ketgo / py-abac


Python Attribute Based Access Control (ABAC)

Home Page: https://py-abac.readthedocs.io/

License: Apache License 2.0

Languages: Makefile 0.12%, Python 99.88%
Topics: acl, abac, policy-language, python, security, policy-management, access-control, authorization, authz, permission

py-abac's People

Contributors: dylanmcreynolds, ketgo, sarthakgupta072

py-abac's Issues

Support inquiry data conditions for policy elements

A common use-case while defining policy is to have conditions on attributes of different elements for a particular policy element. For example, defining a policy to allow access when the resource id in the resource element is the same as the user id in the user element. Such a policy is common when designing user profile applications.

The logic for AllNotIn and AnyNotIn is the wrong way around

Conditions for collections. Take, for example, AllNotIn; the documentation says:

none of the members of attribute value collection are members of "values"

Yet the test is:

https://github.com/ketgo/py-abac/blob/master/tests/test_policy/test_conditions/test_collection.py#L80

    @pytest.mark.parametrize("condition, what, result", [
        ...
        (AllNotIn([2]), [1, 2], True),

Of the 2 values for the attribute value collection (1 and 2), 2 is a member of "values", so the condition should return False.

Assessing access for multiple resources

Hi there,

Great module - I've really enjoyed exploring / testing py-abac so far!

I was wondering if @ketgo / anyone had any thoughts on how to deal with assessing access to lists of resources.

For example, given the standard exemplar Pets API (GET /pets, GET /pets/123), is there a solution that might allow you to restrict the list returned by GET /pets to only contain those pets that belong to the user (as opposed to every pet in the database - potentially 100s or 1000s)?

Beyond getting the entire data set (potentially applying some initial filtering logic) and then assessing access to each entry on the list, I wasn't sure if there was a more efficient option.

Any thoughts would be greatly appreciated.

All the best - Jamie.

[Best Practice] Limit policy to specific api endpoints

Hello,

First of all, thanks for creating this, it really helps a lot!

I am currently using py-abac to protect our api endpoints and searching for a way to limit the policies to a specific path.
My current solution is to just perform a regex match on the resource like this.

Endpoint: /v1/user/604g7bh4av2aj54114c14600

Policy

    {
        "uid": "2",
        "description": "Allow user to get his own account",
        "effect": "allow",
        "rules": {
            "subject": {
                "$.user_id": {
                    "condition": "RegexMatch",
                    "value": ".*"
                }
            },
            "resource": {
                "$.path": {
                    "condition": "RegexMatch",
                    "value": "^\/v1\/user\/[0-9a-fA-F]{24}$"
                },
                "$.id": {
                    "condition": "EqualsAttribute",
                    "ace": "subject",
                    "path": "$.user_id"
                }
            },
            "action": {
                "$.method": {
                    "condition": "IsIn",
                    "values": [
                        "get"
                    ]
                }
            },
            "context": {}
        },
        "targets": {},
        "priority": 0
    }

Access Request

{
   "subject":{
      "id":"",
      "attributes":{
         "user_id":"604g7bh4av2aj54114c14600",
         "role":"user"
      }
   },
   "resource":{
      "id":"",
      "attributes":{
         "path":"/v1/user/604g7bh4av2aj54114c14600",
         "id":"604g7bh4av2aj54114c14600"
      }
   },
   "action":{
      "id":"",
      "attributes":{
         "method":"get"
      }
   },
   "context":{}
}

Would the target or context section be a better fit to limit this policy to only this specific API endpoint?

Some API endpoints also don't have path parameters with user ids etc., thus we have to perform a database lookup first and then use the owner and member attributes inside the database object to perform the validation.
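Serving both the AllNotIn issue and the endpoint-limiting question above, the following is an added, self-contained mini evaluator written for this page (example code, not py-abac's own implementation): it evaluates the issue's policy against constructed requests, using a minimal `$.name` attribute lookup and a deny-overrides combination of its own. The condition names and the policy/request JSON shapes are the ones shown in the issue; the evaluation logic, the hex ids and the `make_request` helper are constructed here.

```python
import re

def _attr(request, ace, path):
    # Minimal "$.name" JSONPath: one attribute key on one access control element (ace).
    return request[ace]["attributes"].get(path[2:])

# Evaluators keyed by the policy's "condition" name: v = attribute value, c = condition dict, r = whole
# request (EqualsAttribute reads across elements). Collection semantics follow the AllNotIn issue's docs.
CONDITIONS = {
    "RegexMatch": lambda v, c, r: isinstance(v, str) and re.search(c["value"], v) is not None,
    "IsIn": lambda v, c, r: v in c["values"],
    "AllIn": lambda v, c, r: all(x in c["values"] for x in v),
    "AnyIn": lambda v, c, r: any(x in c["values"] for x in v),
    "AllNotIn": lambda v, c, r: not any(x in c["values"] for x in v),  # no member of v in values
    "AnyNotIn": lambda v, c, r: any(x not in c["values"] for x in v),  # some member not in values
    "EqualsAttribute": lambda v, c, r: v == _attr(r, c["ace"], c["path"]),
}

def policy_matches(policy, request):
    """A policy matches when every rule on every element holds for the request."""
    return all(CONDITIONS[cond["condition"]](_attr(request, ace, path), cond, request)
               for ace, rules in policy["rules"].items() for path, cond in rules.items())

def is_allowed(policies, request):
    """Deny-by-default with deny-overrides: some policy must match and no matching policy may deny."""
    matched = [p for p in policies if policy_matches(p, request)]
    return bool(matched) and all(p["effect"] == "allow" for p in matched)

# The policy from the issue above as a dict (uid, description, targets and priority omitted).
# The anchored regex confines it to one endpoint; EqualsAttribute ties the resource to the caller.
OWN_ACCOUNT_POLICY = {
    "effect": "allow",
    "rules": {
        "subject": {"$.user_id": {"condition": "RegexMatch", "value": ".*"}},
        "resource": {
            "$.path": {"condition": "RegexMatch", "value": r"^/v1/user/[0-9a-fA-F]{24}$"},
            "$.id": {"condition": "EqualsAttribute", "ace": "subject", "path": "$.user_id"},
        },
        "action": {"$.method": {"condition": "IsIn", "values": ["get"]}},
    },
}

def make_request(user_id, path, resource_id, method="get"):
    # Constructed access request in the same shape as the one in the issue.
    return {
        "subject": {"id": "", "attributes": {"user_id": user_id, "role": "user"}},
        "resource": {"id": "", "attributes": {"path": path, "id": resource_id}},
        "action": {"id": "", "attributes": {"method": method}},
        "context": {"id": "", "attributes": {}},
    }
```

The `$.name` lookup assumes flat attributes and only the rules present in the policy are evaluated. Note that the id in the issue's own sample request contains non-hex characters (g, h, v, j), so the issue's `[0-9a-fA-F]{24}` regex rejects that exact request; a request with a 24-hex id is allowed only when the path, resource id and caller id all agree and the method is `get`.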

Is this project actively maintained?

I need to implement a distributed auth system where policies are defined/maintained in a central service while decision/enforcement is delegated. Requests pass through a central gateway that has access to the IAM system (to authenticate tokens and enrich the request with an ACL and info about the bearer) but not data from the destination system.

py-abac looks particularly nice because policies are succinct and serialisable. I could find/ match applicable policies in our gateway (on say subject and context attributes) and add them to the request and let the backend application enforce them. Best part of all I can use the same library in both places and not require further inter-service communication.

Is this library used in a production application anywhere, do you know? Would you welcome pull requests to be able to achieve the above? I'm fairly new to ABAC, but I was thinking either:

  • create a new PAP that takes a storage instance and is able to match/ export a list of policies, or
  • extend the PDP to do the same

Appreciate your efforts so far... if nothing else it's helped to see how someone else has approached this design in Python :)

And thanks in advance for your thoughts!

More selective policy retrieval from storage

Currently, all the policies within a policy collection are retrieved by storage for evaluation by the guard. We need a better retrieval algorithm resulting in more selective queries to the database by the storage. See link for proposed solutions.
