hexya-erp / hexya

Hexya business application development framework
http://hexya.io
Apache License 2.0

Support Casbin as the authorization backend #1

Closed hsluoyz closed 6 years ago

hsluoyz commented 7 years ago

Hi, Casbin is an authorization library that supports models like ACL, RBAC, ABAC.

Related to RBAC, Casbin has several advantages:

  1. roles can be cascaded, aka roles can have roles.
  2. support resource roles, so users have their roles and resources have their roles too. role = group here.
  3. the permission assignments (or policy in Casbin's language) can be persisted in files or database (MySQL and Cassandra).

And you can even customize your own access control model, for example, mix RBAC and ABAC together by using roles and attributes at the same time. It's very flexible.

Casbin can provide more flexibility and security than the current ACL. I can make a PR if needed. Let me know if there are any questions :) Thanks.

npiganeau commented 7 years ago

Hi, thanks for your interest in Hexya. I had a look at Casbin and it seems like a pretty good lib.

However, I'm not sure that this is really needed for Hexya. Hexya is a framework for writing business applications with a focus on quick development. It is largely inspired by Odoo. Unlike frameworks like ruby-on-rails or buffalo, we impose many things in the framework on the business developers who will use it, from the way to define and override models to the way objects are rendered client side.

The same applies to security, where the concept is imposed to keep the resulting application consistent (we aim at building complex ERPs with this framework). This security concept is centered around the models (because that's where the sensitive data of a business lives), with method execution and field access limited to defined group lists, and the ability to define rules to filter allowed data from within the same model.

So I'm not sure how a library like Casbin would fit into this concept, since we do not intend to give more options to our developers than what is described above (and in the doc/security.adoc file).

Nevertheless, if you think the contrary, do not hesitate to make a PR with a proposal.

hsluoyz commented 7 years ago

Hi @npiganeau ,

I have seen https://github.com/hexya-erp/hexya/blob/master/doc/security.adoc and found that there are lots of things overlapping with what Casbin can do. For example:

> Permissions are granted or denied to groups

Besides allow and deny, Casbin also supports allow-override and deny-override.

> security.AdminGroup are allowed to execute a method.

Casbin supports root role and root user too.

> All = Read | Write | Unlink

Permissions like read, write, unlink, all. In Casbin, you can define * as all, and (read)|(write) for read and write. It supports regex.

> Groups can inherit from other groups and get access to these groups permissions.

Casbin supports nested roles without level limitation too.

> security.GroupEveryone

Casbin can use * to represent everyone.

> Global rules and group rules (rules restricted to specific groups versus groups applying to all users) are used quite differently:

Casbin supports allow-override, deny-override, at-least-one-allow-and-no-deny, first-rule-apply. It covers the current subtractive and additive integration modes.

So I think the code in models/security can be mostly refactored into a Casbin model and rules, so it can be easily changed later. Since Hexya may not update the security model in the short term nor provide it to users, I think it can be regarded as code refactoring work, and Hexya developers are freed from the authorization-related coding and maintenance work so they can focus on the main objective of ERP modeling :)
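As an added illustration of the semantics compared in the thread (this is neither Hexya's nor Casbin's code), here is a stand-alone Go evaluator using the doc's Read/Write/Unlink bits with All as their union, cascaded group inheritance, an "everyone" group that always applies, and Casbin-style deny-override combination. The group names, the Partner model and the rules are constructed sample data.

```go
package main
import "fmt"

// Permission bits as in Hexya's security doc: All = Read | Write | Unlink.
type Perm uint8
const (
	Read Perm = 1 << iota
	Write
	Unlink
	All = Read | Write | Unlink
)
// Rule grants (Deny=false) or withdraws (Deny=true) Perms for Group on Model;
// Groups maps a group to its parent groups, and nesting is unlimited.
type Rule struct{ Group, Model string; Perms Perm; Deny bool }
type Groups map[string][]string

// closure marks g and every group it transitively inherits from in seen.
func (gs Groups) closure(g string, seen map[string]bool) map[string]bool {
	if !seen[g] {
		seen[g] = true
		for _, parent := range gs[g] {
			gs.closure(parent, seen)
		}
	}
	return seen
}

// Effective applies deny-override over the rules matching group, any of its
// ancestors or "everyone": union of allowed bits minus every denied bit.
func Effective(gs Groups, rules []Rule, group, model string) Perm {
	roles := gs.closure(group, map[string]bool{"everyone": true})
	var allow, deny Perm
	for _, r := range rules {
		if r.Model != model || !roles[r.Group] {
			continue
		}
		if r.Deny {
			deny |= r.Perms
		} else {
			allow |= r.Perms
		}
	}
	return allow &^ deny
}

func main() { // constructed sample: the manager inherits a deny via sales_user
	gs := Groups{"sales_manager": {"sales_user"}, "sales_user": {"employee"}}
	rules := []Rule{{"everyone", "Partner", Read, false}, {"employee", "Partner", Write, false},
		{"sales_manager", "Partner", All, false}, {"sales_user", "Partner", Unlink, true}}
	fmt.Printf("%03b\n", Effective(gs, rules, "sales_manager", "Partner")) // 011
}
```

With allow-override instead, the inherited Unlink deny would be ignored and the manager would keep All; the `allow &^ deny` line is the single place where that policy choice lives.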