Lightweight, framework agnostic, context based RBAC authorization library
Project description
Authoritah - Framework Agnostic Python RBAC Library
Authoritah is a Python RBAC library. It is designed to be framework agnostic, in the sense that it is not coupled with any Web framework or ORM library. In addition, Authoritah provides a highly granular role system using a unique approach of context-based role resolution.
Compatibility
We test Authoritah on Python 3.5, 3.6, 3.7 and Pypy 3. It is possible that older versions of Authoritah will work with Python 2.7 as well, but Python versions below 3.5 are not supported.
Installation
The easiest way to install Authoritah is via pip:
pip install authoritah
Overview & Terminology
The following terms are common in many authorization frameworks, but can have specific meaning in authoritah so it is important to clarify them first:
Identities
In simple terms, an identity is a user - an entity using the system (be it a person, a machine authenticating with an API key, a default "anonymous" user, etc.) Identities can have roles - in authoritah, an identity's roles are usually in relation to a given context object, although identities can have default roles as well.
In authoritah you are not expected to use a specific structure for identity objects - they are opaque as far as the library is concerned, and are only passed around between different callables you provide.
Roles
A role is given to an identity, and defines a set of permissions - actions that the user is allowed to perform on an object or in the system.
An identity can have more than one role (for example a user may be both a hiring_manager and a content_editor). In addition, roles can inherit permissions from one or more other roles (for example, a content_editor can inherit from content_viewer).
Unlike many other authorization frameworks, in authoritah roles are not global (although they can be), but are derived from context - for example a user may be a content_editor for all articles, or may be a content_editor only for the articles they created, and content_viewer for all other articles.
Permissions
Permissions, simply put, are "rights granted to a given identity based on its roles". For example, someone with a content_editor role have the article_edit, article_publish and article_unpublish permissions.
Implementing authorization checks in a system normally involves checking whether the user has one or more permissions granted to them before proceeding with an action.
Strict Mode:
The Authorizer class may be instantiated with strict=True (defaults to False).
Strict mode can raise exceptions in two cases:
- If is_allowed is called for a permission not defined in any of the roles defined.
- If a role in the identity provided to is_allowed is not defined
This is useful to check if one forgot to add a role or permission.
Context Objects
The context object is the object on which the operation is performed. For example, when editing an article the context object is the article. As mentioned, in authoritah context objects have a more central role than with many other authorization frameworks - they are taken into account when deciding the user's role.
Quick Start
The following is a quick start guide to applying authorization to your code using authoritah.
We'll follow an example of an imaginary, simplified content management system with 3 objects: articles, comments and users.
1. Define Roles and Permissions
As with any RBAC system, it is recommended to start with defining some roles and what permissions they grant. With Authoritah, it is recommended to think of roles in relation to objects in the system.
You can define your roles and permissions in a configuration file - a YAML
or
JSON
, or even a Python dict
:
---
viewer:
- article_list
- article_view
- comment_list
- comment_view
- user_create
user:
parents: [ 'viewer' ]
grants:
- comment_create
- comment_upvote
contributor:
parents: [ 'user' ]
grants:
- article_create
content_admin:
- comment_edit
- comment_delete
- article_edit
- article_delete
user_admin:
- user_edit
- user_delete
super_admin:
parents:
- contributor
- content_admin
- user_admin
Some things to notice:
- Each
role
is designated by a unique key (or name), and defines, optionally, a list of permissions (grants
). - Roles can inherit permissions from other roles. This is done by providing
a list of inherited roles as
parents
. - As a shortcut, you can define a role by simply providing the list of
permissions it grants, skipping the
grants
key. This format works nicely for roles not inheriting from any other role.
Most importantly, roles are defined in a very granular way following an approach of least possible access. The right way to think of permissions in authoritah is to consider whether someone with the given role should have a given permission under all circumstances or only in specific contexts.
In our example, a contributor
can create any article, but cannot delete
any article - only their own articles. Later, we will see how to use dynamic
role resolution to elevate a specific user to content_admin
for specific
contexts, so they can edit and delete their own articles.
2. Initialize an Authorizer and hook in identity management
Everything you will do with authoritah begins with creating an an
Authorizer
object. Assuming we read our roles & permissions configuration
from a YAML file named authorization.yml
, here is how this is done:
import yaml
from authoritah import Authorizer
with open('authorization.yml') as f:
roles = yaml.safe_load(f)
authz = Authorizer(permissions=roles)
Since authoritah is not bound to any authentication or identity management implementation, you will need to tell your Authorizer how to get an identity object, and how to get a list of roles from this object.
The simplest way to do this would be to use two decorator methods of the
Authorizer
object we just created: authz.identity_provider
and
authz.default_role_provider
:
@authz.identity_provider
def get_current_user(request):
"""This function returns the current authenticated user object
"""
return request.user
@authz.default_role_provider
def get_user_roles(user, context=None):
"""Get roles for the current user.
This function should always accept an identity object (as returned
by the defined identity provider) and return either a list of roles,
a string representing a single role, or None for a user with no roles.
Note that this function also receives the current context object. It
may be used, if needed, to infer roles - but this is usually not
recommended.
"""
return user.roles
In most cases these two functions should be very simple - they are just "glue" that integrates your existing code with authoritah.
3. Define Context-Specific Role Resolution
If your system does not require any dynamic role resolution (e.g. permissions are global and are not related to context objects in your case), you can skip this phase and use authoritah like you would use any other RBAC library.
However, in most cases you would like to give users additional roles based on the object they are accessing - the context object.
This is done using the authz.context_role_provider
decorator. This decorator
should be used to decorate classes, specifying how we should get the roles when
the context object is of a certain type.
Assume that our CRM has an ORM or entity class that represents an article:
class Article:
title = None
content = None
created_by = None
You can now use a decorator to tell Authoritah that article_user_roles
is the
role provider for objects of type Article
, or any subtype of it:
@authz.role_provider(Article)
def article_user_roles(user, article):
if user.id == article.created_by:
return ['content_admin']
return []
Thus, we have told our authorizer to call article_user_roles
whenever the
context object is an Article
object. The list of roles returned by this
callable will be appended to the list of existing global roles the user already
has. This way, we know that if the user is the creator of the article, they
should get permissions as if they have the content_admin
role (meaning they
can edit or delete this specific article).
Another way of doing this will be to use the class_role_provider
annotation
on the context object class, providing it a method name on the same class to
use as a context role provider:
@authz.class_role_provider('user_roles')
class ProtectedArticle(Article):
def user_roles(self, user):
if user.id == self.created_by:
return ['content_admin']
return []
Note that this case will work only for objects of ProtectedArticle
, not the
original Article
base class. However, it will work for any class inheriting
from ProtectedArticle
.
4. Apply Authorization Checks in Your Code
Last but very important, start checking for permissions before you perform some operations in your code.
There are two common ways to do this. One is explicit:
def modify_article(article_id, data):
"""Assume this is your Web framework's handler for article editing
"""
article = DB.article.get(article_id)
if not authz.is_allowed('article_edit', article):
return 'You are not allowed to edit this article', 403
# ... proceed to update the article
The other is using a decorator, which works well for object methods where the object is our context object. Let's update our class definition from before:
@authz.class_role_provider('user_roles')
class ProtectedArticle(Article):
@authz.require('article_edit')
def modify(self, new_data):
# ... proceed to modify my own attributes
pass
def user_roles(self, user):
if user.id == self.created_by:
return ['content_admin']
return []
In the example above, if the user doesn't have the article_edit
permission,
calling modify()
will raise an authoritah.NotAuthorized
exception, which
you will then need to catch and handle.
Background: Why Context-Based Role Resolution?
In most RBAC / ACL frameworks, each user is given one or more pre-defined roles, which in turn decide their permissions to perform operations on various objects. This works well in many cases, but falls short when static permissions are not enough to decide whether a user should be allowed to perform an operation.
For example, in a content management system a user may be have an "editor" role granting them permission to edit articles. This works well in a "flat" system where all editors can edit all articles.
But what if we want users to only be able to edit articles that they created? Or what if we want users to be able to designate specific editors for an article? Granting a global "editor" role here is just not enough.
Existing Solutions: Post-Hoc Assertions
Most current RBAC libraries tackle this problem by adding dynamic assertion capabilities on top of static roles and permissions. They allow developers to specify additional assertion callables per granted permission. Once a user is granted permission to take an action based on their role, additional assertions are executed, essentially checking if the permission should still be granted, given the user and a context object (in our example the article being edited).
Unfortunately, this has a few major drawbacks:
- Writing custom assertions quickly becomes cumbersome as permissions become more granular and the number of permissions in the system grows.
- This model forces an approach of granting roles with the maximal permissions. Narrowing down permissions to only apply in specific contexts is an afterthought.
Enter A New Approach: Context-Based Role Resolution
With authoritah, a user's role is not static but changes based on the context object. Essentially, instead of asking "what is this user's role?", we ask "what is the user's role given this object?". Once the role is dynamically decided, it is very easy to grant or deny permission to perform an action without any need of additional assertions.
In addition, it advocates a process where minimal permissions are granted through each role initially. In the right context, a user may have additional permissions through additional roles assigned to them.
This, in our opinion, reduces the risk of permissions leakage as it encourages a more granular and limited approach to granting permissions.
License
Copyright (c) 2017 Shoppimon LTD
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.