Skip to main content

An authorization middleware for Flask that supports ACL, RBAC, ABAC, based on Casbin

Project description

flask-authz

Build Status Coverage Status Version PyPI - Wheel Pyversions Download Gitter

flask-authz is an authorization middleware for Flask, it's based on PyCasbin.

Installation

pip install flask-authz

Or clone the repo:

$ git clone https://github.com/pycasbin/flask-authz.git
$ python setup.py install

Module Usage:

from flask import Flask
from flask_authz import CasbinEnforcer
from casbin.persist.adapters import FileAdapter

app = Flask(__name__)
# Set up Casbin model config
app.config['CASBIN_MODEL'] = 'casbinmodel.conf'
# Set headers where owner for enforcement policy should be located
app.config['CASBIN_OWNER_HEADERS'] = {'X-User', 'X-Group'}
# Set up Casbin Adapter
adapter = FileAdapter('rbac_policy.csv')
casbin_enforcer = CasbinEnforcer(app, adapter)

@app.route('/', methods=['GET'])
@casbin_enforcer.enforcer
def get_root():
    return jsonify({'message': 'If you see this you have access'})

@app.route('/manager', methods=['POST'])
@casbin_enforcer.enforcer
@casbin_enforcer.manager
def make_casbin_change(manager):
    # Manager is an casbin.enforcer.Enforcer object to make changes to Casbin
    return jsonify({'message': 'If you see this you have access'})

Example Config This example file can be found in tests/casbin_files

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act

Example Policy This example file can be found in tests/casbin_files

p, alice, /dataset1/*, GET
p, alice, /dataset1/resource1, POST
p, bob, /dataset2/resource1, *
p, bob, /dataset2/resource2, GET
p, bob, /dataset2/folder1/*, POST
p, dataset1_admin, /dataset1/*, *
p, *, /login, *

p, anonymous, /, GET

g, cathy, dataset1_admin

Development

Run unit tests

  1. Fork/Clone repository
  2. Install flask-authz dependencies, and run pytest
pip install -r dev_requirements.txt
pip install -r requirements.txt
pytest

Setup pre-commit checks

pre-commit install

update requirements with pip-tools

# update requirements.txt
pip-compile --no-annotate --no-header --rebuild requirements.in
# sync venv
pip-sync

Manually Bump Version

bumpversion major  # major release
or
bumpversion minor  # minor release
or
bumpversion patch  # hotfix release

Documentation

The authorization determines a request based on {subject, object, action}, which means what subject can perform what action on what object. In this plugin, the meanings are:

  1. subject: the logged-in user name
  2. object: the URL path for the web resource like "dataset1/item1"
  3. action: HTTP method like GET, POST, PUT, DELETE, or the high-level actions you defined like "read-file", "write-blog"

For how to write authorization policy and other details, please refer to the Casbin's documentation.

Getting Help

License

This project is under Apache 2.0 License. See the LICENSE file for the full license text.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for flask-authz, version 2.0.1
Filename, size File type Python version Upload date Hashes
Filename, size flask_authz-2.0.1-py2.py3-none-any.whl (12.0 kB) File type Wheel Python version py2.py3 Upload date Hashes View
Filename, size flask-authz-2.0.1.tar.gz (6.2 kB) File type Source Python version None Upload date Hashes View

Supported by

Pingdom Pingdom Monitoring Google Google Object Storage and Download Analytics Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page