Support wildcards in RBAC plugin casbin rule evaluation #2025
Assignees
Labels
Comments
|
What I am looking here is patterns on the |
Open
|
I took the model and worked with this casbin online editor and used the So given this policy: This requests for the admin user are allowed: This is allowed for guest And this is denied The concern here is how will this play with current policies with the behaviour changed from exact match to regex match. |
rgolangh
added a commit
that referenced
this issue
Sep 13, 2024
Motivation:
There is no way to capture multiple objects in a single policy today and
match against it. The outcome is that policies for basic permission,
where the object are not catalog entities, are not fine grained. Either
you have permission on an action on all the category, or not.
For example the workflows that the orchestrator plugins exposes are not
a catalog entity. They only have a workflow ID the plugins exposes and
there is no way today to deny or allow some of the workflows usage.
It has today this permission:
orchestrator.workflow.read, read, allow
Modification:
The only modification for the rbac plugin is to use a regexp match:
[matchers]
m = g(r.sub, p.sub) && regexMatch(r.obj, p.obj) && r.act == p.act
Result:
With this change we have the permission be matched by a regexp:
orchestrator.workflow , read, allow // catches all workflow
orchestrator.workflow.banned ,read, deny // catches banned workflow
Resolves: #2025
Signed-off-by: Roy Golan <[email protected]>
rgolangh
added a commit
that referenced
this issue
Sep 13, 2024
Motivation:
There is no way to capture multiple objects in a single policy today and
match against it. The outcome is that policies for basic permission,
where the object are not catalog entities, are not fine grained. Either
you have permission on an action on all the category, or not.
For example the workflows that the orchestrator plugins exposes are not
a catalog entity. They only have a workflow ID the plugins exposes and
there is no way today to deny or allow some of the workflows usage.
It has today this permission:
orchestrator.workflow.read, read, allow
Modification:
The only modification for the rbac plugin is to use a regexp match:
[matchers]
m = g(r.sub, p.sub) && regexMatch(r.obj, p.obj) && r.act == p.act
Result:
With this change we have the permission be matched by a regexp:
orchestrator.workflow , read, allow // catches all workflow
orchestrator.workflow.banned ,read, deny // catches banned workflow
Resolves: #2025
Signed-off-by: Roy Golan <[email protected]>
rgolangh
added a commit
that referenced
this issue
Sep 13, 2024
Motivation:
There is no way to capture multiple objects in a single policy today and
match against it. The outcome is that policies for basic permission,
where the objects are not catalog entities, are not fine grained. Either
you have permission on an action on all the category, or not at all.
For example the workflows that the orchestrator plugin exposes are not
a catalog entity. They only have a workflow ID the plugin exposes and
there is no way today to deny or allow some of the workflows usage.
It has today this permission:
orchestrator.workflow.read, read, allow
Modification:
The only modification for the rbac plugin is to use a regexp match:
[matchers]
m = g(r.sub, p.sub) && regexMatch(r.obj, p.obj) && r.act == p.act
Result:
With this change we have the permission be matched by a regexp:
orchestrator.workflow , read, allow // catches all workflow
orchestrator.workflow.banned ,read, deny // catches banned workflow
Resolves: #2025
Signed-off-by: Roy Golan <[email protected]>
rgolangh
added a commit
that referenced
this issue
Sep 13, 2024
Motivation:
There is no way to capture multiple objects in a single policy today and
match against it. The outcome is that policies for basic permission,
where the objects are not catalog entities, are not fine grained. Either
you have permission on an action on all the category, or not at all.
For example the workflows that the orchestrator plugin exposes are not
a catalog entity. They only have a workflow ID the plugin exposes and
there is no way today to deny or allow some of the workflows usage.
I.e, this is the permission a workflow have for read:
orchestrator.workflow.read, read, allow
Modification:
The only modification for the rbac plugin is to use a regexp match:
[matchers]
m = g(r.sub, p.sub) && regexMatch(r.obj, p.obj) && r.act == p.act
Result:
With this change we have the permission be matched by a regexp:
orchestrator.workflow , read, allow // catches all workflow
orchestrator.workflow.banned ,read, deny // catches 'banned' workflow id
Resolves: #2025
Signed-off-by: Roy Golan <[email protected]>
|
@rgolangh can you explain why the guest user is allowed to read the Shouldn't |
that is a typo and should be 'allow' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What do you want to improve?
The definition and evaluation of RBAC rules
What is the current behavior?
Currently there is no way for plugins to create a rule that can automatically address objects by wildcars.
The orchestrator plugin is using this role definition and it allow or deny a specific action for all the workflows object:
What will the new behavior be?
We would like to change the rule to deny a specific workflow ID but allowing all (or vice-versa)
Here is how we can workaround that today:
And for that to work we need to implement the wildcard behaviour in our plugin because those are 2 different objects, while with wildcards it can be:
and the permission check is with a single object
orchestrator.workflow.XYZ(XYZ is a different workflow ID for that matter and should result an allow)There is another scenario where the wildcards can be added to the
subjectsection and with that capturea role in a way which is not only by using groups, but this is not my main interest, but was posted on #1994
I think this is doable with casbin https://casbin.org/docs/rbac-with-pattern#use-pattern-matching-in-rbac
The text was updated successfully, but these errors were encountered: