apicrud.AccessControl

class apicrud.AccessControl(policy_file=None, model=None)

Role-based access control

Definitions:

  • principal: a user or role

  • membership: parent resource type for privacy sharing

  • model: database model name (e.g. Person)

  • resource: resource type (e.g. person)

  • rbac: role-based access control (defined in rbac.yaml)

  • role: a group name (e.g. admin or list-<id>-<level>)

  • privacy: sharing options as defined in rbac.yaml (e.g. secret [default], public, invitee, member, manager)

  • actions: crudlghij (create, read, update, del, list, guest/member, host/manager, invitee, join)

In rbac.yaml, define the RBAC policies for each principal/resource combination. That file is parsed into a singleton variable at initial startup. This module implements RBAC similar to that of Kubernetes or AWS IAM, with the added capability of a simple privacy permission within each object (database record), which creates an implied ACL granting read-only access to members of the object's group.

Group names currently used are:

  • admin

  • user

  • pending (new-account confirmation)

  • pendingtotp

  • person

  • <resource>-<id>-<privacy>

These are defined in session_auth.py’s account_login() method.

Parameters
  • policy_file (str) – name of the yaml definitions file

  • model (obj) – a model to be validated for permissions

__init__(policy_file=None, model=None)

Initialize self. See help(type(self)) for accurate signature.

Methods

__init__([policy_file, model])

Initialize self.

apikey_create()

Generate an API key - a 41-byte string.

apikey_hash(secret)

Generate a hash value from the secret

apikey_verify(key_id, secret)

Verify an API key

load_rbac(filename)

Read RBAC default policies from rbac.yaml, process any string substitutions, and convert * for re.match()

rbac_permissions([query, owner_uid, …])

Evaluate an access request for self.auth roles of self.uid in self.resource against defined policies

with_filter(query[, access])

Apply RBAC and privacy to a query

with_permission(access[, query, new_uid, …])

Evaluate permission to access an object identified by an open query or new uid.

apikey_create()

Generate an API key - a 41-byte string. First 8 characters (48 bits) are an access key ID prefix; last 32 characters (192 bits) are the secret key.

Returns: tuple

  • key ID (str) – public portion of key

  • secret (str) – secret portion

  • hashvalue (str) – hash value for database

static apikey_hash(secret)

Generate a hash value from the secret

Parameters

secret (str) – secret key

apikey_verify(key_id, secret)

Verify an API key

Parameters
  • key_id (str) – the public key_id at time of generation

  • secret (str) – the unhashed secret

Returns: tuple

  • uid (str) – User ID if valid

  • scopes (list) – list of scope IDs
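The key scheme that apikey_create, apikey_hash and apikey_verify describe above (an 8-character key ID plus a 32-character secret in a 41-byte string, with only a hash of the secret reaching the database), as an added illustration in Python that is not apicrud's own code. The 64-symbol alphabet, the "." separator, SHA-256 as the hash, and the KEY_STORE, format_key, parse_key and store_key helpers are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import string

# Constructed illustration of the key layout described above. The alphabet,
# the separator and the choice of SHA-256 are assumptions, not apicrud's code.
ALPHABET = string.ascii_letters + string.digits + "-_"  # 64 symbols, 6 bits each
KEY_ID_LEN = 8    # 8 chars * 6 bits = 48 bits, public prefix
SECRET_LEN = 32   # 32 chars * 6 bits = 192 bits, secret portion
SEPARATOR = "."   # 8 + 1 + 32 = 41 bytes presented to the client

# Hypothetical stand-in for the database table: key_id -> (hashvalue, uid, scopes)
KEY_STORE = {}

def apikey_hash(secret):
    """Value to persist instead of the secret. A plain SHA-256 is adequate
    here because the secret carries 192 bits of entropy, unlike a password."""
    return hashlib.sha256(secret.encode("ascii")).hexdigest()

def apikey_create():
    """Return (key_id, secret, hashvalue); only hashvalue goes to the database."""
    key_id = "".join(secrets.choice(ALPHABET) for _ in range(KEY_ID_LEN))
    secret = "".join(secrets.choice(ALPHABET) for _ in range(SECRET_LEN))
    return key_id, secret, apikey_hash(secret)

def format_key(key_id, secret):
    """Join the two parts into the 41-byte string handed to the client once."""
    return key_id + SEPARATOR + secret

def parse_key(api_key):
    """Split a presented key; reject anything not matching the expected shape."""
    if len(api_key) != KEY_ID_LEN + 1 + SECRET_LEN or api_key[KEY_ID_LEN] != SEPARATOR:
        raise ValueError("malformed API key")
    return api_key[:KEY_ID_LEN], api_key[KEY_ID_LEN + 1:]

def store_key(key_id, hashvalue, uid, scopes):
    KEY_STORE[key_id] = (hashvalue, uid, list(scopes))

def apikey_verify(key_id, secret):
    """Return (uid, scopes) when the secret matches, otherwise (None, [])."""
    record = KEY_STORE.get(key_id)
    # Hash unconditionally and compare in constant time so an unknown key_id
    # and a wrong secret take the same path and reveal nothing about the store.
    stored = record[0] if record else apikey_hash("")
    if record is None or not hmac.compare_digest(apikey_hash(secret), stored):
        return None, []
    return record[1], record[2]
```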

load_rbac(filename)

Read RBAC default policies from rbac.yaml, process any string substitutions, and convert * for re.match()

Parameters

filename (str) – filename containing RBAC definitions

rbac_permissions(query=None, owner_uid=None, membership=None, id=None, privacy=None)

Evaluate an access request for self.auth roles of self.uid in self.resource against defined policies

Parameters
  • query (obj) – an existing record (takes precedence over owner_uid)

  • owner_uid (str) – owner-uid of a record

  • membership (str) – resource type which defines membership privacy

  • id (str) – the resource ID if membership is set

Returns

actions available to principal

Return type

set

with_filter(query, access='r')

Apply RBAC and privacy to a query

Parameters
  • query (obj) – a resource query in SQLalchemy

  • access (str) – one of lrwcd (list, read, write, create, delete)

Returns

updated SQLalchemy query with filter applied

Return type

obj

TODO restrictions on contact-read by list-id

with_permission(access, query=None, new_uid=None, membership=None, id=None)

Evaluate permission to access an object identified by an open query or new uid. Pass in at least one of the query, new_uid or id parameters.

Parameters
  • access (str) – one of lrwcd (list, read, write, create, delete)

  • query (obj) – a resource query by id in SQLalchemy

  • new_uid (str) – user id of a new record

  • membership (str) – resource type which defines membership privacy

  • id (str) – resource ID

Returns

True if access allowed

Return type

bool