oursky / skygear-rbac

A generic role-based access control with resource policy, designed to work with skygear-auth

Rewrite RBAC without Casbin? #22

Closed IniZio closed 4 years ago

IniZio commented 5 years ago

Background

Initially we chose casbin because it provides the most flexibility in terms of authorization model.

Why Casbin might not be best solution

Confusing model

After using it in a project, the dynamic model syntax, especially policy_matcher, is actually confusing.

We might argue that the dynamic model is useful for projects that are at prototype stage. The problem is this library does not offer any way to migrate according to model changes. For example you cannot add another column in policy.

Bad performance

If we put the model aside, Casbin is no different from simply querying for object + subject + action (+ domain) and then returning the effect.

Policy matcher makes it impossible to perform pagination or filtering, since the matcher itself will be parsed into golang code and executed on each record.

The only thing people need to customize is inheritance, which seems better resolved by adding a table.

Also, searching for all roles is not done with a recursive query since they need to consider compatibility among non-db adaptors.

Cannot be used in listing

It is fine to get each record and run an enforce request on it. This however is not performant when applied to record listing.

One possible way to have per-record access control would be:

  1. User has a table which needs access control, e.g. file
  2. User adds a JSON column 'access'
       {
         "view": ["user_id1", "role_id1", "role_id2"]
       }
  3. User provides a webhook for RBAC to update permissions
  4. When listing the table, the list of roles associated with the user is fetched and users write their own query to match if the ids overlap with 'access'
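The listing approach sketched in steps 1-4, together with the "inheritance resolved by adding a table" point above, as an added Go example (not code from skygear-rbac or Casbin). It assumes a constructed role-inheritance map standing in for the extra table, a constructed `file` table whose `access` column holds the JSON shown in step 2, and hypothetical helper names `expandRoles`, `canView` and `listVisible`; the overlap check is done in Go here, where a real deployment would push it into the database query.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// roleParents stands in for the inheritance table the issue suggests:
// child role -> parent roles it inherits from. Constructed sample data.
var roleParents = map[string][]string{
	"role_id2": {"role_id1"},
	"role_id3": {"role_id2"},
}

// expandRoles returns the set of roles a subject effectively holds: the
// directly assigned roles plus every ancestor reachable through parents.
// The seen set makes the walk terminate even if the table contains a cycle.
func expandRoles(direct []string, parents map[string][]string) map[string]bool {
	seen := make(map[string]bool)
	stack := append([]string(nil), direct...)
	for len(stack) > 0 {
		r := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if seen[r] {
			continue
		}
		seen[r] = true
		stack = append(stack, parents[r]...)
	}
	return seen
}

// fileRow mirrors one row of the user's "file" table with its JSON 'access' column.
type fileRow struct {
	ID     string
	Access string // raw JSON, e.g. {"view": ["user_id1", "role_id1"]}
}

// canView reports whether the subject (its user id or any effective role id)
// overlaps with the ids listed under action in the row's access column.
func canView(row fileRow, action, userID string, roles map[string]bool) (bool, error) {
	var access map[string][]string
	if err := json.Unmarshal([]byte(row.Access), &access); err != nil {
		return false, fmt.Errorf("row %s: bad access column: %w", row.ID, err)
	}
	for _, id := range access[action] {
		if id == userID || roles[id] {
			return true, nil
		}
	}
	return false, nil
}

// listVisible is the listing step: resolve the subject's roles once, then keep
// only rows whose 'view' list overlaps. Rows with malformed access JSON are
// skipped, so a corrupt column fails closed instead of leaking the record.
func listVisible(rows []fileRow, userID string, directRoles []string) []string {
	roles := expandRoles(directRoles, roleParents)
	var out []string
	for _, r := range rows {
		ok, err := canView(r, "view", userID, roles)
		if err != nil {
			continue
		}
		if ok {
			out = append(out, r.ID)
		}
	}
	return out
}

// sampleRows is constructed test data, not taken from the project.
var sampleRows = []fileRow{
	{ID: "f1", Access: `{"view": ["user_id1", "role_id1", "role_id2"]}`},
	{ID: "f2", Access: `{"view": ["role_id1"]}`},
	{ID: "f3", Access: `{"view": ["user_id9"], "edit": ["role_id3"]}`},
	{ID: "f4", Access: `not json`},
}

func main() {
	// user_id2 holds role_id3 directly, which inherits role_id2 -> role_id1,
	// so it sees f1 and f2 through role_id1.
	fmt.Println(listVisible(sampleRows, "user_id2", []string{"role_id3"}))
	// user_id1 holds no roles and sees only f1, via its own user id.
	fmt.Println(listVisible(sampleRows, "user_id1", nil))
}
```

Resolving the role closure once per request is what makes this cheaper than running an enforce call per record: the per-row work is a single overlap test against a precomputed set, which is also the shape a database can evaluate in the WHERE clause of the listing query.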
hsluoyz commented 4 years ago

> For example you cannot add another column in policy.

You can add another column at the end (after the other columns).

> It is fine to get each record and run an enforce request on it. This however is not performant when applied to record listing.

See: https://casbin.org/docs/en/rbac#how-to-query-implicit-roles-or-permissions