[Bug] - Domain manager rebuild() infinite loop? #1027

Open
kizjig opened this issue Jun 7, 2022 · 6 comments · May be fixed by #1029
kizjig commented Jun 7, 2022


Describe the bug
When adding a domain matching function to the default RoleManager, it triggers a rebuild call of the internal DomainManager; this function never seems to finish executing on a large dataset. Internally it seems to be trying to "AddLinks" forever.

**Model - HRBAC with ABAC**

```
[request_definition]
r = sub, tenant, perm, act, eft

[policy_definition]
p = sub, tenant, perm, act, eft

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = (g(r.sub, p.sub, r.tenant) && keyMatch4(r.tenant, p.tenant) && r.perm == p.perm && regexMatch(r.act, p.act))
```

**Policy data**

Here's a small sample of some of the policy data showing permissions with actions grouped under roles, with wildcarding on the role_superuser1 grouping so it can work across X tenants. Typically the policy dataset is ~45000 database rows.

For example, user id 7073 is a super user and can do anything across any tenant, whereas user 65716 is just a creator for tenant 753.

```
p,role_superuser1,tenant/{id},tenant,(^view$)|(^manage$),allow,
p,role_superuser1,tenant/{id},dashboard,login,allow,
p,role_superuser1,tenant/{id},model_upload_max_size,large,allow,
p,role_superuser1,tenant/{id},presentation,(^local$)|(^remote$),allow,
p,role_superuser1,tenant/{id},invite,(^create$)|(^delete$)|(^edit$)|(^view$),allow,
p,role_superuser1,tenant/{id},library,(^create$)|(^edit$)|(^view$)|(^delete$),allow,
p,role_superuser1,tenant/{id},desktop,login,allow,
p,role_presenter1,tenant/{id},dashboard,login,deny,
p,role_presenter1,tenant/{id},tenant,view,allow,
p,role_creator1,tenant/{id},dashboard,login,allow,
p,role_creator1,tenant/{id},invite,(^create$)|(^edit$)|(^view$),allow,
p,role_creator1,tenant/{id},tenant,view,allow,
p,role_creator1,tenant/{id},model_upload_max_size,medium,allow,
p,role_creator1,tenant/{id},presentation,(^local$)|(^remote$),allow,
p,role_creator1,tenant/{id},library,(^create$)|(^edit$)|(^view$)|(^delete$),allow,
p,role_creator1,tenant/{id},desktop,login,allow,
g,7073,role_superuser1,tenant/*,,,
g,7073,role_presenter1,tenant/34,,,
p,7073,tenant/1,tenant,manage,allow,
g,65716,role_creator1,tenant/753,,,
p,65716,tenant/753,tenant,manage,allow,
```

I can email/private message a copy of the full policy dataset for bug replication.

To Reproduce
Steps to reproduce the behavior:

  1. Go to load the data into an enforcer
  2. Set up the default role manager with a domain matching function: `roleManager.AddDomainMatchingFunc("KeyMatch", util.KeyMatch)`
  3. Notice that the function never exits.

Expected behavior
No infinite loop/long running behaviour

Desktop (please complete the following information):

  • OS: MacOS 12.1
  • Golang v1.18
  • Version Casbin v2.47.1

Additional context
If I load this dataset with an older version of Casbin, v2.31.4, I don't have this infinite loop problem, but my Enforce calls against the model and policy data set are extremely slow, ~10-12 seconds. Similar to what's reported in this issue: #1004
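The model and sample rows above, evaluated by hand as an added example (not code from the issue or from Casbin): it shows why the `tenant/*` grouping only takes effect once a domain matching function is registered, and how the deny rule interacts with it. `match`, `hasRole` and `enforce` are hypothetical names, and `match` is a simplified stand-in for Casbin's KeyMatch and keyMatch4.

```go
package main

import (
	"regexp"
	"strings"
)

// Constructed subset of the issue's rows: policies are sub, tenant, perm, act, eft;
// groupings are user, role, domain.
var policies = [][5]string{
	{"role_superuser1", "tenant/{id}", "dashboard", "login", "allow"},
	{"role_presenter1", "tenant/{id}", "dashboard", "login", "deny"},
	{"role_creator1", "tenant/{id}", "invite", "(^create$)|(^edit$)|(^view$)", "allow"},
}
var groupings = [][3]string{
	{"7073", "role_superuser1", "tenant/*"},
	{"7073", "role_presenter1", "tenant/34"},
	{"65716", "role_creator1", "tenant/753"},
}

// match is a simplified stand-in (assumption) for KeyMatch/keyMatch4 on these patterns only.
var glob = strings.NewReplacer("*", ".*", "{id}", "[^/]+")

func match(key, pattern string) bool {
	ok, _ := regexp.MatchString("^"+glob.Replace(pattern)+"$", key)
	return ok
}

// hasRole models g(sub, role, tenant); patterns=true applies the domain matching function.
func hasRole(sub, role, tenant string, patterns bool) bool {
	for _, g := range groupings {
		if g[0] == sub && g[1] == role && (g[2] == tenant || patterns && match(tenant, g[2])) {
			return true
		}
	}
	return sub == role
}

// enforce evaluates the issue's matcher and its allow-and-no-deny policy effect.
func enforce(sub, tenant, perm, act string, patterns bool) bool {
	allow, deny := false, false
	for _, p := range policies {
		actOK, _ := regexp.MatchString(p[3], act)
		if hasRole(sub, p[0], tenant, patterns) && match(tenant, p[1]) && perm == p[2] && actOK {
			allow, deny = allow || p[4] == "allow", deny || p[4] == "deny"
		}
	}
	return allow && !deny
}

func main() { println(enforce("7073", "tenant/753", "dashboard", "login", true)) }
```

With `patterns` set, user 7073 is allowed dashboard login in tenant/753 but not in tenant/34, where the role_presenter1 deny row also matches.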



@casbin-bot
@tangyang9464 @closetool @sagilio

issuehunt-oss bot commented Jun 7, 2022

@numajig has funded $200.00 to this issue.


issuehunt-oss bot added the 💵 Funded on Issuehunt label Jun 7, 2022
hsluoyz commented Jun 7, 2022

@tangyang9464

@abichinger Is there any way we can improve performance? Does the FastAC solution you mentioned apply?

JalinWang commented Jun 7, 2022

Here is my code for reproduction.

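```go
package main

import (
	"github.com/casbin/casbin/v2"
	"github.com/casbin/casbin/v2/util"
)

func main() {
	e, err := casbin.NewEnforcer("model.conf", "policies.csv")
	if err != nil {
		println(err.Error())
		return // e is nil when loading fails
	}

	// Per the report above, this call does not return on the full policy set.
	e.AddNamedDomainMatchingFunc("g", "keyMatch4", util.KeyMatch4)

	println("done")
}
```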

abichinger commented Jun 7, 2022

@tangyang9464 Yes, I think this solution should apply.

I'm going to create a PR for this.

abichinger linked a pull request Jun 7, 2022 that will close this issue