
How It Works

In Casbin, the access control model is abstracted into a CONF file based on the PERM metamodel (Policy, Effect, Request, Matchers). Switching or upgrading the authorization mechanism for a project is as simple as modifying a configuration. You can customize your own access control model by combining the available models. For example, you can combine RBAC roles and ABAC attributes within one model and share a single set of policy rules.

The PERM model is composed of four foundations: Policy, Effect, Request, and Matchers. These foundations describe the relationship between resources and users.

Request

Defines the request parameters. A basic request is a tuple object, requiring at least a subject (the accessing entity), an object (the accessed resource), and an action (the access method).

For example, a request definition may look like this: r = {sub, obj, act}

This definition specifies the parameter names and ordering required by the access control matching function.

Policy

Defines the model for the access strategy. It specifies the name and order of the fields in the Policy rule document.

For example: p = {sub, obj, act} or p = {sub, obj, act, eft}

Note: If eft (the policy result) is not defined, the result field in the policy file is not read, and every matched policy rule is treated as allow by default.

Matcher

Defines the matching rules for Request and Policy.

For example: m = r.sub == p.sub && r.act == p.act && r.obj == p.obj. This simple and common matching rule means that if the request parameters (subject, resource and action) are equal to those in a policy rule, that rule's result (p.eft) is returned.

Effect

Combines the matcher results across all policy rules into a single decision.

For example: e = some(where (p.eft == allow))

This statement means that if at least one (some) matched policy rule has the result allow, the final result is true.

Let's look at another example:

e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

The logical meaning of this combination is: if there is a matched policy rule with the result allow and no matched policy rule with the result deny, the result is true. In other words, it is true only when every matched rule is allow. If any matched rule is deny, the result is false (more simply, when allow and deny both match, deny takes precedence).

The simplest and most basic model in Casbin is ACL. The model CONF for ACL is as follows:

# Request definition
[request_definition]
r = sub, obj, act

# Policy definition
[policy_definition]
p = sub, obj, act

# Policy effect
[policy_effect]
e = some(where (p.eft == allow))

# Matchers
[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act

An example policy for the ACL model is:

p, alice, data1, read
p, bob, data2, write

This means:

  • alice can read data1
  • bob can write data2

We also support multi-line mode by appending '\' at the end of a line:

# Matchers
[matchers]
m = r.sub == p.sub && r.obj == p.obj \
&& r.act == p.act

Furthermore, if you are using ABAC, you can try the 'in' operator as shown in the following example for the Casbin Go edition (jCasbin and Node-Casbin do not support it yet):

# Matchers
[matchers]
m = r.obj == p.obj && r.act == p.act || r.obj in ('data2', 'data3')

But you SHOULD make sure that the array has more than one element; otherwise it will cause a panic.

For more operators, you may take a look at govaluate.