
[Bug] - Domain manager rebuild() infinite loop?

Open kizjig opened this issue 3 years ago • 6 comments



**Describe the bug** When adding a domain matching function to the default RoleManager, it triggers a rebuild call of the internal DomainManager; this function never seems to finish executing on a large dataset. Internally it seems to be trying to "AddLinks" forever.

**Model - HRBAC with ABAC**

```
[request_definition]
r = sub, tenant, perm, act, eft

[policy_definition]
p = sub, tenant, perm, act, eft

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = (g(r.sub, p.sub, r.tenant) && keyMatch4(r.tenant, p.tenant) && r.perm == p.perm && regexMatch(r.act, p.act))
```

**Policy data** Here's a small sample of some of the policy data, showing permissions with actions grouped under roles, and wildcarding on the role_superuser1 grouping so it can work across X tenants. Typically the policy dataset is ~45000 database rows.

For example, user id 7073 is a super user and can do anything across any tenant, whereas user 65716 is just a creator for tenant 753.

```
p,role_superuser1,tenant/{id},tenant,(^view$)|(^manage$),allow,
p,role_superuser1,tenant/{id},dashboard,login,allow,
p,role_superuser1,tenant/{id},model_upload_max_size,large,allow,
p,role_superuser1,tenant/{id},presentation,(^local$)|(^remote$),allow,
p,role_superuser1,tenant/{id},invite,(^create$)|(^delete$)|(^edit$)|(^view$),allow,
p,role_superuser1,tenant/{id},library,(^create$)|(^edit$)|(^view$)|(^delete$),allow,
p,role_superuser1,tenant/{id},desktop,login,allow,
p,role_presenter1,tenant/{id},dashboard,login,deny,
p,role_presenter1,tenant/{id},tenant,view,allow,
p,role_creator1,tenant/{id},dashboard,login,allow,
p,role_creator1,tenant/{id},invite,(^create$)|(^edit$)|(^view$),allow,
p,role_creator1,tenant/{id},tenant,view,allow,
p,role_creator1,tenant/{id},model_upload_max_size,medium,allow,
p,role_creator1,tenant/{id},presentation,(^local$)|(^remote$),allow,
p,role_creator1,tenant/{id},library,(^create$)|(^edit$)|(^view$)|(^delete$),allow,
p,role_creator1,tenant/{id},desktop,login,allow,
g,7073,role_superuser1,tenant/*,,,
g,7073,role_presenter1,tenant/34,,,
p,7073,tenant/1,tenant,manage,allow,
g,65716,role_creator1,tenant/753,,,
p,65716,tenant/753,tenant,manage,allow,
```

I can email/private message a copy of the full policy dataset for bug replication.

**To Reproduce** Steps to reproduce the behavior:

  1. Go to load the data into an enforcer
  2. Set up the default role manager with a domain matching function: roleManager.AddDomainMatchingFunc("KeyMatch", util.KeyMatch)
  3. Notice that the function never exits.

**Expected behavior** No infinite loop/long running behaviour

**Desktop (please complete the following information):**

  • OS: MacOS 12.1
  • Golang v1.18
  • Version Casbin v2.47.1

**Additional context** If I load this dataset with an older version of Casbin, v2.31.4, I don't have this infinite loop problem, but my Enforce calls against the model and policy data set are extremely slow, ~10-12 seconds, similar to what's reported in this issue: https://github.com/casbin/casbin/issues/1004



kizjig, Jun 07 '22 01:06
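Added example, not part of the original issue and not Casbin's code: a standard-library Go stand-in for the model above, run over a subset of the quoted policy rows, showing what the domain matching function from step 2 changes for the `tenant/*` grouping. The names `exact`, `keyMatch` and `enforce`, and the simplified `keyMatch4` handling, are assumptions of this example; role-to-role links are not modelled.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Subset of the rows quoted in the issue, trailing empty CSV fields dropped.
const policyCSV = `p,role_superuser1,tenant/{id},dashboard,login,allow
p,role_presenter1,tenant/{id},dashboard,login,deny
p,role_creator1,tenant/{id},library,(^create$)|(^edit$)|(^view$)|(^delete$),allow
g,7073,role_superuser1,tenant/*
g,7073,role_presenter1,tenant/34
g,65716,role_creator1,tenant/753`

var token = regexp.MustCompile(`\{[^/]+\}`) // {name} path parameter, for a simplified keyMatch4

// Domain comparison: exact (no matching function set) vs. a util.KeyMatch stand-in.
func exact(key, pattern string) bool { return key == pattern }
func keyMatch(key, pattern string) bool {
	prefix, _, star := strings.Cut(pattern, "*") // '*' matches any suffix
	return (star && strings.HasPrefix(key, prefix)) || key == pattern
}

// enforce applies the issue's matcher and effect (some allow and no deny).
func enforce(domainMatch func(key, pattern string) bool, sub, tenant, perm, act string) bool {
	roles := map[string]bool{sub: true} // g(x, x, dom) holds for the subject itself
	rows := strings.Split(policyCSV, "\n")
	for _, r := range rows { // direct role links only
		if f := strings.Split(r, ","); f[0] == "g" && f[1] == sub && domainMatch(tenant, f[3]) {
			roles[f[2]] = true
		}
	}
	var allow, deny bool
	for _, r := range rows {
		f := strings.Split(r, ",")
		if f[0] != "p" || !roles[f[1]] || perm != f[3] {
			continue
		}
		tenantOK, _ := regexp.MatchString("^"+token.ReplaceAllString(f[2], "[^/]+")+"$", tenant)
		actOK, _ := regexp.MatchString(f[4], act) // regexMatch(r.act, p.act), unanchored
		if tenantOK && actOK {
			allow, deny = allow || f[5] == "allow", deny || f[5] == "deny"
		}
	}
	return allow && !deny
}

func main() { fmt.Println(enforce(keyMatch, "7073", "tenant/99", "dashboard", "login")) }
```

With `exact`, the `tenant/*` grouping never applies to `tenant/99`, so the wildcard row only takes effect once a domain matching function is registered. In this stand-in, the `role_presenter1` deny row also overrides the `role_superuser1` allow for user 7073 in `tenant/34`, which follows from the model's policy effect.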

@tangyang9464 @closetool @sagilio

casbin-bot, Jun 07 '22 01:06

@numajig has funded $200.00 to this issue.


issuehunt-oss[bot], Jun 07 '22 01:06

@tangyang9464 @imp2002 @seriouszyx @jalinWang

hsluoyz, Jun 07 '22 06:06

@abichinger Is there any way we can improve performance? Does the FastAC solution you mentioned apply?

tangyang9464, Jun 07 '22 06:06

Here is my code for reproduction.

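```go
package main

import (
	"github.com/casbin/casbin/v2"
	"github.com/casbin/casbin/v2/util"
)

func main() {
	// Load the model and policy data from the issue.
	e, err := casbin.NewEnforcer("model.conf", "policies.csv")
	if err != nil {
		println(err.Error())
		return // e is not usable if loading failed
	}

	// Registering the domain matching function is the call that does not return.
	e.AddNamedDomainMatchingFunc("g", "keyMatch4", util.KeyMatch4)

	println("done")
}
```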

JalinWang, Jun 07 '22 09:06

@tangyang9464 Yes, I think this solution should apply.

I'm going to create a PR for this.

abichinger, Jun 07 '22 12:06

[WeOpen Star] I would like to help

FoeverA0, Aug 10 '22 14:08