This is a followup to the conversation on https://community.ory.sh/t/exposing-more-methods-for-finding-policies/555/

It would be helpful for me to have more nuanced methods for finding policies, in particular I’d like to expose in the Manager interface an explicit method for FindPoliciesForResource.
I can provide a pull request for this for ladon, that is efficient for MySQL/Postgresql.

What feature status if this repo?
I see in commits that sometimes ago repo goes to archive, but after that info is removed from readme. Do you plan to maintain it?
I need to know, to decide which package use , this or casbin

The only way I can get the tests running, is by commenting out connectRDB() in TestMain.

connectRDB() results in the following fatal error: 2017/02/26 13:57:18 Could not start resource: : API error (500): {"message":"invalid environment variable: "}

connectMySQL() also prints the following (non-fatal) error message repeatedly: [mysql] 2017/02/26 14:00:09 packets.go:33: unexpected EOF

My Docker version is: 1.13.1, build 092cba3 (OSX)
I run the test using go test -v . after installing the dependencies using glide install

When I use the manager to interface with sql, the required tables are not getting created.

db, err := sqlx.Open("mysql", "tx81:@tcp(127.0.0.1:3306)/policies")
......
err=db.Ping()
if err == nil {
fmt.Printf("Database is up")
}

warden := ladon.Ladon{
    Manager: manager.NewSQLManager(db, nil),
}

    var pol = &ladon.DefaultPolicy{
        ......
}
err = warden.Manager.Create(pol)
fmt.Printf("%s", err)

The error is printed as "Table 'policies.ladon_policy' doesn't exist".

see ory/hydra#326

For our use case, it would be highly beneficial to be able to send multiple subjects as part of the same request, e.g. "subjects": ["user:peter", "group:admin"] to avoid having to query the API multiple times.

I'm more than happy to provide a PR for this, just wanted to check first of there are any reservations or concerns?

Cheers,
dim

https://github.com/ory/ladon/blob/9fada03c11c183e37c13f581ee6deca8d8e747f9/manager_test_helper.go

Looking at the manager I see the:

	{
		ID:          uuid.New(),
		Description: "description",
		Subjects:    []string{},
		Effect:      AllowAccess,
		Resources:   []string{"foo"},
		Actions:     []string{},
		Conditions:  Conditions{},
	}

Should not the conditions be an array, for example: I may want to evaluate both the CIDR-address and string match on something.

tl;dr; Conditions is plural in the struct but is not a slice...

In the documentation (https://github.com/ory/ladon#persistence) the SQL example shows a database connection created using stdlib's sql.Open, however the ladon/manager/sql NewSQLManager function lists the first argument as db *sqlx.DB. As a result, when a standard *sql.DB is passed in, this error is given:

cannot use ladonDb (type *"database/sql".DB) as type *sqlx.DB in argument to "github.com/ory/ladon/manager/sql".NewSQLManager

Do you want to request a feature or report a bug?
feature

What is the current behavior?
Currently ladon framework does not expose in any way information from isAllowed which policy did allow or deny the request.

What is the expected behavior?
I would expect to be able to have that information available from the framework.

Which version of the software is affected?
not applicable yet

Opening this as an issue to discuss initially potential approaches. My goal would be to be able to have metrics from the framework regarding policy which denied/allowed request.

So one initial idea could be extending ladon with the following piece of code

// LadonMetric is used to pass metrics function ( in this example I will just take policyID and resultof authz ) 
type LadonMetric interface {
	Process(string, string)
}

// Ladon is an implementation of Warden.
type Ladon struct {
	Manager     Manager
	Matcher     matcher
	AuditLogger AuditLogger
	Metrics      LadonMetric
}

// DoPoliciesAllow returns nil if subject s has permission p on resource r with context c for a given policy list or an error otherwise.
// The IsAllowed interface should be preferred since it uses the manager directly. This is a lower level interface for when you don't want to use the ladon manager.
func (l *Ladon) DoPoliciesAllow(r *Request, policies []Policy) (err error) {
	var allowed = false
	var deciders = Policies{}

