Posted to dev@teaclave.apache.org by He Sun <no...@github.com.INVALID> on 2023/06/14 10:31:55 UTC

[apache/incubator-teaclave] Enabling access control service (Issue #700)

### Motivation & problem statement

The access service is not used by any other services. The Python engine (MesaPy) it uses is not maintained any more. Teaclave is moving towards Confidential VM and the ported services should be determined.

### Proposed solution

I reviewed all the access control code in the management and frontend services and found that most of the access control patterns are attribute-based, like checking the user ID against the owner ID of the object, e.g., task, file and function. Three years ago, someone suggested using [casbin-rs](https://github.com/casbin/casbin-rs) as the engine in #265. Casbin is powerful and supports ABAC. We can use it to do most of the access control. For more complicated access control, we can keep the enforcer hard-coded as it is now.

Please feel free to comment, thanks.

@mssun @uraj 


-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/700
You are receiving this because you are subscribed to this thread.

Message ID: <ap...@github.com>
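
The split proposed in the message above, an owner-attribute rule for most requests plus a hard-coded rule for the harder cases, as an added example that is not part of the original thread and is not Teaclave or casbin-rs code. All type and function names, the action list and the "public function" exception are assumptions made for illustration; the owner rule is written by hand in the shape of an ABAC matcher such as `r.sub == r.obj.owner` rather than through the casbin-rs API.

```rust
// Hypothetical types for illustration; not Teaclave's or casbin-rs's API.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Kind { Task, File, Function }

pub struct Object<'a> {
    pub kind: Kind,
    pub owner: &'a str,
    pub public: bool, // assumed attribute, only consulted for functions
}

pub struct Request<'a> {
    pub user: &'a str,
    pub action: &'a str,
    pub object: &'a Object<'a>,
}

/// Attribute rule: the requester's ID must equal the object's owner ID.
/// An empty ID never matches, so an unauthenticated caller cannot
/// "own" an object whose owner field was left blank.
fn owner_matches(r: &Request) -> bool {
    !r.user.is_empty() && r.user == r.object.owner
}

/// Hard-coded rule kept outside the generic matcher.
/// Assumption: a public function may be read, but not changed, by non-owners.
fn hard_coded_exception(r: &Request) -> bool {
    r.object.kind == Kind::Function && r.object.public && r.action == "get"
}

/// Deny by default: only a known action that passes one rule is allowed.
pub fn enforce(r: &Request) -> bool {
    const ACTIONS: [&str; 3] = ["get", "update", "delete"];
    ACTIONS.contains(&r.action) && (owner_matches(r) || hard_coded_exception(r))
}

fn main() {
    // Constructed sample objects and requests.
    let task = Object { kind: Kind::Task, owner: "alice", public: false };
    let func = Object { kind: Kind::Function, owner: "alice", public: true };
    let cases = [
        ("alice", "update", &task),
        ("bob", "get", &task),
        ("bob", "get", &func),
        ("bob", "delete", &func),
    ];
    for (user, action, object) in cases {
        let allowed = enforce(&Request { user, action, object });
        println!("{} {} {:?} -> {}", user, action, object.kind, allowed);
    }
}
```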

Re: [apache/incubator-teaclave] Enabling access control service (Issue #700)

Posted by hsluoyz <no...@github.com.INVALID>.
Hi @henrysun007, I am from the Casbin team. We are happy to see this and it's really a good move to migrate to Casbin considering that https://github.com/casbin/casbin-rs has already been feature-mature for years and is suitable for production use now. What are the next steps then? We can also provide help in this process if needed.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/700#issuecomment-1596675484

Re: [apache/incubator-teaclave] Enabling access control service (Issue #700)

Posted by He Sun <no...@github.com.INVALID>.
Closed #700 as completed via #704.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/700#event-9749794755

Re: [apache/incubator-teaclave] Enabling access control service (Issue #700)

Posted by He Sun <no...@github.com.INVALID>.
@hsluoyz I made some modifications to the crate to run inside an SGX enclave. The code is at https://github.com/mesatee/casbin-rs/tree/teaclave-sgx. Feel free to comment. Thanks.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/700#issuecomment-1617198983