[Question] RBAC with conditions and DynamoDB Adapter #1331

Open
kawtar01 opened this issue Oct 17, 2023 · 1 comment
Comments

@kawtar01

kawtar01 commented Oct 17, 2023

What's your scenario? What do you want to achieve?
Context:

  • Golang implementation for Casbin enforcer that relies on DynamoDB Adapter

  • I'm adding the grouping policies and setting the link function as below:
    _, err := enforcer.AddGroupingPolicy(policy.User, policy.Group, policy.Dom, startTime, endTime)
    if err == nil {
        ok := enforcer.AddNamedDomainLinkConditionFunc(policy.PolicyType, policy.User, policy.Group, policy.Dom, util.TimeMatchFunc)
        if !ok {
            return errors.New("AddNamedDomainLinkConditionFunc:Couldn't apply conditional access")
        }
    }

  • The policies are stored as below in my DynamoDB:

    [Screenshot 2023-10-17 at 17 39 14: DynamoDB table contents, image not reproduced]

Scenario: Given that "some_user@somedomain.com" has a role/group "guests", and that the role/group "guests" has been granted temporary access to some resources in a domain, when "some_user@domain" tries to access these resources and the time does not match the temporary access condition, then the access is denied.

Goal: I'm trying to leverage the concept of RBAC with conditions to set temporary access on some resources to some roles that I have defined within a domain.

Questions:

  • As I'm not able to achieve my goal, I've tried to debug but with no success, as when setting enforcer.EnableLog to true I don't really get the verbosity I was expecting (e.g. what happens when the util.TimeMatchFunc is called? Is it even called?) ==> Is there a way to show more logs?
  • I have also tried to provide my own TimeMatchFunc and added some print commands to it, but I'm also not able to see whether it's being invoked or not.
  • Also, when trying to retrieve the user's implicit roles or permissions, I'm getting the following error (I don't face these issues when I get rid of the (_, _) in the g role definition and go with a simple RBAC with domains implementation):
    2023/10/17 17:43:22 http: panic serving 127.0.0.1:54400: runtime error: invalid memory address or nil pointer dereference
    goroutine 48 [running]:
    net/http.(*conn).serve.func1()
        /opt/homebrew/Cellar/go/1.20.5/libexec/src/net/http/server.go:1854 +0xb0
    panic({0x100a7f360, 0x100f13320})
        /opt/homebrew/Cellar/go/1.20.5/libexec/src/runtime/panic.go:890 +0x258
    github.com/casbin/casbin/v2.(*Enforcer).GetNamedImplicitPermissionsForUser(0x14000192c60, {0x100718a09, 0x1}, {0x14000616214, 0x18}, {0x14000108838, 0x1, 0x140000945b8?})
        /Users/xxx/go/pkg/mod/github.com/casbin/casbin/v2@v2.77.2/rbac_api.go:312 +0x2c0
    github.com/casbin/casbin/v2.(*Enforcer).GetImplicitPermissionsForUser(...)
        /Users/xxx/go/pkg/mod/github.com/casbin/casbin/v2@v2.77.2/rbac_api.go:286
    example.com/casbin-poc/casbin_helper.GetImplicitPermissionsForUserInDomain({0x14000616214?, 0x14000627560?}, {0x1400061622d?, 0x3?})
        /Users/xxx/Documents/xxx/access-controls/rbac-serverless-poc-go/casbin_helper/casbin_helper.go:111 +0x60
    main.ImplicitPermissionsForUserInDomainHandler({0x100b1e220, 0x140001622a0}, 0x1400013c280?)
        /Users/xxx/Documents/xxx/access-controls/rbac-serverless-poc-go/main.go:93 +0x98
    net/http.HandlerFunc.ServeHTTP(0x1400060a600?, {0x100b1e220?, 0x140001622a0?}, 0x0?)
        /opt/homebrew/Cellar/go/1.20.5/libexec/src/net/http/server.go:2122 +0x38
    github.com/gorilla/mux.(*Router).ServeHTTP(0x140001480c0, {0x100b1e220, 0x140001622a0}, 0x1400060a500)
        /Users/xxx/go/pkg/mod/github.com/gorilla/mux@v1.8.0/mux.go:210 +0x19c
    net/http.serverHandler.ServeHTTP({0x14000627470?}, {0x100b1e220, 0x140001622a0}, 0x1400060a500)
        /opt/homebrew/Cellar/go/1.20.5/libexec/src/net/http/server.go:2936 +0x2d8
    net/http.(*conn).serve(0x1400008d950, {0x100b1e568, 0x1400010cbd0})
        /opt/homebrew/Cellar/go/1.20.5/libexec/src/net/http/server.go:1995 +0x560
    created by net/http.(*Server).Serve
        /opt/homebrew/Cellar/go/1.20.5/libexec/src/net/http/server.go:3089 +0x520

Your model:

[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act

[role_definition]
g = _, _, _, (_, _)
g2 = _, _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && g2(r.obj, p.obj, r.dom) && regexMatch(r.act, p.act)

Your policy:

JSON file that I load:
[
    {"policy_type":"p","sub":"admins","dom":"OrgA","obj":"orgA_partitions","act":"read"},
    {"policy_type":"p","sub":"admins","dom":"OrgA","obj":"orgA_partitions","act":"write"},
    {"policy_type":"p","sub":"admins","dom":"OrgA","obj":"orgA_partitions_resources","act":"read"},
    {"policy_type":"p","sub":"admins","dom":"OrgA","obj":"orgA_partitions_resources","act":"write"},
    {"policy_type":"p","sub":"guests","dom":"OrgA","obj":"orgA_partitions","act":"read"},
    {"policy_type":"p","sub":"guests","dom":"OrgA","obj":"orgA_p1_buildings","act":"read"},
    {"policy_type":"p","sub":"guests","dom":"OrgA","obj":"orgA_p1_buildings_b1","act":"read"},
    {"policy_type":"p","sub":"guests","dom":"OrgA","obj":"orgA_p1_buildings_b1","act":"write"},
    {"policy_type":"p","sub":"guests","dom":"OrgA","obj":"orgA_p1_buildings_b2_floors_f1","act":"read"},

    {"policy_type":"g","user":"super_user@somedomain.com","group":"admins", "dom":"OrgA" , "condition":{"start":"0000-01-01 00:00:00","end":"9999-12-30 00:00:00"}},
    {"policy_type":"g","user":"some_user@somedomain.com","group":"guests","dom":"OrgA" , "condition":{"start":"0000-01-01 00:00:00","end":"0000-01-02 00:00:00"}},
    {"policy_type":"g2","obj":"/partitions/:id","objSet":"orgA_partitions", "dom":"OrgA" },
    {"policy_type":"g2","obj":"/partitions/*","objSet":"orgA_partitions_resources", "dom":"OrgA" },
    {"policy_type":"g2","obj":"/partitions/p1/buildings","objSet":"orgA_p1_buildings", "dom":"OrgA"},
    {"policy_type":"g2","obj":"/partitions/p1/buildings/b1","objSet":"orgA_p1_buildings_b1", "dom":"OrgA"},
    {"policy_type":"g2","obj":"/partitions/p1/buildings/b2/floors/f1","objSet":"orgA_p1_buildings_b2_floors_f1", "dom":"OrgA"}
]

Your request(s):

super_user@somedomain, OrgA,  /partitions/*, read ---> false (expected: true)
super_user@somedomain, OrgA,  /partitions/*, write ---> false (expected: true)
some_user@somedomain, OrgA,  /partitions/*, read ---> false (expected: false)
some_user@somedomain, OrgA,  /partitions/*, write ---> false (expected: false)

As I am new to Casbin, I'm not really sure if there is something I'm missing, if this is due to the Adapter, ...

Thanks a lot for your help and guidance :)
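The model and policy from the question, evaluated by a stdlib-only Go reimplementation of its matcher; this is an added example, not the issue author's code and not casbin's. It assumes util.TimeMatchFunc means "the link is live only while start <= now <= end", takes g2 as plain name equality (the model has no keyMatch), uses the subject strings exactly as spelled in the policy file, and embeds only the subset of that file the question's requests touch; pRule/gLink and the timeMatch/enforce names are this example's own. The time is a parameter, so the same request can be checked inside and outside a link's window, which is exactly what the question could not observe from the logs.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Rule shapes mirror the JSON policy file in the question; the data is the subset its requests touch.
type pRule struct{ sub, dom, obj, act string }
type gLink struct{ user, group, dom, start, end string }

var policyP = []pRule{{"admins", "OrgA", "orgA_partitions_resources", "read"},
	{"admins", "OrgA", "orgA_partitions_resources", "write"}, {"guests", "OrgA", "orgA_partitions", "read"}}
var policyG = []gLink{{"super_user@somedomain.com", "admins", "OrgA", "0000-01-01 00:00:00", "9999-12-30 00:00:00"},
	{"some_user@somedomain.com", "guests", "OrgA", "0000-01-01 00:00:00", "0000-01-02 00:00:00"}}
var policyG2 = map[[2]string]string{ // g2 links as (obj, dom) -> objSet; plain name equality, no key matching
	{"/partitions/:id", "OrgA"}: "orgA_partitions", {"/partitions/*", "OrgA"}: "orgA_partitions_resources"}

// timeMatch re-implements util.TimeMatchFunc's semantics (assumed, not casbin's code): live only while start <= now <= end; a bad window is an error.
func timeMatch(now time.Time, start, end string) (bool, error) {
	s, errS := time.Parse("2006-01-02 15:04:05", start)
	e, errE := time.Parse("2006-01-02 15:04:05", end)
	if errS != nil || errE != nil {
		return false, fmt.Errorf("bad time window %q..%q", start, end)
	}
	return !now.Before(s) && !now.After(e), nil
}

// enforce evaluates the question's matcher: g(r.sub, p.sub, r.dom) && r.dom == p.dom && g2(r.obj, p.obj, r.dom)
// && regexMatch(r.act, p.act), where g holds for the role name itself or for a link whose time window contains now.
func enforce(now time.Time, sub, dom, obj, act string) (bool, error) {
	for _, p := range policyP {
		inRole := sub == p.sub
		for _, g := range policyG {
			if g.user != sub || g.group != p.sub || g.dom != dom {
				continue
			}
			ok, err := timeMatch(now, g.start, g.end)
			if err != nil {
				return false, err
			}
			inRole = inRole || ok
		}
		if m, _ := regexp.MatchString(p.act, act); p.dom == dom && inRole && policyG2[[2]string{obj, dom}] == p.obj && m {
			return true, nil
		}
	}
	return false, nil
}
```

With today's clock, super_user gets read and write on /partitions/* through admins, while some_user is denied on /partitions/* because guests has no rule for orgA_partitions_resources and on /partitions/:id because the guests link closed on 0000-01-02; the same /partitions/:id request evaluated with a clock inside that window is allowed.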

@casbin-bot
Member

@tangyang9464 @JalinWang
