Separating roles->permission data from user->roles data #230

Closed
pchakravarthy opened this issue May 18, 2019 · 3 comments

@pchakravarthy

I really like the casbin library. I am trying to figure out how the following can be achieved. Maybe this is a simple question, but I would like to get help in configuring casbin to support this scenario.

  1. We want to implement RBAC with domains as we support access to multiple products / features in one user account
  2. We want the role -> permission data in a config file. eg: table_reader(role) has read access to table X. Our code in different parts will check if the user's role is eligible for accessing that feature.
  3. We want the user -> role data stored in database as we want to provision new users and customers using our web app.

As I understand it, #2 and #3 data is clubbed together in casbin. Would like some examples on how we can separate them.

@hsluoyz
Member

hsluoyz commented May 18, 2019

Hi @pchakravarthy, given that you want to store the g policy rules (user -> role) in DB, it's easier to use an existing DB adapter to do it. So there are only g rules in your DB.

For handling the p rules (role -> permission), there can be more ways. I can think of two solutions at least:

  1. Read the config file in your own way, then call Management API to dynamically load the rules into an enforcer.

  2. Use another adapter (so you are using one adapter for g and another adapter for p); it can be the built-in File Adapter, JSON Adapter, or String Adapter (https://casbin.org/docs/en/adapters). Init a temporary enforcer with this adapter, then get the policy rules from this temporary enforcer and add them to your own enforcer. This way reuses the adapter mechanism, but may need more policy copying.

A 3rd way would be defining a role manager to handle the g policy rules totally on your own (https://casbin.org/docs/en/role-managers). So you let Casbin handle the p rules with the built-in file adapter and you handle the g rules with your own defined role manager (like reading DB).

@hsluoyz hsluoyz self-assigned this May 18, 2019
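
The split discussed in this thread (role -> permission rules in a file, user -> role rows in a separate store), as an added standard-library sketch that is not Casbin's code or API and not part of the original comments. `permFile`, `RoleStore`, `memStore`, `LoadPerms` and `Allowed` are hypothetical names, and the policy lines and users are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed role -> permission file in Casbin's CSV layout: p, role, domain, object, action.
const permFile = "p, table_reader, productA, tableX, read\np, table_admin, productA, tableX, write\n"

// RoleStore stands in for the database of user -> role rows (hypothetical interface).
type RoleStore interface{ HasRole(user, role, dom string) bool }
// memStore is a constructed in-memory stand-in, keyed by {user, role, domain}.
type memStore map[[3]string]bool
func (m memStore) HasRole(user, role, dom string) bool { return m[[3]string{user, role, dom}] }

type perm struct{ role, dom, obj, act string }

// LoadPerms accepts only well-formed p lines; a g line is an error, so user assignments cannot enter through the file.
func LoadPerms(text string) ([]perm, error) {
	var out []perm
	for _, line := range strings.Split(text, "\n") {
		if line = strings.TrimSpace(line); line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.FieldsFunc(line, func(r rune) bool { return r == ',' || r == ' ' })
		if len(f) != 5 || f[0] != "p" {
			return nil, fmt.Errorf("unexpected rule %q", line)
		}
		out = append(out, perm{f[1], f[2], f[3], f[4]})
	}
	return out, nil
}

// Allowed denies by default: a p rule must match and the store must confirm the role in the same domain.
func Allowed(perms []perm, rs RoleStore, user, dom, obj, act string) bool {
	for _, p := range perms {
		if p.dom == dom && p.obj == obj && p.act == act && rs.HasRole(user, p.role, dom) {
			return true
		}
	}
	return false
}

func main() {
	perms, err := LoadPerms(permFile)
	db := memStore{{"alice", "table_reader", "productA"}: true}
	fmt.Println(err, Allowed(perms, db, "alice", "productA", "tableX", "read"))
}
```

Rejecting `g` lines at load time keeps the file limited to reviewed role definitions, and the role lookup is scoped to the request's domain so a role held in one product grants nothing in another.
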
@pchakravarthy
Author

@hsluoyz Thank you for the update. I will follow your advice.

@hsluoyz
Member

hsluoyz commented May 21, 2019

OK. Closed as resolved.

@hsluoyz hsluoyz closed this as completed May 21, 2019