New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
suggestion: add YAML support for model #432
Comments
We can add support for YAML but do not break current API. |
Here want to collection some YAML config. |
consider multiple |
@hsluoyz @nodece I also think we should move to Also we should maybe find a way to indicate which To implement multiple |
To summary:
Also: If we would like to use matcher in other matchers, we also need to find a better way to store this information into model. Like Image the following matchers: m = r.sub == p.sub
m2 = r.dom == p.dom
m3 = r.obj == p.obj
m5 = m && m2
m6 = m3 && m5 When we calculate When we calculate If we would like to use matcher in other matchers, we also need to find a better way to store this information into model. Like m3 = m && !m2, we should at least have the information that m3 will relies on m and m2. This will help to improve bench. |
m2 maps to e2 and p2.
We will support both p, p2, p3... and p["basic"], p["admin"], ...
Matchers can be referred as m2 or m["admin"] in another matcher. |
The latter is not supported yet, we also don't know which p are we using for
It requires knowing the reference relationshop, otherwise we will need to calculate every |
We provide a YAML config: request_definition:
- name: r
token:
- sub
- obj
- act
policy_definition:
- name: p
token:
- sub_rule
- obj
- act
- name: p2
token:
- sub_rule
- obj
- act
matchers:
- name: m
token: eval(p.sub_rule) && r.obj == p.obj && r.act == p.act
effect: some(where (p.eft == allow))
- name: m1
token: eval(p.sub_rule) && r.obj == p.obj && r.act == p.act
effect: some(where (p.eft == allow))
- name: m2
token: m && m1 && eval(p2.sub_rule) && r.obj == p2.obj && r.act == p2.act
with:
- m # Use matcher name is m
- m1 # Use matcher name is m1
effect: some(where (p.eft == allow)) It looks very complicated, but we support autocomplete, so easy. |
@nodece autocomplete can be useful only when we are turing-complete |
How to be turing-complete? |
@hsluoyz My idea on turing complete is:
|
new basic_model conf example: [request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[policy_effect]
e = p.some(x => m(x) == true)
[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act should be converted to: function enforce(req: string[]. policies: string[][]): boolean {
let r = {};
let p = [];
let rtokens = ["sub", "obj", "act"];
let ptokens = ["sub", "obj", "act"];
function e(p: string[][]): boolean {
return p.some(x => m(x) == true)
}
for (i, rtoken) in rokens {
r[rtoken] = req[i];
}
for (i, rule) in policies {
for (j, ptoken) in ptokens {
let tmp = {};
tmp[ptoken] = rule[j];
p.push(tmp);
}
}
function m(p: string[]): boolean {
return r.r.sub == p.sub && r.obj == p.obj && r.act == p.act
}
return e(p);
} we just need to use evaluation engine to call this function with |
The advantage is that every assignment will be taken into account |
How to dynamically generate such a function? Also govaluate can only evaluate expressions? |
I believe this can only be supported by a few expression evaluator, rhai will be able to support this type of thing. If I managed to have a general idea, I can try on casbin-rs. In my point of view, To support |
Your idea looks interesting. But:
But it's a nice try. Maybe a minor improvement for now is to evaluate the effect like matcher too. Currently it's hard-coded. |
@hsluoyz Yes, I think that can be a start, in my example we don't |
General speaking it should be slower, but except of converting model.conf a real script, I cannot see how to achieve turing complete. Let's gather more ideas and decide how to improve ~ |
This is often not the case, because many evaluators target at |
How is evaluator like govaluate working? It's like Docker or run-time instruction translation? And if we choose this function idea. Why not just re-write Casbin in Lua and embed a Lua interpreter for all languages? |
@hsluoyz evaluator parses string as AST then use Yes it's possible, I haven't used lua yet. but we definitly need some powerful script language interpreter. Maybe that's why that person choosed to use python |
The number looks nice. Expecting your result. |
@hsluoyz While thinking more, I think it can also be dangerous to use lua stuff, because it looks more like a real language, that means it may raise security issue since I haven't found how to limit user's input. |
AFAIK, Lua has a JIT. That's gonna make it fly!
Any time you jump out to C/C++, you break open the sand box and depends solely on the code quality of the external library. For a security-oriented project maybe not a good idea to trade performance with safety... |
We have a Lua-Casbin now: https://github.com/casbin/lua-casbin Closed here. |
YAML is a human friendly data serialization standard for all programming languages.
It can help users to write and verify the model .
How to help users to write and verify the model?
We need to write the
YAML schema
then IDE can provides hints based uponYAML schema
provided to helps user write schema efficiently.Please refer to https://dzone.com/articles/two-ways-configuration-documentation-with-springnb to write YAML schema then publish to https://github.com/SchemaStore/schemastore.
The text was updated successfully, but these errors were encountered: