Use the copy method to get the casbin `Model` for every request (#21145)

Signed-off-by: SimFG <bang.fu@zilliz.com> Signed-off-by: SimFG <bang.fu@zilliz.com>
2022-12-12 16:41:21 +08:00 · 2022-12-12 16:41:21 +08:00 · 0be9ba11d0
parent cc8cc985e6
commit 0be9ba11d0
1 changed files with 6 additions and 3 deletions
--- a/internal/proxy/privilege_interceptor.go
+++ b/internal/proxy/privilege_interceptor.go
@ -40,12 +40,14 @@ m = r.sub == p.sub && globMatch(r.obj, p.obj) && globMatch(r.act, p.act) || r.su
 `
 )

+var templateModel = getPolicyModel(ModelStr)
+
 func getPolicyModel(modelString string) model.Model {
-	model, err := model.NewModelFromString(modelString)
+	m, err := model.NewModelFromString(modelString)
 	if err != nil {
 		log.Panic("NewModelFromString fail", zap.String("model", ModelStr), zap.Error(err))
 	}
-	return model
+	return m
 }

 // UnaryServerInterceptor returns a new unary server interceptors that performs per-request privilege access.
@ -103,7 +105,8 @@ func PrivilegeInterceptor(ctx context.Context, req interface{}) (context.Context
 	policy := fmt.Sprintf("[%s]", policyInfo)
 	b := []byte(policy)
 	a := jsonadapter.NewAdapter(&b)
-	casbinModel := getPolicyModel(ModelStr)
+	// the `templateModel` object isn't safe in the concurrent situation
+	casbinModel := templateModel.Copy()
 	e, err := casbin.NewEnforcer(casbinModel, a)
 	if err != nil {
 		log.Error("NewEnforcer fail", zap.String("policy", policy), zap.Error(err))