I recently found Casbin while searching for help with managing Access Control List-type permissions for a multi-million user base where the policies need to be updatable in real-time. It looks like a great fit for the business logic I want to implement, but the suggested persistence patterns around loading filtered policies / Watchers are a little unintuitive.
For a standard client-facing API server, my initial thought process would be something like: initialize an enforcer with a db adapter (Mongo or Postgres) on app startup - when a user makes a request for a resource, set a Filter for policies related to that user/resource and call enforcer.LoadFilteredPolicy(filter) before doing the actual enforcer.enforce() check(s). That way, whenever my database gets updated with a policy change (by a separate enforcer), the next enforcer.LoadFilteredPolicy() call will pick it up, no?
Are there some big performance implications I'm missing? I'm a bit confused by the need for all of the Watcher-based synchronization if I can just fetch the relevant policy lines that I care about from the database for each API request. Nearly every workload I can imagine for Casbin would be skewed super read-heavy, so generous indexing seems appropriate and performant.
Highlighting any gaps in my understanding would be much appreciated! The project looks great overall.