Policy Enforce explain not logging for model with RBAC with deny override
aryalrabin opened this issue · comments
Rabin Aryal commented
The model with deny override is not logging the Hit Policy when the request policy is evaluated to true.
2023-03-21 21:33:56 INFO PolicyEngine:33 - Empty Policy added [[alice, data1, read, allow], [bob, data2, write, allow], [data2_admin, data2, read, allow], [data2_admin, data2, write, allow], [alice, data2, write, deny]]
2023-03-21 21:34:58 INFO jcasbin:99 - Request: [alice, data1, read] ---> true
2023-03-21 21:34:58 INFO jcasbin:101 - Hit Policy: []
The model
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act, eft
[role_definition]
g = _, _
[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
The Policy
p, alice, data1, read, allow
p, bob, data2, write, allow
p, data2_admin, data2, read, allow
p, data2_admin, data2, write, allow
p, alice, data2, write, deny
g, alice, data2_admin
casbin-bot commented
Rabin Aryal commented
However, for a model without deny override, the Hit Policy is logged.
2023-03-21 21:41:24 INFO PolicyEngine:33 - Empty Policy added [[alice, data1, read, allow], [bob, data2, write, allow], [data2_admin, data2, read, allow], [data2_admin, data2, write, allow], [alice, data2, write, deny]]
2023-03-21 21:41:30 INFO jcasbin:99 - Request: [alice, data1, read] ---> true
2023-03-21 21:41:30 INFO jcasbin:101 - Hit Policy: [alice, data1, read, allow]
The Model:
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act, eft
[role_definition]
g = _, _
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
github-actions commented
🎉 This issue has been resolved in version 1.32.3 🎉
The release is available on:
- GitHub release
v1.32.3
Your semantic-release bot 📦🚀
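
Added example, not part of the original thread and not jCasbin's code: a minimal Python re-implementation of the two policy effects posted in this issue, evaluated over the posted policy, returning the decision together with the rule an explain log would be expected to name. The function names and the choice to report the first deciding rule are assumptions of this example.

```python
# Constructed re-implementation of the two models in this issue; not jCasbin code.
POLICY = [  # the p rules from the issue
    ("alice", "data1", "read", "allow"),
    ("bob", "data2", "write", "allow"),
    ("data2_admin", "data2", "read", "allow"),
    ("data2_admin", "data2", "write", "allow"),
    ("alice", "data2", "write", "deny"),
]
ROLES = {("alice", "data2_admin")}  # the g rule from the issue


def has_role(sub, role):
    """g(r.sub, p.sub): true for the same name or a role reachable via g links."""
    seen, todo = {sub}, [sub]
    while todo:
        cur = todo.pop()
        if cur == role:
            return True
        for child, parent in ROLES:
            if child == cur and parent not in seen:
                seen.add(parent)
                todo.append(parent)
    return False


def matched(request):
    """Rules for which m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act."""
    sub, obj, act = request
    return [p for p in POLICY if has_role(sub, p[0]) and obj == p[1] and act == p[2]]


def enforce_explain(request, deny_override):
    """Return (decision, hit_rule); hit_rule is None when no rule matched.

    deny_override=True : some(where (p.eft == allow)) && !some(where (p.eft == deny))
    deny_override=False: some(where (p.eft == allow))
    Reporting the first deciding rule is this example's assumption.
    """
    hits = matched(request)
    allows = [p for p in hits if p[3] == "allow"]
    denies = [p for p in hits if p[3] == "deny"]
    if deny_override and denies:
        return False, denies[0]   # a matching deny decides the request
    if allows:
        return True, allows[0]    # the allow rule that granted access
    return False, None
```

For an audit trail, the allowed request from the issue should name the same granting rule under both effects, and a denied request under deny override should name the deny rule that blocked it.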