Configs · May 21, 2026 · 3 min read

Casbin — Flexible Policy-Based Access Control Framework

Casbin is an authorization library that supports access control models including ACL, RBAC, and ABAC. It provides a unified API across Go, Java, Node.js, Python, and other languages, letting developers define and enforce fine-grained permissions using a declarative policy language.

Universal CLI command
npx tokrepo install e2e074be-54ae-11f1-9bc6-00163e2b0d79

Introduction

Casbin is an open-source authorization library that decouples access control logic from application code. By separating the access model definition from policy rules, it lets teams modify permissions without changing source code, supporting everything from simple ACLs to attribute-based policies.

What Casbin Does

  • Enforces authorization decisions based on configurable access control models
  • Supports ACL, RBAC, ABAC, and custom hybrid models via the PERM metamodel
  • Provides adapters for storing policies in databases, files, or external services
  • Offers role hierarchy and multi-tenancy through role managers
  • Ships client libraries for Go, Java, Node.js, Python, .NET, Rust, and PHP

Architecture Overview

Casbin uses a PERM (Policy, Effect, Request, Matchers) metamodel in which the model file defines the request format, the policy structure, the matching rules, and how effects are aggregated. At runtime, the enforcer loads the model and policies, then evaluates each request against the matcher expression to produce an allow or deny decision. Adapters handle persistence, while watchers enable policy synchronization across distributed instances.
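To make the evaluation flow concrete, here is an added illustration (not Casbin's code and not from the original page): a small Python stand-in for the enforcer that applies the matcher to every rule and then aggregates with a deny-override effect. The model text in the comments uses Casbin's model syntax; the subjects, objects, and rules are constructed sample data, and `has_role` and `enforce` are hypothetical helper names.

```python
# Added illustration: a minimal PERM-style evaluator, NOT Casbin's implementation.
# It mirrors this Casbin model (RBAC with deny-override):
#   [request_definition]  r = sub, obj, act
#   [policy_definition]   p = sub, obj, act, eft
#   [role_definition]     g = _, _
#   [policy_effect]       e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
#   [matchers]            m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act

# Constructed sample policy, laid out like rows of a Casbin policy CSV.
POLICY = [
    ("p", "admin", "data1", "read", "allow"),
    ("p", "admin", "data1", "write", "allow"),
    ("p", "bob", "data1", "write", "deny"),
    ("p", "auditor", "data2", "read", "allow"),
]
# Constructed role links: alice and bob are admins; admin inherits auditor.
ROLES = [("g", "alice", "admin"), ("g", "bob", "admin"), ("g", "admin", "auditor")]


def has_role(sub, role, links=ROLES, _seen=None):
    """g(sub, role): true if sub is role or inherits it through a chain of g links."""
    if sub == role:
        return True
    seen = _seen or set()
    seen.add(sub)  # guard against cycles in the role graph
    return any(
        has_role(parent, role, links, seen)
        for _, child, parent in links
        if child == sub and parent not in seen
    )


def enforce(sub, obj, act, policy=POLICY, links=ROLES):
    """Apply the matcher to every rule, then aggregate effects with deny-override."""
    effects = [
        eft
        for _, p_sub, p_obj, p_act, eft in policy
        if has_role(sub, p_sub, links) and obj == p_obj and act == p_act
    ]
    # No matching rule means no allow, so the request is denied by default.
    return "allow" in effects and "deny" not in effects
```

Under this effect, a single matching deny rule wins over any number of allows, which is why bob cannot write data1 even though his admin role grants it.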

Self-Hosting & Configuration

  • Add the Casbin library for your language via its package manager
  • Define a model.conf file specifying the request definition, policy definition, matchers, and effect
  • Store policies in CSV files, databases (MySQL, PostgreSQL), or cloud services via adapters
  • Use the Casbin editor at casbin.org/editor to test and validate model configurations
  • Enable policy caching and watcher-based synchronization for multi-node deployments

Key Features

  • Language-agnostic model definition works identically across all supported runtimes
  • Priority-based and deny-override policy effects for complex rule evaluation
  • Built-in RBAC with resource roles and multi-level role inheritance
  • Hundreds of community-maintained adapters for policy storage backends
  • Management API for runtime policy and role modification without restarts

Comparison with Similar Tools

  • OPA (Open Policy Agent) — general-purpose policy engine using Rego; Casbin is lighter and embeds directly in application code
  • Cerbos — cloud-native PDP with YAML policies; Casbin offers more model flexibility with PERM
  • SpiceDB — Zanzibar-inspired relationship-based auth; Casbin handles broader model types beyond relationships
  • Keycloak — full identity provider with RBAC; Casbin focuses purely on authorization logic without authentication

FAQ

Q: Does Casbin handle authentication? A: No, Casbin only handles authorization. It assumes the identity has already been verified by an authentication system.

Q: Can I change policies at runtime? A: Yes, the management API allows adding, removing, and updating policies without restarting the application.

Q: How does performance scale with many policies? A: Casbin uses efficient matching algorithms and supports filtered policy loading, handling millions of rules with sub-millisecond enforcement.

Q: Is there a GUI for managing policies? A: Casdoor (a separate project) provides a web UI for managing Casbin policies and users.
