My App has about 1 millions policies, 800k P policy and 200K G policy. Whenever I add new P policy and assign it to one role, should I call BuildRoleLinks function?

Usage of the following functions is as follows :

rule1 := []interface{} {"jack", "data4", "read"}
rule2 := []interface{} {"katy", "data4", "write"}
rule3 := []interface{} {"leyo", "data4", "read"}
rule4 := []interface{} {"ham", "data4", "write"}

e.AddPolicies(rule1, rule2, rule3, rule4)

e.RemovePolicies(rule1, rule2, rule3, rule4)

Have also added tests for these functions, all the tests pass. Please let me know if any changes required, this is open to changes if required any.

@techoner, I re-implemented the default role manager as requested https://github.com/casbin/pycasbin/pull/232#issuecomment-995623085

The implementation is almost identical to pycasbin:role_manager.py

Changes:

• split RoleManager into DomainManager and RoleManager
• remove RoleManager.BuildRelationship

Bugfixes:

• avoid mixing RBAC systems in Enforcer.GetImplicitRolesForUser and Enforcer.GetImplicitUsersForRole

This is my first contribution using golang, so please review carefully :)

I'm confused while seeing Lock in every struct with `map. I'm wondering if it's correct and ncessary?

It's not necessary for Enforcer because normal Enforcer is not thread-safe.

For syncedEnforcer we can have multiple goroutines reading/writing, we already have a top-level mutex, why do we still need other mutex/lock?

Any idea?

YAML is a human friendly data serialization standard for all programming languages.

It can help users to write and verify the model .

How to help users to write and verify the model?

We need to write the YAML schema then IDE can provides hints based upon YAML schema provided to helps user write schema efficiently.

Please refer to https://dzone.com/articles/two-ways-configuration-documentation-with-springnb to write YAML schema then publish to https://github.com/SchemaStore/schemastore.

I am looking to support ABAC for a CMS-type system, where there could be thousands to potentially even more ABAC rules. Writing one long matcher isn't feasible in this case, nor is having multiple enforcers. Is there any other workaround this?

An ABAC policy for us is something like If user age is between 24 and 64, then they can "view" some "resource". Any thoughts?

Also, if this isn't supported, yet, what's the roadmap for something like this?

I'm using Casbin library with pg Gorm adapter in one of my services. I wonder how I can keep Casbin enforcers synched if I'm running multiple instances of that services? Since Casbin policies are loaded once at startup and stored in memory, if one of the instances updates policies later, other enforcers wouldn't be notified. I looked at Casbin server but not sure if that would be helpful in this case, if so how I can achieve the synchronization by using Casbin server? or what are the other options?

I managed to create an environment in which the LoadPolicyLine function regularly causes concurrent map writes panics. Added a global sync.Mutex object that is used exclusively within the LoadPolicyLine function. Have not encountered any locks or concurrent map writes since this addition.

fatal error: concurrent map writes

goroutine 2247 [running]:
runtime.throw(0xdd5620, 0x15)
        /usr/local/go/src/runtime/panic.go:1116 +0x72 fp=0xc000175278 sp=0xc000175248 pc=0x43d8d2
runtime.mapassign_faststr(0xcfd340, 0xc0001db200, 0xc0004d7fa0, 0x19, 0xc0002d1818)
        /usr/local/go/src/runtime/map_faststr.go:291 +0x3d8 fp=0xc0001752e0 sp=0xc000175278 pc=0x41be78
github.com/casbin/casbin/v2/persist.LoadPolicyLine(0xc0004d7f20, 0x1e, 0xc0002a9ce0)
        /home/example/go/pkg/mod/github.com/casbin/casbin/[email protected]/persist/adapter.go:43 +0x547 fp=0xc000175470 sp=0xc0001752e0 pc=0x9fbcc7

Hello everyone. I wanna choose casbin for manage authorization. I read a lot of documentation and I have a few questions.

I want to combine RBAC and ABAC. With RBAC I want to control the general access to the API. With ABAC, I want to control access to certain entities (records in database). For example, I have the entity of orders and the entity of the company. Should I create three enforcers? The first one will be with the RBAC model. The second with the ABAC model to control the entity of orders. The third with the ABAC model to control the entity of companies. Right? (each entity has its own set of fields).

