apache / incubator-teaclave

Apache Teaclave (incubating) is an open source universal secure computing platform, making computation on privacy-sensitive data safe and simple.
https://teaclave.apache.org
Apache License 2.0
757 stars, 159 forks

Enabling access control service #700

Closed henrysun007 closed 1 year ago

henrysun007 commented 1 year ago

Motivation & problem statement

The access service is not used by any other services. The Python engine (MesaPy) it uses is not maintained any more. Teaclave is moving towards Confidential VM and the ported services should be determined.

Proposed solution

I reviewed all the access control code in the management and frontend services and found that most of the access control patterns are attribute-based, like checking the user ID against the owner ID of the object, e.g., task, file and function. Three years ago, someone suggested using casbin-rs as the engine in #265. Casbin is powerful and supports ABAC. We can use it to do most of the access control. For more complicated access control, we can keep the enforcer hard-coded as it is now.

Please feel free to comment, thanks.

@mssun @uraj
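The split proposed in the comment above (an attribute rule comparing user ID with owner ID, plus a hard-coded enforcer for the remaining cases) can be sketched as follows. This is an added example, not code from Teaclave or casbin-rs: the evaluator is hand-written rather than Casbin, and every type, field and function name, including the `public` attribute and the rule that uses it, is a hypothetical assumption.

```rust
// Added illustration: a hand-written stand-in, not Teaclave or casbin-rs code.
// All type, field and function names here are hypothetical.
#[derive(Clone, Copy, PartialEq, Debug)]
enum Kind { Task, File, Function }

struct Object<'a> { kind: Kind, owner: &'a str, public: bool }

#[derive(Clone, Copy, PartialEq, Debug)]
enum Decision { Allow, Deny }

// Attribute rule: the requesting user ID must equal the object's owner ID.
// Comparable to a Casbin ABAC matcher such as `r.sub == r.obj.Owner`.
// An empty user ID never matches, so an object with no owner set is not
// reachable by an unauthenticated (empty) subject.
fn owner_rule(user: &str, obj: &Object) -> bool {
    !user.is_empty() && user == obj.owner
}

// Hard-coded enforcer for a case the owner comparison cannot express.
// Hypothetical rule: any authenticated user may read a public function.
fn hard_coded_rule(user: &str, obj: &Object, action: &str) -> bool {
    !user.is_empty() && obj.kind == Kind::Function && obj.public && action == "read"
}

// Default deny: access is granted only when one of the rules matches.
fn enforce(user: &str, obj: &Object, action: &str) -> Decision {
    if owner_rule(user, obj) || hard_coded_rule(user, obj, action) {
        Decision::Allow
    } else {
        Decision::Deny
    }
}

fn main() {
    // Constructed sample objects and requests.
    let task = Object { kind: Kind::Task, owner: "alice", public: false };
    let file = Object { kind: Kind::File, owner: "alice", public: false };
    let func = Object { kind: Kind::Function, owner: "alice", public: true };
    let requests = [("alice", &task, "update"), ("bob", &file, "read"), ("bob", &func, "read")];
    for (user, obj, action) in requests {
        println!("{} {} {:?} -> {:?}", user, action, obj.kind, enforce(user, obj, action));
    }
}
```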

hsluoyz commented 1 year ago

Hi @henrysun007, I am from the Casbin team. We are happy to see this and it's really a good move to migrate to Casbin considering that https://github.com/casbin/casbin-rs is already feature-matured for years and suitable for production use now. What are the next steps then? We can also provide help in this process if needed.

henrysun007 commented 1 year ago

@hsluoyz I made some modifications to the crate so that it runs inside an SGX enclave. The code is at https://github.com/mesatee/casbin-rs/tree/teaclave-sgx. Feel free to comment. Thanks.