New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Question]I don't know how to implement my matchers. #1111
Comments
The matcher can't support priority.
|
Thank you for your reply。 But the priority model will only select a matching strategy, but in fact I need to obtain all matching results of the same priority, and comprehensively calculate bysome(where (p.eft == allow)) && !some(where (p.eft == deny)) |
@JalinWang I don't know if I understand it right. The priority model can only match one policy, even if multiple policies have the same priority. But I need to get the result by combining multiple policies with the same priority. |
@hsluoyz Thank you. I'll read and try it. |
@Zacama I am following your issue. If the issue is solved, please ignore below comments. I also tried your model, policy and request in casbin online editor. It failed with "Cannot use 'in' operator to search for '111' in false". |
@DavidLetGo Hello DavidLetGo, thank you for your attention. I haven't looked into it carefully as I have other things to do. But it may not seem to work because I'm using ABAC instead of RBAC. The reason why there are multiple ids in a query is because the subject of the policy can be a department, not just a person, so the policy that needs to be hit when querying is the subject's id of the person or the id of all the departments he belongs to.
But when I execute this program casbin returns an error: |
please try e.BatchEnforce |
@DavidLetGo Hello DavidLetGo, thank you. While this allows for multiple computations at the same time, it loses the priority of the policy. If only the following two strategies are hit:
In the end, it should be allow, not deny because when the result of the hit contains both medium and high-level strategies, the medium strategy should be discarded. Apparently BatchEnforce can't do this. And this moves part of the calculation into the code, the model are actually incomplete. |
@Zacama BatchEnforce() will also iterate on all policy rules, so priority still works. BatchEnforce() just try to do multiple Enforce() calls in a parallel way. |
Want to prioritize this issue? Try:
What's your scenario? What do you want to achieve?
I am using ABAC models and the policies has two priority(not the priority model) level: medium and high. I don't how to modify this matcher to achieve that when both strategies of priority levels are matched, discard the medium policies and use the high policies to calculate the final result. And If policies with only one priority level are matched, then none of the policies will be discarded.
Your model:
Your policy:
Your request(s):
The matched strategy should be the following two
p, high, 1114, data1, write, allow
p, high, 1113, data1, write, deny
The text was updated successfully, but these errors were encountered: