[Question] Prioritizing based on role and user hierarchy level #831

Closed
merajsahebdar opened this issue Jul 3, 2021 · 12 comments · Fixed by #833

@merajsahebdar

What's your scenario? What do you want to achieve?
As I read in the documents, by default Casbin is designed to prioritize rules by the given definition order (1), and there is also a way to add priority in rule definitions (2). But what I need in my app is to be able to prioritize by role/user levels, and as levels could be infinite, I can't use approach (2), because on every change I would need to change all priority levels.
Is there a way to prioritize based on hierarchy level currently? If not, is it possible to implement a feature for this?

Your model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act, eft

[role_definition]
g = _, _

[policy_effect]
e = priority(p.eft) || deny

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act

Your policy:

p, admin, posts, create, allow
p, admin, posts, remove, allow

p, editor, posts, create, allow
p, editor, posts, remove, deny

p, subscriber, posts, create, deny
p, subscriber, posts, remove, deny

p, jane, posts, remove, allow

g, jane, editor
g, john, subscriber

Your request(s):

jane, posts, create ---> true
jane, posts, remove ---> false (expected: true)

john, posts, create ---> false
john, posts, remove ---> false
@hsluoyz
Member

hsluoyz commented Jul 4, 2021

@merajsahebdar can you give a concrete example for this?

But what I need in my app is to be able to prioritize by roles/users levels

@hsluoyz
Member

hsluoyz commented Jul 4, 2021

@closetool @tangyang9464

@tangyang9464
Member

@merajsahebdar In your example, just changing the priority can solve it. Do you have any other specific examples?

@kilosonc
Contributor

kilosonc commented Jul 4, 2021

@merajsahebdar
p, editor, posts, remove, deny and g, jane, editor denied your request jane, posts, remove

@merajsahebdar
Author

@hsluoyz @tangyang9464 @closetool

As I've described in my question, this is the structure we have:

├─ role: editor
│  ├─ user: ...
│  ├─ user: ...
│  └─ user: jane
│
└─ role: subscriber
   ├─ user: ...
   ├─ user: ...
   └─ user: john

However, I know we can easily pass the priority in policy definitions like this:

p, 20, editor, posts, remove, deny
p, 10, jane, posts, remove, allow

But in cases that we have more than one level like this:

role: root
 └─ role: admin
    ├─ role: editor
    │  ├─ user: ...
    │  ├─ user: ...
    │  └─ user: jane
    │
    └─ role: subscriber
       ├─ user: ...
       ├─ user: ...
       └─ user: john

It could be hard to manage those priority numbers, because in some cases we don't know how many levels we have, and by editing and changing role levels we could face problems and need to change all definitions.

What I'm looking for is a way to prioritize policy definitions automatically by their levels in their tree; so in my last example, policies that belong to user: jane have higher priority than policies that belong to role: editor, and policies that belong to role: editor have higher priority than policies that belong to role: admin.

p, editor, posts, remove, deny # lower priority
p, jane, posts, remove, allow # higher priority, it's a child of a role; as an exception, we want to allow jane to have more permissions than normal users (like sam, alice) in this role, but still, keep him as an editor.
g, jane, editor
g, sam, editor
g, alice, editor

@tangyang9464
Member

@hsluoyz @closetool Can we use g, jane, editor g, john, subscriber to determine the priority of the user or role, which means to develop a new method like SortPoliciesByPriority?

@kilosonc
Contributor

kilosonc commented Jul 5, 2021

@merajsahebdar I didn't get it. Could you demonstrate it with a well-designed example instead of words?

@merajsahebdar
Author

@closetool Ok.

1. p, editor, posts, remove, deny
2. p, jane, posts, remove, allow
3. g, jane, editor
└─ role: editor
   └─ user: jane

I expect line: 2, rewrites line: 1 automatically.


role: root                 # auto priority: 30
 └─ role: admin            # auto priority: 20
     ├─ role: editor       # auto priority: 10
     └─ role: subscriber   # auto priority: 10

@tangyang9464 or maybe a method like: SortPoliciesBySubjectHierarchy?!!
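
The behaviour requested above, as an added example that is not part of the thread and is not Casbin's implementation: rules are sorted so that the subject deepest in the `g` tree comes first, and the first matching rule decides. The names `roles`, `rules`, `chain` and `Enforce` are hypothetical, the `g` edges between roles are constructed from the tree diagram in the comment, and each subject is assumed to have at most one parent.

```go
package main

import (
	"fmt"
	"sort"
)

// Policy is one "p, sub, obj, act, eft" line from the issue.
type Policy struct{ Sub, Obj, Act, Eft string }
// Constructed sample: the issue's tree as "g, child, parent" edges (one parent each).
var roles = map[string]string{"admin": "root", "editor": "admin",
	"subscriber": "admin", "jane": "editor", "john": "subscriber"}

// The issue's policy, in its original definition order.
var rules = []Policy{
	{"admin", "posts", "create", "allow"}, {"admin", "posts", "remove", "allow"},
	{"editor", "posts", "create", "allow"}, {"editor", "posts", "remove", "deny"},
	{"subscriber", "posts", "create", "deny"}, {"subscriber", "posts", "remove", "deny"},
	{"jane", "posts", "remove", "allow"},
}

// chain returns sub followed by its ancestors; the length bound stops on a cycle.
func chain(sub string) []string {
	out := []string{sub}
	for p, ok := roles[sub]; ok && len(out) <= len(roles); p, ok = roles[p] {
		out = append(out, p)
	}
	return out
}

// Enforce sorts rules deepest subject first (jane before editor before admin),
// then lets the first matching rule decide; no match means deny.
func Enforce(sub, obj, act string) bool {
	sorted := append([]Policy(nil), rules...)
	sort.SliceStable(sorted, func(i, j int) bool {
		return len(chain(sorted[i].Sub)) > len(chain(sorted[j].Sub))
	})
	for _, p := range sorted {
		for _, s := range chain(sub) { // plays the role of g(r.sub, p.sub)
			if s == p.Sub && p.Obj == obj && p.Act == act {
				return p.Eft == "allow"
			}
		}
	}
	return false
}

func main() {
	fmt.Println(Enforce("jane", "posts", "remove"), Enforce("john", "posts", "remove"))
}
```

The deny on subscriber still wins for john even though he inherits the allow on admin, because subscriber sits deeper in the tree than admin.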

@tangyang9464
Member

@merajsahebdar OK, I will try to make a PR

@merajsahebdar
Author

@tangyang9464 Thanks, then let me know for any help! 🙏🏻

@github-actions

🎉 This issue has been resolved in version 2.33.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@tangyang9464
Member

@merajsahebdar The part of our docs about this feature refers to your statement. Let you know. See #254