	// Iterate through all policies
	for _, p := range policies {

               // At the stage of making decision if we allow or not we would call the func defined by interface
		l.Metrics.Process(p.GetID(), strconv.FormatBool(p.AllowAccess()))

              // ...... code removed for readability 

Then within the client app we would create the following

// Client app create custom type matching interface signature from Ladon
type prometheusMetrics struct{}

func (s *prometheusMetrics) Process(policyId string, result string) {
	// dummy print of results
	logger.Printf("yey from %s and %s", policyId, result)
}

	// init warden and pass the custom metrics type
	warden = &ladon.Ladon{
		Metrics: &prometheusMetrics{},
		Manager: manager.NewMemoryManager(),
		AuditLogger: &ladon.AuditLoggerInfo{
			Logger: policyLogs,
		},
	}

From the above we would be able to consume metrics.

I would like to point out this is just first idea so I'm open for input.

And if we get a consent that this would work out - I would be more than happy to do a PR

If I call memory.GetAll(10,0), every time it return different data.

so I think this function should be sort first.

        var keys []string
        m. RLock()  
        start, end := pagination.Index(int(limit), int(offset), len(m.Policies))
	for key, p := range m.Policies {
                keys = append(keys, key)
	}
        sort.Ints(keys)
        var rst []Policies
         for _, key := range keys[start:end] {
                  rst = append(rst, m.Policies[key])
        }
        m. RUnlock()
	return rst, nil

When using the most recent version of ladon (which includes the new StringPairsEqualCondition) in a fork of Hydra, the warden was incorrectly denying requests when given valid contexts.

A sample policy to be tested against:

{
  "description": "Allow account admins full access to account resources.",
  "subjects": [
    "account-admin"
  ],
  "effect": "allow",
  "resources": [
    "rn:accounts:<[A-z0-9_-]+(:.+)?>"
  ],
  "actions": [
    "create", "read", "update", "delete"
  ],
  "conditions": {
    "account-ids": {
      "type": "StringPairsEqualCondition"
    }
  }
}

A sample context to test against:

{
  "resource": "rn:accounts:1",
  "action": "read",
  "subject": "<SUBJECT_WITH_ABOVE_POLICY>",
  "context": {
    "account-ids": [
      ["1", "1"]
    ]
  }
}

I'm wondering if this can be recreated by others. I believe the following line is failing to coerce properly, https://github.com/ory/ladon/blob/master/condition_string_pairs_equal.go#L11.

I am currently using the following implementation for this condition's Fufills function:

func (c *StringPairsEqualCondition) Fulfills(value interface{}, _ *Request) bool {
  pairs, PairsOk := value.([]interface{})

  if PairsOk {
    for _, v := range pairs {
      pair, PairOk := v.([]interface{})
      if !PairOk || (len(pair) != 2) {
        return false
      }

      a, AOk := pair[0].(string)
      b, BOk := pair[1].(string)

      if !AOk || !BOk || (a != b) {
        return false
      }
    }
    return true
  }

  return false
}

It seems Hydra was able to process the type coercion []interface{} but not [][]interface{}. I originally had a similar implementation to the above function's but I had to rework the type coercing to get tests to pass. Now Hydra seems upset :(

Not sure if this is because Hydra is doing something with the input or if it is ladon specific so I created the issue here.

Right now there is no output after successful creation.

First off, huge props to the ory-am team behind Ladon. You guys are putting together a great product and I hope to contribute in the future. I came across Ladon while looking for authentication and authorization solutions for a new product at work. Originally I was considering Hydra, but Oauth seemed too bloated and complicated for the first few versions. We decided to use JWTs for authentication because they're simple and stateless. However, authorization is still up in the air and we're leaning towards Ladon, but we have a few questions before we get cooking and start rolling out tests with Ladon.

How production ready is Ladon in its current state? Are there any big changes planned for Ladon in the next year?

Is containerizing possible with AWS Elasticache persistance? I plan to containerize Ladon and do a little rewriting to store policies in AWS Elasticache instead of the machines/containers memory.

Does Ladon allow policy variables, similar to AWS? If not, how difficult would it be to implement? (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html) The goal of policy variables is to avoid the need to create a policy for every new user or resource.

Are there any examples with a REST request endpoint besides the curl script? With my understanding of the codebase, it should be as easy as defining a POST endpoint that implements Warden.

Forgive me if this write up is a little long. I would much rather ask the questions now before I invest several hours into understanding and forking the repo.

Excited to dive deeper into the possibilities of Ladon! Huge thank you to anyone who is happy to respond.

Hi there,
We're using CockroachDB (which is wire-compatible with postgres). Whenever we call sqlmanager.Create(...), we get the error:

2017/10/31 15:58:16 sql: Transaction has already been committed or rolled back

It's a bit hard for us to track down. We think the transaction may be failing / rolled back because of the structure of the prepared statements, but we're not totally sure.

I'll try to test it on postgres here in a few hours.

I am not able to understand what Equals does in this context. Is it a keyword or a type? I am not able to find documentation for it.

It appears to me that the library might be thread-safe if the storage being used is thread-safe, as all of the operations as far as I can tell boil down to static logic and storage manipulations (which at least for the case of sqlx.DB are thread-safe).

I'm not entirely confident in my own assessment though, and wouldn't trust this without some assurance that matching the thread-safety of the storage implementation is an actual design goal (meaning the library will remain thread-safe in the future).

So what is the library's policy on thread-safety?

Currently, the log message shows Listening on http://:4466 which is missing the host. That should be fixed.

Hi y'all! I'd open a PR for this, but I'm genuinely unsure as to what the meaning of the last sentence of this paragraph, taken from the README, is supposed to be:

You will get the best performance with the in-memory manager. The SQL adapters perform about 1000:1 compared to the in-memory solution. Please note that these tests where in laboratory environments with Docker, without an SSD, and single-threaded. You might get better results on your system. We are thinking about introducing It would be possible a simple cache strategy such as LRU with a maximum age to further reduce runtime complexity.

When a policy is not found the return error is 403, but should be 404.

That's happening because on DoPoliciesAllow function, the first validation is to check if exist a policy, when that's always false, the loop exit without any error and the variable allowed stay false, so the return is always ErrRequestDenied, which is the 403.

In this case should return ErrNotFound which is 404, for that only need to check if the policy was found.

I made a fix to that on:
https://github.com/RoValentim/ladon/blob/bf9a39ca71cd959a9e9b2228f88fc54f698f49ed/ladon.go#L63

Since CONTRIBUTING.md ask for first discuss it here, I would like to know if it's possible to create a PR for that, or should I make something more to solve this issue?

Any plans to add a StringLike operator such as used in AWS policies (e.g. http://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html)? Would be nice to have something in between StringEqual and Regex-- easier for users and more scalable than RegEx, and also lowers the barriers to porting between AWS and Ladon policies.

http://csrc.nist.gov/projects/ac-policy-igs/big_data_control_access_7-10-2014.pdf

The README seems not up to date.

guard.DefaultGuard seems not in use anymore.

And following would throw compile errors:
var pol := &policy.DefaultPolicy{
var guardian := new(guard.DefaultGuard)
(var and := don't go together)

@aeneasr I had used Ladon to build a role-based access management system. I recently came to know that support for the SQL manager has been dropped. Since my use case involves a small number of policies and it is already productionized, is there any way we can continue using the older version which had support for SQL?

I want to install the version 0.8.0, and not 1.0.0. Is there any way I can modify the makefile to install that specific version of Ladon so that it retains support for SQL?

As the examples suggest I am trying:

	accessRequest := &ladon.Request{
		Subject:  "max",
		Resource: "myrn:some.domain.com:resource:123",
		Action:   "update",
		Context: &ladon.Context{
			"some-arbitrary-key": "the-value-should-be-this",
		},
	}

However the compile complains for &ladon.Context saying that it should be ladon.Context. Am I doing something wrong? I can send a PR to fix the examples if that is the case.

I've been trying Ladon for a small set of subjects and resources and works great, but I'd like to know if it's intended to be used when the number of subjects and resources are around millions. Does this depend on the manager implementation?

Hi!
Is scylladb supported?

Apart from appending a custom condition in ladon.conditionFactories, to create a custom condition, a function defining the condition is required. Where is this function defined? Is the file containing this function definition supposed to contain package ladon?
I am not able to include package ladon in the local file. The error message says: can't load package: package .: found packages ladon (arrayEqualsCondition.go) and main (loadPolicies.go) in /Users/tx81/Documents/Shared/PLM_UAM. How is this conflict resolved and how are custom conditions generally defined? The docs are a bit sparse on this one.

In the service I'm implementing, I'd like to log which policy allowed the request.

From the following comment, I understand that it is currently not possible:

Would you agree if I contribute a FindMatchingPolicy() on the manager interface? Or do you have a better idea?

Thanks!

how about an intro post on the GopherAcademy December blog post series?

https://docs.google.com/spreadsheets/d/1H0rj7TJo0t8GWyNdGwEc6bGcDj6UgJUN42JtAtbPMrk/edit?usp=sharing

I've been following this and your other auth related projects with curiosity lately. Can't wait to see what comes of them.

Brian

Could someone commit the existing and completed backends to the master branch?

I know that ladon library is inspired by AWS IAM, but i want to learn the reason why we need effect field in Policy struct .

I use AWS IAM daily, but i don't think there are some functions relative to effect field, if i want to deny a request, i just need to remove that policy, em ...... Am i right ?

I'm really interested in adopting ladon as the authorization framework for an API that I am developing in Golang. I'd like to be able to make access control decisions based on not only users and groups permitted to do something, but also if users contain a specific attribute. For example consider the following policy:

{
  "description": "Allow all District Managers to create, update, and delete articles under any conditions.",
  "subjects": ["users: <(user.position == 'District Manager')>"],
  "actions" : ["<create|update|delete>"],
  "effect": "allow",
  "resources": [
    "resources:articles:<.*>",
  ],
}

The subjects in this case can map to all of the users who have an attribute (e.g. position) that is equal to "District Manager".

Is there an easy way to achieve this style of policy definition in ladon already? If not, would you consider adding something like this?

I'm running into several issues when un/marshaling YAML (with "gopkg.in/yaml.v2")

For example, the conditions don't get marshaled at all, and unmarshaling fails with an error like value of type map[interface {}]interface {} is not assignable to type ladon.Condition

I'm a true beginner in Go, but if there's someone to guide me through, I'd be delighted to contribute the necessary changes — unless you consider it out of scope, in which case, we can close this issue :)

Note: It works fine as JSON ;)

package main

import (
  "github.com/ory/ladon"
  "gopkg.in/yaml.v2"
)

func main() {
  var out = []*ladon.DefaultPolicy{
    {
      ID:          "1",
      Description: "description",
      Subjects:    []string{"user"},
      Effect:      ladon.AllowAccess,
      Resources:   []string{"articles:<[0-9]+>"},
      Actions:     []string{"create", "update"},
      Conditions:  ladon.Conditions{
        "owner": &ladon.EqualsSubjectCondition{},
      },
    },
    {
      Effect:     ladon.DenyAccess,
      Conditions: make(ladon.Conditions),
    },
  }
  yamlData, err := yaml.Marshal(out)
  if err != nil {
    panic(err)
  }
  println(string(yamlData))

  var asYAML []*ladon.DefaultPolicy
  if err := yaml.Unmarshal(yamlData, &asYAML); err != nil {
    panic(err)
  }
}

Take a multi-tenanted scenario, with multiple spaces(or projects) per tenant.
If i have the following policy defined

{
  "description": "Sample policy.",
  "subjects": ["users:<peter|ken>", "users:maria", "groups:admins"],
  "actions" : ["delete", "<create|update>"],
  "effect": "allow",
  "resources": [
    "resources:myorg.com:organizations:dummyorg:spaces:testspace:<.+>"
  ]
}

and the following request comes in

{
  "subject": "users:peter",
  "action" : "delete",
  "resource": "resources:myorg.com:organizations:dummyorg:spaces:testspace:resource123",
}

Is ladon able to verify that resource123 actually sits under organizations:dummyorg and spaces:testspace ?

https://github.com/tarantool/tarantool

We build stuff for an emerging cloud infrastructure. It’s security, zero trust, hardcore bullet proof engineering. It’s Golang, K8S, React, Hashicorp etc. - no more buzzwords! Check out our open positions, just open an issue and go ahead, make our day. We believe that great engineering deserves to be paid accordingly.

-- More of a question

Was there a fundamental problem or limitation with the Ladon framework that forced the Keto server to replace it with the OPA Rego system? Or, was it just a question of easier achieving the desired goals with OPA?

I want to use the Ladon framework in a somewhat specialized way and was wondering if I am wasting my time because there's some major issue with it. The Keto issue that raised the first problem with Ladon cited an issue with fast writes to the policy creations caused conflicts, can this be (by myself obviously) resolved by implementing an appropriate ladon.Manager?s

You import the testing package in the manager_test_helper.go file

As a result any program which is using the flag standard package and depends on the ladon library with produce many extra flags:

-test.bench string
        regular expression to select benchmarks to run
-test.benchmem
        print memory allocations for benchmarks
-test.benchtime duration
        approximate run time for each benchmark (default 1s)
-test.blockprofile string
        write a goroutine blocking profile to the named file after execution

Please slip the testing code from the production one

I came across a peculiar issue with Ladon. One of the resources I used was name "Product:<.*>" It worked fine. But on renaming the resource to "product:<.*> ", the resource is not getting appended to the resources array. All other variations like "product:attributeGroup:<.*> ", "product:attributeGroup:attribute" work fine and get appended to the resources array. But on trying to insert"product:<.*> " with a lowercase "p" alone, it fails.
There is an issue if action name is "create" as well. It is only for these particular cases that it fails.
Is this a known bug? Is there a fix?

ladon manager/sql uses new Postgres 9.5 upsert feature: 'ON CONFLICT DO NOTHING'.

e.g.:
INSERT INTO ladon_policy (id, description, effect, conditions) VALUES (?, ?, ?, ?) ON CONFLICT DO NOTHING

Because of this we can't bootstrap Hydra with the temporary root client - we use Postgres 9.3 in production and are unable to upgrade in the near-term.

Is there a workaround?
Or could the insert statements that use this feature be amended to make them more database/version agnostic?

The how to section could contain:

• How to implement attributes
• Copy docs from https://ory.gitbooks.io/hydra/content/access-control.html#conditions-&-context

I want to use ladon to perform authorization for an app developed as a set of microservices.

I will have an Authorization service which allows administrators to configure access policies for each user. However, I want to be able to check whether the user is allowed to perform a certain action on a certain resource within each service. In my case, I want to be able to get the policies for a subject or subjects in my API gateway and then encode them into JSON and pass them along with the requests to other services.

It would be nice if the manager contains a method where we can look up all the policies for a given subject.

Another use-case is if we want to use ladon to implement RBAC. We would have a subject called role:some-role, for example. We also want to provide an interface where administrators can edit all the permissions for a given role. In this use-case, it'd be really helpful if we could ask the manager to give us all the policies where subject equals role:some-role.

ory/hydra#350

I'd like to build a IAM system using ory/ladon, but i meet some questions while writing code.

• The ladon is inspired by AWS IAM policies, so do you think it is suitable to add Name field to Policy struct? In AWS IAM, the Name field is required while add a policy.

• I has no idea that how to get the set of policies for different accounts, and i can't find a situation to use GetAll method. Do i need to save relationship of policies and users in DB ?

Hi, I was thinking about adding some more fields to the policies. For example, I may want to trace the origins of a specific policy: when was the policy created, and who created it. What is your opinion about adding these fields?

Thanks

Quick question: this project was archived and then unarchived. Was this deliberate and we should take this as a sign that ladon should not be used, or was it an accident and ladon is "safe" for use? Thanks in advance.

The travic ci build only runs a single test in the compiler package. Also at coveralls only 1 source file is listed.

https://coveralls.io/builds/20802709