Python general permission control module Casbin

Get into the habit of writing together! This is the 9th day of my participation in the "Nuggets Daily New Plan · April Update Challenge".

Introduction

Casbin is a powerful and efficient open source access control framework; its permission management mechanism supports multiple access control models.

Key features of casbin include:

  • Support custom request format, the default request format is {subject, object, action};
  • It has two core concepts: the access control model (model) and the policy (policy);
  • Support multi-layer role inheritance in RBAC, not only subjects can have roles, but resources can also have roles;
  • Support super users, such as root or Administrator, super users can access arbitrary resources without being restricted by authorization policies;
  • Support a variety of built-in operators, such as keyMatch, to facilitate the management of path-based resources, such as /foo/bar can be mapped to /foo*;

Things casbin doesn't do:

  • Authentication
    Authentication (that is, verifying a user's username and password). Casbin is only responsible for access control; a separate, specialized component should handle identity authentication, after which casbin performs access control. The two cooperate;
  • Managing the user list or role list
    Casbin takes the view that user and role lists are better managed by the project itself. Casbin assumes that all users, roles, and resources appearing in policies and requests are legitimate and valid.

Why should I use Casbin?

In the many projects I have worked on, permission handling is often a headache, and every project controls permissions in a different way. I kept wondering whether there was a general-purpose permission control framework that could serve all these different permission-control needs, so that each project could adopt it with only simple modifications, until I happened to come across the casbin library.

At present I am only beginning to try it out, so I am just keeping a simple usage record here of what I use in the project, for my own further study and use; it may also serve as an example for Pythoners who want to use this library.

Official documentation: casbin.org/docs/zh-CN/…

The official site provides a very good online editor that lets us try out and test casbin's permission handling directly.


Let's take the example provided by the official editor as a simple illustration. The Policy box holds the permission policy. From the policy we can see that user alice has the role data2_admin, and the role data2_admin has read/write permission on the data data2, so user alice has read/write on data2; the test below accordingly shows true.

That is the whole process of testing permissions with the editor; you only need to be clear about the permission relationships in RBAC.
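To make the RBAC relationship just described concrete, here is an added teaching example (my own code, not casbin's implementation) that reimplements in plain Python what the standard RBAC model evaluates: the policy is parsed into p rules and g links, and a request is allowed when some p rule's subject is a role the requester holds, directly or through a chain of g links, with matching object and action. The policy text is constructed for this example in the shape of the editor example described above (alice holds data2_admin, which may read and write data2); the extra user carol and role ops are my additions to show multi-level role inheritance. As in casbin's role manager, a name counts as holding itself, which is what lets a p rule written directly for alice match.

```python
"""Added teaching example, not casbin's own code: a minimal reimplementation of
what the standard rbac_model.conf evaluates, so a policy can be traced by hand."""
from collections import defaultdict

# Constructed policy text in casbin's CSV form. The first five lines follow the
# editor example; carol and ops are added to show a two-level role chain.
POLICY_TEXT = """
p, alice, data1, read
p, bob, data2, write
p, data2_admin, data2, read
p, data2_admin, data2, write
g, alice, data2_admin
g, ops, data2_admin
g, carol, ops
"""


def load_policy(text):
    """Split CSV policy lines into p rules and a role-inheritance graph."""
    p_rules = []
    g_links = defaultdict(set)  # user or role -> roles it directly holds
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ptype, *fields = [part.strip() for part in line.split(",")]
        if ptype == "p":
            p_rules.append(tuple(fields))
        elif ptype == "g":
            child, parent = fields
            g_links[child].add(parent)
        else:
            raise ValueError(f"unknown policy type {ptype!r}")
    return p_rules, g_links


def has_role(g_links, name, role):
    """g(name, role): True if name == role or name reaches role via g links."""
    seen = set()
    stack = [name]
    while stack:
        current = stack.pop()
        if current == role:
            return True
        if current in seen:
            continue
        seen.add(current)
        stack.extend(g_links.get(current, ()))
    return False


def enforce(p_rules, g_links, sub, obj, act):
    """Matcher m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
    under effect some(where (p.eft == allow)): one matching rule allows."""
    return any(
        has_role(g_links, sub, p_sub) and obj == p_obj and act == p_act
        for p_sub, p_obj, p_act in p_rules
    )


def implicit_roles(g_links, name):
    """All roles reachable from name at any depth (what inheritance grants)."""
    roles = set()
    stack = list(g_links.get(name, ()))
    while stack:
        role = stack.pop()
        if role not in roles:
            roles.add(role)
            stack.extend(g_links.get(role, ()))
    return roles


if __name__ == "__main__":
    rules, links = load_policy(POLICY_TEXT)
    print(enforce(rules, links, "alice", "data2", "read"))   # via data2_admin
    print(enforce(rules, links, "carol", "data2", "write"))  # carol -> ops -> data2_admin
    print(enforce(rules, links, "bob", "data2", "read"))     # bob only holds write
    print(sorted(implicit_roles(links, "carol")))
```

The point of `has_role` walking the whole g chain is the "multi-layer role inheritance" feature listed at the top: carol never appears next to data2_admin in the policy, yet she can write data2 because ops holds that role. A visited set keeps the walk finite even if someone writes a cycle into the g rules.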

Using the PyCasbin module

casbin supports multiple permission models; the one we use most often is RBAC, so we take this model as the example to show how to use it in Python.

Installation

pip install casbin

A simple example

1. Initialize an enforcer, passing two parameters: the model file path and the policy file path.
The model file and the policy file can both be downloaded from the repository: go to gitee, search for pycasbin, and download rbac_model.conf (and the matching policy file) from the examples directory.

import casbin
e = casbin.Enforcer("path/to/model.conf", "path/to/policy.csv")

2. At the places in your code that need access control, add the following hook:

sub = "alice"  # the user that wants to access a resource.
obj = "data1"  # the resource that is going to be accessed.
act = "read"  # the operation that the user performs on the resource.

if e.enforce(sub, obj, act):
    # permit alice to read data1
    pass
else:
    # deny the request, show an error
    pass

pycasbin itself has a great many methods; because it supports several permission models, some interfaces are designed for particular models, and that many interface methods can confuse users. So here I only summarize the interfaces of the RBAC permission model that I currently use; if I use new interfaces later, I will add them to this document.

Before using it, let's first analyze which permission operations are commonly needed. Note that all of these calls change the policy held in memory by the enforcer; with the file adapter used above, call e.save_policy() afterwards to write the changes back to the CSV.

  • Add a permission to a role

e.add_policy('super', 'user', 'add')

  • Remove a permission from a role

e.remove_policy('super', 'user', 'add')

  • Add a permission to a user

e.add_permission_for_user('lisi', 'user', 'add')

  • Remove a specific permission from a user

e.delete_permission_for_user('lisi', 'user', 'add')

  • Remove all permissions of a user

e.delete_permissions_for_user('zhangsan')

  • Query a user's permissions (only rules whose subject is the user itself, not those inherited through roles)

e.get_permissions_for_user('lisi')

  • Add a role to a user

e.add_role_for_user('zhangsan', 'admin')

  • Remove a specific role from a user

e.delete_role_for_user('zhangsan', 'admin')

  • Remove all roles of a user (takes only the user; an optional second argument is a domain, not a role name)

e.delete_roles_for_user('zhangsan')

  • Query a user's roles

e.get_roles_for_user('zhangsan')

  • Delete a user (removes the user's role assignments and direct permissions)

e.delete_user('zhangsan')

  • Delete a role (removes the role's permissions and every assignment of it)

e.delete_role('admin')

  • Delete a permission (matched from the object field onward, so pass object and action; every subject holding it loses it)

e.delete_permission('user', 'add')

  • Check a user's permission

e.enforce('super', 'user', 'add')

Permission test

Using a policy in the shape of the example above, the permission policy is as follows:

p, data2_admin, data2, read
p, data2_admin, data2, write
p, data1_admin, data1, read
p, data1_admin, data1, write

g, alice, data1_admin
g, bob, data2_admin

By our reasoning, user alice has read permission on data1. Use pycasbin to check that the permission is evaluated correctly:

e.enforce('alice', 'data1', 'read')

# outputs True

The above are the interfaces we need for now. The official documentation tells us that casbin is not meant for user management or role management, and recommends that the project manage the user list and role list itself. So we need to create separate user and role tables, but there is no need to link them to each other with foreign keys: we only create the tables that hold the user and role information, and the relationship between roles and users is managed through casbin.


Source: juejin.im/post/7085490095955902501