Add an authorization mechanism based on Casbin

[hsluoyz]

Hi, I'm the author of Casbin. It is a Go authorization library that supports access control models like ACL, RBAC, ABAC. It's already used in some large systems, mostly web frameworks. See details here: https://github.com/casbin/casbin

I noticed that semaphore still lacks an authorization mechanism, and there's demand for it (see: #344). (Thanks to @matejkramny for pointing it out for me:)) I think a RBAC-based authorization will fit in our scenario. About our scenario, Casbin can provide:

1. roles can be global or within a tenant (aka project). So the platform owner can have a global admin role, and the project owner will have a local admin role, which only works inside his project.
2. roles can be cascaded. e.g. admin role can be a member of template admin and task admin roles. So admin role will have all the permissions that are assigned to template admin and task admin.
3. support permission groups (like roles). This is useful when you want to group the permissions.
4. the permission granting and user-role mapping can be persisted in files or database (MySQL, NoSQL, etc), support for other DBs can be added if needed.

So what do you think? I can make PR if it's OK. Thanks!

@matejkramny @strangeman

[fernandezvara]

That can be a really good addition to the project. Not having roles limits using semaphone in some environments like mine.

I would like to help in its implementation, while I don't know much about casbin right now.

[hsluoyz]

Hi @fernandezvara ,

Thanks for willing to help:)

You can get a rough image of Casbin at the README.md here: https://github.com/casbin/casbin

The model syntax is here: https://github.com/casbin/casbin/blob/master/Model.md

Please contact me at the Gitter if you have any questions or want to discuss with me:) I really doesn't have much knowledge of semaphore.

[itxx00]

+1

[strangeman]

Looks interesting for me. I plan to play with Casbin during this week. @hsluoyz, I contact you in the case of problems.

[twhiston]

@strangeman - was there any outcome to this? If not I will close it in favour of a more generic ticket for abstracting authentication mechanisms, as we also have a need to support keycloak etc....

[strangeman]

@twhiston nope, I didn't reach any progress in this. We need to think about more rich authentification and authorization mechanisms.