The procedure will be as follows (request to API):

Run the RBAC enforcer to determine if the user has access to the entity. Run the ABAC enforcer for a specific entity (orders or companies). In the case of ABAC, should I first select an entity from the database and pass it to the enforcer? What if the user requests a list of orders (pagination = 1000)? How to handle this? For example, I can’t pass 1000 entities to an enforcer (my idea is that there should be a common API point, which, depending on the rule, gives only those records that satisfy the condition of the model matcher)? P.S. Sorry for my english. Thanks.

Hi hsluoyz,

I use casbin gorm_adapter to store policies and roles in database, when I run the program, all policies will be load into memory. But if there are millions policies, I can not do this. How to solve the huge policy data? Can I check only one policy from database?

Cheers Gordon

Want to prioritize this issue? Try:

What's your scenario? What do you want to achieve? Is there a config or a way to use multi-policy like methods?

Your model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act, eft

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = g(r.sub, p.sub) && keyMatch2(r.obj, p.obj) && regexMatch(r.act, p.act)

Your policy:

p, alice1, /alice_data, (GET)|(POST), allow
p, alice2, /alice_data/:id, (GET)|(PUT)|(DELETE), allow
p, bob1, /bob_data, (GET)|(POST), allow
p, bob2, /bob_data/:id, (GET)|(PUT)|(DELETE), allow

g, alice, (alice1)|(alice2)
g, other, bob1

Your request(s):

alice, /alice_data, GET ---> false (expected: true)
other, /bob_data, POST ---> true (ok)

When I configure the following figure in the conf file： Error will be displayed: can not find the assertion at the section m and policy type m. 。 I don't know if. net temporarily doesn't support defining multiple M's in matchers, or if my writing is wrong.

Describe the bug

With the same number of policies, depending of the number of roles the enforce time may be very very long, 6 seconds demoed in example/test below ! This time depends of the role definition/creation position, fast for first defined roles, slow for last defined roles (in example below: 2499).

go test -run ^TestManyRoles$ github.com/casbin/casbin/v2 -v

=== RUN   TestManyRoles
    rbac_api_test.go:598: RESPONSE abu        /projects/1        GET :  true IN: 438.379µs
    rbac_api_test.go:598: RESPONSE abu        /projects/2499     GET :  true IN: 39.005173ms
    rbac_api_test.go:598: RESPONSE jasmine    /projects/1        GET :  true IN: 1.774319ms
    rbac_api_test.go:598: RESPONSE jasmine    /projects/2499     GET :  true IN: 6.164071648s
    rbac_api_test.go:600: More than 100 milliseconds for jasmine /projects/2499 GET : 6.164071648s
    rbac_api_test.go:598: RESPONSE jasmine    /projects/2499     GET :  true IN: 12.164122ms
--- FAIL: TestManyRoles (6.24s)
FAIL
FAIL    github.com/casbin/casbin/v2     6.244s
FAIL

To Reproduce

Here is the code of a test that can be added for example in rbac_api_test.go file to reproduce the problem :

const rbac_models = `
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
`

func TestManyRoles(t *testing.T) {

	m, _ := model.NewModelFromString(rbac_models)
	e, _ := NewEnforcer(m, false)

	roles := []string{"admin", "manager", "developer", "tester"}

	// 2500 projects
	for nbPrj := 1; nbPrj < 2500; nbPrj++ {
		// 4 objects and 1 role per object (so 4 roles)
		for _, role := range roles {
			roleDB := fmt.Sprintf("%s_project:%d", role, nbPrj)
			objectDB := fmt.Sprintf("/projects/%d", nbPrj)
			e.AddPolicy(roleDB, objectDB, "GET")
		}
		jasmineRole := fmt.Sprintf("%s_project:%d", roles[1], nbPrj)
		e.AddGroupingPolicy("jasmine", jasmineRole)
	}

	e.AddGroupingPolicy("abu", "manager_project:1")
	e.AddGroupingPolicy("abu", "manager_project:2499")

	// With same number of policies
	// 	User 'abu' has only two roles
	// 	User 'jasmine' has many roles (1 role per policy, here 2500 roles)

	request := func(subject, object, action string) {
		t0 := time.Now()
		resp, _ := e.Enforce(subject, object, action)
		tElapse := time.Since(t0)
		t.Logf("RESPONSE %-10s %s\t %s : %5v IN: %+v", subject, object, action, resp, tElapse)
		if tElapse > time.Millisecond*100 {
			t.Errorf("More than 100 milliseconds for %s %s %s : %+v", subject, object, action, tElapse)
		}
	}

	request("abu", "/projects/1", "GET")        // really fast because only 2 roles in all policies and at the beginning of the casbin_rule table
	request("abu", "/projects/2499", "GET")     // fast because only 2 roles in all policies
	request("jasmine", "/projects/1", "GET")    // really fast at the beginning of the casbin_rule table

	request("jasmine", "/projects/2499", "GET") // slow and fail the only 1st time   <<<< pb here
	request("jasmine", "/projects/2499", "GET") // fast maybe due to internal cache mechanism
	
