Home
Published on

Casbin OpenResty Example

A simple example of OpenResty application with RBAC using Casbin (Lua)

This is a very simple example of an application using the OpenResty stack with RBAC authorization using Casbin. This is a sample so it isn't secure or anything but it is more of an example template to help integrate Casbin in your OR applications.

The full source code is at casbin-openresty-example.

Installing Casbin

If you haven't installed OpenResty yet, you can do that here. This assumes that your installation is at /usr/bin/openresty, if not you may need to change the relative paths accordingly.

You also need to install LuaRocks first if you haven't, you can do so by:

wget https://luarocks.org/releases/luarocks-3.3.1.tar.gz
tar zxpf luarocks-3.3.1.tar.gz
cd luarocks-3.3.1

./configure --prefix=/usr/local/openresty/luajit \
--with-lua=/usr/local/openresty/luajit/ \
--lua-suffix=jit-2.1.0-beta3 \
--with-lua-include=/usr/local/openresty/luajit/include/luajit-2.1

sudo make
sudo make install

And then to install the dependencies - GCC and PCRE:

sudo apt update
sudo apt install gcc libpcre3 libpcre3-dev

Finally, you can install the latest released version of Casbin by:

sudo /usr/local/openresty/luajit/bin/luarocks install casbin

This should install Casbin (Lua) and all it's dependencies.

Creating example Casbin model file and policy file

We will use the basic RBAC model and policy files for this example. So, creating a example directory by:

mkdir example

And creating a rbac_model.conf in the example directory with the following model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act

Also, creating a rbac_policy.csv in the example directory with the following policy:

p, alice, data1, read
p, bob, data2, write
p, data2_admin, data2, read
p, data2_admin, data2, write
g, alice, data2_admin

Creating nginx.conf

Then, we will create 3 more directories in the project - conf, logs and lua by:

mkdir conf logs lua

Then in the conf directory create a nginx.conf config file for the Nginx server by:

vim conf/nginx.conf

which will contain this:

worker_processes 1;

events {
    worker_connections 1024;
}

http {
	init_by_lua_block {
        local Enforcer = require("casbin")

    	-- Initialize a new enforcer at server start
        e = Enforcer:new("example/rbac_model.conf", "example/rbac_policy.csv")
    }
    lua_package_path "$prefix/lua/?.lua;;";

    server {
        listen 8080 reuseport;

        location / {
            default_type text/plain;
            content_by_lua_block {

            }
        }
    }
}

Here the block init_by_lua_block will run only at the server start (or reload) which is:

local Enforcer = require("casbin")

-- Initialize a new enforcer at server start
e = Enforcer:new("example/rbac_model.conf", "example/rbac_policy.csv")

Here, we create a new Casbin Enforcer e which is defined globally.

Creating app.lua

Then we create a lua file as app.lua by:

vim lua/app.lua

which will contain this:

local M = {}

function M.check(e)
    local req = ngx.var.request_uri
    for usr, obj, act in req:gmatch("/(%w+)%?obj=(%w+)&act=(%w+)") do

  		-- If pattern matches, shows the request and enforce result
    	ngx.say("Request:\t", "User:"..usr.."\t", "Object:"..obj.."\t", "Action:"..act)
    	ngx.say("Result = ", e:enforce(usr, obj, act))
    	break
	end
end

return M

and add the following code in content_by_lua_block to nginx.conf:

local app = require("app")
-- Check at every request
app.check(e)

Usage

You can then start the server by:

sudo openresty -p $PWD/

And fetch the page with

curl http://127.0.0.1:8080/

So what this does is, when you send request with curl http://127.0.0.1:8080/alice?obj=data1&act=read, it will match usr = alice, obj = data1 and act = read and send the parameters to e:enforce(usr, obj, act) which will return the enforce result.

For example, if you send a curl request as:

curl http://127.0.0.1:8080/alice?obj=data2&act=read

Since, alice has a role as data2_admin, it can acces the data2 object with read and write actions as defined in policy. So this will output in:

Request:  User:alice  Object:data2  Action:read
Result = true

And if you send the curl request as:

curl http://127.0.0.1:8080/bob?obj=data1&act=write

Since bob has no policy in data1 object, it will output in:

Request:  User:bob  Object:data1  Action:write
Result = false

The full source code is at casbin-openresty-example.