casbin / jcasbin

An authorization library that supports access control models like ACL, RBAC, ABAC in Java

Home Page: https://casbin.org

Policy Enforce explain not logging for model with RBAC with deny override

aryalrabin opened this issue · comments

The model with deny override is not logging the Hit Policy when the request policy is evaluated to true.

2023-03-21 21:33:56 INFO  PolicyEngine:33 - Empty Policy added [[alice, data1, read, allow], [bob, data2, write, allow], [data2_admin, data2, read, allow], [data2_admin, data2, write, allow], [alice, data2, write, deny]]
2023-03-21 21:34:58 INFO  jcasbin:99 - Request: [alice, data1, read] ---> true
2023-03-21 21:34:58 INFO  jcasbin:101 - Hit Policy: []

The model

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act, eft

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act

The Policy

p, alice, data1, read, allow
p, bob, data2, write, allow
p, data2_admin, data2, read, allow
p, data2_admin, data2, write, allow
p, alice, data2, write, deny

g, alice, data2_admin

However, for a model without override deny, the Hit Policy is logged.

2023-03-21 21:41:24 INFO  PolicyEngine:33 - Empty Policy added [[alice, data1, read, allow], [bob, data2, write, allow], [data2_admin, data2, read, allow], [data2_admin, data2, write, allow], [alice, data2, write, deny]]
2023-03-21 21:41:30 INFO  jcasbin:99 - Request: [alice, data1, read] ---> true
2023-03-21 21:41:30 INFO  jcasbin:101 - Hit Policy: [alice, data1, read, allow]

The Model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act, eft

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
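
An added example, not part of the original issue and not jCasbin's code: a small Python model of the two policy effects above, run over the policy and role link from this issue, that returns each decision together with the rule that produced it so both can be checked in a test. The names `has_role` and `decide` are hypothetical, and the choice of which rule to report (the first matching deny on a denial, otherwise the first matching allow) is an assumption of this sketch.

```python
# Constructed from the policy lines on this page (p = sub, obj, act, eft).
POLICY = [
    ("alice", "data1", "read", "allow"),
    ("bob", "data2", "write", "allow"),
    ("data2_admin", "data2", "read", "allow"),
    ("data2_admin", "data2", "write", "allow"),
    ("alice", "data2", "write", "deny"),
]
ROLES = {"alice": {"data2_admin"}}  # g, alice, data2_admin


def has_role(sub, role, seen=None):
    """g(r.sub, p.sub): true for the subject itself or any inherited role."""
    if sub == role:
        return True
    seen = seen if seen is not None else set()
    seen.add(sub)  # guard against cycles in the role graph
    return any(has_role(r, role, seen)
               for r in ROLES.get(sub, ()) if r not in seen)


def decide(sub, obj, act, deny_override):
    """Return (allowed, hit_rule); hit_rule is [] only when nothing matched."""
    # Matcher: g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
    matched = [p for p in POLICY
               if has_role(sub, p[0]) and obj == p[1] and act == p[2]]
    allows = [p for p in matched if p[3] == "allow"]
    denies = [p for p in matched if p[3] == "deny"]
    if deny_override and denies:
        # some(allow) && !some(deny): any matching deny wins, so report it.
        return False, list(denies[0])
    if allows:
        # An allow decision always carries the rule that granted it.
        return True, list(allows[0])
    return False, []


if __name__ == "__main__":
    requests = [("alice", "data1", "read"), ("alice", "data2", "write"),
                ("alice", "data2", "read"), ("bob", "data1", "read")]
    for req in requests:
        for deny_override in (True, False):
            allowed, hit = decide(*req, deny_override=deny_override)
            print(f"deny_override={deny_override} Request: {list(req)} "
                  f"---> {allowed}, Hit Policy: {hit}")
```

The request `[alice, data2, write]` is the case where the two models disagree: alice's own deny rule and the allow rule inherited from `data2_admin` both match, so the reported rule shows which one decided the outcome.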

🎉 This issue has been resolved in version 1.32.3 🎉

The release is available on:

Your semantic-release bot 📦🚀