  1. Red Hat Developer Hub Bugs
  2. RHDHBUGS-761

Clarify RBAC policy evaluation in respect to conflict policy effects

    • Bug Fix
    • RHDH Documentation 3286

      Description of problem:

      At the moment, we do not mention how our evaluation is currently applied whenever a user is attached to multiple conflicting permission policies. An example would be the following:

      g, group:default/group_a, role:default/allow-role
      p, role:default/allow-role, catalog-entity, read, allow
      
      g, group:default/group_b, role:default/deny-role
      p, role:default/deny-role, catalog-entity, read, deny

      where the user is a member of both group_a and group_b. In this scenario, we would prioritize the deny over the allow due to the way that we have set up our policy evaluation with the help of Casbin.

      Another scenario might arise in which a user is attached to a basic permission policy and a conditional permission policy. In this case we evaluate the conditional permission policy and apply that over the basic permission policy.


      Actual results:

      We currently do not document this behavior.

      Expected results:

      We should document this to avoid customer confusion.


              rhn-support-lhite Lindsay Hite
              rh-ee-pknight Patrick Knight
              RHDH Documentation
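The deny-over-allow outcome described in the issue, as an added example that is not RHDH or Casbin code: a minimal evaluator run over the four policy lines quoted above. The user reference `user:default/alice`, passing group membership in as a list, and denying when no rule matches are assumptions made for this illustration.

```javascript
// Added example: a minimal deny-overrides evaluator, not RHDH or Casbin code.
const POLICY = `
g, group:default/group_a, role:default/allow-role
p, role:default/allow-role, catalog-entity, read, allow
g, group:default/group_b, role:default/deny-role
p, role:default/deny-role, catalog-entity, read, deny
`;

// Parse the CSV lines into role assignments (g) and permission rules (p).
function parsePolicy(text) {
  const grants = [];
  const rules = [];
  for (const line of text.split('\n')) {
    const f = line.split(',').map((s) => s.trim());
    if (f[0] === 'g' && f.length === 3) {
      grants.push({ member: f[1], role: f[2] });
    } else if (f[0] === 'p' && f.length === 5) {
      rules.push({ role: f[1], resource: f[2], action: f[3], effect: f[4] });
    }
  }
  return { grants, rules };
}

// Collect the roles reached from the user's own reference and its groups.
function rolesFor(subjects, grants) {
  return new Set(grants.filter((g) => subjects.includes(g.member)).map((g) => g.role));
}

// Deny-overrides: allowed only if some matching rule allows and none denies.
// Assumption: a request with no matching rule is denied.
function evaluate(policy, subjects, resource, action) {
  const roles = rolesFor(subjects, policy.grants);
  const effects = policy.rules
    .filter((r) => roles.has(r.role) && r.resource === resource && r.action === action)
    .map((r) => r.effect);
  if (effects.includes('deny')) return 'DENY';
  return effects.includes('allow') ? 'ALLOW' : 'DENY';
}

const policy = parsePolicy(POLICY);
// Constructed subjects: a hypothetical user and the groups it belongs to.
const both = ['user:default/alice', 'group:default/group_a', 'group:default/group_b'];
const onlyA = ['user:default/alice', 'group:default/group_a'];
console.log(evaluate(policy, both, 'catalog-entity', 'read'));  // DENY
console.log(evaluate(policy, onlyA, 'catalog-entity', 'read')); // ALLOW
```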