Pure Python Stateless Tag-Based Authorization Library

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for scartill from gravatar.com scartill

Unverified details

These details have not been verified by PyPI
Meta
Report project as malware

Project description

Stateless Tag-Based Authorization Library

Background

Traditional role-based authorization models are not flexible enough to cover all required use cases. On the other side, full-managed ACLs are too complex for account managers to handle. tagth is a simple and flexible authorization model that can be easily implemented and maintained.

Installation

pip install tagth

Tag-Based Authorization

A lightweight model that is based on three concepts:

  • a principal and its associated tags,
  • a resource and its associated tags,
  • an action.

The model adheres to the following principles:

  • the model is stateless and purely functional, and it has no internal persistence,
  • the model does not interpret the tags or actions, besides the special values,
  • the model produces a binary result: either the action is allowed or not.

Principal and Principal Tags

A Principal is an acting entity. A Principal can be a user, a role, a group, or any other entity that can perform actions.

Principal’s auth tag string looks like a comma-separated list of tags: tag_one, tag_two, tag_three. Each tag should be a string that is a valid Python identifier.

A supertag is a tag that is a prefix of another tag. For example, admin is a supertag of admin_user.

Warning: Matching is based on simple string prefix. This means admin will match admin_user, administrator, and admin123. Ensure your tag naming scheme accounts for this to avoid unintended access.

A principal is said to possess a tag if the tag or its supertag exists in the principal’s auth tag string.

Special values:

  • void (can only access resources with anyone access, see below),
  • root (unlimited access).

Resource and Resource Tags

A Resource is an object that can be accessed by a Principal. A Resource can be a user, a channel, a source asset, an extension, a tenant, a campaign, etc.

A resource tag is a string that is a valid Python identifier. NB: there is no such thing as a supertag for a resource tag.

An action is a string that is a valid Python identifier. A superaction is an action that is a prefix of another action. For example, create is a superaction of create_asset.

Warning: Like tags, action matching is based on simple string prefix. read will match reading and read_all.

Resource auth tag string looks like a comma-separated of colon-separarted pairs of tags and actions: tag_one:read, tag_two:write or multiple actions: tag_one:{read, write}(tags with associated actions).

If the resource auth tag string is empty or contains only whitespace, only the root principal is allowed access.

An action is allowed for a principal if it possesses:

  • a tag that is associated with the action
  • a tag that is associated with the superaction of the action
  • the root tag

Special values:

  • anyone resource tag (any principal is allowed to perform action).
  • all action (all action are allowed).

Access Resolution

The model makes a decision based on the following three values only:

  • the principal’s auth tag string
  • the resource’s auth tag string
  • the action to be performed

The resolution is binary: either the action is allowed or not.

Examples

Basic Usage

from tagth import allowed

# A regular user with basic permissions
principal_tags = 'user, content'
resource_tags = 'content:read, metadata:write'

# Check if user can read content
allowed(principal_tags, resource_tags, 'read')  # Returns True
# Check if user can delete content
allowed(principal_tags, resource_tags, 'delete')  # Returns False

# Multiple actions for a resource
principal_tags = 'user, content'
resource_tags = 'content:{read, write}'

# Check if user can read content
allowed(principal_tags, resource_tags, 'read')  # Returns True
# Check if user can write content
allowed(principal_tags, resource_tags, 'write')  # Returns True
# Check if user can delete content
allowed(principal_tags, resource_tags, 'delete')  # Returns False

# Root user has unlimited access
principal_tags = 'root'
allowed(principal_tags, resource_tags, 'anything')  # Returns True

# Void user can only access 'anyone' resources
void_tags = 'void'
allowed(void_tags, 'anyone:read', 'read')  # Returns True
allowed(void_tags, 'content:read', 'read')  # Returns False

Supertags and Superactions

# Principal tags can be supertags
principal_tags = 'admin'
resource_tags = 'admin_user:write, admin_content:delete'

# 'admin' is a supertag of 'admin_user' and 'admin_content'
allowed(principal_tags, resource_tags, 'write')  # Returns True
allowed(principal_tags, resource_tags, 'delete')  # Returns True

# Actions can have superactions
principal_tags = 'content'
resource_tags = 'content:create'

# 'create' is a superaction of 'create_asset'
allowed(principal_tags, resource_tags, 'create_asset')  # Returns True

Special Values

# 'anyone' resource tag allows access to all principals
principal_tags = 'basic_user'
resource_tags = 'anyone:read'
allowed(principal_tags, resource_tags, 'read')  # Returns True

# 'all' action allows all actions
principal_tags = 'content'
resource_tags = 'content:all'
allowed(principal_tags, resource_tags, 'read')  # Returns True
allowed(principal_tags, resource_tags, 'write')  # Returns True

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for scartill from gravatar.com scartill

Unverified details

These details have not been verified by PyPI
Meta

Release history Release notifications | RSS feed

This version

1.2.6

1.2.5

1.2.4

1.2.3

1.2.2

1.2.1

1.2.0

1.1.1

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tagth-1.2.6.tar.gz (8.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tagth-1.2.6-py3-none-any.whl (5.4 kB view details)

Uploaded Python 3

File details

Details for the file tagth-1.2.6.tar.gz.

File metadata

  • Download URL: tagth-1.2.6.tar.gz
  • Upload date:
  • Size: 8.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for tagth-1.2.6.tar.gz
Algorithm Hash digest
SHA256 a3ee1b0c58c86cb130f7269f85f6161dec287444a31d5902d99e9a54b3b5f2aa
MD5 4a12472213e93e04e2eaf2b96df61370
BLAKE2b-256 825c366b9522bd758ca088fd2af063ae0c03fb111281061138206fa70c48474e

See more details on using hashes here.

Provenance

The following attestation bundles were made for tagth-1.2.6.tar.gz:

Publisher: publish.yml on scartill/tagth

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file tagth-1.2.6-py3-none-any.whl.

File metadata

  • Download URL: tagth-1.2.6-py3-none-any.whl
  • Upload date:
  • Size: 5.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for tagth-1.2.6-py3-none-any.whl
Algorithm Hash digest
SHA256 c89fc08ce43f0a0d8cfd9340ee80392a6324a398e225b92143952df5733d2086
MD5 a318f279965a3fe36f68220a826c096c
BLAKE2b-256 1540fd07f8b83851cf19afe5209b8eed1d4cf8430cc31aed7fbd644480f2eeab

See more details on using hashes here.

Provenance

The following attestation bundles were made for tagth-1.2.6-py3-none-any.whl:

Publisher: publish.yml on scartill/tagth

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page