DEV Community

0xsmrpn
0xsmrpn

Posted on

How to use casbin authorization in your rust web-app [Part - 1]

Casbin is a mature and easy-to-use permission control library in rust.

What is Casbin?

Casbin is a permission control library based on Go language developed by Dr. Luo Yang. It supports common access control models such as ACL, RBAC, ABAC, etc.
Casbin-rs is a Rust port of the project, which has higher speed and memory security than the Go language version.

What Casbin does -
  • Casbin's configuration file consists of two parts, one is the Configuration file (can be understood as the model configuration file), which configures the model (Model) selection, group (Group) configuration, defines the request (Request) and policy (Policy) structure and the configuration of the matcher (Matcher), which will be described later. The other is the container for the policy (Policy), which can be a csv file or a database (MySQL/PostgreSQl). Policies in the container are derived from the configuration of the Model.
  • Support multi-layer role inheritance in RBAC, not only subjects can have roles, resources can also have roles.
  • Support super users, such as root or Administrator, super users can access any resources without being restricted by authorization policies.
  • Support a variety of built-in operators, such as keyMatch, to facilitate the management of path-based resources, such as /book/1 can be mapped to /book/:id
What Casbin does not do -
  • For identity authentication (that is, to verify the user's user name and password), casbin is only responsible for access control. There should be other specialized components responsible for identity authentication, and then access control by casbin. The two are in a cooperative relationship.
  • Manage user lists or role lists. Casbin believes that it is more appropriate to manage the user and role list by the project itself. Users usually have their passwords, but Casbin's design idea is not to use it as a container for storing passwords. Instead, it stores the mapping relationship between users and roles in the RBAC scheme.
A model configuration -
// model.conf
# Request definition
[request_definition]
r = sub, obj, act

# Policy definition
[policy_definition]
p = sub, obj, act

# Policy effect
[policy_effect]
e = some(where (p.eft == allow))

# Matchers
[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act
Enter fullscreen mode Exit fullscreen mode

This is a model definition file, where sub represents the user, obj is the resource to be accessed, and act the operation performed on the resource.
When using casbin in a web app, sub corresponds to the username, obj corresponds to the URL Path accessed, and act represents a HTTP method (GET/POST/PUT/DELETE etc).

Here, request_definition tells us what constitutes a request. policy_definition is the same as in request. policy_effect tells us when the rule is valid.
The job of the Matcher is to return a boolean value when the request and the policy satisfy a certain relation.

If we want to add a super administrator, it can perform any operation, we can write:

[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act || r.sub == "root"
Enter fullscreen mode Exit fullscreen mode

It is clearly visible here that m is true when the request subject is root , i.e., it has all the possible permissions.

Policy configuration
p, alice, data1, read
p, bob, data2, write
Enter fullscreen mode Exit fullscreen mode

This literally translates to - alice can read from data1, and bob can write to data2.

The Casbin Rust ecosystem

Casbin-RS : Currently supports all features supported by Casbin Go version and is under active development

At present, Casbin Rust is developing steadily. The currently supported components are:

Casbin Diesel Adaper : Adapter developed using the diesel ORM library, suppors MySQL/PostgreSQL/SQLite
Casbin Actix-web Middleware : Actix-web is the fastest web-framework. Casbin supports Actix middleware and automatically manages permissions for requests
Casbin Actix-web Actor : Casbin is re-encapsulated under the Actix framework, which is convenient for use in Actix-web and encapsulates common functions
Casbin Sqlx Adapter : Supports fully asynchronous database middleware with better performance, based on Sqlx. Support MySQL/PostgreSQL

Casbin official website
Casbin Forum
Casbin also supports other languages ​​besides Go and Rust: Javascript, PHP, Python, C#(.NET), C++, Java etc

In the next blog, i.e., Part 2, we will talk more about the casbin auth model that we will be using in our project.

And don't forget to star our repositories on Github.

Top comments (0)