Casbin is a mature and easy-to-use permission control library in Rust.
Casbin is a permission control library written in Go and developed by Dr. Luo Yang. It supports common access control models such as ACL, RBAC and ABAC.
Casbin-rs is a Rust port of the project, which has higher speed and memory safety than the Go version.
- Casbin's configuration consists of two parts. The first is the model configuration file, which selects the model (Model), configures groups (Group), defines the structure of the request (Request) and the policy (Policy), and configures the matcher (Matcher), which is described later. The second is the container for the policy (Policy), which can be a CSV file or a database (MySQL/PostgreSQL). The structure of the policies in the container is derived from the configuration of the Model.
- Supports multi-layer role inheritance in RBAC: not only subjects can have roles, resources can have roles too.
- Supports super users, such as root or Administrator. Super users can access any resource without being restricted by authorization policies.
- Supports a variety of built-in operators, such as `keyMatch`, to make path-based resources easier to manage. For example, `/book/1` can be mapped to `/book/:id`.
- Casbin does not perform identity authentication (that is, verifying the user's user name and password). It is only responsible for access control. A separate, specialized component should handle identity authentication, and Casbin then handles access control. The two cooperate.
- Casbin does not manage user lists or role lists. Casbin's view is that the project itself is the more appropriate place to manage users and roles. Users usually have passwords, but Casbin is not designed to be a container for storing passwords. Instead, it stores the mapping between users and roles in the RBAC scheme.
```ini
# model.conf

# Request definition
[request_definition]
r = sub, obj, act

# Policy definition
[policy_definition]
p = sub, obj, act

# Policy effect
[policy_effect]
e = some(where (p.eft == allow))

# Matchers
[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act
```
This is a model definition file, where `sub` represents the user, `obj` is the resource to be accessed, and `act` is the operation performed on the resource.
When using Casbin in a web app, `sub` corresponds to the username, `obj` corresponds to the URL path accessed, and `act` represents an HTTP method (GET/POST/PUT/DELETE etc).
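`request_definition` tells us what constitutes a request.
`policy_definition` tells us what constitutes a policy rule; here it has the same fields as the request.
`policy_effect` tells us when a request is allowed: here, when some matching policy rule has the effect `allow`.
The job of the matcher is to return a boolean value that says whether the request and a policy rule satisfy a certain relation.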
If we want to add a super administrator who can perform any operation, we can write:
```ini
[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act || r.sub == "root"
```
It is clearly visible here that `m` is true when the request subject is `root`, i.e., it has all the possible permissions.
```csv
p, alice, data1, read
p, bob, data2, write
```
This literally translates to -
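The model, the `root` matcher and the two policy rules above, worked through as an added example (not code from casbin-rs or from this post): a std-only Rust program that parses the policy lines and applies the matcher with deny-by-default. The names `Rule`, `parse_policy`, `enforce` and `SUPERUSER` are hypothetical, and checking the `root` clause once before the rules is a simplification made here.

```rust
// Added example: a std-only model of the page's ACL matcher, not casbin-rs code.
const SUPERUSER: &str = "root"; // subject named in the `|| r.sub == "root"` clause

// The two policy rules shown on the page.
const POLICY_CSV: &str = "p, alice, data1, read\np, bob, data2, write\n";

/// One `p, sub, obj, act` rule from the policy container.
struct Rule {
    sub: String,
    obj: String,
    act: String,
}

/// Parse policy text. Anything that is not a `p` rule with three non-empty
/// fields is skipped, so a malformed line can never grant access.
fn parse_policy(csv: &str) -> Vec<Rule> {
    csv.lines()
        .filter_map(|line| {
            let f: Vec<&str> = line.split(',').map(str::trim).collect();
            match f.as_slice() {
                ["p", sub, obj, act]
                    if !sub.is_empty() && !obj.is_empty() && !act.is_empty() =>
                {
                    Some(Rule { sub: sub.to_string(), obj: obj.to_string(), act: act.to_string() })
                }
                _ => None,
            }
        })
        .collect()
}

/// Matcher: r.sub == p.sub && r.obj == p.obj && r.act == p.act || r.sub == "root"
/// Effect: allow if some rule matches; with no match the request is denied.
fn enforce(policy: &[Rule], sub: &str, obj: &str, act: &str) -> bool {
    // The superuser clause reads no `p` field, so this example checks it once.
    sub == SUPERUSER
        || policy.iter().any(|p| sub == p.sub && obj == p.obj && act == p.act)
}

fn main() {
    let policy = parse_policy(POLICY_CSV);
    let requests = [("alice", "data1", "read"), ("alice", "data2", "write"), ("root", "data2", "write")];
    for (s, o, a) in requests.iter() {
        println!("{} {} {} -> {}", s, o, a, enforce(&policy, s, o, a));
    }
}
```

Because the comparison is exact string equality, `READ` does not match a rule written as `read`, and whichever component authenticates the user must guarantee that no ordinary account can present itself as `root`.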
Casbin-RS: Currently supports all features supported by the Casbin Go version and is under active development.
At present, Casbin Rust is developing steadily. The currently supported components are:
- Casbin Diesel Adapter: Adapter developed using the diesel ORM library, supports MySQL/PostgreSQL/SQLite.
- Casbin Actix-web Middleware: Actix-web is the fastest web framework. Casbin supports Actix middleware and automatically manages permissions for requests.
- Casbin Actix-web Actor: Casbin is re-encapsulated under the Actix framework, which is convenient for use in Actix-web and encapsulates common functions.
- Casbin Sqlx Adapter: Supports fully asynchronous database middleware with better performance, based on Sqlx. Supports MySQL/PostgreSQL.
In the next blog, i.e., Part 2, we will talk more about the casbin auth model that we will be using in our project.
And don't forget to star our repositories on GitHub.