node-casbin

Multiple policies config?

Open yamilfrich opened this issue 3 years ago • 24 comments

Hi, I'm new with Casbin and I'm trying to configure it with multiple policies like:

  • Feature policy (for each subscription plan, it will contain or not certain features): For example, for the subscription plan "professional" it will have the feature "insights". My policy config for this would probably be just: p = sub, obj

  • Roles policy (basic ACL, like: admin, users, write): My policy config would be: p2 = sub, obj, act

I read on https://casbin.org/docs/en/syntax-for-models#policy-definition that it's actually possible to define multiple policies and you have some examples below, but I can't find the way to make it work on node-casbin.

When adding the policy in the DB (I'm using casbin-sequelize-adapter) it allows you to use "named" policies by using: e.addNamedPolicies.

But when you want to enforce and choose which namedPolicy you want to use, I can't find how to do so.

This is the config I'm trying (I'm repeating all just in case based on the docs):

[request_definition]
r = sub, obj
r2 = sub, obj, act

[policy_definition]
p = sub, act # features
p2 = sub, obj, act # roles

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.sub == p.sub && r.obj == p.obj
m2 = r.sub == p.sub && r.obj == p.obj && r.act == p.act

Hope this is clear, thanks in advance.

yamilfrich avatar Aug 12 '21 13:08 yamilfrich

@Zxilly @Gabriel-403 @closetool @tangyang9464

hsluoyz avatar Aug 12 '21 13:08 hsluoyz

It seems that node-casbin does not support this feature now.

tangyang9464 avatar Aug 12 '21 13:08 tangyang9464

@yamilfrich your m2 has an error.
Should it be r2

tangyang9464 avatar Aug 12 '21 14:08 tangyang9464

It seems that node-casbin does not support this feature now.

I think so, and it seems that I wrote this part

Gabriel-403 avatar Aug 12 '21 14:08 Gabriel-403

@yamilfrich your m2 has an error. Should it be r2

Not sure, I couldn't make it work anyway, so I couldn't validate if I need to reference to r2, p2, etc.

It seems that node-casbin does not support this feature now.

I think so, and it seems that I wrote this part

So, how would you solve this? Different configs + Different Enforcers?

If so, can they still share the same adapter + db_table?

yamilfrich avatar Aug 12 '21 14:08 yamilfrich

@yamilfrich The four types r-p-e-m must be in one-to-one correspondence. In Go-casbin you can pass in an EnforceContext to specify which types you need to use for your request. See Multiple sections type

tangyang9464 avatar Aug 12 '21 14:08 tangyang9464

@yamilfrich The four types r-p-e-m must be in one-to-one correspondence. In Go-casbin you can pass in an EnforceContext to specify which types you need to use for your request. See Multiple sections type

Ok thank you 😄 , but I have node, so I need to find a way to make this work with node. Should it be with multiple configs and multiple enforcers? Can they share the same db_table?

yamilfrich avatar Aug 13 '21 01:08 yamilfrich

@yamilfrich The four types r-p-e-m must be in one-to-one correspondence. In Go-casbin you can pass in an EnforceContext to specify which types you need to use for your request. See Multiple sections type

Ok thank you 😄 , but I have node, so I need to find a way to make this work with node. Should it be with multiple configs and multiple enforcers? Can they share the same db_table?

node-casbin is implementing this feature. It should be consistent with go-casbin

tangyang9464 avatar Aug 13 '21 02:08 tangyang9464

@Zxilly @Gabriel-403 plz implement it

hsluoyz avatar Aug 13 '21 02:08 hsluoyz

@Zxilly @Gabriel-403 plz implement it

ok!

Gabriel-403 avatar Aug 13 '21 02:08 Gabriel-403

@yamilfrich

This function has been added and can be used later

Gabriel-403 avatar Aug 21 '21 13:08 Gabriel-403

Thank you, how can we implement it? Is there any code example? 🙏🏻 I'll look in the changes and the code and see if I can manage my way.

yamilfrich avatar Aug 26 '21 04:08 yamilfrich

@yamilfrich Full discussion can be found at https://github.com/casbin/casbin.js/pull/172 and https://github.com/casbin/casbin.js/pull/176. If that PR got merged, we will apply it to node-casbin immediately.

Zxilly avatar Aug 26 '21 06:08 Zxilly

any ETA on this? We have a need for this soon.

rashid301 avatar Aug 31 '21 04:08 rashid301

@rashid301 An early bird version is available at casbin.js@next, but it has some limitations right now. The migration will take place when it is functionally complete. You can find casbin.js@next at https://github.com/casbin/casbin.js/tree/v1

Zxilly avatar Aug 31 '21 04:08 Zxilly

hey, can I work on this? it is in the docs but not present.

Shivansh-yadav13 avatar Mar 18 '22 09:03 Shivansh-yadav13

how's the progress?

vaseala avatar Jun 25 '22 14:06 vaseala

@Gabriel-403

It seems that node-casbin does not support this feature now.

I think so, and it seems that I wrote this part

https://github.com/Gabriel-403/node-casbin/blob/master/src/coreEnforcer.ts#L378

I found you fixed it, but why not merge it into the master branch?

vaseala avatar Jun 25 '22 14:06 vaseala

Can we merge this code to origin? @Gabriel-403 @Shivansh-yadav13

/cc @nodece @Zxilly

hsluoyz avatar Jun 25 '22 17:06 hsluoyz

I'm not sure if it's working; how is this returning true?

import { newEnforcer, newModel, MemoryAdapter, EnforceContext } from 'casbin';

const ec = new EnforceContext('r2', 'p2', 'e', 'm2');

const model = newModel(`
[request_definition]
r = sub, obj
r2 = sub, obj, act

[policy_definition]
p = sub, obj
p2 = sub, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.sub == p.sub && r.obj == p.obj
m2 = r.sub == p.sub && r.obj == p.obj && r.act == p.act
`);

const adapter = new MemoryAdapter(`
p2, alice, data1, read
p2, bob, data2, write
`);

const enforcer = await newEnforcer(model, adapter);

const res = await enforcer.enforce(ec, 'alice', 'data2', 'read');
console.log(res);

Shivansh-yadav13 avatar Jun 26 '22 01:06 Shivansh-yadav13

@Shivansh-yadav13 Could you cherry-pick the https://github.com/casbin/node-casbin/commit/cc58c57ae4a7c3202c7217497bef8016df93fe26 and https://github.com/casbin/node-casbin/commit/33c784cbdc0d650ba75b8177b69f41dc0ca11fae to your branch, then make a PR?

nodece avatar Jun 26 '22 15:06 nodece

This should return false, could you work on this?

I'm not sure if it's working; how is this returning true?

import { newEnforcer, newModel, MemoryAdapter, EnforceContext } from 'casbin';

const ec = new EnforceContext('r2', 'p2', 'e', 'm2');

const model = newModel(`
[request_definition]
r = sub, obj
r2 = sub, obj, act

[policy_definition]
p = sub, obj
p2 = sub, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.sub == p.sub && r.obj == p.obj
m2 = r.sub == p.sub && r.obj == p.obj && r.act == p.act
`);

const adapter = new MemoryAdapter(`
p2, alice, data1, read
p2, bob, data2, write
`);

const enforcer = await newEnforcer(model, adapter);

const res = await enforcer.enforce(ec, 'alice', 'data2', 'read');
console.log(res);

also I think we should set default values here

https://github.com/casbin/node-casbin/blob/81e3c156ddc1c7291c52c768310c2255c726127d/src/enforceContext.ts#L3

nodece avatar Jun 26 '22 15:06 nodece

This should return false, could you work on this?

@nodece sorry it should be m2 = r2.sub == p2.sub && r2.obj == p2.obj && r2.act == p2.act

Shivansh-yadav13 avatar Jun 28 '22 06:06 Shivansh-yadav13
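
A check for the mismatch discussed in this thread (matcher m2 written against r/p while the EnforceContext selects r2/p2), as an added example that is not part of any comment or of node-casbin: it parses the model text and reports matcher references that do not belong to the selected request and policy types. `parseModel`, `fieldsOf` and `lintContext` are hypothetical helper names, and the sample model is a constructed copy of the one posted above.

```javascript
// Added example (not node-casbin code). Parses model text into { section: { key: value } }.
function parseModel(text) {
  const model = {};
  let section = null;
  for (const raw of text.split('\n')) {
    const line = raw.split('#')[0].trim(); // drop "# ..." comments and blank lines
    if (!line) continue;
    const header = line.match(/^\[(\w+)\]$/);
    if (header) { section = model[header[1]] = {}; continue; }
    const eq = line.indexOf('='); // first '=' separates the key from its value
    if (section && eq > 0) section[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return model;
}

const fieldsOf = (def) => (def || '').split(',').map((f) => f.trim()).filter(Boolean);

// Lists problems with evaluating matcher mType against request type rType and
// policy type pType, i.e. the r/p/m names an EnforceContext would select together.
function lintContext(model, rType, pType, mType) {
  const req = model.request_definition || {};
  const pol = model.policy_definition || {};
  const matcher = (model.matchers || {})[mType];
  const problems = new Set(); // Set: report each mismatch once
  if (!(rType in req)) problems.add(`request type ${rType} is not defined`);
  if (!(pType in pol)) problems.add(`policy type ${pType} is not defined`);
  if (matcher === undefined) return [...problems, `matcher ${mType} is not defined`];
  const bound = { [rType]: fieldsOf(req[rType]), [pType]: fieldsOf(pol[pType]) };
  for (const [, type, field] of matcher.matchAll(/\b([rp]\d*)\.(\w+)/g)) {
    const expected = type[0] === 'r' ? rType : pType;
    if (!(type in bound)) problems.add(`${mType} references ${type}, context binds ${expected}`);
    else if (!bound[type].includes(field)) problems.add(`${type} has no field ${field}`);
  }
  return [...problems];
}

// Constructed sample: the thread's model with m2 as first posted (policy_effect omitted).
const asPosted = parseModel(`
[request_definition]
r = sub, obj
r2 = sub, obj, act
[policy_definition]
p = sub, obj
p2 = sub, obj, act
[matchers]
m = r.sub == p.sub && r.obj == p.obj
m2 = r.sub == p.sub && r.obj == p.obj && r.act == p.act
`);
console.log(lintContext(asPosted, 'r2', 'p2', 'm2'));
```

Running the same check on the model with `m2 = r2.sub == p2.sub && r2.obj == p2.obj && r2.act == p2.act` returns an empty list, so it can gate model changes before they reach an enforcer.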

@yamilfrich

hsluoyz avatar Jun 28 '22 10:06 hsluoyz