same idea.

xcaptain (Contributor, Author) commented Apr 5, 2020

@GopherJ I'm afraid not. How about we create a Slack channel so all the contributors can discuss some proposals on Slack first?

GopherJ (Member) commented Apr 5, 2020

@xcaptain It seems FilteredAdapter is not dynamic for now.

I'm not sure if it'll be better if we detect whether the request matches one of the elements in the filter. If not, we load that part and then do the enforce.

For example, we have initial filter like:

p: vec!["", "domain1"]
g: vec!["", "domain2"]

Then suddenly we receive a request vec!["alice", "domain2"]; we find it doesn't match the filter, then we ask the adapter to load policies for domain2, and after that we enrich the initial filter by adding domain2.

GopherJ (Member) commented Apr 5, 2020

It will cause some performance downgrade for sure

xcaptain (Contributor, Author) commented Apr 6, 2020

The hard part is that when an enforce request happens, the filtered adapter needs to know which policies should be loaded (recursive search: policies for alice, policies for alice's group ...).

The Go version of casbin provides a simple example of how to filter by domain; this is simple because policies won't exist in 2 domains. This way is not ideal because only one domain may contain many policies.

xcaptain (Contributor, Author) commented Apr 6, 2020

Sorry, I may misunderstand the Go version of FilteredAdapter. Let's discuss an example here. We have

rbac_policy.csv

p, alice, data1, read
p, bob, data2, write
p, data2_admin, data2, read
p, data2_admin, data2, write
g, alice, data2_admin

An enforce happens

enforce("alice", "data2", "write") // should return true because data2_admin has this permission

Can a SQL query like

select * from casbin_rule where ptype='p' and v1='data2' union select * from casbin_rule where ptype='g' and v0='alice';

provide enough information to determine the enforce result?
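
An added example, not code from casbin-rs or from any participant in this thread: it runs the question above against the thread's own policy using a small self-contained evaluator. The `carol` and `auditors` rules and the `load`, `reachable` and `enforce` functions are constructed assumptions; the non-transitive filter mirrors the SQL above, and the transitive one goes beyond it by following `g` rules until no new role appears.

```rust
type Rule = [&'static str; 4]; // ptype, v0, v1, v2 ("" when unused)
// Stand-in for the casbin_rule table. Constructed sample: the thread's
// rbac_policy.csv plus a two-level chain carol -> auditors -> data2_admin.
static RULES: [Rule; 7] = [
    ["p", "alice", "data1", "read"],
    ["p", "bob", "data2", "write"],
    ["p", "data2_admin", "data2", "read"],
    ["p", "data2_admin", "data2", "write"],
    ["g", "alice", "data2_admin", ""],
    ["g", "carol", "auditors", ""],
    ["g", "auditors", "data2_admin", ""],
];

// Subject plus every role reachable through the g rules (cycle-safe).
fn reachable<'a>(rules: &'a [Rule], sub: &'a str) -> Vec<&'a str> {
    let (mut roles, mut i) = (vec![sub], 0);
    while i < roles.len() {
        let cur = roles[i];
        for r in rules {
            if r[0] == "g" && r[1] == cur && !roles.contains(&r[2]) {
                roles.push(r[2]);
            }
        }
        i += 1;
    }
    roles
}

// transitive = false mirrors the SQL in the comment (p rules for the object,
// g rules with v0 = subject); true also loads g rules of every reachable role.
fn load(sub: &str, obj: &str, transitive: bool) -> Vec<Rule> {
    let subjects = if transitive { reachable(&RULES, sub) } else { vec![sub] };
    RULES.iter().copied()
        .filter(|r| (r[0] == "p" && r[2] == obj) || (r[0] == "g" && subjects.contains(&r[1])))
        .collect()
}

// Allow if the subject or one of its roles (as seen in `loaded`) has a p rule.
fn enforce(loaded: &[Rule], sub: &str, obj: &str, act: &str) -> bool {
    let roles = reachable(loaded, sub);
    loaded.iter().any(|r| r[0] == "p" && roles.contains(&r[1]) && r[2] == obj && r[3] == act)
}

fn main() {
    for (sub, transitive) in [("alice", false), ("carol", false), ("carol", true)] {
        let ok = enforce(&load(sub, "data2", transitive), sub, "data2", "write");
        println!("{sub} transitive={transitive}: {ok}");
    }
}
```

For the thread's one-level policy the SQL-style subset gives the same answer as the full policy, but for `carol` it drops the `auditors -> data2_admin` link and the request is denied although the full policy allows it.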

GopherJ (Member) commented Apr 6, 2020

@xcaptain If the adapter has a function like: load_filtered_policy I think it's ok. Just like remove_filtered_policy.

But the difficulty for me is how to generate a more generic filter from a request. We don't want to load only one policy at a time. If we are using RBAC, maybe we can use domain for filtering, but I don't have a good idea for now.

In RBAC we can add a load_filtered_policy function for the adapter, and every time a new request comes, we check if its domain is in the list.

xcaptain (Contributor, Author) commented Apr 6, 2020

e.load_policy().await?;

This load_policy function will load all policies from the database. If we have a filtered adapter, we don't need to load policies in the new method. Execute load_filtered_policy in the enforce method.

GopherJ (Member) commented Apr 17, 2020

close as solved in #119

GopherJ closed this as completed Apr 17, 2020