Synopsis
Casbin is a powerful and efficient open source access control framework with a permission management mechanism that supports multiple access control models.
Key features of casbin include:
- Customizable request format; the default request is {subject, object, action};
- Two core concepts: the access control model (model) and the policy (policy);
- Multiple levels of role inheritance in RBAC, so that not only subjects but also resources can have roles;
- Super users such as root or Administrator, who can access any resource regardless of the authorization policy;
- A variety of built-in operators such as keyMatch, which make path-based resources easier to manage, e.g. /foo/bar can be matched by /foo*.
What casbin does not do:
- Authentication (verifying a user's username and password). casbin is only responsible for access control; a separate component should handle authentication, after which casbin performs the access control. The two are complementary. In practice this means the subject passed to casbin must come from the authenticated session, never from a client-supplied field, because casbin does not check it.
- Managing the list of users or the list of roles. casbin takes the position that the project itself is better placed to manage users and roles. casbin assumes that every user, role and resource appearing in policies and requests is legitimate and valid.
Why should I use Casbin?
In many of the projects I work on, permission handling is a headache: every project controls permissions in a different way. I had long wondered whether there was a general-purpose permission control framework that could be applied to many kinds of permission control, with each project needing only small modifications, until I happened upon the casbin library.
At the moment I am only starting to use it, so this is a brief usage note documenting what I use in my project, for my own continued research and as an example for other Python developers who want to use the library.
Official Documentation Address
The project provides a very nice online editor, which lets us try out and test casbin's permission handling directly.
We take the official example as an illustration. The Policy panel holds the permission policy. From it you can see that user alice has the role data2_admin, and that role data2_admin has read and write permission on data2, so user alice has read and write rights on data2; the test below confirms this.
This is how permissions are tested in the editor; the key is to work out the permission relationships in RBAC.
Using the PyCasbin Module
casbin supports a variety of permission models. The one we use most often is RBAC, so let's take that as an example of how to use it in Python.
Installation:
pip install casbin
Example
1. Initialize an enforcer, passing in two parameters: the model file path and the policy file path.
Both the model file and the policy file can be downloaded from the pycasbin repository (on gitee, search for pycasbin); rbac_model.conf is in the examples directory.

import casbin

# model file path first, then policy file path
e = casbin.Enforcer("path/to/model.conf", "path/to/policy.csv")

2. Add the following hook at each point in your code that needs access control:

sub = "alice"  # the user that wants to access a resource
obj = "data1"  # the resource that is going to be accessed
act = "read"   # the operation that the user performs on the resource

if e.enforce(sub, obj, act):
    # permit alice to read data1
    pass
else:
    # deny the request, show an error
    pass
pycasbin has many methods because it supports many permission models; some interfaces are designed for specific models, which can confuse users. Here I summarize only the interfaces I currently use for the RBAC model, and will add to this note as I use new ones.
Before using it, let us look at the common permission operations:
Add role permissions:
e.add_policy('super', 'user', 'add')
Delete role permissions:
e.remove_policy('super', 'user', 'add')
Add user permissions:
e.add_permission_for_user('lisi', 'user', 'add')
Deletes user-specified permissions:
e.delete_permission_for_user('lisi', 'user', 'add')
Delete all privileges of the user:
e.delete_permissions_for_user('zhangsan')
Queries user privileges:
e.get_permissions_for_user('lisi')
Add user roles:
e.add_role_for_user('zhangsan', 'admin')
Deletes the user's assigned role:
e.delete_role_for_user('zhangsan', 'admin')
Delete all roles for the user:
e.delete_roles_for_user('zhangsan')
Queries the user role:
e.get_roles_for_user('zhangsan')
Delete the user:
e.delete_user('zhangsan')
Delete the role:
e.delete_role('admin')
Delete permissions:
e.delete_permission('add')
Determining user privileges:
e.enforce('super', 'user', 'add')
enforce returns True only when some policy rule matches the request; a request that matches nothing is denied. Note also that the management calls above change the policy loaded in memory; with the file adapter used in the example, call e.save_policy() to write the current policy back to the policy file.
permission test
Taking the above example, the permission policy is as follows:

p, data2_admin, data2, read
p, data2_admin, data2, write
p, data1_admin, data1, read
p, data1_admin, data1, write
g, alice, data1_admin
g, bob, data2_admin

From this policy we infer that user alice has read access to data1 (alice has the role data1_admin, which may read data1). Check with pycasbin that the access is granted:

e.enforce('alice', 'data1', 'read')  # returns True
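To make the RBAC resolution behind the editor example and the policy above visible without installing pycasbin, here is an added example written for this note. It is not pycasbin and not Casbin's own code: it re-implements only the semantics of the rbac_model.conf matcher (g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act, with effect some(where (p.eft == allow))) plus Casbin's keyMatch rule, reads a constructed copy of the policy shown above, and then shows how a second level of role inheritance and a role revocation change the answers. The class and function names (MiniRbacEnforcer, trace_article_policy, key_match) are my own and are not pycasbin interfaces.

```python
# Added example for this note; a stand-in for pycasbin, not the library itself.
from __future__ import annotations

from collections import defaultdict

# Constructed copy of the policy lines shown in this note.
POLICY_CSV = """\
p, data2_admin, data2, read
p, data2_admin, data2, write
p, data1_admin, data1, read
p, data1_admin, data1, write
g, alice, data1_admin
g, bob, data2_admin
"""


def key_match(key1: str, key2: str) -> bool:
    """Casbin-style keyMatch: a trailing '*' in key2 matches any suffix of key1.

    key_match('/foo/bar', '/foo*') is True; key_match('/bar/foo', '/foo*') is False.
    """
    i = key2.find("*")
    if i == -1:
        return key1 == key2
    if len(key1) > i:
        return key1[:i] == key2[:i]
    return key1 == key2[:i]


class MiniRbacEnforcer:
    """Tiny stand-in for an RBAC enforcer: p rules plus transitive g links."""

    def __init__(self, csv_text: str) -> None:
        self.p_rules: list[tuple[str, str, str]] = []         # (sub, obj, act)
        self.g_links: dict[str, set[str]] = defaultdict(set)  # name -> direct roles
        for raw in csv_text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = [x.strip() for x in line.split(",")]
            if parts[0] == "p" and len(parts) == 4:
                self.p_rules.append((parts[1], parts[2], parts[3]))
            elif parts[0] == "g" and len(parts) == 3:
                self.g_links[parts[1]].add(parts[2])
            else:
                # Fail closed: a malformed policy line is a configuration bug,
                # not something to skip silently.
                raise ValueError(f"malformed policy line: {raw!r}")

    def roles_of(self, name: str) -> set[str]:
        """Every role reachable from name through one or more g links (cycle-safe)."""
        seen: set[str] = set()
        stack = list(self.g_links.get(name, ()))
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.g_links.get(role, ()))
        return seen

    def g(self, sub: str, role: str) -> bool:
        """Casbin's g(r.sub, p.sub): sub is the role itself or inherits it."""
        return sub == role or role in self.roles_of(sub)

    def enforce(self, sub: str, obj: str, act: str) -> bool:
        """Allow only if some p rule matches; no match means deny."""
        return any(
            self.g(sub, p_sub) and obj == p_obj and act == p_act
            for p_sub, p_obj, p_act in self.p_rules
        )

    # Local approximations of two of the management calls listed above.
    def add_role_for_user(self, user: str, role: str) -> None:
        self.g_links[user].add(role)

    def delete_role_for_user(self, user: str, role: str) -> None:
        self.g_links[user].discard(role)


def trace_article_policy() -> dict[str, bool]:
    """Walk the note's policy through the cases a reader should check by hand."""
    e = MiniRbacEnforcer(POLICY_CSV)
    results = {
        "alice reads data1 (via data1_admin)": e.enforce("alice", "data1", "read"),
        "alice reads data2 (no path to data2_admin)": e.enforce("alice", "data2", "read"),
        "bob writes data2 (via data2_admin)": e.enforce("bob", "data2", "write"),
    }
    # Second-level inheritance: data1_admin becomes a member of data2_admin,
    # so alice now reaches data2 through two g hops.
    e.add_role_for_user("data1_admin", "data2_admin")
    results["alice reads data2 after data1_admin inherits data2_admin"] = e.enforce("alice", "data2", "read")
    # Revoking the first hop cuts the whole chain.
    e.delete_role_for_user("alice", "data1_admin")
    results["alice reads data1 after role removed"] = e.enforce("alice", "data1", "read")
    return results


if __name__ == "__main__":
    for case, allowed in trace_article_policy().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {case}")
```

The point to take from the trace is that access is derived entirely from the g chain at evaluation time: adding one g link two levels up the hierarchy grants alice data2 without touching any p rule, and removing her single g link revokes everything at once. The same holds in pycasbin, so role assignments deserve the same review as policy rules.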
These are the interfaces we need for now. The official documentation says that casbin should not be used for user management or role management and recommends that the project itself manage its lists of users and roles. So we still create separate user and role tables, but where previously they were linked to each other through foreign keys, now we only need to create the table records themselves; the relationship between roles and users is managed through casbin.