        // same issue with non-existing roles
 	// request("jasmine", "/projects/999999", "GET") // slow fail the only 1st time   <<<< pb here
	// request("jasmine", "/projects/999999", "GET") // fast maybe due to internal cache mechanism
}

Expected behavior

Enforce time must be quite constant and independent to the order of role creation even for the 1st enforcement request.

I want to have a RBAC model where there are multiple domains and subdomains. The roles across all domains can be the same with access to the same resources, but they should only be allowed access within a specific subdomain/domain

Your model:

r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act

[role_definition]
g = _, _, _
g2 = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = (g(r.sub, p.sub, r.dom) || g2(r.dom, p.dom)) && \
r.obj == p.obj && \
r.act == p.act

Your policy:

p, user, *, data, read
p, user, *, data, write
p, admin, *, data, read
p, admin, *, data, write

g, alice, user, subdomain1
g, bob, admin, domain1

g2, subdomain1, domain1
g2, subdomain2, domain1

Your request(s):

alice, subdomain1, data, read --> true (expected true)
bob, domain1, data, read --> true (expected true)
bob, subdomain1, data, read --> false( expected true)
bob, subdomain2, data, read --> false (expected true

In this case, bob is an admin of domain1, and subdomain1 and subdomain2 are part of domain1, which he should automatically inherit access to. How can I get the || g2(r.dom, p.dom) part of to use keyMatch. It is changing subdomain1 in the request to domain1, but then matching domain1 and *, which only match through keyMatch

I've been trying to resolve the domain hierarchy and I eventually got stuck on your PR https://github.com/casbin/casbin/pull/1040 on casbin which is still not merged.

On latest casbin changes, some test cases failed. I couldn't solve the issue. If anyone could help me fix the issue.

Here in the tests, first 5 tests are failing in https://gist.github.com/sujit-baniya/95afc4219a7f0d0de0e7781d8f9fce19#file-rbac_domain_test-go

Please suggest any solution.

Want to prioritize this issue? Try:

What's your scenario? What do you want to achieve?

Sometimes when a watcher calls LoadPolicy to synchronize policies, panic occurs:

fatal error: concurrent map iteration and map write goroutine 152 [running]: runtime.throw({0x2557e5c?, 0x3711778?}) /usr/local/Cellar/go/1.18.3/libexec/src/runtime/panic.go:992 +0x71 fp=0xc000c9b818 sp=0xc000c9b7e8 pc=0x103e7d1 runtime.mapiternext(0xc000307dd0?) /usr/local/Cellar/go/1.18.3/libexec/src/runtime/map.go:871 +0x60a fp=0xc000c9b8a8 sp=0xc000c9b818 pc=0x1012eea runtime.mapiterinit(0x234dae0?, 0xc00064d110, 0xc000c9ba78) /usr/local/Cellar/go/1.18.3/libexec/src/runtime/map.go:861 +0x18c fp=0xc000c9b8c8 sp=0xc000c9b8a8 pc=0x101288c github.com/casbin/casbin/v2/model.(*Assertion).copy(0xc0008fe880) /Users/sasakiyori/go/pkg/mod/github.com/casbin/casbin/[email protected]/model/assertion.go:108 +0x2cf fp=0xc000c9bae8 sp=0xc000c9b8c8 pc=0x199c00f github.com/casbin/casbin/v2/model.Model.Copy(0xc0006dd800) /Users/sasakiyori/go/pkg/mod/github.com/casbin/casbin/[email protected]/model/model.go:384 +0x1b0 fp=0xc000c9bc58 sp=0xc000c9bae8 pc=0x19a0cd0 github.com/casbin/casbin/v2.(*Enforcer).LoadPolicy(0xc000684000) /Users/sasakiyori/go/pkg/mod/github.com/casbin/casbin/[email protected]/enforcer.go:291 +0x5a fp=0xc000c9bdc8 sp=0xc000c9bc58 pc=0x19b76ba github.com/casbin/casbin/v2.(*Enforcer).SetWatcher.func1({0x1c29, 0xa}) /Users/sasakiyori/go/pkg/mod/github.com/casbin/casbin/[email protected]/enforcer.go:260 +0x25 fp=0xc000c9bde8 sp=0xc000c9bdc8 pc=0x19b7645 github.com/casbin/etcd-watcher/v2.(*Watcher).startWatch(0xc000349c00) /Users/sasakiyori/go/pkg/mod/github.com/casbin/etcd-watcher/[email protected]/watcher.go:127 +0x268 fp=0xc000c9bfc0 sp=0xc000c9bde8 pc=0x2289c28 github.com/casbin/etcd-watcher/v2.NewWatcher.func1() /Users/sasakiyori/go/pkg/mod/github.com/casbin/etcd-watcher/[email protected]/watcher.go:67 +0x25 fp=0xc000c9bfe0 sp=0xc000c9bfc0 pc=0x22892e5 runtime.goexit() /usr/local/Cellar/go/1.18.3/libexec/src/runtime/asm_amd64.s:1571 +0x1 fp=0xc000c9bfe8 sp=0xc000c9bfe0 pc=0x1072e01 created by github.com/casbin/etcd-watcher/v2.NewWatcher /Users/sasakiyori/go/pkg/mod/github.com/casbin/etcd-watcher/[email protected]/watcher.go:66 +0x2a8

