Google Summer of Code 2021 - Final Report - Casbin
Organization:- Casbin
Projects
- Middleware for Kubernetes :- K8s-authz
- Middleware for Envoy :- Envoy-authz
Mentors
Student
Project Information:-
Casbin is an open-source authorization library which supports access control models like ACL, RBAC and ABAC for Golang, Python, C/C++ and many other languages. It provides support for enforcing authorization based on various access control models. There are many Casbin plugins which support different tools. Kubernetes, being one of the biggest projects in Go, didn’t have this support. So, this project is about developing a Casbin plugin for Kubernetes, which would authorize the users based upon the roles/policies defined in the Casbin policy file to access certain pods or clusters.
Work Done
Pre-community Bonding Period :-
I started contributing to this project even before the results were announced. So, I researched how to validate requests in a k8s cluster and then started reading the official k8s docs on Dynamic Admission Controllers. There are 2 different types of Admission Controllers, which are MutatingAdmissionWebhook and ValidatingAdmissionWebhook. For our project’s use case, I had to choose the latter as the Admission Controller. So, this webhook would work in such a way that whenever any user/client would perform any operation on the pods, this webhook would validate that request using Casbin and then allow/deny the user based on that. Basically, the validation logic would be based on the Casbin enforcer.
During this phase, I created the base structure of the project from scratch. I used the Casbin RBAC API to check the permission of the user on the request.
Merged PRs:- #3
Community Bonding Period :-
In this phase, I wrote the main logic for validating the requests. I had to fix some bugs from the previously merged code. Once the majority of the work was done, I started writing the Readme and also designed a logo for the middleware. After that, I had to write detailed documentation for the usage of our middleware. Also, the previous code was using the v1beta1 version of the k8s API, which had been deprecated since 2019. So, I then had to migrate those APIs to v1.
Phase-1 :-
During this phase, I wrote some tests to check the policy validation. I had to set up the CI for those tests and also for checking the lint and the code quality. The lints were failing initially, so I had to fix those first and then move to semantic release of the package. I then had to fix the coverall badge which was not rendering properly. Earlier the middleware only worked for the requests made to the pods. So, I then extended its support to all k8s resources and sub-resources, which means any type of request made to k8s would have to get validated by Casbin before going forward.
The project was complete by this time and it could be used in production grade k8s cluster.
Merged PRs:- #6, #8, #11, #14, #246
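The validating-webhook flow described above (a v1 AdmissionReview comes in, an allow/deny decision goes back, and sub-resources are checked as well as resources), as an added example that is not K8s-authz's own code. The `policy` map is a hypothetical stand-in for the Casbin enforcer, and `Validate`, `sample` and the `resource/subResource` object naming are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// policy is a hypothetical stand-in for a Casbin enforcer: (sub, obj, act) rules, default deny.
var policy = map[[3]string]bool{
	{"alice", "pods", "CREATE"}:        true,
	{"alice", "pods/status", "UPDATE"}: true,
}

// sample is a constructed admission.k8s.io/v1 AdmissionReview: bob updates pods/status.
const sample = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{
 "uid":"u-1","operation":"UPDATE","resource":{"group":"","version":"v1","resource":"pods"},
 "subResource":"status","userInfo":{"username":"bob"}}}`

// Validate decodes the review, checks the policy and builds the reply body.
// On a decode error the caller must reject the request rather than let it through.
func Validate(body []byte) ([]byte, error) {
	var in struct { // encoding/json matches these field names case-insensitively
		APIVersion, Kind string
		Request          *struct {
			UID, Operation, SubResource string
			Resource                    struct{ Resource string }
			UserInfo                    struct{ Username string }
		}
	}
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return nil, fmt.Errorf("bad AdmissionReview: %v", err)
	}
	r, obj := in.Request, in.Request.Resource.Resource
	if r.SubResource != "" {
		obj += "/" + r.SubResource // a sub-resource is its own policy object
	}
	allowed := policy[[3]string{r.UserInfo.Username, obj, r.Operation}]
	resp := map[string]interface{}{"uid": r.UID, "allowed": allowed} // uid must echo the request
	if !allowed {
		msg := fmt.Sprintf("%s may not %s %s", r.UserInfo.Username, r.Operation, obj)
		resp["status"] = map[string]interface{}{"code": 403, "message": msg}
	}
	return json.Marshal(map[string]interface{}{
		"apiVersion": in.APIVersion, "kind": in.Kind, "response": resp})
}

func main() {
	out, err := Validate([]byte(sample))
	fmt.Println(string(out), err)
}
```

A rule for `pods` does not cover `pods/status` here, so each sub-resource needs its own policy line.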
Final Phase :-
Since the Kubernetes middleware was ready, I started working on Envoy-authz. It is a middleware of Envoy which performs external authorization through Casbin. This proxy would be deployed on any type of Envoy-based service mesh like Istio. The client would make an HTTP request and the Envoy proxy would then send that to the gRPC server. The gRPC server would then authorize the request based on Casbin policies and the decision making takes place. The implemented gRPC server was based on the protocol buffer from external_auth.proto. Once the coding part was done, I then started writing the docs and Readme for this project.
Future Work
The past few months were really amazing and I learnt a lot during this period. I would be maintaining these projects in the future since I gave a lot of time working on them. I would also like to mentor students who would be working on Cloud Native projects of Casbin. I would still contribute to Casbin after GSoC.
Closure
I would like to thank Yang Luo for his excellent mentoring and for choosing me for this organisation. The things I learnt during this period would really help me in the future. I am thankful to all other members of Casbin who helped me during the journey.
One worthwhile task carried to a successful conclusion is better than 50 half-finished tasks. -B.C. Forbes