TencentBlueKing / bk-iam-saas

BK-IAM is a centralized permission management service provided by The Tencent BlueKing; based on ABAC

[Discussion] RBAC support #671

Closed wklken closed 2 years ago

wklken commented 2 years ago

We need to evaluate RBAC integration from both a product perspective and a technical perspective.

Build it on top of the existing ABAC implementation, or implement a separate bypass path in parallel?

wklken commented 2 years ago
  1. Should it be implemented using ABAC?
  2. The core of RBAC is role-permission management; the problem is role explosion. How should roles be stored and managed?
  3. Should role inheritance, mutual exclusion, etc. be supported?

Refer to Casbin's implementation.
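As an added illustration of the two RBAC questions raised above (role inheritance and mutually exclusive roles), here is a small Python model that is not part of BK-IAM or Casbin; the role names, permissions and subjects are constructed for the example. It resolves a subject's effective roles through the inheritance graph and rejects an assignment that would put two mutually exclusive roles on the same subject:

```python
from collections import deque


class RoleStore:
    def __init__(self):
        self.parents = {}       # role -> roles it inherits from
        self.perms = {}         # role -> set of (action, resource_type)
        self.exclusive = set()  # frozenset({a, b}) pairs that must never be co-assigned
        self.assigned = {}      # subject -> directly assigned roles

    def add_role(self, role, perms=(), inherits=()):
        self.parents[role] = set(inherits)
        self.perms[role] = set(perms)

    def add_exclusion(self, a, b):
        self.exclusive.add(frozenset({a, b}))

    def effective_roles(self, roles):
        # Breadth-first walk of the inheritance graph; 'seen' also guards against cycles.
        seen, queue = set(), deque(roles)
        while queue:
            r = queue.popleft()
            if r not in seen:
                seen.add(r)
                queue.extend(self.parents.get(r, ()))
        return seen

    def assign(self, subject, role):
        # Static separation of duty: check the conflict on the *effective* role set,
        # so an exclusion is also enforced when the conflicting role is inherited.
        current = self.assigned.setdefault(subject, set())
        after = self.effective_roles(current | {role})
        for pair in self.exclusive:
            if pair <= after:
                raise ValueError(f"{subject}: roles {sorted(pair)} are mutually exclusive")
        current.add(role)

    def allowed(self, subject, action, resource_type):
        return any((action, resource_type) in self.perms.get(r, ())
                   for r in self.effective_roles(self.assigned.get(subject, set())))


def build_demo():
    # Constructed hierarchy: admin -> operator -> viewer; auditor is exclusive with admin.
    s = RoleStore()
    s.add_role("viewer", perms=[("view", "host")])
    s.add_role("operator", perms=[("restart", "host")], inherits=["viewer"])
    s.add_role("admin", perms=[("delete", "host")], inherits=["operator"])
    s.add_role("auditor", perms=[("view", "audit_log")])
    s.add_exclusion("admin", "auditor")
    s.assign("alice", "admin")
    s.assign("bob", "auditor")
    return s
```

Assigning "auditor" to alice afterwards raises ValueError, while alice's "view" permission on hosts comes from "viewer" two levels up the hierarchy.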

hsluoyz commented 2 years ago

Hi @wklken , I am from the Casbin team. We are glad to see BK has any possibility of adopting Casbin as its RBAC engine. Previously, we had good cooperation with Tencent projects like TKEStack: https://github.com/tkestack/tke/search?q=casbin . Casbin has good support for role hierarchy. I hope Casbin can also be a great help for the BlueKing case. If you are interested, can you join my WeChat: MTU4MTA1NDI2Mzc= (base64) to have further discussion?

wklken commented 2 years ago

> Hi @wklken , I am from the Casbin team. We are glad to see BK has any possibility of adopting Casbin as its RBAC engine. Previously, we had good cooperation with Tencent projects like TKEStack: https://github.com/tkestack/tke/search?q=casbin . Casbin has good support for role hierarchy. I hope Casbin can also be a great help for the BlueKing case. If you are interested, can you join my WeChat: MTU4MTA1NDI2Mzc= (base64) to have further discussion?

Hi @hsluoyz

Casbin is a great authorization library. The previous BK-IAM version was built on Casbin with the SQL adapter but encountered some problems (product/performance), so we have a current version based on ABAC, but it's not so easy to integrate with BK-IAM (the concepts of ABAC, the expression), so we want to support RBAC.

The difference is, BK-IAM is a centralized service, and it supports hundreds of systems integrating with it, and each system may have 1 million policies.

Thanks for your advice. We will do some research on RBAC and Casbin, and will contact you later for some help when we have a proposal.

wklken commented 2 years ago

CLOSE

We will adapt the existing ABAC model to implement RBAC. On top of the current attribute-based authorization and small-scale instance authorization, it will support integrating million-scale resource instances via RBAC, and provide the related interfaces to lower the overall integration cost.