Posted to notifications@teaclave.apache.org by GitBox <gi...@apache.org> on 2020/04/17 02:56:13 UTC

[GitHub] [incubator-teaclave] veotax opened a new issue #265: Switch the access control service to official Casbin-RS

veotax opened a new issue #265: Switch the access control service to official Casbin-RS
URL: https://github.com/apache/incubator-teaclave/issues/265
 
 
   I saw we built a custom access control service here: https://github.com/apache/incubator-teaclave/pull/64 . I found it is actually re-implementing something like Casbin-RS: https://github.com/casbin/casbin-rs . I totally understand it because this PR was done last November, but Casbin-RS only got its primary features (RBAC, ABAC, etc.) done after last December. Actually Casbin supports 8 languages and Rust is the last one that got ready :)
   
   So now I think we are safe to move to Casbin-RS finally because after 5 months' development, it's now ready for production and actively maintained. So Teaclave maintainers don't need to spend effort maintaining this part of the code.
   
   teaclave model:
   
   https://github.com/apache/incubator-teaclave/blob/c574bd6f9c5f0e8acd6526acd7dafa0dce2a4ec1/mesatee_services/acs/model.conf#L1-L32
   
   Casbin RBAC model:
   
   ```ini
   [request_definition]
   r = sub, obj, act
   
   [policy_definition]
   p = sub, obj, act
   
   [role_definition]
   g = _, _
   
   [policy_effect]
   e = some(where (p.eft == allow))
   
   [matchers]
   m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
   ```

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@teaclave.apache.org
For additional commands, e-mail: notifications-help@teaclave.apache.org
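
Added example, not part of the original issue and not Casbin-RS or Teaclave code: a std-only Rust evaluator for the RBAC model quoted in the issue, showing how the matcher `g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act` and the effect `some(where (p.eft == allow))` decide a request, including transitive roles, a role cycle and the default deny. The `Enforcer` type, the `POLICY` rows and all subject, object and role names are constructed for illustration.

```rust
use std::collections::{HashMap, HashSet};

// Constructed sample policy in Casbin's CSV layout: p = sub, obj, act; g = user, role.
const POLICY: &str = "\
p, alice, data1, read
p, data2_admin, data2, write
p, auditor, logs, read
g, alice, data2_admin
g, data2_admin, auditor
g, auditor, data2_admin";

struct Enforcer { rules: Vec<[String; 3]>, roles: HashMap<String, Vec<String>> }

impl Enforcer {
    fn load(text: &str) -> Enforcer {
        let mut e = Enforcer { rules: Vec::new(), roles: HashMap::new() };
        for line in text.lines() {
            let f: Vec<&str> = line.split(',').map(str::trim).collect();
            match f.as_slice() {
                ["p", s, o, a] => e.rules.push([s, o, a].map(|x| x.to_string())),
                ["g", u, r] => e.roles.entry(u.to_string()).or_default().push(r.to_string()),
                _ => {} // blank or malformed rows grant nothing
            }
        }
        e
    }
    // g(r.sub, p.sub): true when the names are equal or p.sub is reachable through g rows.
    fn g(&self, sub: &str, target: &str) -> bool {
        let (mut seen, mut stack) = (HashSet::new(), vec![sub]);
        while let Some(cur) = stack.pop() {
            if cur == target { return true; }
            if seen.insert(cur) { // a name already seen is part of a role cycle; skip it
                stack.extend(self.roles.get(cur).into_iter().flatten().map(String::as_str));
            }
        }
        false
    }
    // e = some(where (p.eft == allow)): one matching p row allows, no match denies.
    fn enforce(&self, sub: &str, obj: &str, act: &str) -> bool {
        self.rules.iter().any(|[ps, po, pa]| self.g(sub, ps) && obj == po && act == pa)
    }
}

fn main() {
    let e = Enforcer::load(POLICY);
    println!("alice/data2/write -> {}", e.enforce("alice", "data2", "write"));
    println!("bob/data2/write -> {}", e.enforce("bob", "data2", "write"));
}
```

Because the sample `g` rows make `data2_admin` and `auditor` members of each other, the two roles are equivalent, which is the kind of unintended grant to look for when reviewing role assignments.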


[GitHub] [incubator-teaclave] uraj commented on issue #265: Switch the access control service to official Casbin-RS

Posted by GitBox <gi...@apache.org>.
uraj commented on issue #265: Switch the access control service to official Casbin-RS
URL: https://github.com/apache/incubator-teaclave/issues/265#issuecomment-615024946
 
 
   Thanks for the info. Indeed, when we implemented our access control subsystem, we referred to Casbin and that's why the format of the config file is similar.
   
   However, our model is more powerful. Simply speaking, our rules are Turing-complete. It's more like a home-made logic programming language that resembles Prolog. The resolution engine is written in Python and powered by MesaPy in SGX.
   
   Teaclave faces some unique problems in terms of access control because it is dealing with multi-party trusted computation. I'm no access control expert so the current design and implementation are likely suboptimal. If you are interested in helping make improvements please let us know.



[GitHub] [incubator-teaclave] uraj edited a comment on issue #265: Switch the access control service to official Casbin-RS

Posted by GitBox <gi...@apache.org>.
uraj edited a comment on issue #265: Switch the access control service to official Casbin-RS
URL: https://github.com/apache/incubator-teaclave/issues/265#issuecomment-615024946
 
 
   Thanks for the info. Indeed, when we were implementing our access control subsystem, we referred to Casbin and that's why the format of the configuration file is similar.
   
   However, our model is more powerful. Simply speaking, our rules are Turing-complete. It's more like a home-made logic programming language that resembles Prolog. The resolution engine is written in Python and powered by MesaPy in SGX.
   
   Teaclave faces some unique problems in terms of access control because it is dealing with multi-party trusted computation. I'm no access control expert so the current design and implementation are likely suboptimal. If you are interested in helping make improvements please let us know.
