Hackerchai Rust Blog

Writing for Rust Development

September 18, 2020

GSoC 2020 Final Report - Casbin Rust

GSoC Final Report - Casbin-RS

Personal Details

  • First/Last Name: Yi sheng Chai

  • Email: hackerchai.com@gmail.com

  • School/University: Chongqing University

  • Location: Chongqing, China

  • Timezone: China Standard Time (CST), UTC+8

  • Github Profile: https://github.com/hackerchai

Project Details

Overview

Casbin-RS is now ready for production

Casbin-RS aims to be a reliable, high-performance library supporting various access control models for Rust projects. In the past months, I have developed Casbin Sqlx Adapter, a fully async Casbin database adapter, which gives developers an alternative when selecting a database adapter as well as a higher-performance one.

In addition, all the components of Casbin-RS are now integrated with Github Actions CI and Auto-Release support.

Casbin-RS is now ready for Actix-web Development

Actix-web is the most popular Rust web framework at present. It is also known as the fastest web framework. With powerful extractors and extensible features, we can build Rust web applications easily. In the past months, I have been working on how to integrate Casbin with Actix-web.

Casbin Actix-web Middleware provides a basic middleware that reads the username (from another AuthN middleware), the request path, and the request method from a user request and sends an enforce request (subject, domain, object, action) to the Casbin enforcer for authorization. The middleware will block the request if the enforcer denies it. With this, requests are handled under authorization control automatically.

With Casbin Actix-web Actor, we can wrap Casbin into an actor for a safer and easier way to call it in request handlers. In the actix system, actors are objects which encapsulate state and behavior and run within the Actor System provided by the actix library. We built this actor for basic CRUD operations on the Casbin instance.

Casbin Actix-web Real World App is a fully functional demo that integrates Actix-web, Casbin Actix-web Middleware, Casbin Actix-web Actor, Diesel, and Casbin Diesel Adapter. It is basically an anonymous forum with an admin-user system. With Casbin integrated, it can authorize requests and add policies when a new user registers. This app provides a set of RESTful APIs using JWT authentication. It can be seen as an example for developers of how to use Casbin with Actix-web.

The work I have done

My Weekly Development Report can be seen here.

Casbin Sqlx Adapter

All the commits made by me: commit-list, this repo is mainly maintained by me.

  • Basic API Implementation
  • Test Module For Functions
  • Multi-Database support: Including MySQL/PostgreSQL
  • Fully Async Support
  • CI/CD Integrations: Github Actions
  • Auto-Release: Github Actions
  • Database Environment Setup: Docker
  • Document Writing

Casbin Actix-web Middleware

All the commits made by me: commit-list, this repo is mainly maintained by me.

  • Basic Function Implementation
  • Test Module For Middleware
  • Support for AuthN Middleware Integration
  • Support Domain Model and Domain-less Model
  • Support Get/Set Enforcer for Flexible Demand
  • CI/CD Integrations: Github Actions
  • Auto-Release: Github Actions
  • Document Writing

Casbin Actix-web Actor

All the commits made by me: commit-list, this repo is mainly maintained by me.

  • Basic Casbin Function Implementation
  • Test Module for Actor Runtime
  • Support Actix Supervisor: Auto-Restart Feature
  • Support Get/Set Enforcer for Flexible Demand
  • CI/CD Integrations: Github Actions
  • Auto-Release: Github Actions
  • Document Writing

Casbin Actix-web Real World App

All the commits made by me: commit-list, this module is mainly maintained by me.

  • Basic Restful API Implementation using Actix-web: Anonymous Forum
  • Integration with Casbin Actix-web Middleware and Casbin Actix-web Actor
  • User JWT Authentication Middleware Implementation
  • Database Design and Migration Implement
  • Casbin Configuration and Structure Design
  • URL White-list for Casbin AuthZ Middleware and JWT AuthN Middleware
  • Preset Policy Database Initial Implementation
  • CI/CD Integrations: Github Actions
  • Document Writing

Casbin Diesel Adapter

All the commits made by me: commit-list

  • Code Refactor and Optimization
  • Database Environment Setup Improvement
  • CI/CD Integrations: Github Actions
  • Auto-Release: Github Actions
  • Document Writing Improvement
  • Daily Maintenance and Upgrade

Casbin Official Website

All the commits made by me: commit-list

  • Casbin-Rs Actix Middleware & Actor Documentation

Challenges and Difficulties

  1. RwLock deadlock problem

    When developing the middleware and actor, I had to use RwLock to wrap the casbin instance to avoid Rust lifetime issues; they were all set and passed the unit tests. But when I was developing the real-world app, I encountered several RwLock deadlock problems. With my mentor's help, I finally solved the problem by manually dropping the RwLock to keep the middleware from holding the write lock for a long time.

  2. Sqlx compile-time checking and CI issues

    Sqlx-rs uses compile-time checking, which forces me to set up the database environment while compiling. When it came to CI, this was a little difficult, as it was my first time working with Github Actions, so I had to set up a database Docker container for the compile-time check. But here is the good news: Sqlx officially announced it will use sqlx-cli to avoid compile-time checking. When the feature becomes stable, I will try to port it to our Sqlx Adapter.
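
The RwLock problem from item 1, reduced to a std-only sketch; this is an added example, not code from the Casbin-RS repositories. `Enforcer`, `handler` and both middleware functions are hypothetical stand-ins, and the assumed shape of the bug is a middleware that still holds the write guard when the downstream handler asks for a read lock.

```rust
use std::collections::HashSet;
use std::sync::{Arc, RwLock};

// Hypothetical stand-in for a Casbin enforcer: a set of (sub, obj, act) rules.
struct Enforcer {
    rules: HashSet<(String, String, String)>,
}

type Shared = Arc<RwLock<Enforcer>>;

fn new_shared() -> Shared {
    Arc::new(RwLock::new(Enforcer { rules: HashSet::new() }))
}

// Constructed sample rule: `sub` may GET /posts.
fn rule(sub: &str) -> (String, String, String) {
    (sub.to_string(), "/posts".to_string(), "GET".to_string())
}

// Downstream handler: needs a read lock on the shared enforcer. try_read()
// reports contention instead of blocking forever, so the example terminates.
fn handler(e: &Shared, sub: &str) -> Result<bool, &'static str> {
    match e.try_read() {
        Ok(g) => Ok(g.rules.contains(&rule(sub))),
        Err(_) => Err("enforcer is still write-locked"),
    }
}

// Variant 1: the write guard lives until the end of the function,
// so it is still held while the handler runs.
fn middleware_holding(e: &Shared, sub: &str) -> Result<bool, &'static str> {
    let mut guard = e.write().unwrap();
    guard.rules.insert(rule(sub));
    handler(e, sub)
}

// Variant 2: the guard is dropped explicitly before the handler is called.
fn middleware_dropping(e: &Shared, sub: &str) -> Result<bool, &'static str> {
    let mut guard = e.write().unwrap();
    guard.rules.insert(rule(sub));
    drop(guard);
    handler(e, sub)
}

fn main() {
    let e = new_shared();
    println!("holding:  {:?}", middleware_holding(&e, "alice"));
    println!("dropping: {:?}", middleware_dropping(&e, "alice"));
}
```

With a blocking `read()` in place of `try_read()`, the first variant would hang instead of returning an error.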

After GSoC

I will definitely continue contributing to Casbin; there is still a lot to do in the future:

  • Implement new data structure for casbin-rs: For now, our data structure is a tree, which requires locks and makes it hard to support multi-threaded processing. In the future, maybe we can use an index tree to solve this problem.
  • Implement RPC version of casbin-rs

September 18, 2020

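A Mature, Easy-to-Use Access Control Library for Rust

What is Casbin-rs

Casbin is an access control library written in Go, developed under the lead of Dr. Yang Luo. It supports common access control models such as ACL, RBAC, and ABAC.

Casbin-rs is the Rust port; compared with the Go version, it offers higher speed and memory-safety guarantees.

What Casbin does

  1. Casbin's configuration consists of two parts. One is the configuration file (think of it as the model configuration file), which selects the model (Model), configures grouping (Group), defines the structure of requests (Request) and policies (Policy), and configures the matcher (Matcher); these are described later. The other is the container that holds the policies (Policy), which can be a CSV file or a database (MySQL/PostgreSQL). The policies in the container are all derived from the model configuration.
  2. Supports multi-level role inheritance in RBAC; not only subjects can have roles, resources can have roles too.
  3. Supports superusers such as root or Administrator; a superuser can access any resource without being constrained by the authorization policy.
  4. Supports a variety of built-in operators, such as keyMatch, which make it easy to manage path-style resources; for example, /book/1 can be mapped to /book/:id.

What Casbin does not do

  1. Authentication (that is, verifying a user's username and password). Casbin is only responsible for access control. A separate, dedicated component should handle authentication, and Casbin then performs access control; the two work together.
  2. Managing the list of users or the list of roles. Casbin considers it more appropriate for the project itself to manage users and roles. Users usually have passwords, but Casbin is not designed to be a container for storing passwords; it stores the mapping between users and roles in an RBAC scheme.

An example

Model configuration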

# model.conf
# Request definition
[request_definition]
r = sub, obj, act

# Policy definition
[policy_definition]
p = sub, obj, act

# Policy effect
[policy_effect]
e = some(where (p.eft == allow))

# Matchers
[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act

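This is a model definition file, where sub is the user accessing the resource, obj is the resource to be accessed, and act is the operation performed on the resource. In a web setting, sub corresponds to the username, obj to the URL path being accessed, and act to the HTTP method (GET/POST/PUT).

Here, the Request Definition tells us what a request consists of: three fields. The Policy Definition says what a policy consists of, in the same way. The Policy Effect tells us when a rule takes effect, and the Matcher says that true (operation allowed) is returned only when the request and a policy satisfy a given relationship. With the definitions above, the meaning is clear.

If we want to add a super administrator who can perform any operation, we can write: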

[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act || r.sub == "root"

Policy configuration

p, alice, data1, read
p, bob, data2, write

Combined with the model configuration above, this policy means that alice can read data1 and bob can write data2.
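
How the model, the root matcher and the two policy lines above combine, written out as a small std-only evaluator. This is an added example, not casbin-rs code; `Rule`, `load_policy` and `enforce` are hypothetical names, and the evaluator hard-codes this one model rather than parsing model.conf.

```rust
// Hand-written evaluation of the model above (not the casbin-rs API).
#[derive(Debug, PartialEq)]
struct Rule {
    sub: String,
    obj: String,
    act: String,
}

// Parse policy lines of the form "p, sub, obj, act"; any other line is skipped.
fn load_policy(csv: &str) -> Vec<Rule> {
    csv.lines()
        .filter_map(|line| {
            let f: Vec<&str> = line.split(',').map(str::trim).collect();
            match f.as_slice() {
                ["p", sub, obj, act] => Some(Rule {
                    sub: sub.to_string(),
                    obj: obj.to_string(),
                    act: act.to_string(),
                }),
                _ => None,
            }
        })
        .collect()
}

// m = r.sub == p.sub && r.obj == p.obj && r.act == p.act || r.sub == "root"
// e = some(where (p.eft == allow)): allow if any rule matches, else deny.
// `superuser` switches the `|| r.sub == "root"` clause on or off.
fn enforce(policy: &[Rule], r: (&str, &str, &str), superuser: bool) -> bool {
    // && binds tighter than ||, and the root clause never references p,
    // so it grants access regardless of what the policy contains.
    let root = superuser && r.0 == "root";
    root || policy
        .iter()
        .any(|p| r.0 == p.sub && r.1 == p.obj && r.2 == p.act)
}

// Constructed sample input: the same two rules as the policy above.
const POLICY: &str = "p, alice, data1, read\np, bob, data2, write\n";

fn main() {
    let policy = load_policy(POLICY);
    for r in [("alice", "data1", "read"), ("alice", "data2", "write"),
              ("root", "data2", "write")] {
        println!("{:?}: base={} with_root={}", r,
                 enforce(&policy, r, false), enforce(&policy, r, true));
    }
}
```

Because the root clause depends only on the subject string, the value passed as sub has to come from the separate authentication component, never from client-supplied input.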

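The Casbin Rust ecosystem

Main repository:

Casbin-RS: currently supports all the features supported by the Go version of Casbin and is under active development

Casbin Rust is developing steadily. The components currently supported are:

  • Casbin Diesel Adapter: an adapter built with the most popular ORM library in Rust at present; supports MySQL/PostgreSQL/SQLite
  • Casbin Actix-web Middleware: the best-known Rust web framework is Actix-web, which tops the performance rankings. Casbin provides an Actix middleware that automatically performs access control on requests
  • Casbin Actix-web Actor: a wrapper around Casbin for the Actix framework that makes it convenient to use in Actix-web and wraps the commonly used functions
  • Casbin Sqlx Adapter: a fully asynchronous database middleware with better performance, based on Sqlx. Supports MySQL/PostgreSQL

An example developed with Actix-web that uses the Casbin middleware for permission checks and JWT for user authorization:

In addition, Casbin has strong documentation and community support:

Finally, if you are passing by, please don't forget to give us a Star to support our development.

This article is also published on Hackerchai IT Blog - A Mature, Easy-to-Use Access Control Library for Rust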