[RFC]support RBAC #126
Comments
@jinmingjian I'm glad that the casbin-rs community is helping us to do this, so I update our primary plans here based on the discussions before. Please correct me if there is any problem. Basically, we need two kinds of policies, which:
These two rules might be described by:
In addition, we need to find a way to dynamically update the policies during runtime. This might be done by a housekeeper which loads the policy file immediately after it changes. Or it would be nice if casbin-rs can support this function.
@whjpji So, this is based on my understanding of the policy requirement. I think this would need two Casbin enforcers based on the two policy requirements. For the first case, we could simply use an Access Control List based policy if the users do not have many databases/access patterns in common. Otherwise, if there are many users who have access to a specific database with the same access patterns, we could optimize it to use an RBAC model. For example, the model in this case could be:
And the policy could be:
This would mean For the second case, assuming quota means quota limits we can create a similar RBAC model for this which will use the priority effect. An example model could be:
And the policy could be:
So, when we send an enforcement request with user and quota used parameters - it compares if the user has access to the computing resources and if the current used quota is less than the quota limits. Here This is just a rough idea, I believe this can be made better. Please correct me if anything is wrong. (cc: @hsluoyz @hackerchai @PsiACE)
@whjpji thanks for updating detailed thoughts for this issue. I think we should have a unified model rather than two. And there are some dynamic requirements like quota here.
@rushitote thanks for sharing your great idea! It is good material to reference!
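The two checks described in the comment above (role-based database access, then a quota comparison), as an added std-only Rust example. It is not the commenter's Casbin model or casbin-rs code; the role names, resources, limits and the rule that the smallest applicable limit wins are assumptions.

```rust
use std::collections::{HashMap, HashSet};

// Constructed policy store (assumption, not casbin-rs): g = subject -> inherited roles,
// p = (role, object, action), quota = role -> limit.
struct Policy<'a> {
    g: HashMap<&'a str, Vec<&'a str>>,
    p: HashSet<(&'a str, &'a str, &'a str)>,
    quota: HashMap<&'a str, u64>,
}

impl<'a> Policy<'a> {
    // The user plus every role reached transitively through g; `seen` guards against cycles.
    fn subjects(&self, user: &'a str) -> HashSet<&'a str> {
        let mut seen = HashSet::new();
        let mut stack = vec![user];
        while let Some(s) = stack.pop() {
            if seen.insert(s) {
                if let Some(roles) = self.g.get(s) {
                    stack.extend(roles.iter().copied());
                }
            }
        }
        seen
    }

    // Default deny: allowed only if some subject has a matching p rule.
    fn can_access(&self, user: &'a str, obj: &'a str, act: &'a str) -> bool {
        self.subjects(user).iter().any(|s| self.p.contains(&(*s, obj, act)))
    }

    // Access AND used < limit. Assumption: smallest applicable limit wins; no limit means deny.
    fn within_quota(&self, user: &'a str, resource: &'a str, used: u64) -> bool {
        let limit = self.subjects(user).iter().filter_map(|s| self.quota.get(*s)).min().copied();
        self.can_access(user, resource, "use") && limit.map_or(false, |l| used < l)
    }
}

// Constructed sample data: alice -> analyst -> reader, bob -> reader.
fn sample_policy() -> Policy<'static> {
    Policy {
        g: HashMap::from([("alice", vec!["analyst"]), ("analyst", vec!["reader"]), ("bob", vec!["reader"])]),
        p: HashSet::from([("reader", "db1", "read"), ("analyst", "db1", "write"), ("analyst", "cpu", "use")]),
        quota: HashMap::from([("analyst", 100)]),
    }
}

fn main() {
    let pol = sample_policy();
    println!("alice cpu at 99: {}", pol.within_quota("alice", "cpu", 99));
}
```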
Based on the current capability of TB, I have a primary plan to support access control:
@whjpji self-hosted access control is cool, and we thank the casbin framework for policy as well :)
Blocked on #230, and I'm going to fix it first.
This will be done in some configuration file rather than the DDL dialect in ClickHouse.
We may reuse some existing libraries, for example, casbin-rs.