For instance, one logo is SpaceX's, which sadly is just a user group, nothing official. Another mention is Google, for which I didn’t find any relevant code hinting that Casbin is used by Google in production.
Someone mentions shortcuts in the code; well, I didn’t get the time to find all the notes again.
But we found several bugs, mainly in the implementations, that led us to look somewhere else.
We ended up with CASL.
That doesn’t mean that I don’t like using Casbin, but it has already cost me too much debugging time.
But let me leave a disclaimer for a later me:
Code mutates like nature does; what might be true today might be false tomorrow and vice versa, and if you have the time to improve it, just use it.
Don’t get bent by this mere opinion; just investigate and form your own, and always give a second chance, because time changes everything, and sometimes nothing changes.
My main concern is stability, e.g. will this project be around in three years, and if not, is it grokkable and stable enough that the community could understand and maintain it?
We ended up rolling our own authn (kind of regrettable, but at least gives us some predictability and one less thing to update) but have not yet implemented authz.
Would be curious to hear from anyone who's recently chosen between these options (or others) and is happy with their choice.
They are so easy to conflate that it can create a lot of confusion whereby a semantic difference quickly becomes a category error.
Auth-oriz-ation
Auth-entic-ation
One glance at the middle of the word and it's clear. Maybe an ergonomic argument could be made, as in the case of internationalization/i18n and localization/l10n.
I think the price is too steep though, for auth[NZ] and [il]1[08]n. Maybe I'm just old and curmudgeonly.
Our data model was N-level hierarchies of entities for each tenant, and these hierarchies followed inheritance for roles.
We wrote some policies in OPA, and the membership data was present in the DB and sent to OPA at startup. Any subsequent diff made to membership was also sent to OPA.
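The check the post above describes (per-tenant entity hierarchies with roles inherited down the tree, a bulk membership load at startup, then incremental diffs), as an added example that is not from the original thread and not OPA or Casbin code: a dependency-free Go sketch of the same data model. Entity ids, role names, users and the `MemberChange` diff shape are constructed for the example. Roles held on an ancestor apply to every descendant, role implication (admin implies editor implies viewer) is followed transitively, and a role in one tenant's tree never reaches another tenant's entities because the two trees share no ancestor.

```go
package main

import "fmt"

// MemberChange is the shape of a membership diff shipped to the policy
// engine after the initial bulk load (constructed for this example).
type MemberChange struct {
	Entity string // node in a tenant's hierarchy, e.g. "acme/eng/backend"
	User   string
	Role   string
	Remove bool // false = grant, true = revoke
}

type Authz struct {
	parent  map[string]string                     // child entity -> parent; roots are absent
	members map[string]map[string]map[string]bool // entity -> user -> role -> held
	implies map[string][]string                   // role -> roles it inherits
	grants  map[string]map[string]bool            // role -> action -> allowed
}

func NewAuthz(parent map[string]string, implies map[string][]string, grants map[string]map[string]bool) *Authz {
	return &Authz{parent: parent, members: map[string]map[string]map[string]bool{}, implies: implies, grants: grants}
}

// Apply replays a batch of membership changes; the startup load is just a big batch.
func (a *Authz) Apply(changes []MemberChange) {
	for _, c := range changes {
		if c.Remove {
			delete(a.members[c.Entity][c.User], c.Role) // no-op on nil maps
			continue
		}
		if a.members[c.Entity] == nil {
			a.members[c.Entity] = map[string]map[string]bool{}
		}
		if a.members[c.Entity][c.User] == nil {
			a.members[c.Entity][c.User] = map[string]bool{}
		}
		a.members[c.Entity][c.User][c.Role] = true
	}
}

// effectiveRoles walks from entity up to its root, collecting roles the user
// holds on each ancestor, and expands each through role implication.
func (a *Authz) effectiveRoles(user, entity string) map[string]bool {
	out := map[string]bool{}
	seen := map[string]bool{} // guards against a malformed (cyclic) hierarchy
	for e := entity; e != "" && !seen[e]; e = a.parent[e] {
		seen[e] = true
		for r := range a.members[e][user] {
			a.expand(r, out)
		}
	}
	return out
}

func (a *Authz) expand(role string, out map[string]bool) {
	if out[role] {
		return // already expanded; also terminates implication cycles
	}
	out[role] = true
	for _, r := range a.implies[role] {
		a.expand(r, out)
	}
}

// Allowed is the enforcement point: default deny unless some effective role grants the action.
func (a *Authz) Allowed(user, entity, action string) bool {
	for r := range a.effectiveRoles(user, entity) {
		if a.grants[r][action] {
			return true
		}
	}
	return false
}

// sample builds two tenants ("acme", "globex") with constructed memberships.
func sample() *Authz {
	parent := map[string]string{
		"acme/eng": "acme", "acme/eng/backend": "acme/eng", "acme/sales": "acme",
		"globex/eng": "globex",
	}
	implies := map[string][]string{"admin": {"editor"}, "editor": {"viewer"}}
	grants := map[string]map[string]bool{
		"viewer": {"read": true},
		"editor": {"write": true},
		"admin":  {"delete": true, "manage_members": true},
	}
	a := NewAuthz(parent, implies, grants)
	a.Apply([]MemberChange{ // the startup bulk load
		{Entity: "acme", User: "alice", Role: "admin"},
		{Entity: "acme/eng", User: "bob", Role: "editor"},
		{Entity: "globex", User: "carol", Role: "admin"},
	})
	return a
}

func main() {
	a := sample()
	for _, c := range []struct{ user, entity, action string }{
		{"alice", "acme/eng/backend", "delete"}, // admin on the root, inherited down two levels
		{"bob", "acme/eng/backend", "write"},    // editor on acme/eng
		{"bob", "acme/sales", "read"},           // bob's role is scoped to the eng subtree
		{"carol", "acme/eng", "read"},           // other tenant: no ancestor in common
	} {
		fmt.Printf("%-6s %-18s %-7s -> %v\n", c.user, c.entity, c.action, a.Allowed(c.user, c.entity, c.action))
	}
	a.Apply([]MemberChange{{Entity: "acme/eng", User: "bob", Role: "editor", Remove: true}}) // incremental diff
	fmt.Println("bob write after revoke:", a.Allowed("bob", "acme/eng/backend", "write"))
}
```

The failure mode worth noting is the one the post's design implies: the engine is only as correct as the last diff it received, so a dropped or out-of-order revoke leaves a stale grant in memory. A periodic full reload against the DB is the usual backstop.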
Does anybody else have a better experience with Casbin, or have recommendations on a CanCanCan-like alternative for Go?
In terms of my experience so far, it was a bit tricky at first, but once I grasped the concept it became easy to integrate.
Most of the blogs with examples I found were in Chinese and the documentation is sometimes confusing to read, so you may need to overcome that part.
A few weeks ago I learned about Oso[1] which looks really nice but I haven’t tried it yet. They publish some nice posts about the subject in their academy[2]
Curious about other experiences / alternatives. Ex: We're trying to keep the CMS parts of our stack especially boring, so django/postgres/casbin is surprisingly tight, while DB backing of a user's/org's custom ACL/RBAC sharing rules in, say, OPA seems more like a science project (despite looking like a great project when zoomed out), based on the docs (https://www.openpolicyagent.org/docs/latest/external-data/)
The casbin<>db integration decision was pretty wise, vs the continuing trend of policy engines bringing their own infra, and thus 'the tail wagging the dog'. I'd love to see someone figuring out RBAC/ABAC+ACLs as DB-native ~RLS, instead of having to introduce an extra moving piece of infra for every DB query, when the DB is right there!
It's a neat design, it's a nice promise, but more of a reference for building the tightly integrated RBAC (or whatever) that you need.
A library you can build into your application for doing policy AuthZ without having to deal with a centralized policy repository, while moving AuthN to your IAM gateway, is a huge deal in enterprise environments.