search

casbin / jcasbin

An authorization library that supports access control models like ACL, RBAC, ABAC in Java
https://casbin.org
Apache License 2.0
2.4k stars 464 forks source link

tenant feature is not working using transitivity #18

Closed zamrokk closed 5 years ago

zamrokk commented 5 years ago

Giving this model (user groups, resource groups and tenants enabled), and this policies :

Model:
2019-04-02 09:52:12.053  INFO 28508 --- [           main] org.casbin.jcasbin                       : p.p: sub, obj, act, dom
2019-04-02 09:52:12.053  INFO 28508 --- [           main] org.casbin.jcasbin                       : r.r: sub, obj, act, dom
2019-04-02 09:52:12.053  INFO 28508 --- [           main] org.casbin.jcasbin                       : e.e: some(where (p_eft == allow))
2019-04-02 09:52:12.053  INFO 28508 --- [           main] org.casbin.jcasbin                       : g.g: _, _, _
2019-04-02 09:52:12.053  INFO 28508 --- [           main] org.casbin.jcasbin                       : g.g2: _, _, _
2019-04-02 09:52:12.053  INFO 28508 --- [           main] org.casbin.jcasbin                       : m.m: g(r_sub, p_sub) && r_dom == p_dom && g2(r_obj, p_obj) && r_act == p_act
2019-04-02 09:52:12.062  INFO 28508 --- [           main] org.casbin.jcasbin                       : Policy:
2019-04-02 09:52:12.063  INFO 28508 --- [           main] org.casbin.jcasbin                       : p: sub, obj, act, dom: [[alice, data1, read, domain1], [bob, data2, write, domain1], [data2_admin, data2, read, domain1], [data2_admin, data2, write, domain1], [data2_admin, datagroup, read, domain1]]
2019-04-02 09:52:12.063  INFO 28508 --- [           main] org.casbin.jcasbin                       : g: _, _, _: [[alice, data2_admin, domain1]]
2019-04-02 09:52:12.063  INFO 28508 --- [           main] org.casbin.jcasbin                       : g2: _, _, _: [[data3, datagroup, domain1]]
2019-04-02 09:52:12.063  INFO 28508 --- [           main] org.casbin.jcasbin                       : Role links for: g
2019-04-02 09:52:12.063  INFO 28508 --- [           main] org.casbin.jcasbin                       : domain1::data2_admin < 
2019-04-02 09:52:12.063  INFO 28508 --- [           main] org.casbin.jcasbin                       : domain1::alice < domain1::data2_admin
2019-04-02 09:52:12.063  INFO 28508 --- [           main] org.casbin.jcasbin                       : Role links for: g2
2019-04-02 09:52:12.063  INFO 28508 --- [           main] org.casbin.jcasbin                       : domain1::data2_admin < 
2019-04-02 09:52:12.064  INFO 28508 --- [           main] org.casbin.jcasbin                       : domain1::data3 < domain1::datagroup
2019-04-02 09:52:12.064  INFO 28508 --- [           main] org.casbin.jcasbin                       : domain1::alice < domain1::data2_admin
2019-04-02 09:52:12.064  INFO 28508 --- [           main] org.casbin.jcasbin                       : domain1::datagroup <

when asking if alice can read data3 on domain 1, it says no. alice belongs to group data2_admin and data3 belongs to datagroup. a policy says that data2_admin can read on datagroup on domain 1 ... so ? why it does not work ?

2019-04-02 09:56:03.406  INFO 28508 --- [nio-8080-exec-6] org.casbin.jcasbin                       : Request: alice, data3, read, domain1 ---> false

ps : this example was working when not using tenant feature pps : btw, I don not understand why logs are showing users and user groups on g2 group here Role links for: g2 ... that should concern only resources and group resources pps : these are parameters coming from debug : {r_sub=alice, p_act=read, p_dom=domain1, r_act=read, r_dom=domain1, p_sub=data2_admin, r_obj=data3, p_obj=datagroup} where result from expression gives false

r: alice, data3, read, domain1
p: data2_admin, datagroup, read, domain1
hsluoyz commented 5 years ago

Hi @zamrokk , can you paste your model and policy in raw text? Like how we did in other issues. The logs are actually not very easy to read.

zamrokk commented 5 years ago 
[request_definition]
r = sub, obj, act, dom

[policy_definition]
p = sub, obj, act, dom

[role_definition]
g = _, _, _
g2 = _, _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && r.dom == p.dom && g2(r.obj, p.obj) && r.act == p.act
p, alice, data1,   read, domain1
--
p, bob, data2, write, domain1
p, data2_admin, data2, read, domain1
p, data2_admin, data2, write, domain1
g, alice, data2_admin, domain1
g2, data3, datagroup, domain1
p, data2_admin, datagroup, read, domain1

I set the domain as the last index

hsluoyz commented 5 years ago

Hi @zamrokk , your matcher's g and g2 function should have domain as the 3rd argument, as you define them as _, _, _

[matchers]
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && g2(r.obj, p.obj, r.dom) && r.act == p.act