-
-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Scaling ABAC Rules #354
Comments
I think you want to write ABAC expressions in policy rules instead of matcher. But a blocking issue is that Golang is a static language. How to load dynamic rules into static logic? |
Just my two cents here: It would be great if it was possible to use any custom function (a predicate) instead of current "effect" function, the same way we can extend the matcher with custom functions. Then we could use arbitrary expressions on the result of the match, and casbin would be much more general. I don't know how difficult is to provide pluggable/extensible functions in casbin/go. But in python, for instance, this should not be very difficult. Just make the enforcer to accept a function (matched_rules -> boolean) that, if defined, would be used instead of the built-in expressions such as (some(where (p.eft == allow)). This could also have the benefit that we could have an Enforcer that returns other things than a boolean. |
In cases as posted, where ABAC rules get more complex, clingy and so as to say infeasible to add entire boolean expressions to the matchers, we must use custom function registering member function which is already implemented in the enforcer
This can be definitely a solution to this problem, but this is open for discuss1.ion |
We should have a way to write ABAC policy like |
Do you mean we need to define policy like this
We just need to generate a matcher for each policy. I am doing this now, but it will take some time. |
That approach can work for some scenarios, but I doubt it is general enough. Wouldn't be easier to just allow to inject any function that takes the matched rules and return the effect? |
Yes, In my way, we can also write function like this
|
I have been working on this from last 5 days, Let's take the original example :
Now, the CONF file looks like this,
|
A lot more complexity would be scaled in this way, a lot more functions can be employed in this way to carry the complexity of ABAC rules with it in this way. |
If we add the ABAC rules in the policy file, it will bloat the entire file with it. |
What do you think, @jruizaranguren and @hsluoyz? |
Hi ~ @divypatel9881
So it is difficult to generalize with a single matcher. In addition, Your one matcher works on all resources, and the focus is on some resources |
Well, @dovics it was just an example, you can concatenate more restrictions like this,
I thought it was understood, but I hope, I have made more clearer for you by this. |
Thank you for your explanation, you are correct, this does solve the problem, But these functions need to be defined by the user. Don't you think that the user needs to do too much work?
You don't think this solution is simpler I can't find the difference with single matcher
Maybe your solution has more features, can you show me? |
Yeah, why not, for example, you can,
CONF file :
It's literally up to user how he wants to make the ABAC policies, it gives a huge range of flexibility. |
You can certainly reduce the code in the functions, by using control structures like |
@divypatel9881, your approach is very interesting, but I see two problems:
Thus, any function that we use within matcher, can only serve to filter policy rules. But we may build arbitrary predicate models over the rules that depend on context (ABAC). We may check cardinality, use implication, or even machine learning models. This could be more easily solved, simply by allowing the injection of custom effect functions:
e.add_effect(custom_effect) And we can define any logic in a Turing complete language at our disposal. This is a great balance between what casbin offers you without customization, and what can you achieve when needed. |
Oh, then how do you suggest to encode data in policy model? Do you have some ideas regarding this? |
@jruizaranguren can you elaborate on your solution? |
@jruizaranguren I don't think custom effect is good and will help solving the problems in this issue, but I do agree many people want :
including me...To implement this we need something similar like a json rule engine https://www.npmjs.com/package/json-rules-engine and the users will be able to give: r.sub
then our json rule parsed from policy
I would really to have this in casbin and I'll try to implement in casbin-rs. |
@jruizaranguren Your senario isn't that easy, because it requires keeping many things in memory. Let's say a subset of policies which are related to request. However to achieve this we need to keep a subset of policies in memory to be returned. That's not good... If you want only |
@GopherJ Managing or not policies in memory is a matter of plumbing and specific scenarios and infrastructure. In the cases I see, with up to only thousands of policies, I find that having all of them in memory is the best approach and the most efficient. Returnin tens or hundreds of policies that will feed the effect function is not a big deal. In any case, I can't think a scenario where your matcher returns large subset of policies. |
@jruizaranguren Ok after some thoughts I think it's ok. I've also made some new tests to try to solve this issue in casbin-rs: casbin/casbin-rs#121 Now in model we can define some thing like this: [request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = Any(_) && r.obj == p.obj && r.act == p.act
# Any(_) is the place holder which matches Any(....) in policy
# inside `Any()` we can put abac rules and use `r.sub, r.obj, r.act, &&, ||` etc and in policy we can write like this:
This policy means that we don't care who is the person sending request, but his/her age should be greater than 18, if yes then he/she will be able to I made it works in casbin-rs, not sure if we should do like this but I think it may helps solving some problems. |
Will |
Can anyone sync casbin/casbin-rs#121 to casbin golang? |
@harsimranb this issue is solved, please see: https://casbin.org/docs/abac#scaling-the-model-for-complex-and-large-number-of-abac-rules |
I just found this page and wanted to provide a link update for anybody who stumbles upon this in the future. The correct link mentioned above is now https://casbin.org/docs/abac#scaling-the-model-for-complex-and-large-number-of-abac-rules |
@jlecount link updated, thanks! |
I am looking to support ABAC for a CMS-type system, where there could be thousands to potentially even more ABAC rules. Writing one long matcher isn't feasible in this case, nor is having multiple enforcers. Is there any other workaround this?
An ABAC policy for us is something like
If user age is between 24 and 64, then they can "view" some "resource"
. Any thoughts?Also, if this isn't supported, yet, what's the roadmap for something like this?
The text was updated successfully, but these errors were encountered: