Authorization primitives for Flametrench: relational tuples and exact-match check(). Spec-conformant; no rewrite rules in v0.1.

Project description

flametrench-authz

Python SDK for the Flametrench authorization specification: relational tuples and exact-match check(). Exact-match is the default — no implicit rewriting at the API boundary (ADR 0001). v0.2 adds opt-in rewrite rules (ADR 0007) — computed_userset (role implication) and tuple_to_userset (parent-child inheritance) — for adopters who want hierarchies. Group expansion remains deferred.

The same fixture corpus that gates @flametrench/authz (Node), flametrench/authz (PHP), and dev.flametrench:authz (Java) runs here. Cross-language interop is enforced by the test suite.

Status: v0.2.0 (stable). Includes ShareStore (ADR 0012) and Postgres-backed adapters (PostgresTupleStore, PostgresShareStore). Per ADR 0013 the Postgres adapters cooperate with adopter-side outer transactions via savepoints when nested (psycopg3 connection.transaction() handles this automatically).

from flametrench_authz import InMemoryTupleStore
from flametrench_ids import generate

store = InMemoryTupleStore()
alice = generate("usr")
project_42 = generate("org")[4:]  # bare hex for app-owned objects

store.create_tuple(
    subject_type="usr",
    subject_id=alice,
    relation="editor",
    object_type="proj",
    object_id=project_42,
)

result = store.check(
    subject_type="usr",
    subject_id=alice,
    relation="editor",
    object_type="proj",
    object_id=project_42,
)
assert result.allowed is True

Installation

pip install flametrench-authz

Requires Python 3.11+. Depends on flametrench-ids for tup_ id generation.

Spec invariants enforced

  • Exact-match check() — returns true iff a tuple with the exact 5-tuple natural key exists. No derivation; admin does NOT imply editor.
  • Uniqueness — duplicate creation of the same (subject_type, subject_id, relation, object_type, object_id) raises DuplicateTupleError.
  • Format — relations match ^[a-z_]{2,32}$; object types match ^[a-z]{2,6}$. Violations raise InvalidFormatError.
  • Empty-set rejection: check_any() with an empty relations array raises EmptyRelationSetError rather than silently returning false.
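
The four invariants above, modelled as an added example that is not the flametrench-authz source: ModelTupleStore, demo(), the locally defined error classes and the check_any() parameter order are assumptions for illustration, and this check() returns a plain bool rather than a result object with .allowed.

```python
import re

# Illustrative model only: a local re-implementation of the four invariants,
# not the flametrench-authz source. ModelTupleStore is a hypothetical name.
RELATION_RE = re.compile(r"[a-z_]{2,32}")   # page: ^[a-z_]{2,32}$
OBJECT_TYPE_RE = re.compile(r"[a-z]{2,6}")  # page: ^[a-z]{2,6}$

class DuplicateTupleError(Exception): pass
class InvalidFormatError(Exception): pass
class EmptyRelationSetError(Exception): pass

class ModelTupleStore:
    def __init__(self):
        self._tuples = set()  # each member is the full 5-tuple natural key

    def create_tuple(self, subject_type, subject_id, relation, object_type, object_id):
        # fullmatch, so a trailing newline cannot slip past the pattern
        if not RELATION_RE.fullmatch(relation):
            raise InvalidFormatError(f"relation {relation!r}")
        if not OBJECT_TYPE_RE.fullmatch(object_type):
            raise InvalidFormatError(f"object_type {object_type!r}")
        key = (subject_type, subject_id, relation, object_type, object_id)
        if key in self._tuples:
            raise DuplicateTupleError(key)
        self._tuples.add(key)

    def check(self, subject_type, subject_id, relation, object_type, object_id):
        # Exact match: no role implication, no inheritance, no wildcarding.
        return (subject_type, subject_id, relation, object_type, object_id) in self._tuples

    def check_any(self, subject_type, subject_id, relations, object_type, object_id):
        # An empty set is a caller bug; raising keeps it from reading as a deny.
        if not relations:
            raise EmptyRelationSetError("relations must be non-empty")
        return any(self.check(subject_type, subject_id, r, object_type, object_id)
                   for r in relations)

def demo():
    store = ModelTupleStore()
    store.create_tuple("usr", "alice-id", "admin", "proj", "p42")  # constructed ids
    outcomes = {
        "admin": store.check("usr", "alice-id", "admin", "proj", "p42"),
        "editor": store.check("usr", "alice-id", "editor", "proj", "p42"),
        "any": store.check_any("usr", "alice-id", ["editor", "admin"], "proj", "p42"),
    }
    return store, outcomes
```

Under exact-match semantics, a caller who wants "admin or editor may edit" has to say so with check_any(); nothing is inferred from the admin tuple alone.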

Conformance

pytest

Runs the same authorization fixture corpus — check.json, check-any.json, uniqueness.json, format.json — that gates the Node and PHP SDKs.

License

Apache-2.0. See LICENSE and NOTICE.

Copyright 2026 NDC Digital, LLC.

Download files

Source Distribution

flametrench_authz-0.3.0.tar.gz (32.3 kB)

Uploaded Source

Built Distribution

flametrench_authz-0.3.0-py3-none-any.whl (28.1 kB)

Uploaded Python 3

File details

Details for the file flametrench_authz-0.3.0.tar.gz.

File metadata

  • Download URL: flametrench_authz-0.3.0.tar.gz
  • Size: 32.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for flametrench_authz-0.3.0.tar.gz
Algorithm Hash digest
SHA256 70fab3db42719662e999cc2e2d299c6809aa2af3739fa3ccddbe35eec900a780
MD5 79a9aa1b927e9b2daf21bc68e7c1defa
BLAKE2b-256 0b4721a5db9a4224a1f711513ff5a6c800000a41914d06eb204ab92376cd0dc2

Provenance

The following attestation bundles were made for flametrench_authz-0.3.0.tar.gz:

Publisher: publish.yml on flametrench/authz-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file flametrench_authz-0.3.0-py3-none-any.whl.

File hashes

Hashes for flametrench_authz-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 efa2c2d3331c9d0384cd8635428862cd9a95666953fc28eeff62209a57e62ade
MD5 73b8521766f30556b3b44675bde18ab1
BLAKE2b-256 7ef3302606c60be1679184071f0fe7f1d2eeeb5e51b7af2c61c9ef29bdd7f858

Provenance

The following attestation bundles were made for flametrench_authz-0.3.0-py3-none-any.whl:

Publisher: publish.yml on flametrench/authz-python
