apicrud.access

access.py: Access control
Definitions:
- principal: a user or role
- membership: parent resource type for privacy sharing
- model: database model name (e.g. Person)
- resource: resource type (e.g. person)
- rbac: role-based access control (defined in rbac.yaml)
- role: a group name (e.g. admin or list-<id>-<level>)
- privacy: sharing options as defined in rbac.yaml (e.g. secret [default], public, invitee, member, manager)
- actions: crudlghij (create, read, update, del, list, guest/member, host/manager, invitee, join)
In rbac.yaml, define the RBAC policies for each principal/resource combination. That file is parsed into a singleton variable at initial startup. This module implements RBAC similar to that of Kubernetes or AWS IAM, with the added capability of a simple privacy setting within each object (database record), which creates an implied ACL granting read-only access to members of the object's group.
Group names currently used are:
- admin
- user
- pending
- person
- <resource>-<id>-<privacy>

These are defined in session_auth.py's account_login() method.
Created 20-may-2019 by richb@instantlinux.net; refactored 6-mar-2020.
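The evaluation described above, as an added illustration that is not apicrud's own code: explicit grants come from a role/resource policy table (a constructed stand-in for rbac.yaml, whose real layout is not shown here), `*` wildcards are converted for re.match(), and the record's privacy field adds an implied read-only ACL for holders of the `<membership>-<id>-<privacy>` group role. The owner rule and the policy dict shape are assumptions.

```python
import re

# Constructed stand-in for rbac.yaml (its real layout is an assumption here):
# role -> {resource pattern -> action letters from crudlghij}.
POLICY = {
    "admin": {"*": "crudlghij"},
    "user": {"person": "cr", "list": "crl"},
    "pending": {"person": "r"},
}
ACTIONS = set("crudlghij")


def load_rbac(policy):
    """Convert '*' wildcards into anchored regexes usable with re.match()."""
    compiled = {}
    for role, rules in policy.items():
        compiled[role] = [
            (re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$"),
             set(actions))
            for pattern, actions in rules.items()
        ]
    return compiled


def rbac_permissions(rbac, roles, uid, resource, owner_uid=None,
                     membership=None, id=None, privacy="secret"):
    """Return the set of actions the principal (uid holding roles) has on resource.

    Explicit grants come from the policy; the record's privacy setting then adds
    an implied read-only ACL for members of the object's group, i.e. principals
    holding the role <membership>-<id>-<privacy>.
    """
    granted = set()
    for role in roles:
        for pattern, actions in rbac.get(role, []):
            if pattern.match(resource):
                granted |= actions
    # Assumption: a record's owner may always read, update and delete it.
    if owner_uid is not None and owner_uid == uid:
        granted |= set("rud")
    # Implied ACL: public records are world-readable; for any other non-secret
    # level the principal needs the group role naming this object at that level.
    if privacy == "public":
        granted.add("r")
    elif privacy != "secret" and membership and id:
        if f"{membership}-{id}-{privacy}" in roles:
            granted.add("r")
    return granted & ACTIONS
```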
Classes

AccessControl: Role-based access control

class apicrud.access.AccessControl(policy_file=None, model=None)
Role-based access control
- Parameters
policy_file (str) – name of the yaml definitions file
model (obj) – a model to be validated for permissions
load_rbac(filename)
Read RBAC default policies from rbac.yaml, process any string substitutions, and convert * for re.match()
- Parameters
filename (str) – filename containing RBAC definitions
rbac_permissions(query=None, owner_uid=None, membership=None, id=None, privacy=None)
Evaluate an access request for the self.auth roles of self.uid in self.resource against the defined policies
- Parameters
query (obj) – an existing record (takes precedence over owner_uid)
owner_uid (str) – owner-uid of a record
membership (str) – resource type which defines membership privacy
id (str) – the resource ID if membership is set
- Returns
actions available to principal
- Return type
set
with_filter(query, access='r')
Apply RBAC and privacy to a query
- Parameters
query (obj) – a resource query in SQLalchemy
access (str) – one of lrwcd (list, read, write, create, delete)
- Returns
updated SQLalchemy query with filter applied
- Return type
obj
TODO restrictions on contact-read by list-id
with_permission(access, query=None, new_uid=None, membership=None, id=None)
Evaluate permission to access an object identified by an open query or new uid. Pass in at least one of the query/uid/eid params
- Parameters
access (str) – one of lrwcd (list, read, write, create, delete)
query (obj) – a resource query by id in SQLalchemy
new_uid (str) – user id of a new record
membership (str) – resource type which defines membership privacy
id (str) – resource ID
- Returns
True if access allowed
- Return type
bool