Pure Python Stateless Tag-Based Authorization Library
Project description
Stateless Tag-Based Authorization Library
Background
Traditional role-based authorization models are not flexible enough to cover all required use cases. On the other side, full-managed ACLs are too complex for account managers to handle. tagth is a simple and flexible authorization model that can be easily implemented and maintained.
Tag-Based Authorization
A lightweight model that is based on three concepts:
- a principal and its associated tags,
- a resource and its associated tags,
- an action.
The model adheres to the following principles:
- the model is stateless and purely functional, and it has no internal persistence,
- the model does not interpret the tags or actions, besides the special values,
- the model produces a binary result: either the action is allowed or not.
Principal and Principal Tags
A Principal is an acting entity. A Principal can be a user, a role, a group, or any other entity that can perform actions.
Principal’s auth tag string looks like a comma-separated list of tags: tag_one, tag_two, tag_three. Each tag should be a string that is a valid Python identifier.
A supertag is a tag that is a prefix of another tag. For example, admin is a supertag of admin_user.
A principal is said to possess a tag if the tag or its supertag exists in the principal’s auth tag string.
Special values:
void(can only access resources withanyoneaccess, see below),root(unlimited access).
Resource and Resource Tags
A Resource is an object that can be accessed by a Principal. A Resource can be a user, a channel, a source asset, an extension, a tenant, a campaign, etc.
A resource tag is a string that is a valid Python identifier. NB: there is no such thing as a supertag for a resource tag.
An action is a string that is a valid Python identifier. A superaction is an action that is a prefix of another action. For example, create is a superaction of create_asset.
Resource auth tag string looks like a comma-separated of colon-separarted pairs of tags and actions: tag_one:read, tag_two:write or multiple actions: tag_one:{read, write}(tags with associated actions).
An action is allowed for a principal if it possesses:
- a tag that is associated with the action
- a tag that is associated with the superaction of the action
- the
roottag
Special values:
anyoneresource tag (any principal is allowed to perform action).allaction (all action are allowed).
Access Resolution
The model makes a decision based on the following three values only:
- the principal’s auth tag string
- the resource’s auth tag string
- the action to be performed
The resolution is binary: either the action is allowed or not.
Examples
Basic Usage
from tagth import allowed
# A regular user with basic permissions
principal_tags = 'user, content'
resource_tags = 'content:read, metadata:write'
# Check if user can read content
allowed(principal_tags, resource_tags, 'read') # Returns True
# Check if user can delete content
allowed(principal_tags, resource_tags, 'delete') # Returns False
# Multiple actions for a resource
principal_tags = 'user, content'
resource_tags = 'content:{read, write}'
# Check if user can read content
allowed(principal_tags, resource_tags, 'read') # Returns True
# Check if user can write content
allowed(principal_tags, resource_tags, 'write') # Returns True
# Check if user can delete content
allowed(principal_tags, resource_tags, 'delete') # Returns False
# Root user has unlimited access
principal_tags = 'root'
allowed(principal_tags, resource_tags, 'anything') # Returns True
# Void user can only access 'anyone' resources
void_tags = 'void'
allowed(void_tags, 'anyone:read', 'read') # Returns True
allowed(void_tags, 'content:read', 'read') # Returns False
Supertags and Superactions
# Principal tags can be supertags
principal_tags = 'admin'
resource_tags = 'admin_user:write, admin_content:delete'
# 'admin' is a supertag of 'admin_user' and 'admin_content'
allowed(principal_tags, resource_tags, 'write') # Returns True
allowed(principal_tags, resource_tags, 'delete') # Returns True
# Actions can have superactions
principal_tags = 'content'
resource_tags = 'content:create'
# 'create' is a superaction of 'create_asset'
allowed(principal_tags, resource_tags, 'create_asset') # Returns True
Special Values
# 'anyone' resource tag allows access to all principals
principal_tags = 'basic_user'
resource_tags = 'anyone:read'
allowed(principal_tags, resource_tags, 'read') # Returns True
# 'all' action allows all actions
principal_tags = 'content'
resource_tags = 'content:all'
allowed(principal_tags, resource_tags, 'read') # Returns True
allowed(principal_tags, resource_tags, 'write') # Returns True
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file tagth-1.2.1.tar.gz.
File metadata
- Download URL: tagth-1.2.1.tar.gz
- Upload date:
- Size: 38.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.1
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
40259509afe398a8ce1f6887a330b3674004a7f3d9531819c74281a78e17d3f9
|
|
| MD5 |
e0127b35947bee4713ca15118b999fb0
|
|
| BLAKE2b-256 |
3a1e3831205cc278e1f323b3e8fcac47e5ba659edd82c0f95f086763b15e439f
|
File details
Details for the file tagth-1.2.1-py3-none-any.whl.
File metadata
- Download URL: tagth-1.2.1-py3-none-any.whl
- Upload date:
- Size: 5.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.1
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d16f7f443462ab84ade05e6d3d35acd1b5df589b8b8bd95deae0f6da679fd2dd
|
|
| MD5 |
5a41758ac932805596433e530208a7c0
|
|
| BLAKE2b-256 |
7ab5971d258b72c0ba93a7396a061e1ece1d75a1091b255e2720583102a1565a
|
