casbin / jcasbin

An authorization library that supports access control models like ACL, RBAC, ABAC in Java
https://casbin.org
Apache License 2.0

Retrieve all objects for subject with particular action #185

Closed imochurad closed 3 years ago

imochurad commented 3 years ago

I am checking the Java API and I do not seem to find a way to fetch all objects of a particular type that a user has access to.

Say, I am implementing an API (not necessarily a REST-based) that is supposed to return a list of all entities the user has read access to.

What jcasbin API call would that be?

I am looking into the Enforcer interface and it seems to check whether a user (subject) can do a particular action on the given object.

How do I list all the objects for a user with the given action?

I think RBAC with resource roles is what I want, my model.conf:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _
g2 = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && g2(r.obj, p.obj) && r.act == p.act

p, role:viewer, context, read
g, alice, role:viewer
g2, c1, context
g2, c2, context

Here, the viewer role grants read permission to the entity type context. alice is assigned the viewer role. c1 and c2 objects are of type context. Now, I want to read all contexts for the user alice. How do I do that?

hsluoyz commented 3 years ago

@imochurad see: https://casbin.org/docs/en/data-permissions

imochurad commented 3 years ago

I am sorry, I have been to the link above, but the APIs that you have mentioned do not help much.

For this command:

 System.out.println(e.getImplicitPermissionsForUser("alice"));

the output is:

[[role:viewer, context, read]]

There is no mention of c1 and c2.

imochurad commented 3 years ago

@hsluoyz see above ^

hsluoyz commented 3 years ago

What do you expect for output?

imochurad commented 3 years ago

Ok, I am using rbac_with_resource_roles_model.conf as the model file and rbac_with_resource_roles_policy.csv as the policy file.

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _
g2 = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && g2(r.obj, p.obj) && r.act == p.act

p, alice, data1, read
p, bob, data2, write
p, data_group_admin, data_group, write

g, alice, data_group_admin
g2, data1, data_group
g2, data2, data_group

Here is my test:

    import java.nio.file.Path;
    import org.casbin.jcasbin.main.Enforcer;

    public class Main {
        public static void main(String[] args) {
            Enforcer e = new Enforcer(Path.of("src/main/resources/rbac_with_resource_roles_model.conf").toUri().getPath(),
                    Path.of("src/main/resources/rbac_with_resource_roles_policy.csv").toUri().getPath());
            System.out.println(e.getImplicitPermissionsForUser("alice"));
        }
    }

The output:

[[alice, data1, read], [data_group_admin, data_group, write]]

  1. How do I retrieve all objects that the user has access to with write permission? The API above doesn't allow me to do it; it returns all permissions for some reason. I need to loop through the list and then filter it myself. Why not have an API: getObjectsForUserWithPermittedAction("alice", "write"); ?

  2. Also, why are data1 and data2 not shown in the response? Clearly, Alice has been given access to those resources transitively through the role data_group_admin, of which she is a member, and through the "resource group" data_group.

hsluoyz commented 3 years ago

@imochurad use batchEnforce: https://casbin.org/docs/en/management-api#batchenforce

imochurad commented 3 years ago

@hsluoyz could you please point me to the Java API? And, possibly, an example of how it is being used? I would really appreciate it. I am really trying to adopt it, but documentation is lacking details.

hsluoyz commented 3 years ago

@imochurad batchEnforce() is still not implemented in Java, we will do it soon. See: https://github.com/casbin/jcasbin/issues/187

hsluoyz commented 3 years ago

Conversation moved to: https://github.com/casbin/jcasbin/issues/187

Mahoney commented 2 years ago

Perhaps I misunderstand, but given, say, 1,000,000 articles to which Alice has permission to read 100, to find out which those 100 are, would I need to pass all 1,000,000 article ids to batchEnforce?

Edit - never mind, looks like getImplicitPermissionsForUser will do what I want.
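The helper below is an added example, not jcasbin's own API or code from anyone in this thread. It answers the question asked above (all objects alice may write, with data_group expanded to data1 and data2) and Mahoney's concern about passing every article id to batchEnforce: it enumerates candidates from the policy graph, which is bounded by the number of policy and grouping rules rather than by the size of the data set, and then confirms each candidate with enforce(). The class name ObjectsForUser and the method names are mine; it assumes a jcasbin release that provides Enforcer.getImplicitPermissionsForUser(String, String...) and getFilteredNamedGroupingPolicy(String, int, String...), and it assumes the two files quoted in the thread sit under src/main/resources.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import org.casbin.jcasbin.main.Enforcer;

/**
 * Added example (not part of jcasbin): enumerates the concrete objects a
 * subject may perform one action on under the rbac_with_resource_roles model,
 * by walking the policy graph instead of enforcing against every object in
 * the application database.
 *
 *   1. getImplicitPermissionsForUser resolves the subject's g chain
 *      (alice -> data_group_admin) and yields [sub, obj, act] rows.
 *   2. For rows whose act matches, p.obj is either a concrete object or a
 *      resource role; the g2 rows "g2, member, group" are walked downwards
 *      until only leaf objects (names with no g2 members) remain.
 *   3. Every candidate is confirmed with enforce(), so the matcher, not this
 *      helper, stays the authority on what is allowed.
 */
public class ObjectsForUser {

    private final Enforcer e;

    public ObjectsForUser(Enforcer e) {
        this.e = e;
    }

    /** Leaf objects reachable from objOrGroup through g2, or objOrGroup itself if it is a leaf. */
    private Set<String> leafObjectsOf(String objOrGroup) {
        Set<String> leaves = new LinkedHashSet<>();
        Set<String> visited = new LinkedHashSet<>();
        Deque<String> work = new ArrayDeque<>();
        work.add(objOrGroup);
        while (!work.isEmpty()) {
            String cur = work.poll();
            if (!visited.add(cur)) {
                continue; // already expanded; also terminates on a cyclic g2 definition
            }
            // g2 rows whose second field (the group) is cur, i.e. [member, cur]
            List<List<String>> members = e.getFilteredNamedGroupingPolicy("g2", 1, cur);
            if (members.isEmpty()) {
                leaves.add(cur); // no members: a concrete object
            } else {
                for (List<String> row : members) {
                    work.add(row.get(0));
                }
            }
        }
        return leaves;
    }

    /** All leaf objects on which user may perform action. */
    public List<String> objectsForUserWithAction(String user, String action) {
        Set<String> candidates = new LinkedHashSet<>();
        for (List<String> perm : e.getImplicitPermissionsForUser(user)) {
            // perm follows policy_definition: [sub, obj, act]
            if (action.equals(perm.get(2))) {
                candidates.addAll(leafObjectsOf(perm.get(1)));
            }
        }
        List<String> allowed = new ArrayList<>();
        for (String obj : candidates) {
            // Re-check through the matcher; the graph walk only narrows the candidate set.
            if (e.enforce(user, obj, action)) {
                allowed.add(obj);
            }
        }
        return allowed;
    }

    public static void main(String[] args) {
        // Paths assumed from the thread; adjust to where the model and policy files live.
        Enforcer e = new Enforcer("src/main/resources/rbac_with_resource_roles_model.conf",
                "src/main/resources/rbac_with_resource_roles_policy.csv");
        ObjectsForUser q = new ObjectsForUser(e);
        System.out.println(q.objectsForUserWithAction("alice", "write"));
        System.out.println(q.objectsForUserWithAction("alice", "read"));
    }
}
```

With the policy quoted above, the write query yields data1 and data2 and the read query yields data1; the same code run against the first model in the thread (viewer granted read on context) yields c1 and c2. data_group itself is dropped because it has g2 members, even though enforce("alice", "data_group", "write") would also return true, since a role always links to itself in the role manager. Two caveats: the walk only works when p.obj values are literal names, so if the matcher uses keyMatch, regexMatch or an ABAC condition, the policy cannot be enumerated and you are back to enforcing over a candidate list fetched from your own store (the batchEnforce approach pointed to above, ideally pre-filtered by whatever the policy does constrain); and the final enforce() loop is deliberate, because a later deny rule or matcher change would otherwise silently be bypassed by the shortcut.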