Support different request type in one ABAC model
Hi All, I am using the below ABAC config and I have defined the below two rules in the database:

```ini
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub_rule, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = eval(p.sub_rule) && r.obj == p.obj && r.act == p.act
```
Rules in database:

| Id | PType | V0 | V1 | V2 | V3 | V4 | V5 |
|---|---|---|---|---|---|---|---|
| 2070 | p | r.sub.Age >=18 && r.sub.Age <=60 | data1 | read | NULL | NULL | NULL |
| 2071 | p | r.sub.prodid==2018 && r.sub.version==58 | data1 | read | NULL | NULL | NULL |
```csharp
var efCoreAdapter = new CasbinDbAdapter<int>(context);
var enforcer = new Enforcer("examples/abac_model.conf", efCoreAdapter);
enforcer.LoadPolicy();

Person p1 = new Person { Age = 19 };
enforcer.Enforce(p1, "data1", "read"); // This returns true as it matches policy id 2070

// Similarly I defined another rule 2071 with attributes prodid and version
productdetails pdetails = new productdetails { prodid = 2018, version = 58 };
enforcer.Enforce(pdetails, "data1", "read"); // This throws the exception below
```

```
System.ArgumentException: 'Object of type 'productdetails' cannot be converted to type 'Person'.'
```
Why is it taking Person as the default sub attribute and not taking the rule that is mentioned for productdetails? How to switch of casbin matches the subrule based on the roles policies defined in the table?
Issue Analytics
- State:
- Created 3 years ago
- Comments:5 (5 by maintainers)
Top GitHub Comments
Because the same lambda will be cached for each different expression and the request type will be set depending on the first policy. In fact, Enforce will match the policies in order. Therefore, even without caching, a similar exception will be thrown for different request types.
You can write two model and policy files for Person and ProductDetails types to solve this question temporarily and we will try to provide a better API design on PR #94 to resolve this issue.
Closed by #230; now we will use a different cache when the request type is different.
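
The caching behaviour described in the comments above, as an added sketch that is not part of the original issue and is not Casbin.NET's own code. `RuleCacheDemo`, the rule keys `"age"` and `"prod"`, and the choice to treat a rule that cannot bind to the subject type as a non-match (deny) are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq.Expressions;

public class Person { public int Age { get; set; } }
public class ProductDetails { public int ProdId { get; set; } public int Version { get; set; } }

public static class RuleCacheDemo
{
    // Constructed stand-in for compiling a policy's sub_rule: the lambda
    // parameter is bound to the runtime type of the subject passed in.
    static Delegate Compile(string rule, Type subjectType)
    {
        var sub = Expression.Parameter(subjectType, "sub");
        Expression body = rule == "age"
            ? Expression.GreaterThanOrEqual(Expression.Property(sub, "Age"), Expression.Constant(18))
            : Expression.Equal(Expression.Property(sub, "ProdId"), Expression.Constant(2018));
        return Expression.Lambda(body, sub).Compile();
    }

    static readonly Dictionary<string, Delegate> ByRule = new();
    static readonly Dictionary<(string, Type), Delegate> ByRuleAndType = new();

    // Cache keyed by rule text only: the first subject type seen wins.
    public static bool EvalSharedCache(string rule, object subject)
    {
        if (!ByRule.TryGetValue(rule, out var fn))
            ByRule[rule] = fn = Compile(rule, subject.GetType());
        return (bool)fn.DynamicInvoke(subject); // ArgumentException on a type mismatch
    }

    // Cache keyed by (rule, subject type). A rule that cannot bind to this
    // subject type is treated as "no match" (deny) instead of throwing.
    public static bool EvalPerTypeCache(string rule, object subject)
    {
        var key = (rule, subject.GetType());
        if (!ByRuleAndType.TryGetValue(key, out var fn))
        {
            try { fn = Compile(rule, subject.GetType()); } catch (ArgumentException) { fn = null; }
            ByRuleAndType[key] = fn; // null marks "rule does not apply to this type"
        }
        return fn != null && (bool)fn.DynamicInvoke(subject);
    }

    public static void Main()
    {
        var pd = new ProductDetails { ProdId = 2018, Version = 58 };
        Console.WriteLine(EvalSharedCache("age", new Person { Age = 19 }));
        try { EvalSharedCache("age", pd); } catch (ArgumentException e) { Console.WriteLine(e.Message); }
        Console.WriteLine(EvalPerTypeCache("age", pd) || EvalPerTypeCache("prod", pd));
    }
}
```

With the shared cache, the second call reuses the delegate compiled for `Person` and fails in the same way as the exception quoted in the issue. Without the `try`/`catch`, the per-type cache would still throw when the `"age"` rule is compiled against `ProductDetails`, which is the "even without caching" case the maintainer mentions.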