2024 was the year AI agents moved from demos to production. The Model Context Protocol (MCP) has been adopted by Google, OpenAI, Microsoft, and many others, and the way applications talk to external services is changing. That shift brings a new set of authorization challenges we at Casbin have been working on.
This post explains how to design and implement RBAC with the Casbin library. For SaaS platforms with resource hierarchies and roles that inherit permissions, Casbin is a performant option.
APISIX is a high-performance, scalable, cloud-native API gateway built on Nginx and etcd, and an Apache Software Foundation project. It ships with many plugins for authentication, monitoring, routing, and more. Plugins are hot-reloaded without restarts, so you can change behavior on the fly.
When you need authorization beyond simple checks, the authz-casbin plugin can help. It is an APISIX plugin built on Lua Casbin that enforces flexible authorization using models such as ACL, RBAC, and ABAC. Casbin is an authorization library (originally in Go, now ported to many languages); Lua Casbin is the Lua port. We proposed the plugin in the APISIX repo (#4674); after review and improvements, it was merged (#4710).
We are pleased to announce that Casbin’s founder, Yang Luo, was named a Google Open Source Peer Bonus winner for his work on Casbin, Npcap, and Nmap in 2019 Q3.
We have moved Casbin’s documentation from GitHub Wiki to the Docs section of this site, powered by Docusaurus. You get better Markdown rendering, full-text search, versioning, and translation.
We have ported Casbin to Node.js: node-Casbin.
People often ask whether Casbin can run as a service instead of a library. The answer is yes. We have launched Casbin Server as a concrete Access Control as a Service solution.