apicrud.AccessControl
class apicrud.AccessControl(policy_file=None, model=None)

Role-based access control
Definitions:
principal: a user or role
membership: parent resource type for privacy sharing
model: database model name (e.g. Person)
resource: resource type (e.g. person)
rbac: role-based access control (defined in rbac.yaml)
role: a group name (e.g. admin or list-<id>-<level>)
privacy: sharing options as defined in rbac.yaml (e.g. secret [default], public, invitee, member, manager)
actions: crudlghij (create, read, update, del, list, guest/member, host/manager, invitee, join)
In rbac.yaml, define the RBAC policies for each principal/resource combination. The file is parsed into a singleton variable at startup. The RBAC model is similar to that of Kubernetes or AWS IAM, with the added capability of a simple privacy setting on each object (database record) that creates an implied ACL granting read-only access to members of the object's group.
Group names currently used are:
admin
user
pending (new-account confirmation)
pendingtotp
person
<resource>-<id>-<privacy>
These are defined in session_auth.py’s account_login() method.
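The following is an added illustration of the policy-plus-privacy evaluation described above; it is not apicrud's own code and does not use its rbac.yaml schema. The POLICY dict, the "owner" pseudo-principal, the invitee < member < manager ordering used for the implied read ACL, the Record class and the sample records are all assumptions made for the example. Wildcard principals such as list-*-manager are compiled to regexes the way the text says load_rbac() converts * for re.match(), and group roles of the form <resource>-<id>-<privacy> unlock read access to records whose privacy is at or below the caller's level:

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical policy table (assumption: not apicrud's rbac.yaml schema).
# principal -> resource -> action letters; '*' is a wildcard in either key.
# "owner" is a pseudo-principal added when the caller's uid owns the record.
POLICY = {
    "admin": {"*": "crudl"},
    "user": {"person": "cl"},
    "owner": {"person": "rud"},
    "list-*-manager": {"list": "rul"},
}

# Assumed ordering of membership levels for the implied read-only ACL.
PRIVACY_RANK = {"invitee": 1, "member": 2, "manager": 3}


@dataclass
class Record:
    """Constructed stand-in for a database row."""
    resource: str
    id: str
    owner_uid: str
    privacy: str = "secret"
    membership: Optional[str] = None       # e.g. "list"
    membership_id: Optional[str] = None    # e.g. "42"


def load_rbac(policy):
    """Compile wildcard principals into anchored regexes (the same idea as
    load_rbac() converting '*' for re.match())."""
    compiled = []
    for principal, resources in policy.items():
        regex = "^" + re.escape(principal).replace(r"\*", ".*") + "$"
        compiled.append((re.compile(regex), resources))
    return compiled


def rbac_permissions(rbac, roles, uid, resource, owner_uid=None,
                     membership=None, membership_id=None, privacy="secret"):
    """Return the set of action letters the caller holds on one record."""
    principals = set(roles)
    if uid is not None and uid == owner_uid:
        principals.add("owner")
    actions = set()
    for pattern, resources in rbac:
        if any(pattern.match(p) for p in principals):
            actions.update(resources.get(resource, ""))
            actions.update(resources.get("*", ""))
    # Privacy: implied read-only ACL for members of the object's group.
    if privacy == "public":
        actions.add("r")
    elif privacy in PRIVACY_RANK and membership and membership_id is not None:
        group = re.compile(
            "^" + re.escape(f"{membership}-{membership_id}-") + r"(\w+)$")
        for role in roles:
            m = group.match(role)
            if m and PRIVACY_RANK.get(m.group(1), 0) >= PRIVACY_RANK[privacy]:
                actions.add("r")
                break
    return actions


def with_filter(rbac, records, roles, uid, access="r"):
    """Keep only the records on which the caller holds `access`."""
    return [
        rec for rec in records
        if access in rbac_permissions(rbac, roles, uid, rec.resource,
                                      rec.owner_uid, rec.membership,
                                      rec.membership_id, rec.privacy)
    ]


# Constructed sample data.
RECORDS = [
    Record("person", "p1", "u1"),                           # secret: owner only
    Record("person", "p2", "u2", "public"),                 # anyone may read
    Record("person", "p3", "u3", "member", "list", "42"),   # list-42 members and up
    Record("person", "p4", "u4", "manager", "list", "42"),  # list-42 managers only
]
RBAC = load_rbac(POLICY)


def readable_ids(roles, uid):
    """IDs of the sample records the caller may read."""
    return [r.id for r in with_filter(RBAC, RECORDS, roles, uid)]


if __name__ == "__main__":
    print(readable_ids(["user", "list-42-member"], "u9"))   # ['p2', 'p3']
```

Note that the group role only grants the implied read; the list-*-manager policy line applies to the list resource, so a manager of list 42 still cannot update a person record they do not own. Keeping the two mechanisms separate is what makes the privacy setting safe to expose to end users.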
- Parameters
policy_file (str) – name of the yaml definitions file
model (obj) – a model to be validated for permissions
__init__(policy_file=None, model=None)

Initialize self. See help(type(self)) for accurate signature.
Methods

__init__([policy_file, model]) – Initialize self.
apikey_create() – Generate an API key - a 41-byte string.
apikey_hash(secret) – Generate a hash value from the secret
apikey_verify(key_id, secret) – Verify an API key
load_rbac(filename) – Read RBAC default policies from rbac.yaml, process any string substitutions, and convert * for re.match()
rbac_permissions([query, owner_uid, …]) – Evaluate an access request for self.auth roles of self.uid in self.resource against defined policies
with_filter(query[, access]) – Apply RBAC and privacy to a query
with_permission(access[, query, new_uid, …]) – Evaluate permission to access an object identified by an open query or new uid.
apikey_create()

Generate an API key - a 41-byte string. First 8 characters (48 bits) are an access key ID prefix; last 32 characters (192 bits) are the secret key.
- Returns: tuple
key ID (str) – public portion of key
secret (str) – secret portion
hashvalue (str) – hash value for database
static apikey_hash(secret)

Generate a hash value from the secret
- Parameters
secret (str) – secret key
apikey_verify(key_id, secret)

Verify an API key
- Parameters
key_id (str) – the public key_id at time of generation
secret (str) – the unhashed secret
- Returns: tuple
uid (str) – User ID if valid
scopes (list) – list of scope IDs
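The following is an added example of the create/hash/verify cycle the three apikey_* methods describe; it is not apicrud's implementation. The page gives only the two lengths (8 base64 characters for the key ID, 32 for the secret, 48 and 192 bits respectively) and says a hash value is stored; the "." separator that makes the 41-character string, the choice of SHA-256 as the hash, the in-memory KEYS table standing in for the database, and the (None, []) failure return are assumptions of the example:

```python
import base64
import hashlib
import hmac
import secrets

# Constructed in-memory key table standing in for the database row that holds
# the hash: key_id -> (hashvalue, uid, scopes). Not apicrud's schema.
KEYS = {}


def apikey_hash(secret):
    """Hash the secret for storage. Assumption: plain SHA-256 is adequate
    because the secret carries 192 bits of randomness; a slow KDF is for
    human-chosen passwords, not machine-generated keys."""
    return hashlib.sha256(secret.encode()).hexdigest()


def apikey_create(uid, scopes):
    """Return (key_id, secret, hashvalue) and register the hash.
    6 random bytes -> 8 url-safe base64 chars (48 bits) for the key ID,
    24 random bytes -> 32 chars (192 bits) for the secret; no '=' padding."""
    key_id = base64.urlsafe_b64encode(secrets.token_bytes(6)).decode()
    secret = base64.urlsafe_b64encode(secrets.token_bytes(24)).decode()
    hashvalue = apikey_hash(secret)
    KEYS[key_id] = (hashvalue, uid, list(scopes))   # store the hash, never the secret
    return key_id, secret, hashvalue


def apikey_format(key_id, secret):
    """The 41-character string handed to the client: key_id '.' secret.
    The separator is an assumption; the page only gives the two lengths."""
    return f"{key_id}.{secret}"


def apikey_split(key):
    """Split a presented key; reject the wrong shape before any lookup."""
    key_id, sep, secret = key.partition(".")
    if sep != "." or len(key_id) != 8 or len(secret) != 32:
        raise ValueError("malformed API key")
    return key_id, secret


def apikey_verify(key_id, secret):
    """Return (uid, scopes) for a valid key, otherwise (None, [])."""
    row = KEYS.get(key_id)
    # Hash and compare even when the key_id is unknown so response timing does
    # not reveal which IDs exist; compare_digest avoids leaking a hash prefix.
    expected = row[0] if row else apikey_hash("")
    if not hmac.compare_digest(expected, apikey_hash(secret)) or row is None:
        return None, []
    return row[1], list(row[2])


# Constructed example key, created at import time so it can be exercised.
EXAMPLE_ID, EXAMPLE_SECRET, EXAMPLE_HASH = apikey_create("u1", ["read"])

if __name__ == "__main__":
    presented = apikey_format(EXAMPLE_ID, EXAMPLE_SECRET)
    print(len(presented), apikey_verify(*apikey_split(presented)))  # 41 ('u1', ['read'])
```

The key ID is public and is what the server looks up; the secret is compared only through its hash, so a database leak exposes nothing that can be replayed as a credential.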
load_rbac(filename)

Read RBAC default policies from rbac.yaml, process any string substitutions, and convert * for re.match()
- Parameters
filename (str) – filename containing RBAC definitions
rbac_permissions(query=None, owner_uid=None, membership=None, id=None, privacy=None)

Evaluate an access request for the self.auth roles of self.uid in self.resource against the defined policies
- Parameters
query (obj) – an existing record (takes precedence over owner_uid)
owner_uid (str) – owner-uid of a record
membership (str) – resource type which defines membership privacy
id (str) – the resource ID if membership is set
privacy (str) – privacy setting of the record (see Definitions)
- Returns
actions available to principal
- Return type
set
with_filter(query, access='r')

Apply RBAC and privacy to a query
- Parameters
query (obj) – a resource query in SQLalchemy
access (str) – one of lrwcd (list, read, write, create, delete)
- Returns
updated SQLalchemy query with filter applied
- Return type
obj

TODO restrictions on contact-read by list-id
with_permission(access, query=None, new_uid=None, membership=None, id=None)

Evaluate permission to access an object identified by an open query or new uid. Pass in at least one of query, new_uid or id.
- Parameters
access (str) – one of lrwcd (list, read, write, create, delete)
query (obj) – a resource query by id in SQLalchemy
new_uid (str) – user id of a new record
membership (str) – resource type which defines membership privacy
id (str) – resource ID
- Returns
True if access allowed
- Return type
bool