[HN Gopher] Casbin: An authorization library that supports authz models like ACL, RBAC, ABAC
___________________________________________________________________
Author : hsluoyz
Score : 49 points
Date : 2021-04-25 17:25 UTC (5 hours ago)
| toxik wrote:
| I wish people would stop saying authz instead of authorization.
| motohagiography wrote:
| Since it tends to be used in the same sentence as
| authentication, and the differences are both subtle and hugely
| important, the visual Z vs. N is helpful, and even pronouncing
| it is helpful to maintain the distinction.
|
| They are so easy to conflate that it can create a lot of
| confusion whereby a semantic difference quickly becomes a
| category error.
| rrdharan wrote:
| "Permission" vs "identity" while not perfect is at least more
| distinguishable...
| motohagiography wrote:
| I'd tend to agree, though since they are terms of art that
| are technical concepts instead of business level permission
| and identity, we haven't been able to do much better in the
| field. IDPs, RPs, PDPs/PEPs define them a bit more as
| architectural terms, but the security field has a
| convention of creating stupid and unnecessary abstractions.
|
| The reason is twofold. The first is that the field claims
| origin in compartmentalized military intelligence culture
| where code words were used to manage compartmentalization,
| and in-effect, maintain a necessary level of ignorance
| between projects, which is as tediously bureaucratic and
| immensely irritating as it sounds. The second is the
| business runs on stories, so if you can abstract a dynamic
| into a new quirky name, you can claim to have discovered
| it.
|
| So yes we should have better words for things, but being
| better at what we do would risk solving a problem that too
| many people make a living managing, and so, here we are. An
| industry of internet duct cleaners.
| Ideabile wrote:
| Usually I'm not a detractor, but recently we evaluated Casbin and
| I would not recommend that anybody use it.
| tonyhb wrote:
| Agree. I ended up going with https://www.openpolicyagent.org/ -
| it's way, way, way easier to use and integrate with. Policies
| read better. They're easier to write. They're individually unit
| testable. The API for OPA is better. Generally I'd recommend
| OPA over casbin in a heartbeat.
| 1cvmask wrote:
| What other solutions did you look at?
| _skhan_ wrote:
| Can you enumerate why no one should use it?
| gerbyzation wrote:
| We gave it a try, but got rid of it because we couldn't make it
| perform well for our use case. This was quite specific to the
| implementation and matcher that we used (pycasbin +
| keyMatcher); having just a few thousand rules ruined our API
| response times.
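The authn/authz split motohagiography describes above and the "a few thousand rules" cost gerbyzation reports are both easy to see in a small policy enforcement point. The block below is an added illustration written for this page, not code from Casbin or pycasbin: the keyMatch-style wildcard helper is re-implemented here, and the session table, policy rows, role assignments and the generated tenant policy are all constructed for the example. It returns how many rules each authorization decision had to examine, which is what a linear matcher over a large wildcard policy pays per request.

```python
from collections import defaultdict


def key_match(path, pattern):
    """Wildcard path match: a trailing '*' in pattern matches any suffix,
    e.g. key_match('/api/orders/7', '/api/orders/*') is True.
    Re-implemented here for illustration; not imported from pycasbin."""
    star = pattern.find("*")
    if star == -1:
        return path == pattern
    if len(path) > star:
        return path[:star] == pattern[:star]
    return path == pattern[:star]


# --- authentication: "who is the caller?" (constructed session store) ---
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def authenticate(token):
    """Maps a bearer token to a principal; None means unauthenticated."""
    return SESSIONS.get(token)


# --- authorization: "may this caller do that?" (constructed RBAC policy) ---
# rows are (role_or_user, object pattern, action)
POLICY = [
    ("viewer", "/api/orders/*", "GET"),
    ("admin", "/api/admin/*", "POST"),
    ("admin", "/api/orders/*", "DELETE"),
]
# constructed role assignments: user -> set of roles
ROLES = {"alice": {"viewer"}, "bob": {"viewer", "admin"}}


def subjects_for(user):
    """A user matches rules written for the user itself or any of its roles."""
    return {user} | ROLES.get(user, set())


def authorize_linear(policy, user, obj, act):
    """Evaluate every rule in order, as a single matcher expression over the
    whole policy does. Returns (allowed, rules_examined)."""
    subs = subjects_for(user)
    examined = 0
    for sub, pattern, action in policy:
        examined += 1
        if sub in subs and action == act and key_match(obj, pattern):
            return True, examined
    return False, examined


class IndexedPolicy:
    """Same decisions, but rules are bucketed by (subject, action) so a request
    only examines rules that could possibly apply to it."""

    def __init__(self, policy):
        self.index = defaultdict(list)
        for sub, pattern, action in policy:
            self.index[(sub, action)].append(pattern)

    def authorize(self, user, obj, act):
        examined = 0
        for sub in subjects_for(user):
            for pattern in self.index.get((sub, act), []):
                examined += 1
                if key_match(obj, pattern):
                    return True, examined
        return False, examined


def handle_request(token, obj, act, policy=None):
    """Policy enforcement point: authenticate first, then authorize.
    Returns an HTTP-like status: 401 (unknown caller), 403 (known caller,
    not permitted) or 200 (permitted)."""
    user = authenticate(token)
    if user is None:
        return 401
    allowed, _ = authorize_linear(POLICY if policy is None else policy, user, obj, act)
    return 200 if allowed else 403


def make_big_policy(n):
    """Constructed policy: n per-tenant viewer rules plus one admin rule at the end,
    mimicking a few thousand wildcard rules under one role."""
    rules = [("viewer", f"/api/tenant{i}/orders/*", "GET") for i in range(n)]
    rules.append(("admin", "/api/admin/*", "POST"))
    return rules


if __name__ == "__main__":
    big = make_big_policy(5000)
    print("linear, admin POST:", authorize_linear(big, "bob", "/api/admin/users", "POST"))
    print("indexed, admin POST:", IndexedPolicy(big).authorize("bob", "/api/admin/users", "POST"))
    print("linear, last tenant:", authorize_linear(big, "alice", "/api/tenant4999/orders/1", "GET"))
    print("indexed, last tenant:", IndexedPolicy(big).authorize("alice", "/api/tenant4999/orders/1", "GET"))
```

The two scan counts make the practical point: bucketing by subject and action cuts the admin request from 5001 rule evaluations to 1, but a request that has to be matched against thousands of wildcard rules written for the same role still walks all of them, because a suffix wildcard cannot be turned into a hash lookup. A policy shaped like that needs a different object representation (an exact-match key, or a tenant attribute checked in ABAC style) rather than a faster matcher.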
| TameAntelope wrote:
| I also evaluated it and implemented an ABAC system for our
| Node.js app with Casbin in a day. The tooling wasn't perfect
| and I probably took a shortcut or two, but I didn't see any red
| flags that'd actively make me recommend others not use it, so
| I'm interested in what you found.
| Ideabile wrote:
| Some factors were merely psychological, such as mistrust due to
| misleading partners listed on the website that should use the
| lib.
|
| For instance one logo is the one of SpaceX, which sadly is just
| a user group, nothing official. Another mention is Google, for
| which I didn't find any relevant code that gives a hint that
| Casbin is used by Google in production.
|
| Someone mentions shortcuts in code; well, I didn't get the time
| to find all the notes again.
|
| But we found several bugs, mainly in the implementations, that
| led us to look somewhere else.
|
| We ended up with CASL.
|
| That doesn't mean that I don't like to use Casbin, but it
| already cost me too much debugging time.
|
| But let me leave with a disclaimer for a later me:
|
| Code mutates like nature does; what might be true today
| might be false tomorrow and vice versa, and if you've got the
| time to improve it, just use it.
|
| Don't get bent by this mere opinion; just investigate and
| form your own, and always give a second chance, because time
| changes everything, and sometimes nothing changes.
| FooBarWidget wrote:
| I had a look at Casbin in the past, in search of a Go equivalent
| of Ruby's CanCanCan. But Casbin looks way too complicated to use.
| So in the end I wrote my own unreusable, poor man's version of
| CanCanCan in Go specifically for use in my app (with lots of
| boilerplate and duplication because Go has no generics).
|
| Does anybody else have a better experience with Casbin, or have
| recommendations on a CanCanCan-like alternative for Go?
| prpl wrote:
| I would like to know who uses this and how. It seems like
| deploying Ory Keto would be much better for web applications,
| unless you really need this, like for a desktop application or
| something.
| edoceo wrote:
| I tried this too. Lots of flexibility (that we never needed),
| then had to fiddle with DB adapters; docs weren't great, so had
| to step through with a debugger to sort it.
|
| It's a neat design, it's a nice promise, but more of a reference
| for building the tightly integrated RBAC (or whatever) that you
| need.
| TechBro8615 wrote:
| It seems there are a number of emerging solutions to this
| problem. Casbin, Ory, and Keycloak come to mind. Has anyone tried
| multiple of them? I guess the nature of the beast is you probably
| only use one...
|
| My main concern is stability, e.g. will this project be around in
| three years, and if not, is it grokkable and stable enough that
| the community could understand and maintain it?
|
| We ended up rolling our own authn (kind of regrettable, but at
| least gives us some predictability and one less thing to update)
| but have not yet implemented authz.
|
| Would be curious to hear from anyone who's recently chosen
| between these options (or others) and is happy with their choice.
| kcolford wrote:
| Keycloak isn't really for authorization. It's an openid connect
| provider so it really does authentication (identifying who the
| user is). Maybe they've been adding features to make it better
| or you can shoehorn some authorization into the jwt token that
| your app uses, but that's generally not a great way to use it.
| dashtiarian wrote:
| Keycloak is developed by Red Hat and is the safest bet (with
| the best documentation)
| unixhero wrote:
| And works really well!!!
| wkrause wrote:
| We used Casbin at my previous company where we needed to
| implement RBAC on top of our API that was written in Go. What we
| liked about it was that it could be embedded directly in our main
| application without needing to administer an external system. It
| also helped that we were using Postgres and redis as part of our
| stack as the casbin plugins for those tools made policy storage
| and enforcer updates dead simple across our API nodes.
| motohagiography wrote:
| This looks appealing as a framework for using in IAM for
| applications with federated auth. Given historic legacy
| alternatives are lower level policy frameworks like
| RADIUS/TACACS, SAML, XACML and UMA2, what are the objections to
| Casbin?
|
| A library you can build into your application for doing policy
| AuthZ without having to deal with a centralized policy
| repository, while moving AuthN to your IAM gateway, is a huge
| deal in enterprise environments.
___________________________________________________________________
(page generated 2021-04-25 23:00 UTC)