Pure Python Stateless Tag-Based Authorization Library

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for scartill from gravatar.com scartill

Unverified details

These details have not been verified by PyPI
Meta
Report project as malware

Project description

Stateless Tag-Based Authorization Library

Background

Traditional role-based authorization models are not flexible enough to cover all required use cases. On the other side, full-managed ACLs are too complex for account managers to handle. tagth is a simple and flexible authorization model that can be easily implemented and maintained.

Installation

pip install tagth

Tag-Based Authorization

A lightweight model that is based on three concepts:

  • a principal and its associated tags,
  • a resource and its associated tags,
  • an action.

The model adheres to the following principles:

  • the model is stateless and purely functional, and it has no internal persistence,
  • the model does not interpret the tags or actions, besides the special values,
  • the model produces a binary result: either the action is allowed or not.

Principal and Principal Tags

A Principal is an acting entity. A Principal can be a user, a role, a group, or any other entity that can perform actions.

Principal’s auth tag string looks like a comma-separated list of tags: tag_one, tag_two, tag_three. Each tag should be a string that is a valid Python identifier.

A supertag is a tag that is a prefix of another tag. For example, admin is a supertag of admin_user.

Warning: Matching is based on simple string prefix. This means admin will match admin_user, administrator, and admin123. Ensure your tag naming scheme accounts for this to avoid unintended access.

A principal is said to possess a tag if the tag or its supertag exists in the principal’s auth tag string.

Special values:

  • void (can only access resources with anyone access, see below),
  • root (unlimited access).

Resource and Resource Tags

A Resource is an object that can be accessed by a Principal. A Resource can be a user, a channel, a source asset, an extension, a tenant, a campaign, etc.

A resource tag is a string that is a valid Python identifier. NB: there is no such thing as a supertag for a resource tag.

An action is a string that is a valid Python identifier. A superaction is an action that is a prefix of another action. For example, create is a superaction of create_asset.

Warning: Like tags, action matching is based on simple string prefix. read will match reading and read_all.

Resource auth tag string looks like a comma-separated of colon-separarted pairs of tags and actions: tag_one:read, tag_two:write or multiple actions: tag_one:{read, write}(tags with associated actions).

If the resource auth tag string is empty or contains only whitespace, only the root principal is allowed access.

An action is allowed for a principal if it possesses:

  • a tag that is associated with the action
  • a tag that is associated with the superaction of the action
  • the root tag

Special values:

  • anyone resource tag (any principal is allowed to perform action).
  • all action (all action are allowed).

Access Resolution

The model makes a decision based on the following three values only:

  • the principal’s auth tag string
  • the resource’s auth tag string
  • the action to be performed

The resolution is binary: either the action is allowed or not.

Examples

Basic Usage

from tagth import allowed

# A regular user with basic permissions
principal_tags = 'user, content'
resource_tags = 'content:read, metadata:write'

# Check if user can read content
allowed(principal_tags, resource_tags, 'read')  # Returns True
# Check if user can delete content
allowed(principal_tags, resource_tags, 'delete')  # Returns False

# Multiple actions for a resource
principal_tags = 'user, content'
resource_tags = 'content:{read, write}'

# Check if user can read content
allowed(principal_tags, resource_tags, 'read')  # Returns True
# Check if user can write content
allowed(principal_tags, resource_tags, 'write')  # Returns True
# Check if user can delete content
allowed(principal_tags, resource_tags, 'delete')  # Returns False

# Root user has unlimited access
principal_tags = 'root'
allowed(principal_tags, resource_tags, 'anything')  # Returns True

# Void user can only access 'anyone' resources
void_tags = 'void'
allowed(void_tags, 'anyone:read', 'read')  # Returns True
allowed(void_tags, 'content:read', 'read')  # Returns False

Supertags and Superactions

# Principal tags can be supertags
principal_tags = 'admin'
resource_tags = 'admin_user:write, admin_content:delete'

# 'admin' is a supertag of 'admin_user' and 'admin_content'
allowed(principal_tags, resource_tags, 'write')  # Returns True
allowed(principal_tags, resource_tags, 'delete')  # Returns True

# Actions can have superactions
principal_tags = 'content'
resource_tags = 'content:create'

# 'create' is a superaction of 'create_asset'
allowed(principal_tags, resource_tags, 'create_asset')  # Returns True

Special Values

# 'anyone' resource tag allows access to all principals
principal_tags = 'basic_user'
resource_tags = 'anyone:read'
allowed(principal_tags, resource_tags, 'read')  # Returns True

# 'all' action allows all actions
principal_tags = 'content'
resource_tags = 'content:all'
allowed(principal_tags, resource_tags, 'read')  # Returns True
allowed(principal_tags, resource_tags, 'write')  # Returns True

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for scartill from gravatar.com scartill

Unverified details

These details have not been verified by PyPI
Meta

Release history Release notifications | RSS feed

This version

1.2.5

1.2.4

1.2.3

1.2.2

1.2.1

1.2.0

1.1.1

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tagth-1.2.5.tar.gz (8.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tagth-1.2.5-py3-none-any.whl (5.4 kB view details)

Uploaded Python 3

File details

Details for the file tagth-1.2.5.tar.gz.

File metadata

  • Download URL: tagth-1.2.5.tar.gz
  • Upload date:
  • Size: 8.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for tagth-1.2.5.tar.gz
Algorithm Hash digest
SHA256 9ec7fa5e87c396d2f76ff354d5a601211522cc27aae635cfcd7c72e646949a30
MD5 5b71625ff3f944d90e4bc9b63e67379c
BLAKE2b-256 9dad9bb6529b72e3fd92006b258752ff85917d50e16d2b9e606517cab28c662a

See more details on using hashes here.

Provenance

The following attestation bundles were made for tagth-1.2.5.tar.gz:

Publisher: publish.yml on scartill/tagth

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file tagth-1.2.5-py3-none-any.whl.

File metadata

  • Download URL: tagth-1.2.5-py3-none-any.whl
  • Upload date:
  • Size: 5.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for tagth-1.2.5-py3-none-any.whl
Algorithm Hash digest
SHA256 d9d395624c7a614babe196ba1cea4ead06d8afeb4353a4ade899faa2edccbecc
MD5 7f8bfebcd1cb865e22419a26e5d8c815
BLAKE2b-256 677db090c69e53a65232e5199ad90cc6bc11aca88ad60776a75106b0bd7992fc

See more details on using hashes here.

Provenance

The following attestation bundles were made for tagth-1.2.5-py3-none-any.whl:

Publisher: publish.yml on scartill/tagth

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page