CharlesPhilippeLabbe commented on PR #1694:
URL: https://github.com/apache/casbin/pull/1694#issuecomment-4067538382
This doesn't answer my original question, now does it?
In my question both models are pretty much the same. And Copilot seems to
have evaluated only the model.
The problem in my original question is more about how the policy file is
structured.
In the first option, the routes are defined as policies with allow/deny
rules. Then the policies are assigned directly to the roles:
```
p, perm:proxy:crashes, /proxy/{name}/crashes, GET, allow
p, block:proxy:crashes, /proxy/{name}/crashes, GET, deny
#roles
g, role:proxy:viewer, perm:proxy:read, *
g, role:proxy:viewer, block:proxy:crashes, *
```
In the second option, routes are defined as resource groups (g2) and
policies define access to the resources:
```
p, role:proxy:viewer, perm:proxy:read, allow, *
p, role:proxy:viewer, perm:proxy:crashes, deny, *
#resources
g2, /proxy/{name}/*, perm:proxy:read, GET
g2, /proxy/{name}/*, perm:proxy:write, POST
g2, /proxy/{name}/crashes, perm:proxy:crashes, GET
```
The second option is nice because we don't have to duplicate the policies
for each resource. One that allows access and the other that denies access.
Which looks a bit more IAM-like.
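An added sketch of the second layout, not part of the original comment and not using the Casbin library: `/proxy/{name}/crashes` falls into both the `perm:proxy:read` and `perm:proxy:crashes` groups, so the `deny` only holds when the policy effect is deny-override. The request shape `(sub, obj, act)`, the matcher, the path matching, the ignored trailing `*` field and all function names are assumptions, since the comment does not show the model.

```python
import re

# Option 2 policy lines copied from the comment above.
POLICY = """
p, role:proxy:viewer, perm:proxy:read, allow, *
p, role:proxy:viewer, perm:proxy:crashes, deny, *
g2, /proxy/{name}/*, perm:proxy:read, GET
g2, /proxy/{name}/*, perm:proxy:write, POST
g2, /proxy/{name}/crashes, perm:proxy:crashes, GET
"""

def parse(text):
    """Split policy lines into p rules and g2 resource-group rules."""
    rules = {"p": [], "g2": []}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if fields[0] in rules:
            rules[fields[0]].append(fields[1:])
    return rules

def path_match(pattern, path):
    """Simplified stand-in for a Casbin path matcher (assumption):
    {x} matches one path segment, * matches any remainder."""
    parts = re.split(r"(\{[^/]+\}|\*)", pattern)
    regex = "".join(
        ".*" if p == "*" else "[^/]+" if p.startswith("{") else re.escape(p)
        for p in parts
    )
    return re.fullmatch(regex, path) is not None

def matched_effects(rules, sub, obj, act):
    """Effects of every p rule whose permission group covers (obj, act)."""
    perms = {perm for pattern, perm, g_act in rules["g2"]
             if g_act == act and path_match(pattern, obj)}
    # The trailing '*' field of each p rule is ignored here (assumption).
    return [eft for p_sub, perm, eft, _dom in rules["p"]
            if p_sub == sub and perm in perms]

def enforce(rules, sub, obj, act, deny_override=True):
    """deny_override: some allow and no deny. Otherwise any allow wins."""
    effects = matched_effects(rules, sub, obj, act)
    if deny_override and "deny" in effects:
        return False
    return "allow" in effects
```

With an allow-override effect the same policy file lets the viewer read the crashes route, so the effect expression in the model is what makes the `deny` line meaningful.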