ketgo / py-abac
Python Attribute Based Access Control (ABAC)
Home Page: https://py-abac.readthedocs.io/
License: Apache License 2.0
Hello,
I'm setting up a new environment to use py-abac in.
pip install py-abac[mongo]
It seems that there is a nice separation for
However, SQLAlchemy is still a requirement, coming in from:
https://github.com/ketgo/py-abac/blob/master/py_abac/storage/__init__.py
A common use-case while defining a policy is to have conditions on attributes of different elements for a particular policy element. For example, defining a policy that allows access when the resource id in the resource element is the same as the user id in the user element. Such a policy is common when designing user profile applications.
Conditions for collections. Take for example AllNotIn; the documentation says:
none of the members of attribute value collection are members of "values"
Yet the test is:
@pytest.mark.parametrize("condition, what, result", [
...
(AllNotIn([2]), [1, 2], True),
Of the 2 values for the attribute value collection (1 and 2), 2 is a member of "values", so the condition should return False.
Hi there,
Great module - I've really enjoyed exploring / testing py-abac so far!
I was wondering if @ketgo / anyone had any thoughts on how to deal with assessing access to lists of resources.
For example, given the standard exemplar Pets API (GET /pets, GET /pets/123), is there a solution that might allow you to restrict the list returned by GET /pets to only contain those pets that belong to the user (as opposed to every pet in the database - potentially 100s or 1000s)?
Beyond getting the entire data set (potentially applying some initial filtering logic) and then assessing access to each entry on the list, I wasn't sure if there was a more efficient option.
Any thoughts would be greatly appreciated.
All the best - Jamie.
Hello,
first of all, thanks for creating this, it really helps a lot!
I am currently using py-abac to protect our api endpoints and searching for a way to limit the policies to a specific path.
My current solution is to just perform a regex match on the resource like this.
Endpoint: /v1/user/604g7bh4av2aj54114c14600
Policy
{
"uid": "2",
"description": "Allow user to get his own account",
"effect": "allow",
"rules": {
"subject": {
"$.user_id": {
"condition": "RegexMatch",
"value": ".*"
}
},
"resource": {
"$.path": {
"condition": "RegexMatch",
"value": "^\/v1\/user\/[0-9a-fA-F]{24}$"
},
"$.id": {
"condition": "EqualsAttribute",
"ace": "subject",
"path": "$.user_id"
}
},
"action": {
"$.method": {
"condition": "IsIn",
"values": [
"get"
]
}
},
"context": {}
},
"targets": {},
"priority": 0
}
Access Request
{
"subject":{
"id":"",
"attributes":{
"user_id":"604g7bh4av2aj54114c14600",
"role":"user"
}
},
"resource":{
"id":"",
"attributes":{
"path":"/v1/user/604g7bh4av2aj54114c14600",
"id":"604g7bh4av2aj54114c14600"
}
},
"action":{
"id":"",
"attributes":{
"method":"get"
}
},
"context":{
}
}
Would the target or context section be a better fit to limit this policy to only this specific API endpoint?
Some API endpoints also don't have path parameters with user ids etc., thus we have to perform a database lookup first and then use the owner and member attributes inside the database object to perform the validation.
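Jamie's question above about restricting a list endpoint to the caller's own items, and the per-item evaluation of the cross-element EqualsAttribute rule in the policy from this post, as one added stand-alone example (not py-abac's own code and not part of the thread): a minimal evaluator for exactly the three conditions this policy uses, applied to each entry of a constructed account list so that only the caller's own record survives. The evaluator, its "$.name" path handling and the sample ids are assumptions for illustration; in a real deployment py-abac's PDP takes the place of the evaluator.

```python
import re
# Stand-in evaluator for the policy shape used in this thread; it is not py-abac's
# engine and supports only RegexMatch, EqualsAttribute, IsIn and "$.name" paths.
def _lookup(request, ace, path):
    if not path.startswith("$."):
        raise ValueError(f"unsupported attribute path {path!r}")
    return request.get(ace, {}).get("attributes", {}).get(path[2:])

def _holds(cond, value, request):
    kind = cond["condition"]
    if kind == "RegexMatch":
        return isinstance(value, str) and re.search(cond["value"], value) is not None
    if kind == "EqualsAttribute":  # compare with an attribute of another element
        return value is not None and value == _lookup(request, cond["ace"], cond["path"])
    if kind == "IsIn":
        return value in cond["values"]
    raise ValueError(f"unsupported condition {kind!r}")

def is_allowed(policy, request):
    """Default deny: every rule on every element must hold for an allow effect."""
    return policy["effect"] == "allow" and all(
        _holds(cond, _lookup(request, ace, path), request)
        for ace, rules in policy["rules"].items() for path, cond in rules.items())

def filter_allowed(policy, subject, action, resources):
    """Collection endpoint: keep only the items the caller may act on, one decision each."""
    return [r for r in resources if is_allowed(
        policy, {"subject": subject, "resource": r, "action": action, "context": {}})]

OWN_ACCOUNT_POLICY = {  # the rules of the policy quoted above, as a Python dict
    "effect": "allow",
    "rules": {
        "subject": {"$.user_id": {"condition": "RegexMatch", "value": ".*"}},
        "resource": {
            "$.path": {"condition": "RegexMatch", "value": r"^/v1/user/[0-9a-fA-F]{24}$"},
            "$.id": {"condition": "EqualsAttribute", "ace": "subject", "path": "$.user_id"},
        },
        "action": {"$.method": {"condition": "IsIn", "values": ["get"]}},
        "context": {},
    },
}

def demo():
    # Constructed sample data (not from the post): two 24-hex-char account ids.
    me, other = "5f1d7a3e9c0b4a2d8e6f1a2b", "5f1d7a3e9c0b4a2d8e6f1a2c"
    subject = {"id": "", "attributes": {"user_id": me, "role": "user"}}
    action = {"id": "", "attributes": {"method": "get"}}
    accounts = [{"id": "", "attributes": {"path": f"/v1/user/{u}", "id": u}} for u in (me, other)]
    return [r["attributes"]["id"] for r in filter_allowed(OWN_ACCOUNT_POLICY, subject, action, accounts)]
```

This still costs one decision per row, which is the cost Jamie describes; the filter only avoids returning rows the caller could not read individually.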
I need to implement a distributed auth system where policies are defined/maintained in a central service while decision/enforcement is delegated. Requests pass through a central gateway that has access to the IAM system (to authenticate tokens and enrich the request with an ACL and info about the bearer) but not to data from the destination system.
py-abac looks particularly nice because policies are succinct and serialisable. I could find/match applicable policies in our gateway (on, say, subject and context attributes), add them to the request and let the backend application enforce them. Best of all, I can use the same library in both places and not require further inter-service communication.
Is this library used in a production application anywhere, do you know? Would you welcome pull requests to be able to achieve the above? I'm fairly new to ABAC, but I was thinking either:
Appreciate your efforts so far... if nothing else it's helped to see how someone else has approached this design in Python :)
And thanks in advance for your thoughts!
How about using json schema and pydantic instead of marshmallow?
Currently, all the policies within a policy collection are retrieved by the storage for evaluation by the guard. We need a better retrieval algorithm, resulting in more selective queries to the database by the storage. See link for proposed solutions.
In the documentation of py-abac, the Policy Language page (https://py-abac.readthedocs.io/en/latest/policy_language.html#policy-language) has this one line:
A policy composes of uid, description, conditions, targets, effect, and priority fields. The JSON schema is given by
It should be rules instead of conditions, right?