
[Question] RABC With Resource Roles not meet expectations #693

Closed
yiranzai opened this issue Jan 29, 2021 · 6 comments

yiranzai commented Jan 29, 2021

What's your scenario? What do you want to achieve?

Hi, Team

  • p: Since the adapter does not support p2, I designed the p.type to distinguish it
  • g represents the relationship between user and roles
  • g2 represents the relationship between resource entities and resources
  • g3 represents the relationship between a user and a resource entity

Now, when p.type = 'b', I want to ignore the g3 rule.
When p.type = 'a', I want the g3 rule to have to be satisfied.

Now I have two users, allen and bob.
bob is the admin and he can read all the deal information.
There are now two deals, with ID 1 and ID 2 (refer to the g2 rules).
allen is the deal.leader in the deal with ID 1 (g3).
Since all the deals can be seen by the deal.leader (p), he can read the deal with ID 1.

But now allen can read the deal with ID 2. Why?

Your model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act, type

[role_definition]
g = _, _
g2 = _, _
g3 = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = ((p.type == 'a' && g3(r.sub, p.obj)) || p.type == 'b') && r.act == p.act && g(r.sub, p.sub) && g2(r.obj, p.obj)

Your policy:

p, deal.leader, deal, read, a
p, admin, deal, read, b

g, allen, deal.leader
g, bob, admin

g2, deal_id_1, deal
g2, deal_id_2, deal

g3, allen, deal_id_1

Your request(s):

allen, deal_id_1, read ---> true (expected: true)
allen, deal_id_2, read ---> true (expected: false)

bob, deal_id_2, read ---> true (expected: true)
bob, deal_id_1, read ---> true (expected: true)
hsluoyz (Member) commented Jan 29, 2021

@closetool plz take a look.

kilosonc (Contributor) commented

@yiranzai You got something wrong: g represents "a has role b". If you want to describe ownership, you should use p.

yiranzai (Author) commented

@closetool

I don't really understand. Like:

p, allen, deal_id_1, read
p, allen, deal_id_2, read

???

p doesn't seem to be enough.

Because allen is the deal.leader of the deal with id 1, and the deal.leader has read privileges on the deal, allen has read privileges on the deal with id 1.

yiranzai (Author) commented

rbac_with_resource_roles_policy.csv

In this scenario, my understanding is that g stands for maintaining role/group relationships and g2 stands for object instance/object relationships.

hsluoyz (Member) commented Jan 29, 2021

@yiranzai your matcher is wrong: the g3 part should be g3(r.sub, r.obj). See: https://casbin.org/en/editor

yiranzai (Author) commented

@hsluoyz emmm, stupid low-level mistake.
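The following is an added, self-contained example (not Casbin's code and not from the issue author) that re-implements just enough of Casbin's evaluation to check the corrected matcher against the four requests in the thread. It assumes that g, g2 and g3 behave as transitive role links (name1 -> name2, with a name linked to itself) and that the effect "some(where (p.eft == allow))" means "allow if any p line matches"; the policy lines are embedded verbatim from the issue so it runs offline.

```python
# Added example, not Casbin's own implementation: a minimal evaluator for the
# model in this issue, used to compare the original matcher g3(r.sub, p.obj)
# with the corrected matcher g3(r.sub, r.obj).
# Assumption: each g/g2/g3 relation is a transitive link graph, as in a
# Casbin role manager, and the effect is "any policy line matches".
from collections import defaultdict


class RoleLinks:
    """One grouping relation (g, g2 or g3) with a transitive has_link check."""

    def __init__(self):
        self.links = defaultdict(set)

    def add(self, name1, name2):
        self.links[name1].add(name2)

    def has_link(self, name1, name2):
        # A name is trivially linked to itself; otherwise walk the link graph.
        if name1 == name2:
            return True
        seen, stack = set(), [name1]
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            for nxt in self.links.get(cur, ()):
                if nxt == name2:
                    return True
                stack.append(nxt)
        return False


# The policy file from the issue, embedded so the example runs offline.
POLICY_CSV = """
p, deal.leader, deal, read, a
p, admin, deal, read, b
g, allen, deal.leader
g, bob, admin
g2, deal_id_1, deal
g2, deal_id_2, deal
g3, allen, deal_id_1
"""


def load_policy(csv_text):
    """Split the CSV into p lines (as dicts) and one RoleLinks per g/g2/g3."""
    policies = []
    groups = {name: RoleLinks() for name in ("g", "g2", "g3")}
    for line in csv_text.strip().splitlines():
        ptype, *fields = [f.strip() for f in line.split(",")]
        if ptype == "p":
            sub, obj, act, typ = fields
            policies.append({"sub": sub, "obj": obj, "act": act, "type": typ})
        else:
            groups[ptype].add(*fields)
    return policies, groups


def matcher_fixed(r, p, g, g2, g3):
    """Matcher as corrected in the thread: g3 is checked against r.obj,
    the requested deal instance, not the policy's resource type."""
    return (
        ((p["type"] == "a" and g3.has_link(r["sub"], r["obj"])) or p["type"] == "b")
        and r["act"] == p["act"]
        and g.has_link(r["sub"], p["sub"])
        and g2.has_link(r["obj"], p["obj"])
    )


def matcher_original(r, p, g, g2, g3):
    """Matcher as first posted: g3(r.sub, p.obj) compares the user with the
    resource type ("deal"), so it never looks at which deal was requested."""
    return (
        ((p["type"] == "a" and g3.has_link(r["sub"], p["obj"])) or p["type"] == "b")
        and r["act"] == p["act"]
        and g.has_link(r["sub"], p["sub"])
        and g2.has_link(r["obj"], p["obj"])
    )


POLICIES, GROUPS = load_policy(POLICY_CSV)


def enforce(sub, obj, act, matcher=matcher_fixed):
    """some(where (p.eft == allow)): allow if any policy line matches."""
    r = {"sub": sub, "obj": obj, "act": act}
    return any(matcher(r, p, GROUPS["g"], GROUPS["g2"], GROUPS["g3"]) for p in POLICIES)


if __name__ == "__main__":
    for sub, obj in [("allen", "deal_id_1"), ("allen", "deal_id_2"),
                     ("bob", "deal_id_2"), ("bob", "deal_id_1")]:
        print(sub, obj, "read --->", enforce(sub, obj, "read"))
```

With the corrected matcher, allen is allowed on deal_id_1 (g3 links him to that instance) and denied on deal_id_2, while bob's type 'b' policy skips the g3 check and grants him both. The original matcher asks g3 about the policy's resource type rather than the request's object, so for allen it returns the same answer for deal_id_1 and deal_id_2: an instance-level ownership check has to reference r.obj.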
