An authorization middleware for Flask that supports ACL, RBAC, ABAC, based on Casbin
flask-authz
flask-authz is an authorization middleware for Flask. It is based on PyCasbin.
Installation
pip install flask-authz
Or clone the repo:
$ git clone https://github.com/pycasbin/flask-authz.git
$ python setup.py install
Module Usage:
from flask import Flask, jsonify
from flask_authz import CasbinEnforcer
from casbin.persist.adapters import FileAdapter

app = Flask(__name__)
# Set up Casbin model config
app.config['CASBIN_MODEL'] = 'casbinmodel.conf'
# Set the request headers that carry the subject (owner) used for policy enforcement
app.config['CASBIN_OWNER_HEADERS'] = {'X-User', 'X-Group'}
# Add user audit logging with the user name taken from this header, e.g.
# `[2020-11-10 12:55:06,060] ERROR in casbin_enforcer: Unauthorized attempt: method: GET resource: /api/v1/item by user: janedoe@example.com`
app.config['CASBIN_USER_NAME_HEADERS'] = {'X-User'}
# Set up Casbin adapter
adapter = FileAdapter('rbac_policy.csv')
casbin_enforcer = CasbinEnforcer(app, adapter)


@app.route('/', methods=['GET'])
@casbin_enforcer.enforcer
def get_root():
    return jsonify({'message': 'If you see this you have access'})


@app.route('/manager', methods=['POST'])
@casbin_enforcer.enforcer
@casbin_enforcer.manager
def make_casbin_change(manager):
    # manager is a casbin.enforcer.Enforcer object used to make changes to Casbin
    return jsonify({'message': 'If you see this you have access'})
Example Config
This example file can be found in tests/casbin_files.
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[role_definition]
g = _, _
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = (p.sub == "*" || g(r.sub, p.sub)) && r.obj == p.obj && (p.act == "*" || r.act == p.act)
Example Policy
This example file can be found in tests/casbin_files.
p, alice, /dataset1/*, GET
p, alice, /dataset1/resource1, POST
p, bob, /dataset2/resource1, *
p, bob, /dataset2/resource2, GET
p, bob, /dataset2/folder1/*, POST
p, dataset1_admin, /dataset1/*, *
p, *, /login, *
p, anonymous, /, GET
g, cathy, dataset1_admin
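As an added illustration (not code from flask-authz or PyCasbin), the following pure-Python evaluator applies the matcher from the example config above to the example policy above, with the policy embedded inline. Note that the matcher compares r.obj == p.obj literally, so a policy object such as /dataset1/* only matches a request whose path is the literal string /dataset1/*; Casbin's built-in keyMatch function is what gives the wildcard its usual prefix meaning, and the glob_obj flag here (an assumption for comparison, not part of the page's model) swaps it in.

```python
# Constructed inline copy of the page's example policy file (not read from disk).
POLICY_CSV = """\
p, alice, /dataset1/*, GET
p, alice, /dataset1/resource1, POST
p, bob, /dataset2/resource1, *
p, bob, /dataset2/resource2, GET
p, bob, /dataset2/folder1/*, POST
p, dataset1_admin, /dataset1/*, *
p, *, /login, *
p, anonymous, /, GET
g, cathy, dataset1_admin
"""

def load_policy(csv_text):
    """Split policy text into p-rules (sub, obj, act) and g-rules (user, role)."""
    rules, roles = [], []
    for line in csv_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 4:
            rules.append(tuple(fields[1:]))
        elif fields[0] == "g" and len(fields) == 3:
            roles.append(tuple(fields[1:]))
    return rules, roles

def has_role(sub, role, roles, seen=frozenset()):
    """g(r.sub, p.sub): sub equals the role or inherits it via g-rules; seen guards cycles."""
    if sub == role or sub in seen:
        return sub == role
    return any(has_role(p, role, roles, seen | {sub}) for u, p in roles if u == sub)

def key_match(key1, key2):
    """Casbin's keyMatch: a '*' in key2 matches any remainder of key1 (e.g. '/dataset1/*')."""
    i = key2.find("*")
    if i == -1:
        return key1 == key2
    return key1[:i] == key2[:i] if len(key1) > i else key1 == key2[:i]

def enforce(sub, obj, act, glob_obj=False, csv_text=POLICY_CSV):
    """Evaluate the page's matcher; some(where (p.eft == allow)) means one matching rule suffices.
    glob_obj=False keeps the literal r.obj == p.obj; glob_obj=True swaps in keyMatch (assumption)."""
    rules, roles = load_policy(csv_text)
    for p_sub, p_obj, p_act in rules:
        sub_ok = p_sub == "*" or has_role(sub, p_sub, roles)
        obj_ok = key_match(obj, p_obj) if glob_obj else obj == p_obj
        act_ok = p_act == "*" or act == p_act
        if sub_ok and obj_ok and act_ok:
            return True
    return False
```

With the literal comparison, alice's GET of /dataset1/resource1 is denied while cathy's inherited dataset1_admin rights only take effect once keyMatch is used; the wildcard subject rule for /login and the anonymous GET / rule behave the same either way.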
Development
Run unit tests
- Fork/Clone repository
- Install flask-authz dependencies, and run pytest:
pip install -r dev_requirements.txt
pip install -r requirements.txt
pytest
Setup pre-commit checks
pre-commit install
Update requirements with pip-tools
# update requirements.txt
pip-compile --no-annotate --no-header --rebuild requirements.in
# sync venv
pip-sync
Manually Bump Version
bumpversion major # major release
or
bumpversion minor # minor release
or
bumpversion patch # hotfix release
Documentation
The authorization determines a request based on {subject, object, action}, which means what subject can perform what action on what object. In this plugin, the meanings are:
- subject: the logged-in user name
- object: the URL path for the web resource like "dataset1/item1"
- action: HTTP method like GET, POST, PUT, DELETE, or the high-level actions you defined like "read-file", "write-blog"
For how to write authorization policy and other details, please refer to Casbin's documentation.
License
This project is under Apache 2.0 License. See the LICENSE file for the full license text.