casbin / pycasbin

An authorization library that supports access control models like ACL, RBAC, ABAC in Python

Home Page:https://casbin.org

Can we define precedence order in model.conf file and accordingly policies will be returned back to user in get_filtered_policy

ashwani-dumca opened this issue · comments

Hi Team, here is my question. Please check the below editor link for understanding it better.

For Example: https://casbin.org/casbin-editor/#GVULQJXXD

So for the first request: ashwani@company.com, *, *, *, *
Role that will be used: g, ashwani@company.com, admin@company.com

For the 2nd request: ashwani@company.com, nm5, *, *, *
Role that will be used: g, ashwani@company.com, leads@company.com
And the policies that will get used for the above:

p, leads@company.com, region1, *, *, *
p, leads@company.com, region2, *, *, *

But I know ashwani@company.com is part of admin@company.com, which I want to treat as higher precedence compared to leads@company.com and dev@company.com.

Is there any way as of now to define the precedence level in model.conf, so I can get the maximum-precedence policies rather than their subset or lower-precedence policies? For example, model.conf could look something like below:

[request_definition]
r = sub, obj, act, ctx, typ

[policy_definition]
p = sub, obj, act, ctx, typ

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[policy_precedence]
precedence1 = sub > obj > act > ctx > typ ( I want to say the sub value is more precedent than obj, and so on )
precedence2 = * > anything ( * is more precedent than any other value )
precedence3 = sub == admin > leads > dev > tester ( sub with value admin is more precedent than leads, then dev, then tester )

[matchers]
m = g(r.sub, p.sub) && (r.obj == p.obj || p.obj == "") && ( (r.act * 1) <= (p.act * 1) || p.act == "" ) && ( (p.ctx == r.ctx) || p.ctx == "") && (r.typ == p.typ || p.typ == "")

I hope my concern is clear, Please let me know if I need to update anything.

@techoner @Nekotoxin

@ashwani-dumca Hello. What kind of results do you expect?

In casbin, a user can have multiple roles. The enforcer will choose one suitable outcome.

@Nekotoxin thank you for your reply. Say from casbin my question is:

  1. For user ashwani@company.com, give me the highest access he has?
    Procedure 1 might use:
  • Use method get_implicit_roles_for_user, which will give me all the roles (admin, leads, dev)
  • Then get all the policies for admin, leads, dev using get_filtered_policy by passing the above roles one by one.
  • Then use some code to apply the precedence and return it to the caller

Now I know admin has more power than leads which again has more power than dev as per my defined policies.

Ideally I should have some way to define this in my model.conf, so it gives me back something like p, admin@company.com, ,,,.

The second question I have is: say in my case act is relevant to access_type (READ, WRITE, ADMIN). ADMIN has higher precedence than WRITE, which has higher precedence than READ. As of now I have to define 3 policies:

p, user_1, data1, admin
p, user_1, data1, write
p, user_1, data1, read

Ideally, I want to say that someone having admin access on data1 should also have WRITE and READ as part of it. How can I define that precedence or hierarchy? As of now what I can see is https://casbin.org/docs/en/priority-model (which takes sub into account), not the other attributes defined in policy_definition. We should have some mechanism to pass the attributes when we are defining the subjectPriority(Any_attribute).

1. Yes, the enforcer by default gives the highest access he has; it will look up access rights for all roles of this user.
2. For p, user_1, data1, admin, you can use p, user_1, data1, (write | read) to reach the goal because the conf supports regex.

For the 1st point you might be considering that I am giving the request as input:
ashwani@company.com, *, *, *, *

What if I am not giving this as the request? Instead I am just giving ashwani@company.com and want casbin to return me the highest access he has. How will I go about this? And what would be the result casbin should ideally return me?

As I defined, admin@company.com has every access,
leads@company.com has somewhat less access than admin@company.com, and dev@company.com has somewhat less access again.

Ideally it should return me admin@company.com. How can I achieve this with casbin as of now?

You can use role inheritance. As in the example, the admin has the highest access, then you assign admin to a user.

In your case, you can let admin@company.com inherit from dev@company.com and leads@company.com, then add more access to admin and assign the admin role to ashwani@company.com. Having too many identities for one user can lead to performance degradation; role inheritance can reduce this problem.

Using the above approach, if I am doing this:

enforcer = casbin.Enforcer("model.conf", "policy.csv")
model = enforcer.get_model()
result = model.get_filtered_policy("p", "p", 0, "ashwani@company.com")

will result be just [p, admin@company.com, *, *, *, *, allow]? Or will it be [[p, admin@company.com, *, *, *, *, allow], [p, leads@company.com, region1, *, *, *, allow], [p, leads@company.com, region2, *, *, *, allow], [p, dev@company.com, region3, 2, *, *, allow], [p, dev@company.com, region2, 2, *, *, allow], .......]?

1 more example: https://casbin.org/casbin-editor/#F9QGCUT5T

In this case I want to define the precedence for the various attributes I have used in my policy definition. For example:

sub: admin > leads > dev (admin has more power than leads, which has more power than dev)
obj: prod_env > dev_env > test_env (if someone has access to prod_env he will have access to dev_env and test_env)
act: 4 > 2 > 1 (4 is admin privileges for an operation, 2 is write and 1 is read)

Now if the user is just asking me "give me the highest access for ashwani@company.com", the answer is p, admin@company.com, prod_env, 4, *, *, allow, because in terms of the precedence I have defined above this policy contains all the remaining policies. How can I get this result from casbin?

Another question is: can we define the precedence on multiple attributes in casbin, as I suggested in my base question?

The definition of priority is not supported at the moment. You can go to casbin/casbin (pycasbin is synced from casbin) to raise a new feature request if required.
From my point of view, the problem can be solved by inheritance, admin > leads > dev, so that leads inherits from the role dev and admin inherits from leads. The end of the inheritance chain naturally has the highest authority, and you can return this directly.
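The two approaches discussed in this thread, the "Procedure 1" the reporter sketched (collect implicit roles, collect their policies, apply a precedence) and the inheritance chain suggested in the reply above (admin inherits leads, leads inherits dev, return the end of the chain), as an added example. This is not pycasbin code and does not use the casbin API; it re-implements the role closure and policy filtering in plain Python over lines in casbin's policy.csv syntax so it runs stand-alone. The policy lines are constructed for the example, and the sub/obj/act rank tables encode the hypothetical [policy_precedence] orders proposed in the issue, which pycasbin does not support.

```python
"""Added example, not pycasbin's own code: pick a user's highest-precedence policy.

Two strategies from the issue are shown:
  * chain_top(): the role at the end of an inheritance chain (admin > leads > dev)
  * highest_policy(): rank every policy of every implicit role by the proposed
    sub > obj > act precedence and return the maximum
"""
from collections import defaultdict

# Constructed sample in casbin policy.csv syntax, model p = sub, obj, act, ctx, typ.
# The inheritance chain is the one recommended in the thread: admin -> leads -> dev.
POLICY_CSV = """\
p, admin@company.com, prod_env, 4, *, *
p, leads@company.com, dev_env, 2, *, *
p, leads@company.com, test_env, 2, *, *
p, dev@company.com, test_env, 1, *, *
g, ashwani@company.com, admin@company.com
g, admin@company.com, leads@company.com
g, leads@company.com, dev@company.com
"""

# Hypothetical precedence declarations (the [policy_precedence] idea from the issue).
SUB_RANK = {"admin@company.com": 3, "leads@company.com": 2, "dev@company.com": 1}
OBJ_RANK = {"prod_env": 3, "dev_env": 2, "test_env": 1}
# act is numeric in the thread: 4 (admin) > 2 (write) > 1 (read); "*" beats any value.


def parse(csv_text):
    """Split policy.csv text into p rules (list of field lists) and g rules (role -> parents)."""
    policies, roles = [], defaultdict(set)
    for line in csv_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if not fields[0]:
            continue
        if fields[0] == "p":
            policies.append(fields[1:])
        elif fields[0] == "g":
            roles[fields[1]].add(fields[2])
    return policies, roles


def implicit_roles(user, roles):
    """Transitive closure over g rules, the same idea as get_implicit_roles_for_user."""
    seen, stack = [], list(roles.get(user, ()))
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.append(role)
            stack.extend(roles.get(role, ()))
    return seen


def chain_top(user, roles):
    """Roles of the user that no other role of the user inherits from: the end of the
    inheritance chain (one role for a strict chain, several if roles are unrelated)."""
    user_roles = set(implicit_roles(user, roles))
    inherited = set().union(*(roles.get(r, set()) for r in user_roles))
    return sorted(user_roles - inherited)


def filtered_policies(user, policies, roles):
    """What Procedure 1 collects: the p rules of every implicit role of the user."""
    user_roles = set(implicit_roles(user, roles))
    return [p for p in policies if p[0] in user_roles]


def policy_rank(policy):
    """Rank tuple for the proposed sub > obj > act precedence; '*' dominates any value."""
    sub, obj, act = policy[0], policy[1], policy[2]
    wildcard = float("inf")
    return (
        wildcard if sub == "*" else SUB_RANK.get(sub, 0),
        wildcard if obj == "*" else OBJ_RANK.get(obj, 0),
        wildcard if act == "*" else float(act),
    )


def highest_policy(user, policies, roles):
    """Return the single maximum-precedence policy, or None if the user has no access."""
    candidates = filtered_policies(user, policies, roles)
    return max(candidates, key=policy_rank) if candidates else None


if __name__ == "__main__":
    ps, gs = parse(POLICY_CSV)
    print(chain_top("ashwani@company.com", gs))
    print(highest_policy("ashwani@company.com", ps, gs))
```

With a strict chain both strategies agree; the ranking in `highest_policy` only matters when a user holds unrelated roles, which is exactly the case the inheritance approach is meant to avoid.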

Thank you @Nekotoxin , it was very helpful discussion. Will try building up the use case in my project. will get in touch soon on this.