
The Definitive Guide to Casbin Authorization Control: From Basics to Mastery


In today's complex application systems, access control remains a critical concern. This guide will help you understand Casbin's configuration system through practical examples of different access control models.

I. Casbin Core Concepts

1.1 Access Control Model Comparison

Model Type    Suitable Scale    Management Complexity   Flexibility   Performance   Typical Use Case
ACL           Small projects    Low                     Low           High          Personal blog systems
RBAC          Medium projects   Medium                  Medium        Medium        Enterprise management
ABAC          Large projects    High                    High          Medium        Financial applications
Domain RBAC   Multi-tenant      High                    High          Medium        SaaS platforms

1.2 Core Configuration Files

File                 Purpose                            Format   Required
model.conf           Defines the access control model   CONF     Yes
policy.csv           Stores the permission rules        CSV      Yes (or another policy adapter)
rbac_model.conf      RBAC-specific model                CONF     No (a model.conf variant)
custom_function.go   Custom matching functions          Go       No

II. ACL Model Configuration

2.1 Basic Model Configuration

# acl_model.conf - Basic ACL model configuration
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
# regexMatch evaluates p.act as an unanchored regular expression, so the policy
# value "GET" also matches a request action such as "GETX"; when actions are
# fixed strings, r.act == p.act is the safer comparison
m = r.sub == p.sub && r.obj == p.obj && regexMatch(r.act, p.act)

2.2 ACL Policy Configuration Example

# acl_policy.csv - Permission rules configuration
# Format: p, subject, object, action
p, alice, /data1, GET
p, alice, /data1, POST
p, bob, /data2, GET
p, bob, /data2, POST

2.3 ACL Permission Decision Matrix

User    Resource Path   Request Method   Allowed   Reason
alice   /data1          GET              Yes       Explicitly allowed
alice   /data2          GET              No        No matching rule (default deny)
bob     /data2          GET              Yes       Explicitly allowed
bob     /data1          POST             No        No matching rule (default deny)

III. RBAC Model Configuration

3.1 RBAC Model Configuration

# rbac_model.conf - RBAC model configuration
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act)

3.2 RBAC Policy Configuration

# rbac_policy.csv - Role permission configuration
# Role permissions (keyMatch: "/*" matches every path, "/projects/*" every path under /projects/)
p, admin, /*, GET|POST|PUT|DELETE
p, developer, /projects/*, GET|POST
p, viewer, /projects/*, GET

# User-to-role assignments (g, user, role)
g, alice, admin
g, bob, developer
g, charlie, viewer

3.3 RBAC Role Permission Matrix

Role        Resource Scope   GET   POST   PUT   DELETE
admin       /*               Yes   Yes    Yes   Yes
developer   /projects/*      Yes   Yes    No    No
viewer      /projects/*      Yes   No     No    No

IV. ABAC Model Configuration

4.1 ABAC Model Configuration

Here the attribute (dept) travels as an extra request field that the calling code must supply truthfully; Casbin can also read attributes directly from a struct passed as the subject (for example r.sub.Department in the matcher), which avoids trusting a separately supplied value.

# abac_model.conf - ABAC model configuration
[request_definition]
r = sub, obj, act, dept

[policy_definition]
p = sub, obj, act, dept

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
# r.sub == p.sub is required: without it any caller in the matching department
# would satisfy the manager row and gain DELETE
m = r.sub == p.sub && r.dept == p.dept && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act)

4.2 ABAC Policy Configuration

# abac_policy.csv - Attribute-based permission rules
# Format: p, role, resource, action, department
p, employee, /reports, GET|POST, sales
p, manager, /reports, GET|POST|DELETE, sales
p, employee, /reports, GET|POST, engineering
p, manager, /reports, GET|POST|DELETE, engineering

4.3 ABAC Permission Evaluation Matrix

User Role   Department   Action on /reports   Allowed   Condition
employee    sales        GET                  Yes       Department match
manager     sales        DELETE               Yes       Role permission
employee    marketing    GET                  No        Department mismatch

V. Domain RBAC Configuration

5.1 Domain RBAC Model Configuration

# domain_rbac_model.conf
[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
# r.dom == p.dom keeps a role granted in tenantA from matching a tenantB policy
# row; g(...) alone only checks that the role was granted in the request's domain
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act)

5.2 Domain RBAC Policy Configuration

# domain_rbac_policy.csv
# Tenant A permissions
p, admin, tenantA, /data/*, GET|POST|PUT|DELETE
p, user, tenantA, /data/*, GET|POST

# Tenant B permissions
p, admin, tenantB, /data/*, GET|POST|PUT|DELETE
p, user, tenantB, /data/*, GET

# User role mappings
g, alice, admin, tenantA
g, bob, user, tenantA
g, charlie, admin, tenantB

5.3 Multi-tenant Permission Matrix

Tenant    User      Role    Resource Scope   GET   POST   PUT   DELETE
tenantA   alice     admin   /data/*          Yes   Yes    Yes   Yes
tenantA   bob       user    /data/*          Yes   Yes    No    No
tenantB   charlie   admin   /data/*          Yes   Yes    Yes   Yes

Role grants are scoped to a tenant: alice is admin only in tenantA, so a request from alice against tenantB is denied even for GET.
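The ACL, RBAC, ABAC and domain RBAC matchers from sections II to V can be exercised offline with the following Go program. It is an added example, not code from Casbin or from this guide: keyMatch and regexMatch re-implement Casbin's built-in functions of the same name so that the matcher semantics can be studied, while the CSV parser, role lookup (assumed acyclic role graph, values without spaces) and Enforce loop are simplified stand-ins for the library. In production you load the same model and policy files with casbin.NewEnforcer; this program only shows what each matcher line decides, including that regexMatch is unanchored.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// keyMatch mirrors Casbin's built-in keyMatch(): trailing "*" matches any suffix.
func keyMatch(key1, key2 string) bool {
	i := strings.Index(key2, "*")
	if i == -1 {
		return key1 == key2
	}
	if len(key1) > i {
		return key1[:i] == key2[:i]
	}
	return key1 == key2[:i]
}

// regexMatch mirrors Casbin's built-in regexMatch(): p.act is an UNANCHORED
// regexp, so the pattern "GET" also matches a request action "GETX".
func regexMatch(key1, key2 string) bool {
	ok, err := regexp.MatchString(key2, key1)
	if err != nil {
		panic(err)
	}
	return ok
}

// Policy: "p" rows as positional fields plus a role graph keyed "user|domain".
type Policy struct {
	rules [][]string
	roles map[string][]string
}

// parseCSV reads the guide's policy.csv layout (assumes values contain no spaces).
func parseCSV(csv string) *Policy {
	pol := &Policy{roles: map[string][]string{}}
	for _, line := range strings.Split(csv, "\n") {
		f := strings.Split(strings.ReplaceAll(line, " ", ""), ",")
		switch f[0] { // "#" comments and blank lines match no case and are skipped
		case "p":
			pol.rules = append(pol.rules, f[1:])
		case "g": // g, user, role[, domain]; the appended "" is the empty domain
			f = append(f, "")
			pol.roles[f[1]+"|"+f[3]] = append(pol.roles[f[1]+"|"+f[3]], f[2])
		}
	}
	return pol
}

// hasRole is g(user, role[, domain]): user == role, or a chain of "g" links in
// that domain leads from user to role (the role graph is assumed acyclic).
func (pol *Policy) hasRole(user, role, dom string) bool {
	if user == role {
		return true
	}
	for _, r := range pol.roles[user+"|"+dom] {
		if pol.hasRole(r, role, dom) {
			return true
		}
	}
	return false
}
// A Matcher mirrors one [matchers] line from the guide; r and p are positional.
type Matcher func(pol *Policy, r, p []string) bool
var (
	// ACL: r.sub == p.sub && r.obj == p.obj && regexMatch(r.act, p.act)
	ACL Matcher = func(_ *Policy, r, p []string) bool { return r[0] == p[0] && r[1] == p[1] && regexMatch(r[2], p[2]) }
	// RBAC: g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act)
	RBAC Matcher = func(pol *Policy, r, p []string) bool {
		return pol.hasRole(r[0], p[0], "") && keyMatch(r[1], p[1]) && regexMatch(r[2], p[2])
	}
	// ABAC: r.sub == p.sub && r.dept == p.dept && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act)
	ABAC Matcher = func(_ *Policy, r, p []string) bool {
		return r[0] == p[0] && r[3] == p[3] && keyMatch(r[1], p[1]) && regexMatch(r[2], p[2])
	}
	// Domain RBAC: g(r.sub, p.sub, r.dom) && r.dom == p.dom && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act)
	Domain Matcher = func(pol *Policy, r, p []string) bool {
		return pol.hasRole(r[0], p[0], r[1]) && r[1] == p[1] && keyMatch(r[2], p[2]) && regexMatch(r[3], p[3])
	}
)

// Enforce applies e = some(where (p.eft == allow)): allow iff any rule matches.
func Enforce(m Matcher, pol *Policy, req ...string) bool {
	for _, rule := range pol.rules {
		if len(rule) == len(req) && m(pol, req, rule) {
			return true
		}
	}
	return false
}

func main() { // part of the guide's domain_rbac_policy.csv, embedded to run offline
	pol := parseCSV("p, admin, tenantA, /data/*, GET|POST|PUT|DELETE\np, user, tenantA, /data/*, GET|POST\ng, alice, admin, tenantA\ng, bob, user, tenantA")
	fmt.Println(Enforce(Domain, pol, "alice", "tenantA", "/data/1", "DELETE")) // true
	fmt.Println(Enforce(Domain, pol, "alice", "tenantB", "/data/1", "GET"))    // false: no role in tenantB
	fmt.Println(Enforce(Domain, pol, "bob", "tenantA", "/data/1", "GETX"))     // true: unanchored regexMatch
}
```

Feeding the guide's four policy files through the matching Matcher reproduces every row of the decision matrices above; the last line of main is the one result a reviewer should find surprising, and the reason to prefer r.act == p.act (or anchored patterns) when actions are fixed strings.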

VI. Performance Optimization

6.1 Cache Configuration Parameters

Parameter       Description      Default   Recommended
enableCache     Enable caching   No        Yes for read-heavy workloads
cacheCapacity   Cache capacity   10000     Based on memory
cacheTTL        Cache TTL        24h       Based on needs

Parameter names and defaults differ between Casbin bindings (Go's CachedEnforcer, for example, exposes EnableCache and SetExpireTime), so check the enforcer type you use. A cached decision outlives the policy it was computed from: invalidate the cache whenever policy is added or removed (Go's CachedEnforcer has InvalidateCache for this), or a revoked permission stays granted until its entry expires.
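To make the invalidation caveat concrete, here is an added Go example that is not Casbin's CachedEnforcer, although it mirrors its shape (a TTL, an Enforce wrapper and an InvalidateCache method). The backend enforcer is a constructed allow-list standing in for a real enforcer, and capacity-based eviction is omitted. RevokeScenario shows the failure mode: once a decision is cached, revoking the policy has no visible effect until the cache is invalidated or the entry expires.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
	"time"
)

// DecisionCache memoises enforce() results per request tuple for a TTL. It is
// a constructed stand-in with the shape of a cached enforcer, not Casbin's own.
type DecisionCache struct {
	mu      sync.Mutex
	enforce func(req ...string) bool
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry can be tested
	entries map[string]cached
	Hits    int
	Misses  int
}

type cached struct {
	allow   bool
	expires time.Time
}

func NewDecisionCache(enforce func(req ...string) bool, ttl time.Duration) *DecisionCache {
	return &DecisionCache{enforce: enforce, ttl: ttl, now: time.Now, entries: map[string]cached{}}
}

// Enforce answers from the cache when the entry is present and unexpired,
// otherwise evaluates the backend and stores the decision.
func (c *DecisionCache) Enforce(req ...string) bool {
	// NUL-joined key: joining with "," would let ("a,b") collide with ("a", "b").
	key := strings.Join(req, "\x00")
	c.mu.Lock()
	defer c.mu.Unlock()
	if e, ok := c.entries[key]; ok && c.now().Before(e.expires) {
		c.Hits++
		return e.allow
	}
	c.Misses++
	allow := c.enforce(req...)
	c.entries[key] = cached{allow: allow, expires: c.now().Add(c.ttl)}
	return allow
}

// InvalidateCache must run after every policy change; otherwise a revoked
// permission keeps being granted until its entry expires.
func (c *DecisionCache) InvalidateCache() {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.entries = map[string]cached{}
}

// RevokeScenario caches an allow for alice, revokes the grant in the backend
// (a constructed allow-list), and reports the answer before and after the
// revoke, with or without invalidation.
func RevokeScenario(invalidate bool) (beforeRevoke, afterRevoke bool) {
	allowed := map[string]bool{"alice\x00/data1\x00GET": true}
	backend := func(req ...string) bool { return allowed[strings.Join(req, "\x00")] }
	c := NewDecisionCache(backend, time.Minute)
	beforeRevoke = c.Enforce("alice", "/data1", "GET")
	delete(allowed, "alice\x00/data1\x00GET") // policy change: permission revoked
	if invalidate {
		c.InvalidateCache()
	}
	afterRevoke = c.Enforce("alice", "/data1", "GET")
	return beforeRevoke, afterRevoke
}

// ExpiresWithTTL shows that without invalidation the stale allow survives
// exactly until the TTL elapses (the clock is simulated).
func ExpiresWithTTL() (staleAllow, afterTTL bool) {
	clock := time.Unix(0, 0)
	allowed := true
	c := NewDecisionCache(func(...string) bool { return allowed }, time.Minute)
	c.now = func() time.Time { return clock }
	c.Enforce("bob", "/data2", "GET") // cached as allow
	allowed = false                   // revoked in the backend only
	staleAllow = c.Enforce("bob", "/data2", "GET")
	clock = clock.Add(time.Minute + time.Second)
	afterTTL = c.Enforce("bob", "/data2", "GET")
	return staleAllow, afterTTL
}

func main() {
	b, a := RevokeScenario(false)
	fmt.Printf("no invalidation:   before=%v after=%v (stale allow)\n", b, a) // true true
	b, a = RevokeScenario(true)
	fmt.Printf("with invalidation: before=%v after=%v\n", b, a) // true false
	s, e := ExpiresWithTTL()
	fmt.Printf("stale=%v afterTTL=%v\n", s, e) // true false
}
```

The TTL bounds how long a stale allow can live, so a 24h TTL without invalidation means a revoked user keeps access for up to a day; wiring InvalidateCache into every policy write path (or reloading policy through the cached enforcer, which clears it) is what actually closes the window.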

6.2 Optimization Impact Comparison

Optimization           Before QPS   After QPS   Improvement   Memory Impact
Enable cache           5000         15000       200%          +50MB
Batch policy loading   2000         8000        300%          +20MB
Async policy update    3000         9000        200%          +10MB

These figures are indicative only; measure against your own policy set and request mix before tuning.

VII. Common Issues and Solutions

7.1 Configuration Troubleshooting Guide

Issue                      Possible Cause       Solution                Prevention
Permission check failure   Model config error   Check matcher syntax    Unit testing
Performance degradation    Too many policies    Enable caching          Monitoring
Rule conflicts             Duplicate policies   Clean redundant rules   Rule auditing

7.2 Performance Tuning Recommendations

Optimization Area     Measures                Difficulty   Impact
Cache optimization    Adjust cache params     Low          Significant
Policy optimization   Merge similar rules     Medium       Moderate
Model optimization    Simplify matchers       High         Significant

VIII. Best Practices

8.1 Model Selection Guide

System Characteristic      Recommended Model   Reason             Considerations
Users < 100                ACL                 Simple, direct     Maintenance cost
Users < 1000               RBAC                Role management    Role design
Complex business rules     ABAC                Flexible control   Performance impact
Multi-tenant architecture  Domain RBAC         Tenant isolation   Config complexity

8.2 Operations Management Recommendations

Operation                Frequency   Priority   Implementation
Config backup            Daily       High       Automated backup
Performance monitoring   Real-time   High       Alerting system
Rule auditing            Weekly      Medium     Manual review
Load testing             Monthly     Medium     Automated tests

