
[Question] RBAC matcher function isn't called with inherited roles #1351

cannahum opened this issue Jan 2, 2024 · 1 comment


cannahum commented Jan 2, 2024

What's your scenario? What do you want to achieve?
I have an RBAC scenario where I'm trying to create policies with parameters in them. Then, by using a slightly more elaborate matcher function I'm trying to enforce users that I've assigned to these policies.
In my system say there are two entities: rooms and activities. Each activity belongs in a room. If a user has "authorization" to participate in a room, they have authorization to participate in every activity in that room. I'm trying to avoid creating policies per room (e.g. /room/1) by trying to use a pattern (e.g. /room/{roomID}). Please see my config, policies and tests below.
The pattern business is working well. The issue happens when I assign one of these roles to a user. When the user's name gets passed to the matcher function, g(r.sub, p.sub) returns true, but the rest of the matching function returns false.

Your model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act, eft

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && r.act == p.act && \
    keyMatch5(r.obj, p.obj) && \
    keyGet3(r.sub, p.sub, 'roomID') == keyGet3(r.obj, p.obj, 'roomID')

NOTE: e.AddNamedMatchingFunc("g", "keyMatch3", casbinutil.KeyMatch3)

Your policy:

p, room_{roomID}_participant, room/{roomID}, read, allow
p, room_{roomID}_participant, room/{roomID}/*, read, allow
p, room_{roomID}_participant, room/{roomID}/*, write, allow

Your request(s):

room_1_participant, room/1, read ---> true (expected: true)
room_1_participant, room/1/activity/a, read ---> true (expected: true)
room_1_participant, room/1/activity/a, write ---> true (expected: true)
room_1_participant, room/1/activity/b, read ---> true (expected: true)
room_1_participant, room/1/activity/b, write ---> true (expected: true)
room_1_participant, room/2/activity/a, read ---> false (expected: false)
room_1_participant, room/2/activity/a, write ---> false (expected: false)

So far, everything worked as expected. Here is where things don't work:

Your policy:

g, harry, room_1_participant

Your request(s):

harry, room/1, read ---> false (expected: true)

It looks like in the matcher function the r.sub is always harry and never gets swapped with room_1_participant. Maybe I didn't set up my matcher function correctly to use the roles that users inherit. I would appreciate some help here. Thank you!
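
The behaviour described in the question, reproduced as an added example (this is not code from the casbin project or from the issue's author). keyMatch3, keyMatch5 and keyGet3 are re-implementations written for this example to follow the documented semantics of the Casbin util functions of the same names (an assumption; check them against the library's own tests before relying on them), g() is a toy stand-in for the role manager after AddNamedMatchingFunc("g", ..., KeyMatch3), the policy and role tables are constructed sample data copied from the question, and matchViaRoles is a hypothetical re-ordering of the matcher that resolves the subject's roles before comparing the roomID values. None of these are Casbin APIs.

```go
package main

import (
	"regexp"
	"strings"
)

// paramRe matches a {name} path variable, as in room/{roomID}.
var paramRe = regexp.MustCompile(`\{[^/]+?\}`)

// keyMatch3 reports whether key1 matches key2, where key2 may contain
// {name} segments and a trailing /* wildcard (re-implemented for this example).
func keyMatch3(key1, key2 string) bool {
	key2 = strings.ReplaceAll(key2, "/*", "/.*")
	key2 = paramRe.ReplaceAllString(key2, "[^/]+")
	return regexp.MustCompile("^" + key2 + "$").MatchString(key1)
}

// keyMatch5 is keyMatch3 with any ?query on key1 stripped first.
func keyMatch5(key1, key2 string) bool {
	if i := strings.Index(key1, "?"); i != -1 {
		key1 = key1[:i]
	}
	return keyMatch3(key1, key2)
}

// keyGet3 returns the value bound to {pathVar} in key2 when key1 matches,
// or "" when key1 does not match key2 at all (the case the question hits).
func keyGet3(key1, key2, pathVar string) string {
	names := paramRe.FindAllString(key2, -1)
	key2 = strings.ReplaceAll(key2, "/*", "/.*")
	key2 = paramRe.ReplaceAllString(key2, "([^/]+)")
	m := regexp.MustCompile("^" + key2 + "$").FindStringSubmatch(key1)
	if m == nil {
		return ""
	}
	for i, n := range names {
		if n[1:len(n)-1] == pathVar {
			return m[i+1]
		}
	}
	return ""
}

// policy mirrors the p rules from the question (constructed sample data).
type policy struct{ sub, obj, act string }

var policies = []policy{
	{"room_{roomID}_participant", "room/{roomID}", "read"},
	{"room_{roomID}_participant", "room/{roomID}/*", "read"},
	{"room_{roomID}_participant", "room/{roomID}/*", "write"},
}

// roles is the g rule: user -> directly assigned roles (constructed sample data).
var roles = map[string][]string{"harry": {"room_1_participant"}}

// g is a toy stand-in for a role manager whose matching function is keyMatch3:
// a link exists if sub itself, or one of sub's roles, matches the role pattern.
func g(sub, rolePattern string) bool {
	for _, c := range append([]string{sub}, roles[sub]...) {
		if c == rolePattern || keyMatch3(c, rolePattern) {
			return true
		}
	}
	return false
}

// matchAsWritten evaluates the matcher exactly as the model spells it:
// g() follows the role link, but keyGet3 still sees the raw r.sub ("harry"),
// which carries no {roomID}, so the equality clause compares "" with "1".
func matchAsWritten(sub, obj, act string) bool {
	for _, p := range policies {
		if g(sub, p.sub) && act == p.act && keyMatch5(obj, p.obj) &&
			keyGet3(sub, p.sub, "roomID") == keyGet3(obj, p.obj, "roomID") {
			return true
		}
	}
	return false
}

// matchViaRoles (hypothetical) resolves the subject's roles first and runs the
// parameter comparison against each candidate, so the roomID bound in the
// role name is the one compared with the roomID bound in the object path.
func matchViaRoles(sub, obj, act string) bool {
	candidates := append([]string{sub}, roles[sub]...)
	for _, p := range policies {
		if act != p.act || !keyMatch5(obj, p.obj) {
			continue
		}
		for _, c := range candidates {
			if keyMatch3(c, p.sub) &&
				keyGet3(c, p.sub, "roomID") == keyGet3(obj, p.obj, "roomID") {
				return true
			}
		}
	}
	return false
}
```

Calling matchAsWritten("harry", "room/1", "read") returns false while matchViaRoles returns true for the same request, and both return false for harry against room/2. Two caveats worth keeping in mind with this style of policy: because g() uses keyMatch3 on role names, any subject whose own identifier happens to fit room_{roomID}_participant is linked to the role pattern without a g rule, so user identifiers must never be allowed to take that shape; and keyGet3 returns "" whenever its key does not match, so a policy whose object pattern lacks {roomID} would make the equality clause compare "" with "" and pass.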

@casbin-bot
Member

@tangyang9464 @JalinWang
