Pure Python Stateless Tag-Based Authorization Library

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for scartill from gravatar.com scartill

Unverified details

These details have not been verified by PyPI
Project links
Meta
Report project as malware

Project description

Stateless Tag-Based Authorization Library

Background

Traditional role-based authorization models are not flexible enough to cover all required use cases. On the other side, full-managed ACLs are too complex for account managers to handle. tagth is a simple and flexible authorization model that can be easily implemented and maintained.

Installation

pip install tagth

Tag-Based Authorization

A lightweight model that is based on three concepts:

  • a principal and its associated tags,
  • a resource and its associated tags,
  • an action.

The model adheres to the following principles:

  • the model is stateless and purely functional, and it has no internal persistence,
  • the model does not interpret the tags or actions, besides the special values,
  • the model produces a binary result: either the action is allowed or not.

Principal and Principal Tags

A Principal is an acting entity. A Principal can be a user, a role, a group, or any other entity that can perform actions.

Principal’s auth tag string looks like a comma-separated list of tags: tag_one, tag_two, tag_three. Each tag should be a string that is a valid Python identifier.

A supertag is a tag that is a prefix of another tag. For example, admin is a supertag of admin_user.

A principal is said to possess a tag if the tag or its supertag exists in the principal’s auth tag string.

Special values:

  • void (can only access resources with anyone access, see below),
  • root (unlimited access).

Resource and Resource Tags

A Resource is an object that can be accessed by a Principal. A Resource can be a user, a channel, a source asset, an extension, a tenant, a campaign, etc.

A resource tag is a string that is a valid Python identifier. NB: there is no such thing as a supertag for a resource tag.

An action is a string that is a valid Python identifier. A superaction is an action that is a prefix of another action. For example, create is a superaction of create_asset.

Resource auth tag string looks like a comma-separated of colon-separarted pairs of tags and actions: tag_one:read, tag_two:write or multiple actions: tag_one:{read, write}(tags with associated actions).

If the resource auth tag string is empty or contains only whitespace, only the root principal is allowed access.

An action is allowed for a principal if it possesses:

  • a tag that is associated with the action
  • a tag that is associated with the superaction of the action
  • the root tag

Special values:

  • anyone resource tag (any principal is allowed to perform action).
  • all action (all action are allowed).

Access Resolution

The model makes a decision based on the following three values only:

  • the principal’s auth tag string
  • the resource’s auth tag string
  • the action to be performed

The resolution is binary: either the action is allowed or not.

Examples

Basic Usage

from tagth import allowed

# A regular user with basic permissions
principal_tags = 'user, content'
resource_tags = 'content:read, metadata:write'

# Check if user can read content
allowed(principal_tags, resource_tags, 'read')  # Returns True
# Check if user can delete content
allowed(principal_tags, resource_tags, 'delete')  # Returns False

# Multiple actions for a resource
principal_tags = 'user, content'
resource_tags = 'content:{read, write}'

# Check if user can read content
allowed(principal_tags, resource_tags, 'read')  # Returns True
# Check if user can write content
allowed(principal_tags, resource_tags, 'write')  # Returns True
# Check if user can delete content
allowed(principal_tags, resource_tags, 'delete')  # Returns False

# Root user has unlimited access
principal_tags = 'root'
allowed(principal_tags, resource_tags, 'anything')  # Returns True

# Void user can only access 'anyone' resources
void_tags = 'void'
allowed(void_tags, 'anyone:read', 'read')  # Returns True
allowed(void_tags, 'content:read', 'read')  # Returns False

Supertags and Superactions

# Principal tags can be supertags
principal_tags = 'admin'
resource_tags = 'admin_user:write, admin_content:delete'

# 'admin' is a supertag of 'admin_user' and 'admin_content'
allowed(principal_tags, resource_tags, 'write')  # Returns True
allowed(principal_tags, resource_tags, 'delete')  # Returns True

# Actions can have superactions
principal_tags = 'content'
resource_tags = 'content:create'

# 'create' is a superaction of 'create_asset'
allowed(principal_tags, resource_tags, 'create_asset')  # Returns True

Special Values

# 'anyone' resource tag allows access to all principals
principal_tags = 'basic_user'
resource_tags = 'anyone:read'
allowed(principal_tags, resource_tags, 'read')  # Returns True

# 'all' action allows all actions
principal_tags = 'content'
resource_tags = 'content:all'
allowed(principal_tags, resource_tags, 'read')  # Returns True
allowed(principal_tags, resource_tags, 'write')  # Returns True

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for scartill from gravatar.com scartill

Unverified details

These details have not been verified by PyPI
Project links
Meta

Release history Release notifications | RSS feed

1.2.5

1.2.4

This version

1.2.3

1.2.2

1.2.1

1.2.0

1.1.1

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tagth-1.2.3.tar.gz (8.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tagth-1.2.3-py3-none-any.whl (5.2 kB view details)

Uploaded Python 3

File details

Details for the file tagth-1.2.3.tar.gz.

File metadata

  • Download URL: tagth-1.2.3.tar.gz
  • Upload date:
  • Size: 8.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.1

File hashes

Hashes for tagth-1.2.3.tar.gz
Algorithm Hash digest
SHA256 252c3f5573bfd2123c763ecd2cd3f1651cd0ca43c3b6812bbeed692234fdbad2
MD5 083a1ff76ec47517d2b1bc8e535d0da6
BLAKE2b-256 b8f7b63e41a3a3a75cc71c794c41e207c3558b61d5b64049100f4951912bb353

See more details on using hashes here.

File details

Details for the file tagth-1.2.3-py3-none-any.whl.

File metadata

  • Download URL: tagth-1.2.3-py3-none-any.whl
  • Upload date:
  • Size: 5.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.1

File hashes

Hashes for tagth-1.2.3-py3-none-any.whl
Algorithm Hash digest
SHA256 8117f1804ae93bd01d7644e631070438ef61a7bd836a255f8cbdbfb25342b38f
MD5 983b1964a536fb1251c645c432fb9f00
BLAKE2b-256 e9e900b2b060218b4eb41a686efedfcee624117413eb70490e6b7b59dee74a94

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page