ABAC
What is the ABAC model?
ABAC stands for Attribute-Based Access Control. It allows you to control access by using the attributes (properties) of the subject, object, or action instead of using the string values themselves. You may have heard of a complicated ABAC access control language called XACML. Casbin's ABAC, on the other hand, is much simpler. In Casbin's ABAC, you can use structs or class instances instead of strings for model elements.
Let's take a look at the official ABAC example:
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = r.sub == r.obj.Owner
In the matcher, we use r.obj.Owner instead of r.obj. The r.obj passed in the Enforce() function will be a struct or class instance rather than a string. Casbin will use reflection to retrieve the obj member variable in that struct or class for you.
Here is a definition for the r.obj struct or class:
type testResource struct {
Name string
Owner string
}
If you want to pass parameters to the enforcer through JSON, you need to enable the function with e.EnableAcceptJsonRequest(true).
For example:
e, _ := NewEnforcer("examples/abac_model.conf")
e.EnableAcceptJsonRequest(true)
data1Json := `{ "Name": "data1", "Owner": "bob"}`
ok, _ := e.Enforce("alice", data1Json, "read")
Enabling the function of accepting JSON parameters may result in a performance drop of 1.1 to 1.5 times.
How to use ABAC?
To use ABAC, you need to do two things:
- Specify the attributes in the model matcher.
- Pass in the struct or class instance for the element as an argument to Casbin's
Enforce()function.
Currently, only request elements like r.sub, r.obj, r.act, and so on support ABAC. You cannot use it on policy elements like p.sub because there is no way to define a struct or class in Casbin's policy.
You can use multiple ABAC attributes in a matcher. For example: m = r.sub.Domain == r.obj.Domain.
If you need to use a comma in a policy that conflicts with CSV's separator, you can escape it by surrounding the statement with quotation marks. For example, "keyMatch("bob", r.sub.Role)" will not be split.
Scaling the model for complex and large numbers of ABAC rules
The above implementation of the ABAC model is simple at its core. However, in many cases, the authorization system requires a complex and large number of ABAC rules. To accommodate this requirement, it is recommended to add the rules in the policy instead of the model. This can be done by introducing an eval() functional construct. Hier ist ein Beispiel:
Dies ist die Definition der CONF-Datei, die verwendet wird, um das ABAC-Modell zu definieren.
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub_rule, obj, act
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = eval(p.sub_rule) && r.obj == p.obj && r.act == p.act
In diesem Beispiel ist p.sub_rule eine Struktur oder Klasse (benutzerdefinierter Typ), die die notwendigen Attribute enthält, die in der Richtlinie verwendet werden sollen.
Dies ist die Richtlinie, die gegen das Modell für die Durchsetzung verwendet wird. Jetzt können Sie die an eval() übergebene Objektinstanz als Parameter verwenden, um bestimmte ABAC-Beschränkungen zu definieren.
p, r.sub.Age > 18, /data1, read
p, r.sub.Age < 60, /data2, write