[Vote] Donate Casbin to Apache Foundation

[hsluoyz]

After several days discussion with some Apache members, the draft is almost ready, please vote for donating the Casbin project to Apache Foundation.

Casbin Proposal

Abstract

Casbin is a powerful and efficient open-source access control framework that provides a unified, model-driven approach to authorization. Through its domain-specific language (DSL), Casbin seamlessly integrates ACL, RBAC, and ABAC models, enabling flexible and fine-grained policy management. It delivers high-performance access control enforcement and offers a broad multi-language ecosystem, including Go, Java, Node.js, JavaScript, Python, .NET, C++, and Rust.

Proposal

Casbin is an open-source access control library. The core idea is simple: pull authorization logic out of your code and put it into configuration files/databases.

1. Various access control models

Casbin uses the PERM metamodel (Policy, Effect, Request, Matchers). You write a .conf model file and a policy file, and you get ACL, RBAC, ABAC, ReBAC, or other access control model as required. Changing your permission model is just editing config—no code changes required. You can even mix RBAC roles with ABAC attributes in the same policy.

2. Multi-language support

Casbin has native implementations in 10+ languages—Go, Java, Python, Node.js, Rust, C++, .NET, Ruby, and more—with consistent APIs across all of them. Teams working across different stacks can share a common understanding of how permissions work without hunting for a different authorization solution for each language.

3. Middlewares

Policies can live in memory, files, or dozens of backends (MySQL, PostgreSQL, MongoDB, Redis, etc.) through adapters. Role management integrates with enterprise identity providers like LDAP, Okta, and Auth0. For multi-instance deployments, the Watcher mechanism keeps policies in sync. There's also an online editor for debugging models and policies.

4. Performance

Policy evaluation happens in memory with predictable latency. For large-scale multi-tenant scenarios, filtered loading lets you load only the policies you need instead of the entire set.

Casbin was originally built for cloud-native and microservice architectures. It's now running in production at many internet companies, SaaS products, and internal platforms. We believe bringing Casbin into the Apache Incubator would add valuable diversity to the community.

Background

Casbin is being developed by an open-source community from day one under Apache 2.0 license. The project has been launched in April 2017.

Rationale

Casbin provides a unified authorization and access control abstraction layer that simplifies integrating different access control models and policy backends. In addition, Casbin offers advanced authorization capabilities such as fine-grained policy management, pluggable extensions (adapters, role managers, watchers, effectors), and rich ecosystem tooling for policy editing and administration. Casbin makes it possible to design authorization rules once and apply them consistently across multiple languages, frameworks, and systems.

Initial Goals

• Build a more diverse community and attract external contributors.
• Promote the adoption and integration of Casbin by ensuring its neutrality and sustainability.
• Gather more user feedback and become one of the standard implementations of access control interfaces.

Current Status

Meritocracy

Casbin was developed by Yang Luo in 2017 at Peking University. Zixuan Liu, the maintainer of the Node.js version, joined later, and in 2020 Zihui Liu, the maintainer of the JavaScript version, also joined. Afterwards, a lot of developers have become core contributors. Since it was open-sourced, Casbin has attracted strong interest from both companies and individual developers. We will continue to support new contributors, and those who submit high-quality contributions will be invited to become committers.

Community

Contributors: 152
See: https://github.com/casbin/casbin/graphs/contributors

Users:

• Argo CD: Declarative Continuous Deployment for Kubernetes
• OpenShift: The developer and operations friendly Kubernetes distro
• Apache Pulsar: Distributed pub-sub messaging system
• Apache APISIX: The Cloud-Native API Gateway and AI Gateway
• Casdoor: Identity and Access Management platform
• Harbor: An open source trusted cloud native registry project that stores, signs, and scans content
• Skydive: An open source real-time network topology and protocols analyzer

Core Developers

The core developers are all experienced open-source developers. They have been running the Casbin community for over one year.

Alignment

Casbin works well with Pulsar, APISIX, and many other Apache projects. The codebase of Casbin is already under the Apache License 2.0. The community has been learning and practicing the Apache Way since its establishment.

Known Risks

Project Name

We have checked and consider the name appropriate, and the project is entitled to continue using its current name. The current project lead has registered the “Casbin” trademark and will donate it to the ASF.

Orphan Products

Casbin is already being used by many companies and open-source communities globally. The current developers will continue to improve the project to provide better support for present and future needs.

Inexperience with Open Source

Casbin's core developers are all experienced open source contributors, and its main maintainer Yang Luo has 12 years of open source experience, having worked on a number of open source projects including Nmap, Npcap, Casdoor, and others.

Length of Incubation

Expect to enter incubation in two months and graduate in about two years.

