casbin / jcasbin

An authorization library that supports access control models like ACL, RBAC, ABAC in Java
https://casbin.org
Apache License 2.0

Fatal error when using group with domain model #251

Closed doctormacky closed 2 years ago

doctormacky commented 2 years ago

Issue description:

casbin will return a `g2 xxxxx` group policy after we add a new policy and then try to load all g2 policies again.

It returns the following policies when calling getNamedGroupingPolicy("g2") for the first time.

Steps to reproduce

  1. model
    
    [request_definition]
    r = sub, dom, obj, act

    [policy_definition]
    p = sub, dom, obj, act

    [role_definition]
    g = _, _
    g2 = _, _, _

    [policy_effect]
    e = some(where (p.eft == allow))

    [matchers]
    m = (g(r.sub, p.sub) || g2(r.sub, p.sub, r.dom)) && regexMatch(r.obj, p.obj) && regexMatch(r.act, p.act)

2. store type: db2

3. initial g2 policies

[[super_inventory_admin, inventory_admin, SOS], [super_compliance_admin, compliance_admin, SOS], [super_inventory_admin, inventory_admin, ARMADA:ace], [super_compliance_admin, compliance_admin, ARMADA:ace], [macky, inventory_admin, SOS]]


4. after adding a new g policy `g   macky  super_compliance_admin`

5. query the g2 policy again; the result is

[[super_inventory_admin, inventory_admin, SOS], [super_compliance_admin, compliance_admin, SOS], [super_inventory_admin, inventory_admin, ARMADA:ace], [super_compliance_admin, compliance_admin, ARMADA:ace], [g2, macky, inventory_admin, SOS]]

You can see that the last policy is not shown as expected. We should remove g2 from the last policy.

casbin-bot commented 2 years ago

@tangyang9464 @seriouszyx @elfisworking @fangzhengjin

doctormacky commented 2 years ago

Can anyone here help? This really impacts our project.

seriouszyx commented 2 years ago

I wrote a unit test as below and encountered no problems. Is there any inconsistency between this test and your situation?

Model:

[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act

[role_definition]
g = _,_
g2 = _, _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = (g(r.sub, p.sub) || g2(r.sub, p.sub, r.dom)) && regexMatch(r.obj, p.obj) && regexMatch(r.act, p.act)

Policy:

g2, super_inventory_admin, inventory_admin, SOS
g2, super_compliance_admin, compliance_admin, SOS
g2, super_inventory_admin, inventory_admin, ARMADA:ace
g2, super_compliance_admin, compliance_admin, ARMADA:ace
g2, macky, inventory_admin, SOS

Test:

import org.casbin.jcasbin.main.Enforcer;
import org.junit.Test;

public class IssueTest {
    @Test
    public void testIssue251() {
        // Load the model and policy files shown above
        Enforcer e = new Enforcer("examples/issue251.conf", "examples/issue251.csv");
        // g2 rules as loaded from the CSV; the g section is still empty
        System.out.println(e.getNamedGroupingPolicy("g2"));
        System.out.println(e.getGroupingPolicy());
        // Add the g rule from the report, then read both sections again
        e.addGroupingPolicy("macky", "super_compliance_admin");
        System.out.println(e.getNamedGroupingPolicy("g2"));
        System.out.println(e.getGroupingPolicy());
    }
}

output:

[[super_inventory_admin, inventory_admin, SOS], [super_compliance_admin, compliance_admin, SOS], [super_inventory_admin, inventory_admin, ARMADA:ace], [super_compliance_admin, compliance_admin, ARMADA:ace], [macky, inventory_admin, SOS]]
[]
[[super_inventory_admin, inventory_admin, SOS], [super_compliance_admin, compliance_admin, SOS], [super_inventory_admin, inventory_admin, ARMADA:ace], [super_compliance_admin, compliance_admin, ARMADA:ace], [macky, inventory_admin, SOS]]
[[macky, super_compliance_admin]]

doctormacky commented 2 years ago

Thanks for your quick response. Yes, there are some differences.

  1. As you mentioned before, the group with domain model cannot work with the default group manager; we need to use GroupRoleManager as you mentioned here.
  2. The second is that we are using a database instead of the file adapter, but maybe we can test with the file adapter first?

doctormacky commented 2 years ago

Another interesting case is that some newly added g2 policies will show as g2 xxxxx when I try to print the policy with engine.getModel().printPolicy();

Like the following:

2021-12-22 20:20:15.898  INFO 8666 --- [TaskScheduler-1] org.casbin.jcasbin                       : g2: _, _, _: [[super_inventory_admin, inventory_admin, SOS], [super_compliance_admin, compliance_admin, SOS], [super_inventory_admin, inventory_admin, ARMADA:ace], [super_compliance_admin, compliance_admin, ARMADA:ace], [g2, macky, inventory_admin, bluemix], [g2, macky, compliance_admin, ARMADA:ace], [g2, macky, compliance_admin, SOS], [macky, inventory_admin, ARMADA:ace], [macky, inventory_admin, SOS]]

Could you help to investigate it? Thanks.

seriouszyx commented 2 years ago

Sorry, I can not reproduce these bugs. Could you please extract a unit test so that we can position it? For example, use file storage first to determine whether the bug was caused by jCasbin or by adapter.

doctormacky commented 2 years ago

> Sorry, I can not reproduce these bugs. Could you please extract a unit test so that we can position it? For example, use file storage first to determine whether the bug was caused by jCasbin or by adapter.

Thanks, I think the FileAdapter cannot reproduce it due to some unimplemented functions in this adapter.
I believe that this issue is caused by some error logic when adding a new g2 group policy in the group role manager.

By the way, those g2 group policies in the database are showing as expected. Could you please let me know the mechanism of adding a new g2 group policy (what happens in casbin, including the group role manager, the model, and also the database)?

doctormacky commented 2 years ago

Can anyone help? I am 100 percent sure that this is a fatal error when using group role with domain model.
When we try to add some new g2 policies, those newly added policies in the model will show like g2 xxxxxx; we should hide g2. I would suggest you guys drop this model before fixing it, as it's a fatal error.

doctormacky commented 2 years ago

@sagilio

doctormacky commented 2 years ago

I would like to close this issue since it was caused by a shadow copy of the policy. Sorry for the disturbance.
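As an added example (not code from this thread or from jCasbin's own test suite), the check below loads the thread's model with the `role_definition` underscores restored, writes rules only through the Enforcer API, and then scans the g2 section for rows whose first token is the ptype itself, which is the shape of the malformed rows reported above. It assumes jCasbin's `Enforcer(Model)` constructor and `Model.loadModelFromText`; the `Issue251Check` class, the `malformedRows` helper and the sample rules are constructed for this example.

```java
import java.util.ArrayList;
import java.util.List;
import org.casbin.jcasbin.main.Enforcer;
import org.casbin.jcasbin.model.Model;

public class Issue251Check {
    // Model from the thread (role_definition underscores restored).
    static final String MODEL_TEXT = String.join("\n",
        "[request_definition]",
        "r = sub, dom, obj, act",
        "[policy_definition]",
        "p = sub, dom, obj, act",
        "[role_definition]",
        "g = _, _",
        "g2 = _, _, _",
        "[policy_effect]",
        "e = some(where (p.eft == allow))",
        "[matchers]",
        "m = (g(r.sub, p.sub) || g2(r.sub, p.sub, r.dom))"
            + " && regexMatch(r.obj, p.obj) && regexMatch(r.act, p.act)");

    // Rows of a grouping section whose first token is the ptype, e.g.
    // [g2, macky, inventory_admin, SOS]: a sign that a raw storage line (ptype
    // included) was pushed into the model's list instead of the rule fields alone.
    static List<List<String>> malformedRows(Enforcer e, String ptype) {
        List<List<String>> bad = new ArrayList<>();
        for (List<String> row : e.getNamedGroupingPolicy(ptype)) {
            if (!row.isEmpty() && ptype.equals(row.get(0))) {
                bad.add(new ArrayList<>(row)); // copy: never hand out model state
            }
        }
        return bad;
    }

    public static void main(String[] args) {
        Model m = new Model();
        m.loadModelFromText(MODEL_TEXT);
        Enforcer e = new Enforcer(m); // in-memory policy, no adapter involved

        // Constructed sample rules written through the API: the ptype is an
        // argument, not a field, so the model stores [macky, inventory_admin, SOS].
        e.addNamedGroupingPolicy("g2", "super_inventory_admin", "inventory_admin", "SOS");
        e.addNamedGroupingPolicy("g2", "macky", "inventory_admin", "SOS");
        e.addGroupingPolicy("macky", "super_compliance_admin");

        List<List<String>> bad = malformedRows(e, "g2");
        if (!bad.isEmpty()) {
            throw new IllegalStateException("ptype token leaked into rows: " + bad);
        }
        System.out.println("g2 rules: " + e.getNamedGroupingPolicy("g2"));
    }
}
```

Run the same check after every policy reload from the database adapter; a non-empty result points at code that mutates a list obtained from the model rather than at the enforcer itself.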