rg2011 opened a new issue, #12974: URL: https://github.com/apache/apisix/issues/12974
### Current Behavior Using the authz-casbin plugin in more than one route causes the casbin model created by each plugin, to be overwritten by the latest enforcer created. All enforcers share the same model. This was reported as an issue upstream in the lua-casbin lib in https://github.com/casbin/lua-casbin/issues/152 and has been fixed in release v1.46.0 (https://github.com/casbin/lua-casbin/releases/tag/v1.46.0) I woud kindly ask for apisix to update its dependencies on the lua-casbin library. ### Expected Behavior It should be possible to use separate casbin models and policies in separate routes, without the enforcers conflicting with each other. ### Error Logs This issue usually causes the following error log, when there is more than one route with its own `authz-casbin` plugin: ``` 2026/02/04 21:44:37 [error] 33#33: *6413 [lua] openid-casbin.lua:460: phase_func(): casbin enforce error: ...cal/apisix//deps/share/lua/5.1/src/main/CoreEnforcer.lua:407: invalid request size, client: 10.131.0.2, server: _, request: "GET /schema/app/echo.html HTTP/1.1", host: "**ofuscated**" ``` ### Steps to Reproduce Create two routes with separate authz-casbin policies and different models: ``` routes: - id: route1 uri: /cate/* plugins: authz-casbin: model: |- [request_definition] r = path, method [policy_definition] p = path, method, eft [policy_effect] e = some(where (p.eft == allow)) && !some(where (p.eft == deny)) [matchers] m = regexMatch(r.path, p.path) && keyMatch(r.method, p.method) policy: |- p, ^/cate/sample/gen_label_no, POST, allow p, ^/cate/sample/.*/[print|reprint], PUT, allow - id: route2 uri: /* plugins: authz-casbin: model: |- [request_definition] r = user, path, method [policy_definition] p = role, path, method [role_definition] g = _, _ [policy_effect] e = some(where (p.eft == allow)) [matchers] m = (g(r.user, p.role) || keyMatch(r.user, p.role)) && regexMatch(r.path, p.path) && keyMatch(r.method, p.method) policy: |- p, *, ^/$, GET p, *, ^/portal, GET p, *, ^/admin, GET p, sys-admin, *, * g, sys-admin, guests ``` ### Environment - APISIX version (run `apisix version`): `3.14.1` - Operating system (run `uname -a`): docker image (`Linux dev-apisix-0 5.14.0-427.96.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Oct 22 07:09:04 EDT 2025 x86_64 GNU/Linux`) - OpenResty / Nginx version (run `openresty -V` or `nginx -V`): `openresty/1.27.1.2` - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`): running in standalone mode - APISIX Dashboard version, if relevant: - - Plugin runner version, for issues related to plugin runners: - - LuaRocks version, for installation issues (run `luarocks --version`): - -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
