Closed imochurad closed 3 years ago
@imochurad see: https://casbin.org/docs/en/data-permissions
I am sorry, I have been to the link above, but the APIs that you have mentioned do help much.
For this command:
System.out.println(e.getImplicitPermissionsForUser("alice"));
the output is:
[[role:viewer, context, read]]
There is no mention of c1 and c2.
@hsluoyz see above ^
What do you expect for output?
Ok, I am using rbac_with_resource_roles_model.conf for the model file and rbac_with_resource_roles_policy.csv as the policy file.
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[role_definition]
g = _, _
g2 = _, _
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = g(r.sub, p.sub) && g2(r.obj, p.obj) && r.act == p.act

p, alice, data1, read
p, bob, data2, write
p, data_group_admin, data_group, write
g, alice, data_group_admin
g2, data1, data_group
g2, data2, data_group
Here is my test:
import java.nio.file.Path;
import org.casbin.jcasbin.main.Enforcer;
public class Test { // class name is a placeholder; the post shows only main()
    public static void main(String[] args) {
        Enforcer e = new Enforcer(Path.of("src/main/resources/rbac_with_resource_roles_model.conf").toUri().getPath(),
                Path.of("src/main/resources/rbac_with_resource_roles_policy.csv").toUri().getPath());
        System.out.println(e.getImplicitPermissionsForUser("alice"));
    }
}
The output:
[[alice, data1, read], [data_group_admin, data_group, write]]
How do I retrieve all objects that the user has access to with write permission? The API above doesn't allow me to do it; it returns all permissions for some reason. I need to loop through the list and then filter it out myself. Why not have an API: getObjectsForUserWithPermittedAction("alice", "write");?
Also, why are data1 and data2 not shown in the response? Clearly, Alice has been given access to those resources transitively through the role data_group_admin, of which she is a member. And, through the "resource group" data_group?
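An added example, not part of the thread and not jcasbin's own code: with the model and policy posted above, getImplicitPermissionsForUser follows only the subject roles (g), so the caller has to expand the g2 resource groups. The helper name objectsForUserWithAction and the class name are hypothetical; the sketch assumes an allow-only policy effect like the one above and re-checks every candidate with enforce().

```java
import java.util.*;
import org.casbin.jcasbin.main.Enforcer;
import org.casbin.jcasbin.model.Model;
public class ObjectsForUser {
    // Hypothetical helper (not a jcasbin API): objects `user` may perform `action` on.
    static Set<String> objectsForUserWithAction(Enforcer e, String user, String action) {
        // g2 rows are [object, group]; index them as group -> members.
        Map<String, Set<String>> members = new HashMap<>();
        for (List<String> rule : e.getNamedGroupingPolicy("g2")) {
            members.computeIfAbsent(rule.get(1), k -> new HashSet<>()).add(rule.get(0));
        }
        Set<String> seen = new HashSet<>();
        Deque<String> todo = new ArrayDeque<>();
        // Permissions reached through subject roles (g); rows are [sub, obj, act].
        for (List<String> perm : e.getImplicitPermissionsForUser(user)) {
            if (action.equals(perm.get(2))) todo.push(perm.get(1));
        }
        // Walk resource groups transitively down to their members.
        while (!todo.isEmpty()) {
            String obj = todo.pop();
            if (seen.add(obj)) todo.addAll(members.getOrDefault(obj, Set.of()));
        }
        // Keep only what the enforcer itself grants, so the list never over-reports.
        Set<String> granted = new TreeSet<>();
        for (String obj : seen) {
            if (e.enforce(user, obj, action)) granted.add(obj);
        }
        return granted;
    }
    // Constructed sample: the model and policy posted in the thread, loaded in memory.
    public static void main(String[] args) {
        Model m = new Model();
        m.loadModelFromText(String.join("\n",
            "[request_definition]", "r = sub, obj, act",
            "[policy_definition]", "p = sub, obj, act",
            "[role_definition]", "g = _, _", "g2 = _, _",
            "[policy_effect]", "e = some(where (p.eft == allow))",
            "[matchers]", "m = g(r.sub, p.sub) && g2(r.obj, p.obj) && r.act == p.act"));
        Enforcer e = new Enforcer(m);
        e.addPolicy("alice", "data1", "read");
        e.addPolicy("bob", "data2", "write");
        e.addPolicy("data_group_admin", "data_group", "write");
        e.addGroupingPolicy("alice", "data_group_admin");
        e.addNamedGroupingPolicy("g2", "data1", "data_group");
        e.addNamedGroupingPolicy("g2", "data2", "data_group");
        System.out.println(objectsForUserWithAction(e, "alice", "write"));
        System.out.println(objectsForUserWithAction(e, "alice", "read"));
    }
}
```

The final enforce() pass matters when the model carries deny rules or extra matcher conditions: the expansion only proposes candidates, and the enforcer remains the authority on what is returned.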
@imochurad use batchEnforce: https://casbin.org/docs/en/management-api#batchenforce
@hsluoyz could you please point me to the Java API? And, possibly, an example of how it is being used? I would really appreciate it. I am really trying to adopt it, but documentation is lacking details.
@imochurad batchEnforce() is still not implemented in Java, we will do it soon. See: https://github.com/casbin/jcasbin/issues/187
Conversation moved to: https://github.com/casbin/jcasbin/issues/187
Perhaps I misunderstand, but given, say, 1,000,000 articles to which Alice has permission to read 100, to find out which those 100 are, would I need to pass all 1,000,000 article ids to batchEnforce?
Edit - never mind, looks like getImplicitPermissionsForUser will do what I want.
I am checking the Java API and I do not seem to find a way to fetch all objects of a particular type that a user has access to.
Say, I am implementing an API (not necessarily a REST-based one) that is supposed to return a list of all entities the user has read access to.
What jcasbin API call would that be?
I am looking into Enforcer interface and it seems to check whether a user (subject) can do a particular action on the given object.
How do I list all the objects for a user with the given action?
I think RBAC with resource roles is what I want, my model.conf:
Here, viewer role grants read permission to the entity type context. alice is assigned viewer role. c1 and c2 objects are of type context. Now, I want to read all contexts for the user alice. How do I do that?