Retrieve all objects for subject with particular action


I am checking the Java API and I do not seem to find a way to fetch all objects of a particular type that a user has access to.

Say, I am implementing an API (not necessarily a REST-based one) that is supposed to return a list of all entities the user has read access to.

What jcasbin API call would that be?

I am looking into the Enforcer interface and it seems to check whether a user (subject) can do a particular action on the given object.

How do I list all the objects for a user with the given action?

I think RBAC with resource roles is what I want, my model.conf:

    [request_definition]
    r = sub, obj, act

    [policy_definition]
    p = sub, obj, act

    [role_definition]
    g = _, _
    g2 = _, _

    [policy_effect]
    e = some(where (p.eft == allow))

    [matchers]
    m = g(r.sub, p.sub) && g2(r.obj, p.obj) && r.act == p.act

    p, role:viewer, context, read
    g, alice, role:viewer
    g2, c1, context
    g2, c2, context

Here, the viewer role grants read permission to the entity type context. alice is assigned the viewer role. The c1 and c2 objects are of type context. Now, I want to read all contexts for the user alice. How do I do that?

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 10 (5 by maintainers)

Top GitHub Comments

1 reaction
imochurad commented, May 4, 2021

Ok, I am using rbac_with_resource_roles_model.conf for model file and rbac_with_resource_roles_policy.csv as policy file.

    [request_definition]
    r = sub, obj, act

    [policy_definition]
    p = sub, obj, act

    [role_definition]
    g = _, _
    g2 = _, _

    [policy_effect]
    e = some(where (p.eft == allow))

    [matchers]
    m = g(r.sub, p.sub) && g2(r.obj, p.obj) && r.act == p.act

    p, alice, data1, read
    p, bob, data2, write
    p, data_group_admin, data_group, write

    g, alice, data_group_admin
    g2, data1, data_group
    g2, data2, data_group

Here is my test:

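    import java.nio.file.Path;
    import org.casbin.jcasbin.main.Enforcer;

    public class PermissionsTest { // wrapper class name added so the snippet compiles
        public static void main(String[] args) {
            Enforcer e = new Enforcer(Path.of("src/main/resources/rbac_with_resource_roles_model.conf").toUri().getPath(),
                    Path.of("src/main/resources/rbac_with_resource_roles_policy.csv").toUri().getPath());
            System.out.println(e.getImplicitPermissionsForUser("alice"));
        }
    }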

The output:

[[alice, data1, read], [data_group_admin, data_group, write]]

  1. How do I retrieve all objects that the user has access to with write permission? The API above doesn’t allow me to do it, it returns all permissions for some reason. I need to loop through the list and then filter it out myself, why not have an API: getObjectsForUserWithPermittedAction("alice", "write"); ?

  2. Also, why are data1 and data2 not shown in the response? Clearly, Alice has been given access to those resources transitively through role data_group_admin, of which she is a member. And, through the “resource group” data_group?

0 reactions
Mahoney commented, Jul 27, 2022

Perhaps I misunderstand, but given, say, 1,000,000 articles to which Alice has permission to read 100, to find out which those 100 are, would I need to pass all 1,000,000 article ids to batchEnforce?

Edit - never mind, looks like getImplicitPermissionsForUser will do what I want.
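
Added example (not part of the GitHub thread and not jCasbin's own code): one way to list the objects a user may act on, using the model and policy from the comment above. It filters getImplicitPermissionsForUser by action, expands each granted object through the g2 rules, and confirms every candidate with enforce(). The class name and the objectsFor helper are hypothetical; jCasbin on the classpath and Java 11+ are assumed.

```java
import org.casbin.jcasbin.main.Enforcer;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.*;

public class ObjectsForUser {
    // Model and policy copied from the comment above (rbac_with_resource_roles_*).
    static final String MODEL = String.join("\n",
        "[request_definition]", "r = sub, obj, act",
        "[policy_definition]", "p = sub, obj, act",
        "[role_definition]", "g = _, _", "g2 = _, _",
        "[policy_effect]", "e = some(where (p.eft == allow))",
        "[matchers]", "m = g(r.sub, p.sub) && g2(r.obj, p.obj) && r.act == p.act");
    static final String POLICY = String.join("\n",
        "p, alice, data1, read", "p, bob, data2, write",
        "p, data_group_admin, data_group, write",
        "g, alice, data_group_admin",
        "g2, data1, data_group", "g2, data2, data_group");

    // Hypothetical helper, not a jCasbin API.
    static Set<String> objectsFor(Enforcer e, String user, String act) {
        Deque<String> todo = new ArrayDeque<>();
        for (List<String> p : e.getImplicitPermissionsForUser(user)) {
            if (p.get(2).equals(act)) todo.add(p.get(1)); // rule layout: sub, obj, act
        }
        Set<String> seen = new TreeSet<>();
        while (!todo.isEmpty()) {
            String obj = todo.poll();
            if (!seen.add(obj)) continue; // already expanded (also guards against cycles)
            // g2 rules are "member, group": look up the members of obj (field index 1).
            for (List<String> g2 : e.getFilteredNamedGroupingPolicy("g2", 1, obj)) {
                todo.add(g2.get(0));
            }
        }
        // The enforcer stays the authority: drop anything the matcher would not allow.
        seen.removeIf(obj -> !e.enforce(user, obj, act));
        return seen;
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("casbin");
        Path model = Files.writeString(dir.resolve("model.conf"), MODEL);
        Path policy = Files.writeString(dir.resolve("policy.csv"), POLICY);
        Enforcer e = new Enforcer(model.toString(), policy.toString());
        System.out.println(objectsFor(e, "alice", "write"));
        System.out.println(objectsFor(e, "alice", "read"));
    }
}
```

The candidate set grows with the number of granted rules and group members rather than with the total number of objects, so the final enforce() pass stays small even when the object space is large.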