Homogenous Developers

Casbin developers come from a variety of backgrounds and contribute to the Casbin project for different usage scenarios.

Reliance on Salaried Developers

Most core contributors to Casbin are not salaried for their work on the project; they contribute in their spare time out of personal interest and commitment to open source. Some new contributors may receive modest financial support through community beginner programs, but this is limited and optional. Going forward, we plan to attract more contributors from diverse organizations and backgrounds to further distribute responsibility and reduce any potential dependency on a small group of individuals.

Relationships with Other Apache Products

Casbin can be integrated with Apache projects to provide unified authorization:

• Pulsar: Apache Pulsar uses Casbin to implement RBAC authorization on tenants, namespaces, and topics.
• APISIX: Apache APISIX provides the `authz-casbin` plugin to enforce ACL/RBAC/ABAC policies on API requests.

An Excessive Fascination with the Apache Brand

We believe that the Apache Way and its neutrality, which goes beyond branding alone, will help the development of Casbin. As a fundamental function of software, authorization is better served by a community-driven foundational library. In the long run, a neutral organization is more beneficial to the community than a single company.

Documentation

The document of Casbin is hosted at https://casbin.org/. And Casbin’s document is self-contained, all its current and historical versions could be found at https://github.com/casbin/casbin-website-v2.

Initial Source

The project currently holds several GitHub organizations:

• https://github.com/casbin
• https://github.com/jcasbin
• https://github.com/casbin-cpp
• https://github.com/node-casbin
• https://github.com/casbin-net
• https://github.com/casbin-rs

Source and Intellectual Property Submission Plan

External Dependencies

go-licenses report ./...
github.com/bmatcuk/doublestar/v4,https://github.com/bmatcuk/doublestar/blob/v4.6.1/LICENSE,**MIT**
github.com/casbin/casbin/v2,https://github.com/casbin/casbin/blob/HEAD/LICENSE,**Apache-2.0**
github.com/casbin/govaluate,https://github.com/casbin/govaluate/blob/v1.3.0/LICENSE,**MIT**
github.com/golang/mock/gomock,https://github.com/golang/mock/blob/v1.4.4/LICENSE,**Apache-2.0**
github.com/google/uuid,https://github.com/google/uuid/blob/v1.6.0/LICENSE,**BSD-3-Clause**

Cryptography

N/A

Required Resources

Mailing Lists

• private@casbin.apache.org
• dev@casbin.apache.org
• commits@casbin.apache.org
• issues@casbin.apache.org
• build@casbin.apache.org

Subversion Directory

N/A

Git Repositories

From https://github.com/casbin/casbin

• https://gitbox.apache.org/asf/repos/casbin

• https://github.com/apache/casbin

• https://github.com/apache/jcasbin

• https://github.com/apache/node-casbin

• https://github.com/apache/pycasbin

• https://github.com/apache/Casbin.NET

• https://github.com/apache/casbin-rs

• https://github.com/apache/casbin.js

• https://github.com/apache/casbin-editor

• https://github.com/apache/casbin-website

Issue Tracking

The community would like to continue using GitHub Issues.

Other Resources

The community has already chosen GitHub actions as continuous integration tools.

Initial Committers

• Yang Luo [hsluoyz AT gmail dot com, Peking University]
• Zixuan Liu [nodeces AT gmail dot com, AscentStream]
• Zihui Liu [kingiw AT hotmail dot com, Tencent]
• Xianhe Tang [sagilio AT outlook dot com, Xiaomi]
• Hongyang Shi [928357057 AT qq dot com, Baidu]
• Hanyang Xia [xiahanyang AT 126 dot com, SenseTime]
• Xiangwen Meng [cit117 AT me dot com, BaiTaste]

Sponsors

Champion

• Zili Chen [tison AT apache dot org]

Nominated Mentors

• Zili Chen [tison AT apache dot org]

• Huajie Wang [benjobs AT apache dot org]

• Hulk Lin [hulk AT apache dot org]

• Jerry Shao [jshao AT apache dot org]

• Hao Ding [xuanwo AT apache dot org]

Sponsor Entity

We expect the Apache Incubator to sponsor this project.

The vote is for All Initial Committers:

@hsluoyz
@nodece
@kingiw
@sagilio
@shy1st
@Xhy-5000
@xiaobeiswift

Voters can either respond "agree, yes, +1", "disagree, no, -1", or "abstain".

[nodece]

+1

[sagilio]

+1

[hsluoyz]

+1

[Xhy-5000]

+1

[kingiw]

+1

[xiaobeiswift]

+1

[shy-1st]

+1

[Greatz08]

+1