I can't reproduce it every time, but I think the problem may arised here:

As the call chain shown below, when a goroutine do iteration in ast.PolicyMap from ast.copy(), any other goroutines write into this map(such as AddPolicy) may cause panic.

func (e *Enforcer) LoadPolicy() error {
	needToRebuild := false
        // panic occurs
	newModel := e.model.Copy()
	newModel.ClearPolicy()
        // ...
}

func (model Model) Copy() Model {
	newModel := NewModel()

	for sec, m := range model {
		newAstMap := make(AssertionMap)
                 // ast is a pointer of AssertionMap
		for ptype, ast := range m {
			newAstMap[ptype] = ast.copy()
		}
		newModel[sec] = newAstMap
	}

	newModel.SetLogger(model.GetLogger())
	return newModel
}

func (ast *Assertion) copy() *Assertion {
	tokens := append([]string(nil), ast.Tokens...)
	policy := make([][]string, len(ast.Policy))

	for i, p := range ast.Policy {
		policy[i] = append(policy[i], p...)
	}
	policyMap := make(map[string]int)
        // map is unsafe between goroutines
        // when it is iterating, other goroutine's write operation may cause panic
	for k, v := range ast.PolicyMap {
		policyMap[k] = v
	}

	newAst := &Assertion{
		Key:           ast.Key,
		Value:         ast.Value,
		PolicyMap:     policyMap,
		Tokens:        tokens,
		Policy:        policy,
		FieldIndexMap: ast.FieldIndexMap,
	}

	return newAst
}

And What confused me is: After copy a new model, it will clear policy map, so the copy of PolicyMap from ast.copy() is useless. Could you create a new copy function to eliminate these unsafe operations?

func (e *Enforcer) LoadPolicy() error {
	needToRebuild := false
	newModel := e.model.Copy()
	newModel.ClearPolicy()
        // ...
}

func (model Model) ClearPolicy() {
	for _, ast := range model["p"] {
		ast.Policy = nil
		ast.PolicyMap = map[string]int{}
	}

	for _, ast := range model["g"] {
		ast.Policy = nil
		ast.PolicyMap = map[string]int{}
	}
}

Want to prioritize this issue? Try:

Describe the bug As described in #421, we could do the following change to ensure concurrent requests are deal in correct way.

If user set a watcher, when call add/remove policy/policies api, we should only write it back with the persist adapter, and publish a message with the watcher, we should not modify our model in memory. all of the modification of the model in memory should be hold by the watcher.

A watcher should do two things, publish the message, and the other thing is to deal with the messages received in sequence.

But this would bring another question: how can a watcher ensure the messages received are in right sequence. The message published by the watchers may be delayed for the poor connection or something else. I think this is the duty of watcher, it should add timestamps in the message and do the things which sort the messages received by the timestamps or anything else.

So in this way, if a user call add/remove policy api, it only checks whether the requests are persisted by the adapter, if not, the user's request would fail, otherwise, it would succeed.

Any idea about this?