Anton

Reputation: 485

casbin nested resources (resource groups) config, not RBAC

I need to write a casbin config to implement user roles and nested resources (objects) in a node.js application.

For users RBAC works well, propagating allowed rules from roles down to users.

For resources (objects) I need a different policy: If obj X is in group Y and Y is in group Z, user must have ALLOW access to X AND Y AND Z. In other words, object and object groups apply additional restrictions on top of their parents.

At the same time, if a user has DENY access on X, no parent (Y or Z) ALLOW rules apply. This is easily implemented with RBAC's

[policy_effect]
e = !some(where (p.eft == deny))

[matchers]
m = g(r.sub, p.sub) ...

Do I need custom matchers? Really need help to get started on this task.

Upvotes: 0

Views: 941
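
The rule described in the question, written out as plain JavaScript so that a casbin model can be checked against a known-good decision function. This is an added example, not part of the original post and not casbin's API; the data layout, the sample policies and the function names are assumptions, and it treats a deny at any level of the chain as blocking, which follows from requiring ALLOW at every level.

```javascript
// Constructed sample data; every name here is hypothetical.
const userRoles = { alice: ["viewer"], bob: ["viewer"] }; // subject -> roles
const parentOf = { docX: "groupY", groupY: "groupZ" };    // object -> parent group
const policies = [
  // [subject, object, action, effect]
  ["viewer", "docX", "read", "allow"],
  ["viewer", "groupY", "read", "allow"],
  ["viewer", "groupZ", "read", "allow"],
  ["bob", "docX", "read", "deny"],    // explicit deny on the object itself
  ["carol", "docX", "read", "allow"], // allow on the object, none on its groups
];

// RBAC side: the user plus every role reached transitively.
function subjectsOf(user) {
  const seen = new Set();
  const stack = [user];
  while (stack.length) {
    const s = stack.pop();
    if (seen.has(s)) continue;
    seen.add(s);
    stack.push(...(userRoles[s] || []));
  }
  return seen;
}

// The object followed by its parent groups up to the root; stops on a cycle.
function chainOf(obj) {
  const chain = [];
  for (let o = obj; o !== undefined && !chain.includes(o); o = parentOf[o]) chain.push(o);
  return chain;
}

// Decision at one level: "deny" beats "allow"; "none" when no rule matches.
function levelDecision(subjects, obj, act) {
  const effects = policies
    .filter(([s, o, a]) => subjects.has(s) && o === obj && a === act)
    .map(([, , , eft]) => eft);
  if (effects.includes("deny")) return "deny";
  return effects.includes("allow") ? "allow" : "none";
}

// Access requires "allow" at the object AND at every ancestor group.
function enforce(user, obj, act) {
  const subjects = subjectsOf(user);
  return chainOf(obj).every((o) => levelDecision(subjects, o, act) === "allow");
}
```

Running the same requests through a candidate casbin model and comparing against `enforce` shows quickly whether the model's matcher and policy effect reproduce the intended semantics.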

Answers (0)
