Reputation: 41
I have a web application written in Python (Django REST framework). Now I want to implement attribute-based access control (ABAC) on my web application for authorization. How can I implement ABAC policies on this application? Can I use XACML policies (and how do I implement XACML on a Python web app), or is there another way to write ABAC policies in Python and implement them on my web application? Can I use py-ABAC, and how do I use it?
import vakt
from vakt.rules import Eq, Any, StartsWith, And, Greater, Less

# Rules-based policy: every element is a Rule object that is matched
# against the corresponding field of an Inquiry.
policy = vakt.Policy(
    123456,
    actions=[Eq('fork'), Eq('clone')],
    resources=[StartsWith('repos/Google', ci=True)],   # ci=True: case-insensitive
    subjects=[{'name': Any(), 'stars': And(Greater(50), Less(999))}],
    effect=vakt.ALLOW_ACCESS,
    context={'referer': Eq('https://github.com')},
    description="""
    Allow to fork or clone any Google repository for
    users that have > 50 and < 999 stars and came from Github
    """
)

storage = vakt.MemoryStorage()
storage.add(policy)
# The Guard is the decision point; RulesChecker evaluates Rule objects.
guard = vakt.Guard(storage, vakt.RulesChecker())

inq = vakt.Inquiry(action='fork',
                   resource='repos/google/tensorflow',
                   subject={'name': 'larry', 'stars': 80},
                   context={'referer': 'https://github.com'})
assert guard.is_allowed(inq)
Or if you prefer Amazon IAM Policies style:
import vakt
from vakt.rules import CIDR

# String-based policy: angle-bracketed parts are regular expressions,
# evaluated by RegexChecker; Rule objects are still allowed in context.
policy = vakt.Policy(
    123457,
    effect=vakt.ALLOW_ACCESS,
    subjects=[r'<[a-zA-Z]+ M[a-z]+>'],
    resources=['library:books:<.+>', 'office:magazines:<.+>'],
    actions=['<read|get>'],
    context={
        'ip': CIDR('192.168.0.0/24'),
    },
    description="""
    Allow all readers of the book library whose surnames start with M get and read any book or magazine,
    but only when they connect from local library's computer
    """,
)

storage = vakt.MemoryStorage()
storage.add(policy)
guard = vakt.Guard(storage, vakt.RegexChecker())

inq = vakt.Inquiry(action='read',
                   resource='library:books:Hobbit',
                   subject='Jim Morrison',
                   context={'ip': '192.168.0.220'})
assert guard.is_allowed(inq)
Thanks in advance!
Upvotes: 3
Views: 3202
Reputation: 597
I don't have experience with Py-ABAC, but typically XACML is written in XACML, an XML-based language, or using a GUI or language that is compiled into XACML, like ALFA.
Then your Python web app will call the Policy Decision Point (PDP) using REST or SOAP, preferably REST. You could use an HTTP library like requests.
Example JSON:
{
  "Request": {
    "AccessSubject": {
      "Attribute": [
        {"AttributeId": "user.name", "Value": "alice"}
      ]
    },
    "Resource": {
      "Attribute": [
        {"AttributeId": "resource.objectType", "Value": "insurance claim"}
      ]
    },
    "Action": {
      "Attribute": [
        {"AttributeId": "action-id", "Value": "view"}
      ]
    }
  }
}
Did I mention that it's not exactly advisable (by me at least) to make your own authorization engine (PDP)? There are products that have accomplished externalizing authorization out there...
Use an open source product, like WSO2 or AuthzForce, or buy a product like Axiomatics (full disclosure: I used to work here).
For an entire list of XACML implementations, you can check this list on Wikipedia.
Upvotes: 1
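The PEP side of the pattern the answer describes, as an added example that is not part of the original question or answer: it builds a request in the XACML JSON Profile shape shown above, sends it to a PDP, and treats anything other than "Permit" (Deny, NotApplicable, Indeterminate, malformed response, or an unreachable PDP) as a denial. The PDP here is a constructed in-process stub so the file runs offline; the attribute ids (`user.role`, `user.region`, `resource.region`), the HTTP-method-to-action mapping, and the way a DRF view exposes its object type are assumptions, and `http_transport` is the piece you would point at a real PDP endpoint.

```python
"""Added example: a minimal XACML PEP for a Python web app (assumed design)."""
import json
from typing import Any, Callable, Dict

XACML_JSON = "application/xacml+json"  # media type from the XACML JSON Profile

# Assumption: how HTTP verbs map to XACML action ids. Unknown verbs get no
# action, which the PEP turns into a denial.
METHOD_ACTIONS = {"GET": "view", "HEAD": "view", "OPTIONS": "view",
                  "POST": "create", "PUT": "update", "PATCH": "update",
                  "DELETE": "delete"}


def build_xacml_request(subject: Dict[str, Any], resource: Dict[str, Any], action: str) -> dict:
    """Build a JSON Profile request with the three categories used in the answer."""
    def attrs(d: Dict[str, Any]) -> dict:
        return {"Attribute": [{"AttributeId": k, "Value": v} for k, v in d.items()]}
    return {"Request": {"AccessSubject": attrs(subject),
                        "Resource": attrs(resource),
                        "Action": attrs({"action-id": action})}}


def decision_from_response(body: Any) -> str:
    """Return the single Decision in a JSON Profile response, else Indeterminate.
    Anything unexpected (no Response array, several results) is not a Permit."""
    results = body.get("Response") if isinstance(body, dict) else None
    if not isinstance(results, list) or len(results) != 1 or not isinstance(results[0], dict):
        return "Indeterminate"
    return str(results[0].get("Decision", "Indeterminate"))


def http_transport(pdp_url: str, timeout: float = 3.0) -> Callable[[dict], dict]:
    """Transport that POSTs the request to a real PDP with `requests` (assumed URL)."""
    def send(body: dict) -> dict:
        import requests  # imported lazily so the offline stub below needs no dependency
        r = requests.post(pdp_url, data=json.dumps(body), timeout=timeout,
                          headers={"Content-Type": XACML_JSON, "Accept": XACML_JSON})
        r.raise_for_status()
        return r.json()
    return send


def constructed_stub_pdp(body: dict) -> dict:
    """Constructed stand-in for a PDP, for offline use only. It emulates one policy:
    a claims_handler may 'view' an insurance claim from their own region;
    any other combination is Deny; a missing attribute is Indeterminate."""
    def values(category: str) -> Dict[str, Any]:
        cat = body["Request"].get(category, {})
        return {a["AttributeId"]: a["Value"] for a in cat.get("Attribute", [])}
    subj, res, act = values("AccessSubject"), values("Resource"), values("Action")
    needed = (("user.role", "user.region"), ("resource.objectType", "resource.region"), ("action-id",))
    for have, keys in zip((subj, res, act), needed):
        if any(k not in have for k in keys):
            return {"Response": [{"Decision": "Indeterminate"}]}
    permit = (subj["user.role"] == "claims_handler"
              and res["resource.objectType"] == "insurance claim"
              and act["action-id"] == "view"
              and subj["user.region"] == res["resource.region"])
    return {"Response": [{"Decision": "Permit" if permit else "Deny"}]}


class XacmlPEP:
    """Policy Enforcement Point: asks the PDP and fails closed."""
    def __init__(self, transport: Callable[[dict], dict]):
        self._transport = transport

    def is_allowed(self, subject: Dict[str, Any], resource: Dict[str, Any], action: str) -> bool:
        try:
            response = self._transport(build_xacml_request(subject, resource, action))
        except Exception:  # PDP down, timeout, bad JSON: deny rather than guess
            return False
        return decision_from_response(response) == "Permit"


try:
    from rest_framework.permissions import BasePermission
except ImportError:  # assumption: let this file run without Django/DRF installed
    class BasePermission:  # minimal stand-in with DRF's method name
        def has_permission(self, request, view):
            return True


class XacmlPermission(BasePermission):
    """DRF permission class delegating to the PEP. Attribute sources are assumed:
    user.role / user.region on the user model, xacml_* attributes on the view."""
    pep = XacmlPEP(constructed_stub_pdp)  # real deployment: XacmlPEP(http_transport(PDP_URL))

    def has_permission(self, request, view) -> bool:
        user = getattr(request, "user", None)
        if user is None or not getattr(user, "is_authenticated", False):
            return False
        action = METHOD_ACTIONS.get(request.method.upper())
        if action is None:
            return False
        subject = {"user.name": user.get_username(),
                   "user.role": getattr(user, "role", ""),
                   "user.region": getattr(user, "region", "")}
        resource = {"resource.objectType": getattr(view, "xacml_object_type", ""),
                    "resource.region": getattr(view, "xacml_region", "")}
        return self.pep.is_allowed(subject, resource, action)
```

The point worth keeping from this shape is the fail-closed handling: a PDP returns four decisions, not two, and an HTTP error or a timeout is a fifth outcome, so the enforcement point should only grant on an explicit "Permit" and should log everything else rather than map it to "allow". Attributes the PDP needs (role, region, object type) must come from trusted sources on the server side, never from the client request body.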