from Hacker News

Casbin: An authorization library that supports authz models like ACL, RBAC, ABAC

by hsluoyz on 4/25/21, 5:25 PM with 29 comments

  • by FooBarWidget on 4/25/21, 6:47 PM

    I had a look at Casbin in the past, in search of a Go equivalent of Ruby's CanCanCan. But Casbin looks way too complicated to use. So in the end I wrote my own unreusable, poor man's version of CanCanCan in Go specifically for use in my app (with lots of boilerplate and duplication because Go has no generics).

    Does anybody else have a better experience with Casbin, or have recommendations on a CanCanCan-like alternative for Go?

  • by Ideabile on 4/25/21, 6:43 PM

    Usually I’m not a detractor, but recently we evaluated Casbin and I would not recommend anybody to use it.

  • by prpl on 4/25/21, 6:48 PM

    I would like to know who uses this and how. It seems like deploying Ory Keto would be much better for web applications less you really need this like for a desktop application or something.

  • by lmeyerov on 4/25/21, 11:50 PM

    We're actively evaluating this, particular b/c: Open, dynamic acl+rbc = modern google-docs-style policies for regular webapps, postgres adapters = no change in operations (vs keycloak, orly, ..). That's been a fairly unique combo. However, we're still doing our own eval because we saw concerning issues in the gh around perf+correctness, and it's not obvious how to use it.

    Curious on other experiences / alternatives. Ex: We're trying to keep the CMS parts of our stack especially boring, so django/postgres/casbin is surprisingly tight, while DB backing of a user's/org's custom ACL/RBAC sharing rules in say OPA seems more like a science project (despite looking like a great project when zoomed out), based on the docs (https://www.openpolicyagent.org/docs/latest/external-data/)

    The casbin<>db integration decision was pretty wise, vs the continuing trend of policy engines bringing their own infra, and thus 'the tail wagging the dog'. I'd love to see someone figuring out RBAC/ABAC+ACLs as DB-native ~RLS, instead of having to introduce an extra moving piece of infra for every DB query, when the DB is right there!

  • by edoceo on 4/25/21, 6:50 PM

    I tried this too. lots of flexibility (that we never needed. then had to fiddle with DB adapters, docs weren't great so had to step with debugger to sort it.

    its a neat design, its a nice promise but more of a reference for building the tightly integrated RBAC (or whatever) that you need.

  • by TechBro8615 on 4/25/21, 6:51 PM

    It seems there are a number of emerging solutions to this problem. Casbin, Ory, and Keycloak come to mind. Has anyone tried multiple of them? I guess the nature of the beast is you probably only use one...

    My main concern is stability, e.g. will this project be around in three years, and if not, is it grokkable and stable enough that the community could understand and maintain it?

    We ended up rolling our own authn (kind of regrettable, but at least gives us some predictability and one less thing to update) but have not yet implemented authz.

    Would be curious to hear from anyone who's recently chosen between these options (or others) and is happy with their choice.

  • by obiwanpallav1 on 4/26/21, 5:09 AM

    I had a nice experience in building a multi tenant system in which RBAC was done by Openpolicy Agent(OPA)[0].

    Our data model was N Level hierarchies of entities for each tenant and these hierarchies followed inheritance for roles.

    We made some policies in OPA and the membership data was present in the DB which was sent to OPA at startup. Then any diff made in membership was subsequently also sent to the OPA as well.

    [0] https://www.openpolicyagent.org/docs/latest/

  • by wkrause on 4/25/21, 9:09 PM

    We used Casbin at my previous company where we needed to implement RBAC on top of our API that was written in Go. What we liked about it was that it could be embedded directly in our main application without needing to administer an external system. It also helped that we were using Postgres and redis as part of our stack as the casbin plugins for those tools made policy storage and enforcer updates dead simple across our API nodes.

  • by motohagiography on 4/25/21, 6:59 PM

    This looks appealing as a framework for using in IAM for applications with federated auth. Given historic legacy alterantives are lower level policy frameworks like RADIUS/TACACS, SAML, XACML and UMA2, what are the objections to Casbin?

    A library you can build into your application for doing policy AuthZ without having to deal with a centralized policy repository, while moving AuthN to your IAM gateway is a huge deal in enterprise envirionments.

  • by toxik on 4/25/21, 7:07 PM

    I wish people would stop saying authz instead of authorization.

  • by lahoda-xyz on 4/26/21, 5:06 AM

    graphs solve all these problems